Rubber-hose cryptanalysis

Rubber-hose cryptanalysis is a term in cryptography denoting the extraction of secret keys or passwords from individuals through physical coercion or torture, often humorously depicted as beating the victim with a rubber hose until they reveal the information. The phrase alludes to a form of corporal punishment applied to the soles of the feet, emphasizing that such attacks bypass technical encryption strength by targeting the human weakness in the security chain. The term was coined on October 16, 1990, by security researcher Marcus J. Ranum in a post to the sci.crypt Usenet newsgroup, where he described it as a process in which "a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive." This origin highlights its roots as a wry commentary on the limitations of cryptographic systems when faced with real-world threats beyond mathematical analysis. Over time, the concept has expanded to encompass not only physical violence but also psychological pressure, threats to loved ones, or legal compulsion, underscoring that even the strongest algorithms are vulnerable if the keyholder can be forced to disclose secrets. In practice, rubber-hose cryptanalysis represents a critical challenge in information security, as it exploits the "weakest link" in cryptosystems—the human operator—often rendering advanced encryption moot in coercive environments like interrogations or state surveillance. Notable real-world instances include allegations of Turkish police using torture to extract passwords from suspects in 2008, demonstrating how such methods can undermine digital protections in authoritarian contexts. 
To counter these attacks, cryptographers have developed defenses such as deniable encryption schemes, which allow users to provide a coerced passphrase that reveals innocuous data while concealing the true secrets, or multi-factor systems incorporating hardware tokens that cannot be easily compelled. These approaches aim to introduce plausible deniability, ensuring that even under duress, the integrity of sensitive information can be preserved.

Overview

Definition

Rubber-hose cryptanalysis is a euphemistic term for the extraction of cryptographic secrets, such as passwords or encryption keys, from individuals through coercion or torture, thereby bypassing the mathematical foundations of cryptosystems. This approach exploits human vulnerability rather than algorithmic weaknesses, rendering even robust encryption ineffective if the key holder is compelled to disclose the information. The phrase "rubber hose" symbolizes physical beating, particularly to the soles of the feet, as a crude method of interrogation that targets the person as the "weakest link" in the security chain, distinct from technical exploits. In essence, it underscores how coercion can defeat cryptography by forcing voluntary revelation, independent of the system's computational security. Unlike formal cryptanalysis methods, which depend on computational power, side-channel information, or mathematical analysis to break codes, rubber-hose cryptanalysis relies solely on threats or physical force to obtain secrets. A basic scenario involves an adversary compelling the key holder under duress to reveal the information, thus nullifying the encryption's protective value. Techniques such as deniable encryption provide a partial countermeasure by enabling plausible deniability during coercion.

Etymology and Origin

The term "rubber-hose cryptanalysis" was coined by Marcus J. Ranum on October 16, 1990, in a post to the sci.crypt Usenet newsgroup, where he described it as a method of extracting cryptographic keys through physical coercion, specifically by applying a rubber hose to the soles of the feet until the victim complies. This usage arose in response to ongoing debates in the group about the feasibility of unbreakable ciphers and the limitations of purely mathematical security models. The phrase "rubber-hose" draws from the historical practice of using flexible rubber hoses as improvised tools for bastinado-style torture, a form of corporal punishment that inflicts pain without necessarily causing permanent injury, thereby evoking a vivid image of coerced disclosure in cryptographic contexts. Ranum's coinage highlighted the human vulnerability in security systems, contrasting sharply with traditional technical cryptanalysis that relies on algorithmic weaknesses rather than interpersonal pressure. The term emerged during a period of heightened interest in public-key cryptography following its invention in the mid-1970s, amid post-Cold War discussions on government surveillance and access to encrypted communications in the early 1990s. Initial references appeared in cypherpunk mailing lists throughout the 1990s, where privacy advocates explored digital rights and resistance to state coercion. By the mid-1990s, it had entered early cryptographic literature, such as Bruce Schneier's Applied Cryptography (1996), solidifying its place as standard jargon in the field by the 2000s.

Methods of Coercion

Physical Coercion

Physical coercion in rubber-hose cryptanalysis involves the direct application of bodily harm to compel individuals to disclose cryptographic keys or passwords, often employing methods designed to maximize pain while minimizing visible evidence of abuse. A hallmark technique is beating with flexible objects like rubber hoses, which distribute force to cause internal bruising and intense discomfort without leaving lasting external marks, facilitating deniability in interrogations. This method has been documented in various global contexts, including police stations in Bahrain where detainees were suspended and struck with rubber hoses to extract confessions. Other prevalent tactics include waterboarding, which simulates drowning to induce panic and submission, and stress positions that force prolonged physical strain, such as hanging by the wrists or extended handcuffing. The United Nations Committee against Torture's 2006 report highlighted waterboarding and similar "enhanced interrogation techniques" used by U.S. authorities in secret detentions, criticizing them as forms of torture employed to obtain sensitive information during interrogations worldwide. In Ethiopia's Maekelawi police station, Human Rights Watch reported instances where detainees were beaten with sticks and electric wires, subjected to stress positions, and coerced into revealing email and Facebook passwords under threat of further violence. These practices draw from historical precedents of torture for information extraction, as outlined in reports from human rights organizations, including Amnesty International on systematic abuses in Malaysia and Human Rights Watch on Papua New Guinea, where rubber hose beatings and other non-lethal tools were used to break resistance without immediately endangering the subject's life. 
The effectiveness of physical coercion stems from its ability to provoke rapid compliance through overwhelming pain, often yielding keys or access codes before permanent harm occurs, though outcomes vary by the victim's resilience. However, such methods carry significant risks to the perpetrator, including the potential for accidental death from complications like internal injuries or cardiac arrest, as evidenced in Syrian detention facilities where torture led to mass fatalities. In authoritarian regimes, these tactics persist despite international condemnation, but they invite legal repercussions and diplomatic isolation when exposed, as noted in UN and Amnesty International analyses of global torture patterns.

Psychological Coercion

Psychological coercion in rubber-hose cryptanalysis encompasses non-physical tactics designed to compel the disclosure of cryptographic keys by exploiting emotional and cognitive vulnerabilities, such as fear, guilt, and desperation. These methods contrast with physical approaches by avoiding direct bodily harm, thereby minimizing detectable evidence while still achieving compliance through mental strain. Common techniques include threats to family members, where interrogators or attackers imply potential legal repercussions or harm to relatives to leverage familial bonds and induce panic-driven revelation of keys. Prolonged isolation represents another key tactic, involving the separation of the individual from social support and external stimuli to foster disorientation and heightened suggestibility, with one analysis of Canadian police interrogations observing an average isolation duration of 2.58 hours, far exceeding the five-minute recommendation in a standard interrogation manual. False promises of leniency further pressure targets by suggesting reduced consequences or favorable outcomes in exchange for cooperation, a method shown to significantly increase the risk of coerced statements during interrogations. The effectiveness of these psychological strategies stems from their ability to manipulate human psychology without leaving physical traces, making them more sustainable for prolonged application compared to violent methods, which may escalate to physical coercion if mental tactics fail. By targeting emotions like fear of loss or guilt over endangering loved ones, these approaches can break resistance more subtly, often leading to voluntary disclosure under duress. Research on interrogation practices indicates that such tactics, including promises of leniency, produce highly persuasive outcomes in legal contexts, though empirical data on isolation shows no significant correlation with confession rates (r = -0.06, p = 0.82). 
In the realm of cryptography, this sustainability allows attackers to maintain pressure over extended periods, increasing the likelihood of key extraction without immediate legal repercussions for the coercer. Examples of these tactics appear in law enforcement interrogations, where suspects facing encryption-related charges may encounter offers of plea bargains that worsen penalties for withholding keys, effectively using desperation over legal outcomes to prompt disclosure. In one documented framework, collaboration through implied leniency during questioning has been noted to facilitate sensitive admissions, analogous to key revelation in crypto scenarios. Subtle forms of psychological coercion extend to social engineering, such as impersonation of trusted entities like technical support or authorities to trick individuals into voluntarily sharing keys via misinformation or fabricated urgency. For instance, attackers posing as cryptocurrency exchange representatives have successfully obtained private keys by exploiting authority bias and trust, leading to unauthorized access without overt confrontation. These non-violent manipulations highlight the human element's vulnerability in cryptographic security.

Cryptographic Implications

The Human Element in Security

Rubber-hose cryptanalysis exemplifies the principle that security systems are only as strong as their weakest link, where human operators often represent the most vulnerable component despite the robustness of underlying algorithms. In cryptographic contexts, even the most secure protocols can be compromised if individuals under pressure disclose sensitive information such as encryption keys, highlighting how psychological and physical stressors bypass technical safeguards. This vulnerability persists because humans, unlike machines, are susceptible to fear, pain, or manipulation, rendering perfect encryption ineffective when the keyholder yields. The implications extend to advanced ciphers like AES-256, which offers theoretical resistance to brute-force attacks for centuries, or quantum-resistant algorithms designed to withstand future computational threats; yet, these fail entirely if the key is coerced from the holder. Such disclosures undermine the confidentiality guarantees of end-to-end encrypted communications, as seen in scenarios where users of secure messaging apps reveal passphrases under duress, exposing entire datasets. This underscores a fundamental mismatch between the mathematical invulnerability of modern cryptography and the finite resilience of human participants in the security chain. Philosophically, rubber-hose cryptanalysis aligns with the cypherpunk ethos of the 1990s, which emphasized that true privacy requires tools accounting for real-world coercion rather than assuming flawless user behavior. Cypherpunk manifestos, such as those advocating for anonymous remailers and digital cash, explicitly recognized that state or adversarial forces could compel key disclosure, urging the development of systems resilient to human frailties. 
This perspective influenced early cryptographic designs focused on deniability and plausible alternatives to direct revelation, reinforcing the idea that cryptography must evolve beyond code to address societal pressures on individuals.

Relation to Other Cryptanalytic Attacks

Rubber-hose cryptanalysis fundamentally differs from traditional cryptanalytic techniques such as differential cryptanalysis and linear cryptanalysis, which are mathematical methods that exploit structural weaknesses in a cipher's algorithm to recover keys from observed plaintext-ciphertext pairs without requiring access to the key holder. In contrast, rubber-hose cryptanalysis employs direct coercion against individuals to extract secrets, representing a form of "brute force" applied to human vulnerabilities rather than computational or algorithmic analysis. This approach bypasses the cipher's technical strength entirely, targeting the human link in the security chain. Similarly, while side-channel attacks like power analysis observe physical emanations—such as variations in electricity usage during encryption operations—to infer keys, rubber-hose cryptanalysis relies on psychological or physical pressure on the user, making it a non-implementation-based threat that operates outside the cryptographic system's design. A closely related euphemism is black-bag cryptanalysis, which involves covert physical intrusion, such as burglary or installing keyloggers on devices, to acquire secrets—serving as a semi-physical counterpart to rubber-hose's interpersonal coercion. Both terms emerged satirically within cryptographic discourse to highlight non-technical threats but reflect genuine risks in real-world scenarios. Within the hierarchy of attack vectors, rubber-hose cryptanalysis is frequently regarded as the most efficient means to compromise even robustly designed systems, as it leverages the relative ease of extracting information from humans compared to breaking strong algorithms. Security expert Bruce Schneier has emphasized this practicality in his writings, noting its effectiveness over purely technical alternatives. 
In contemporary applications, particularly in law enforcement or adversarial settings, it often integrates with digital forensics—such as analyzing seized hardware post-coercion—yet maintains its distinction from algorithmic cryptanalysis by prioritizing human disclosure over data recovery techniques.

Countermeasures

Technical Defenses

Technical defenses against rubber-hose cryptanalysis focus on cryptographic systems that incorporate plausible deniability, allowing users to reveal partial or decoy information without compromising sensitive data. One early implementation is the Rubberhose filesystem, developed between 1997 and 2000 by Julian Assange, Ralf Weinmann, and Suelette Dreyfus, which provides transparent disk encryption resistant to coercion by supporting multiple independent keys that unlock different plausible datasets, enabling the user to provide a key revealing non-sensitive "decoy" data while denying knowledge of additional volumes. This deniable encryption leverages steganographic techniques to hide the existence of encrypted compartments, making it difficult for coercers to prove the presence of undisclosed information.
A prominent feature in modern tools is the use of hidden volumes, as implemented in TrueCrypt (discontinued in 2014) and its successor VeraCrypt. These systems allow the creation of an outer encrypted volume containing innocuous decoy files, within which a hidden inner volume stores sensitive data accessible only via a separate passphrase; upon coercion, the user can disclose the outer volume's key, providing plausible deniability since the hidden volume's existence cannot be cryptographically distinguished from random data in the outer volume's free space. VeraCrypt enhances this by supporting protection mechanisms to prevent damage to hidden volumes during outer volume access, ensuring the inner data remains intact and undetectable.
Advanced cryptographic primitives aim to further resist coercion by designing keys or protocols that are difficult or impossible to consciously recall or reveal under duress. For instance, a 2012 USENIX Security paper by Bojinov et al. proposes coercion-resistant systems inspired by neuroscience, using implicit learning to embed secrets that users can deny knowing explicitly, as the information is stored subconsciously and resistant to forced extraction. Complementary ideas, such as honeywords—fake passwords planted alongside real ones to mislead attackers—can support security in authentication systems primarily through breach detection when unauthorized logins occur, though their role in direct coercion resistance is limited.
Multi-party computation (MPC) protocols, particularly threshold schemes, distribute cryptographic keys across multiple participants such that no single individual possesses the complete key, thereby mitigating single-point coercion vulnerabilities. In Shamir's secret sharing scheme (1979), a secret is divided into shares where a threshold number (e.g., t out of n) is required for reconstruction, ensuring that coercing one party yields no useful information while requiring simultaneous compromise of t parties to access the full key; this is foundational to MPC applications like threshold signatures in blockchain systems. Modern implementations, such as those in secure multi-party protocols, extend this to distributed decryption or signing without revealing partial keys.
Despite these advancements, technical defenses have inherent limitations, as no system can fully prevent success if all relevant parties are coerced or if side-channel attacks (e.g., forensic analysis) reveal inconsistencies in decoy data. These tools complement legal protections but cannot eliminate the human element in coercion scenarios.
Strong human rights frameworks and the rule of law serve as critical deterrents to state-sponsored rubber-hose cryptanalysis, as analyzed by Cory Doctorow in his 2022 examination of the topic, which highlights how accountable political processes responsive to citizens rather than donors can prevent coercive abuses by law enforcement and governments.
These frameworks emphasize protections against arbitrary detention and forced disclosure, fostering environments where encryption users can rely on legal recourse rather than physical or psychological duress. International standards reinforce these protections through treaties like the United Nations Convention Against Torture, adopted in 1984, which explicitly prohibits all acts of torture and other cruel, inhuman, or degrading treatment or punishment, including any form of coercion aimed at extracting information such as cryptographic keys. Ratified by 175 countries (as of November 2025), the convention obligates states to prevent such practices in any territory under their jurisdiction and to criminalize attempts to compel disclosures through duress, thereby establishing a global baseline against rubber-hose tactics. Advocacy efforts by organizations such as the Electronic Frontier Foundation (EFF) and the Tor Project further bolster these safeguards by promoting encryption without mandated backdoors, as articulated in their 2016 statements opposing government access mechanisms that could incentivize coercion. These initiatives highlight how robust encryption reduces the perceived need for aggressive interrogation, encouraging policymakers to prioritize privacy-respecting alternatives over confrontational methods. Societal measures, including public education on rights like the Fifth Amendment's privilege against self-incrimination in the United States—which the EFF has argued extends to prohibiting compelled decryption of encrypted data—empower individuals to assert protections during encounters with authorities. Whistleblower protections in democratic systems also enhance resilience by shielding those who report coercive practices, promoting a culture of accountability. 
However, these safeguards prove ineffective in non-democratic regimes lacking independent judiciaries, where coercion remains unchecked; post-2020 encryption debates have spurred calls from groups like the Global Encryption Coalition for universal norms to extend protections globally and mitigate such gaps.
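The threshold property of Shamir's secret sharing mentioned under Technical Defenses (t of n shares reconstruct the key, fewer reveal nothing) can be checked directly. The following is an added example, not code from this page or from any project it cites; the field modulus, the function names and the 3-of-5 parameters are assumptions chosen for illustration.

```python
"""Shamir (t, n) secret sharing over a prime field (added illustration)."""
import secrets

# Assumed field modulus: the Mersenne prime 2**521 - 1, large enough
# to hold a 256-bit key as a single field element.
PRIME = 2**521 - 1


def eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % PRIME
    return acc


def split(secret, t, n):
    """Split `secret` into n shares; any t of them reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 2 <= t <= n:
        raise ValueError("require 2 <= t <= n")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    # Share i is the point (i, f(i)); x = 0 is never handed out.
    return [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate_at(points, x0):
    """Lagrange interpolation: value at x0 of the unique polynomial of
    degree < len(points) passing through `points`."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def reconstruct(shares, t):
    """Recover the secret from at least t shares."""
    if len(shares) < t:
        raise ValueError("fewer than t shares: secret is undetermined")
    return interpolate_at(shares, 0)


def missing_share_for(candidate_secret, known_shares, x_missing):
    """With only t-1 shares in hand, return the share value at x_missing
    that would make `candidate_secret` the reconstructed secret.

    Such a value exists for every candidate, which is why t-1 coerced
    shares rule out no possible key.
    """
    points = [(0, candidate_secret)] + list(known_shares)
    return interpolate_at(points, x_missing)


if __name__ == "__main__":
    key = secrets.randbits(256)          # constructed sample key
    shares = split(key, t=3, n=5)        # five holders, any three suffice

    assert reconstruct(shares[:3], 3) == key
    assert reconstruct([shares[4], shares[0], shares[2]], 3) == key

    # Two holders are compromised. Every candidate key is still consistent
    # with their shares: each one just implies a different third share.
    coerced = shares[:2]
    for candidate in (0, 1, key):
        y3 = missing_share_for(candidate, coerced, 3)
        assert reconstruct(coerced + [(3, y3)], 3) == candidate
    print("3-of-5 split verified; 2 shares are consistent with any key")
```

As the page notes, this only moves the threshold: coercing t holders at once still recovers the key.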

Key Disclosure Legislation

Key disclosure legislation refers to statutes that mandate the surrender of cryptographic keys or decryption assistance to authorities, often under penalty of criminal sanctions, thereby enabling forms of rubber-hose cryptanalysis through legal compulsion. In the United Kingdom, the Regulation of Investigatory Powers Act 2000 (RIPA) under Part III empowers law enforcement and intelligence agencies to issue notices requiring individuals to disclose encryption keys or provide intelligible forms of protected information. Refusal to comply is criminalized under Section 53, carrying penalties of up to two years' imprisonment for general cases or five years for national security-related offenses. The legislation places the burden of proof on the defendant to demonstrate they no longer possess the key, presuming possession unless rebutted. Similar provisions exist in other jurisdictions. Australia's Assistance and Access Act 2018 amends prior telecommunications laws to compel both service providers and individuals to assist with decryption or key disclosure, with non-compliance punishable by up to ten years' imprisonment in serious cases. In Belgium, Article 90quater of the Code of Criminal Procedure, as amended, obliges competent persons to decrypt data upon judicial order, with refusal leading to fines or up to one year's imprisonment. India's Information Technology Act 2000, Section 69 (as amended in 2008), authorizes government agencies to direct decryption of information through any computer resource, with failure to provide assistance penalized by up to seven years' imprisonment. The United States lacks a federal mandate for key disclosure, relying instead on the Fifth Amendment's protection against self-incrimination, which courts have applied variably to compelled decryption—viewing it as testimonial if it implies knowledge of contents. 
State laws vary, with some allowing compelled passwords under limited circumstances, while federal pressures, such as in the 2016 FBI-Apple dispute over iPhone access, have highlighted tensions without resulting in broad legislation. Internationally, the European Union has seen ongoing debates since 2022 on encryption liability, particularly through the proposed Child Sexual Abuse Regulation (Chat Control). As of November 2025, the proposal remains under negotiation, with delays in adoption due to privacy concerns, potentially imposing scanning obligations on encrypted services if passed, effectively requiring access mechanisms amid concerns over privacy erosion. As of 2025, many such laws remain outdated, lacking provisions for quantum-resistant cryptography that could render traditional key disclosure ineffective against advanced threats. Critics argue these laws facilitate coercion without sufficient due process, potentially enabling misuse by authorities lacking oversight. Amnesty International has highlighted how mandatory key disclosure undermines human rights by interfering with privacy and freedom of expression, recommending strict safeguards like immediate data deletion post-use to mitigate abuses.

Notable Cases and Incidents

One notable incident highlighting the risks of physical coercion in accessing election infrastructure occurred during the 2017 Kenyan general election. Christopher Msando, the ICT manager for the Independent Electoral and Boundaries Commission (IEBC), was abducted and murdered just days before the vote, with an autopsy revealing signs of torture including strangulation and multiple injuries consistent with beatings. As one of the few officials with access to the commission's computer system passwords and server locations, his death raised suspicions that the torture aimed to extract credentials to manipulate the electoral process, amid widespread allegations of hacking and irregularities. The case remains unsolved, underscoring vulnerabilities in securing critical digital systems against targeted violence. In the 2013 arrest of Ross Ulbricht, founder of the dark web marketplace Silk Road, law enforcement seized his unlocked laptop by distraction during the arrest in a San Francisco library to access encrypted data without needing passwords or further cooperation. This approach highlighted workarounds to avoid interrogation pressure or compelled disclosure in high-stakes cybercrime investigations, where revealing cryptographic keys could be demanded. During the 2019-2020 Hong Kong pro-democracy protests, police were alleged to have used physical coercion to compel protesters to unlock mobile devices, accessing evidence of participation. In one documented case, officers attempted to force a detainee's face toward his phone to trigger facial recognition unlocking, part of broader patterns where over 3,700 phones were seized and forensically examined for protest-related content. Amnesty International reported instances of beatings and hooding in custody amounting to torture, with device access often demanded during interrogations to identify organizers via apps like Telegram. 
Protesters responded by disabling biometric locks and using burner devices to mitigate such risks. Amid the 2022 Russian invasion of Ukraine, reports emerged of kidnappings and torture targeting cryptocurrency assets, exploiting the conflict's chaos for financial gain. In October 2022 in Kharkiv, a man was abducted by individuals in military uniforms, beaten, zip-tied, and threatened at gunpoint in a basement until he transferred approximately 83,000 USDT from his wallet to his captors, who were later detained. Such incidents, documented in compilations of physical crypto attacks, illustrate how wartime instability enables coercion for seed phrases or private keys, with victims often unable to seek recourse amid ongoing hostilities. For instance, in 2024, reports documented kidnappings targeting crypto holders in regions like Thailand and France, where victims were coerced to transfer assets similar to the 2022 Ukraine case. Sources indicate incomplete coverage of verified incidents from 2023 to 2025, attributed to underreporting in conflict zones and the clandestine nature of coercion cases, limiting public documentation.

Cultural References

In Media and Humor

The concept of rubber-hose cryptanalysis has gained cultural traction through humorous depictions in webcomics and satirical commentary, emphasizing the fragility of human resolve against coercion despite robust technical safeguards. A prominent example is the 2008 xkcd comic strip #538, titled "Security," which illustrates a cryptographer boasting about unbreakable 4096-bit encryption only to succumb to threats of physical violence from an assailant wielding a rubber hose, captioned to highlight that security ultimately hinges on the "weakest link"—the individual. This portrayal has resonated in broader media and humor, serving as a shorthand for the inefficacy of encryption under duress. In cybersecurity satire, the term appears in discussions at hacker conferences like DEF CON, where presenters invoke it to underscore human vulnerabilities, often via lighthearted anecdotes or visual aids to engage non-experts on why purely algorithmic defenses fall short. Such references extend to science fiction and online commentary, where authors like Cory Doctorow explore rubber-hose cryptanalysis as a vivid metaphor for state-sponsored coercion, blending humor with warnings about real-world privacy threats in an era of surveillance. In a July 2025 commentary in Locus Magazine, Doctorow critiques depictions of encryption in technothrillers, arguing that rubber-hose cryptanalysis underscores the importance of rule-of-law protections over purely technical solutions. These depictions have popularized the notion beyond specialist circles, fostering public awareness of the need for societal and legal barriers to complement technological ones amid ongoing digital rights debates.

In Academic and Professional Discourse

Rubber-hose cryptanalysis has been a recurring theme in cryptographic literature since the mid-1990s, often highlighted as an inevitable limitation of human-dependent security systems. In Bruce Schneier's seminal book Applied Cryptography (1996), the concept is introduced as a form of attack where coercion—through threats, blackmail, or physical force—compels the disclosure of keys, underscoring that no cryptographic protocol can fully mitigate human vulnerabilities. Schneier revisited the topic in a 2008 blog post, emphasizing its practicality in real-world scenarios and joking that it represents the "most powerful attack" against even the strongest ciphers. A notable academic contribution came in 2012 with the USENIX Security Symposium paper "Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks" by Bojinov et al., which proposed subconscious key generation techniques using implicit learning to resist coercion, demonstrating through experiments that users could recall long keys without conscious awareness. The topic has received frequent attention at major security conferences, particularly in discussions of coercion resistance. At Black Hat Europe 2005, Jon Callas's presentation on "Hacking PGP" referenced rubber-hose cryptanalysis as a persistent threat in email security, advocating for protocols that account for human compromise. Similarly, DEF CON talks in the 2010s, such as those on deniable encryption, often invoked the term to illustrate the need for systems resilient to physical duress. In scholarly archives, the International Association for Cryptologic Research (IACR) ePrint repository features numerous preprints post-1996, including works on secure multi-party computation that address rubber-hose risks through threat modeling. In professional contexts, rubber-hose cryptanalysis informs guidelines on human-centered security design. 
The National Institute of Standards and Technology (NIST) updated its post-quantum cryptography recommendations in 2024, incorporating considerations of human factors such as awareness, readiness, education, and training as part of broader migration strategies to quantum-resistant algorithms. A 2022 analysis by Cory Doctorow on Pluralistic.net linked the attack to encryption policy debates, arguing that strong technical defenses must pair with societal protections to counter state-sponsored coercion. Scholarly coverage reveals gaps, with much pre-2020 literature focusing on theoretical defenses while underemphasizing empirical human behavior studies; however, emerging 2025 research on duress authentication identifies use cases in critical societal systems and personal accounts where coercion risks are high. This body of work has profoundly influenced secure system design, promoting "coercion-resistant" standards in areas like electronic voting, where protocols ensure users can plausibly deny knowledge of hidden data under pressure.
