TRANSCRIPT
Illegitimi non carborundum
(Don’t let the bastards grind you down!)
Ronald L. Rivest
Viterbi Professor of EECS, MIT, Cambridge, MA
CRYPTO 2011, 2011-08-15
Outline
Overview and Context
The Game of “FLIPIT”
Non-Adaptive Play
Adaptive Play
Lessons and Open Questions
Cryptography
Cryptography is mostly about using mathematics and secrets to achieve confidentiality, integrity, or other security objectives.
Assumptions
We make assumptions as necessary, such as the ability of parties to generate unpredictable keys and to keep them secret, or the inability of the adversary to perform certain computations.
Murphy’s Law: “If anything can go wrong, it will!”
Assumptions may fail, badly. (Maginot Line)
Even worse...
In an adversarial situation, assumptions may fail repeatedly...
(ref: Advanced Persistent Threats)
Most crypto is like the Maginot line...
We work hard to make up good keys and distribute them properly, then we sit back and wait for the attack.
There is a line we assume the adversary cannot cross (theft of keys).
Partial key theft
Much research allows the adversary to steal some portion of the key(s):
- secret sharing [S79, ...]
- proactive crypto [HJKY95, ...]
- signer-base intrusion-resilience [IR04, ...]
- leakage-resilient crypto [MR04, ...]
But the adversary isn’t allowed to steal everything, all at once. (Some exceptions, e.g. intrusion-resilient secure channels [IMR’05].)
This just moves the line in the digital sand a bit...
Total key loss
To be a good security professional, there shouldn’t be limits on your paranoia!
(The adversary won’t respect such limits...) Are we being sufficiently paranoid??
Lincoln’s Riddle
Q: “If I call the dog’s tail a leg, how many legs does it have?”
A: “Four. It doesn’t matter what you call the tail; it is still a tail.”
Corollary to Lincoln’s Riddle
Calling a bit-string a “secret key” doesn’t actually make it secret...
Rather, it just identifies it as an interesting target for the adversary!
Our goal
To develop new models for scenarios involving total key loss.
Especially those scenarios where theft is stealthy or covert (not immediately noticed by the good guys).
FLIPIT
The Game of “FLIPIT” (aka “Stealthy Takeover”)
joint work with Ari Juels, Alina Oprea, Marten van Dijk of RSA Labs
FLIPIT is a two-player game
Defender = Player 0 = Blue
Attacker = Player 1 = Red
FLIPIT is rather symmetric, and we say “player i” to refer to an arbitrary player.
There is a contested critical secret or resource
Examples:
- A password
- A digital signature key
- A computer system
- A mountain pass
State of secret or resource is binary
Good | Bad
Secret | Guessed or Stolen
Clean | Compromised
Controlled by Defender | Controlled by Attacker
Blue | Red
A player can “move” (take control) at any time
Defender move puts resource into Good state = Initialize / Reset / Recover / Disinfect
Attacker move puts resource into Bad state = Compromise / Corrupt / Steal / Infect
Time is continuous, not discrete. Players move at the same time with probability 0.
Examples of moves:
- Defender: Create new password or signing key. Attacker: Steal password or signing key.
- Defender: Re-install system software. Attacker: Use zero-day attack to install rootkit.
- Defender: Send soldiers to mountain pass. Attacker: Send soldiers to mountain pass.
Continual back-and-forth warfare...
- Note that the Attacker can take over at any time.
- There is no “perfect defense”.
- The only option for the Defender is to re-take control later by moving again.
- The game may go on forever...
Moves are “stealthy”
- In practice, compromise is often undetected...
- In FLIPIT, players do not immediately know when the other player makes a move! (Very unusual in the game theory literature!)
- A player’s uncertainty about the system state increases with the time since his last move.
- A move may take control (“flip”) or have no effect (“flop”).
- Uncertainty means flops are unavoidable.
Moves may be informative
- A player learns the state of the system only when he moves.
- In basic FLIPIT, each move has feedback that reveals all previous moves.
- In variants, a move reveals only the current state, or the time since the other player last moved...
Cost of moves and gains for being in control
- Moves aren’t free!
- Player i pays ki points per move: Defender pays k0, Attacker pays k1.
- Being in control yields gain!
- A player earns one point for each second he is in control.
How well are you playing? (Notation)
- Let Ni(t) denote the number of moves by player i up to time t. His average rate of play is αi(t) = Ni(t)/t.
- Let Gi(t) denote the number of seconds player i is in control, up to time t. His rate of gain up to time t is γi(t) = Gi(t)/t.
How well are you playing? (Notation)
- Score (net benefit) Bi(t) up to time t is TimeInControl − CostOfMoves:
  Bi(t) = Gi(t) − ki · Ni(t)
- Benefit rate is
  βi(t) = Bi(t)/t = γi(t) − ki · αi(t)
- A player wishes to maximize βi = lim t→∞ βi(t).
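The scoring just defined can be made concrete in a few lines. A minimal sketch (function and variable names are mine, not from the talk): given each player's move times within a horizon T, credit each interval of time to whoever moved last, then compute Gi, Ni, and βi = Gi/T − ki · Ni/T.

```python
# Minimal FLIPIT scorer (a sketch; assumes all move times lie in [0, T)).
def flipit_score(defender_moves, attacker_moves, T, k0, k1):
    # Merge both players' moves into one timeline, tagged by owner.
    events = sorted([(t, 0) for t in defender_moves] +
                    [(t, 1) for t in attacker_moves])
    gain = [0.0, 0.0]
    owner, prev = 0, 0.0              # Defender controls at time 0.
    for t, player in events:
        gain[owner] += t - prev       # Credit the elapsed interval.
        owner, prev = player, t       # Mover takes control (flip or flop).
    gain[owner] += T - prev           # Credit the final interval.
    n = [len(defender_moves), len(attacker_moves)]
    beta = [gain[0] / T - k0 * n[0] / T,
            gain[1] / T - k1 * n[1] / T]
    return gain, n, beta

# Defender moves at t=3, 6; Attacker steals at t=1.5, 7.5; k0 = k1 = 1.
gain, n, beta = flipit_score([3, 6], [1.5, 7.5], T=9, k0=1, k1=1)
print(gain, beta)   # Defender controls 6 of the 9 seconds.
```

Note that the Defender's move at t=6 is a "flop": he already controls the resource, but he cannot know that, and he still pays k0 for the move.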
Movie of FLIPIT Game – Global View
Movie of FLIPIT Game – Defender View
How to play well?
Non-Adaptive Play
Non-adaptive strategies
- A non-adaptive strategy plays on blindly, independent of the other player’s moves.
- In principle, a non-adaptive player can pre-compute his entire (infinite!) list of moves before the game starts.
- Some interesting non-adaptive strategies:
  - Periodic play
  - Exponential (memoryless) play
  - Renewal strategies: iid intermove times
Periodic play
Player i may play periodically with rate αi and period 1/αi.
E.g. for α0 = 1/3, we might have: (timeline figure)
It is convenient to assume that periodic play involves minuscule amounts of jitter or drift; play is effectively periodic but will drift out of phase with a truly periodic schedule.
Adaptive play against a periodic opponent
An adaptive Attacker can easily learn the period and phase of a periodic Defender, so periodic play is useless against an adaptive opponent, unless it is very fast.
Examples:
- a sentry makes his regular rounds
- 90-day password reset
Periodic Attacker
Theorem. If the Attacker moves periodically at rate α1 (and period 1/α1, with unknown phase), then the optimal non-adaptive Defender strategy is:
- if α1 > 1/(2k0), don’t play(!),
- if α1 = 1/(2k0), play periodically at any rate α0, 0 ≤ α0 ≤ 1/(2k0),
- if α1 < 1/(2k0), play periodically at rate α0 = √(α1/(2k0)) > α1.
Graph for Periodic Attacker and Periodic Defender (k0 = 1, k1 = 1.5)
[Plot of Defender rate α0 against Attacker rate α1, with annotations:]
- if α1 > 1/(2k0): Attacker too fast for Defender
- if α1 = 1/(2k0): Defender can play with 0 benefit
- if α1 < 1/(2k0): Defender maximizes benefit with α0 = √(α1/(2k0))
- Optimal Attacker play
Nash equilibrium at (α0, α1) = (1/3, 2/9); (γ0, γ1) = (2/3, 1/3); (β0, β1) = (1/3, 0).
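The equilibrium numbers on this slide can be sanity-checked numerically. A sketch (variable names are mine), assuming the standard periodic-vs-periodic analysis in which, with random phases and α0 > α1, the slower Attacker controls a fraction α1/(2α0) of the time:

```python
from math import sqrt, isclose

k0, k1 = 1.0, 1.5
a0, a1 = 1/3, 2/9                      # claimed Nash equilibrium rates

# Theorem above: for a1 < 1/(2*k0), the Defender's best response is
# a0 = sqrt(a1/(2*k0)).
assert isclose(sqrt(a1 / (2 * k0)), a0)

# Assumption: slower periodic Attacker with random phase controls a
# fraction a1/(2*a0) of the time.
g1 = a1 / (2 * a0)
g0 = 1 - g1
b0 = g0 - k0 * a0                      # benefit rates beta_i
b1 = g1 - k1 * a1
assert isclose(g0, 2/3) and isclose(g1, 1/3)
assert isclose(b0, 1/3) and isclose(b1, 0.0, abs_tol=1e-12)
```

At this point the Attacker's benefit rate is exactly zero, which is what pins down the equilibrium: any faster or slower periodic Attacker does no better.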
Exponential Attacker
If the Attacker plays exponentially with rate α1, then his moves form a memoryless Poisson process; he plays independently in each interval of time of size dt with probability α1 dt.
The probability that an intermove delay is at most x is 1 − e^(−α1 x).
For α1 = 0.5, we might have: (timeline figure)
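A quick numerical check of this distribution via inverse-CDF sampling (a sketch; names and the seed are mine):

```python
import random
from math import exp, log

def exponential_delays(a1, n, rng):
    # Inverse-CDF sampling: if U ~ Uniform(0,1), then -ln(1-U)/a1 has
    # CDF Pr(delay <= x) = 1 - exp(-a1*x).
    return [-log(1.0 - rng.random()) / a1 for _ in range(n)]

rng = random.Random(2011)
a1 = 0.5
delays = exponential_delays(a1, 100_000, rng)

# Empirical CDF at x = 2 versus the formula 1 - e^{-a1*x}:
x = 2.0
empirical = sum(d <= x for d in delays) / len(delays)
print(empirical, 1 - exp(-a1 * x))    # both close to 0.632
```

Memorylessness is what matters for FLIPIT: the time until the Attacker's next move does not depend on how long he has already waited.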
Graph for Exponential Attacker and Defender (k0 = 1, k1 = 1.5)
[Plot of α0 against α1, with annotations:]
- Attacker too fast if α1 > 1
- Optimal Defender play for α1 < 1: α0 = √(α1/k0) − α1
- Optimal Attacker play
Nash equilibrium at (α0, α1) = (6/25, 4/25); (γ0, γ1) = (3/5, 2/5); (β0, β1) = (9/25, 6/25).
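These numbers can be partially sanity-checked. A sketch (names are mine), assuming that when both players play exponentially, the resource is held by whichever player moved most recently, so player i controls an αi/(α0 + α1) fraction of the time:

```python
from math import sqrt, isclose

k0, k1 = 1.0, 1.5
a0, a1 = 6/25, 4/25                    # claimed Nash equilibrium rates

# Defender's best-response curve from the slide: a0 = sqrt(a1/k0) - a1.
assert isclose(sqrt(a1 / k0) - a1, a0)

# Assumption: with both players Poisson, the last mover holds the
# resource, giving gamma_i = a_i / (a0 + a1).
g0, g1 = a0 / (a0 + a1), a1 / (a0 + a1)
assert isclose(g0, 3/5) and isclose(g1, 2/5)

# Defender's benefit rate matches the slide's beta_0 = 9/25:
assert isclose(g0 - k0 * a0, 9/25)
```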
Renewal Strategies
A renewal strategy is one with iid intermove delays for player i’s moves:
Pr(delay ≤ x) = Fi(x)
for some distribution Fi.
Renewal strategies form a very large class of (non-adaptive) strategies; periodic, exponential, etc. are special cases...
Origin of the term: the player’s moves form a renewal process.
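A pair of renewal strategies is easy to simulate, since each is just a sampler of iid delays. A sketch (all names, parameters, and the horizon are mine):

```python
import random
from math import log

# Simulate FLIPIT between two renewal strategies, each given as a
# sampler of iid intermove delays; returns the benefit rates.
def simulate(delay0, delay1, T, k0=1.0, k1=1.5, seed=0):
    rng = random.Random(seed)
    def moves(delay):
        t, out = delay(rng), []
        while t < T:
            out.append(t)
            t += delay(rng)
        return out
    m0, m1 = moves(delay0), moves(delay1)
    events = sorted([(t, 0) for t in m0] + [(t, 1) for t in m1])
    gain, owner, prev = [0.0, 0.0], 0, 0.0
    for t, p in events:                  # credit intervals to the last mover
        gain[owner] += t - prev
        owner, prev = p, t
    gain[owner] += T - prev
    return (gain[0] / T - k0 * len(m0) / T,
            gain[1] / T - k1 * len(m1) / T)

# Exponential intermove delays with a given rate:
def exp_delay(rate):
    return lambda rng: -log(1.0 - rng.random()) / rate

# Both players exponential at the rates from the earlier graph slide:
b0, b1 = simulate(exp_delay(6/25), exp_delay(4/25), T=200_000)
print(b0, b1)   # b0 should land near 9/25 = 0.36
```

Swapping in a constant delay for `delay0` gives periodic play, which is how the special cases above fit into the same framework.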
Optimal (renewal) play against a renewal strategy
One of our major results is the following:
Theorem. The optimal renewal strategy against any renewal strategy is either periodic or not playing.
Proof notes
Average time between buses ≠ average waiting time for a bus.
The proof considers size-biased interval sizes...
Note that a periodic strategy minimizes the variance of interval sizes, and thus minimizes the size-biased interval size.
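The bus analogy can be checked numerically (a sketch; the setup is mine): for Exp(1) intervals the mean interval is 1, but the size-biased interval, the one a uniformly random arrival lands in, has mean E[X²]/E[X] = 2.

```python
import random
from math import log

rng = random.Random(1)
# 200,000 Exp(1) gaps between "buses":
intervals = [-log(1.0 - rng.random()) for _ in range(200_000)]

mean_gap = sum(intervals) / len(intervals)

# A uniformly random time point lands in an interval with probability
# proportional to its length, so the covering interval is size-biased:
size_biased_mean = sum(x * x for x in intervals) / sum(intervals)

print(mean_gap, size_biased_mean)   # ~1.0 versus ~2.0
```

For a periodic schedule the interval variance is zero, so the size-biased mean equals the plain mean; that is the sense in which periodic play minimizes the opponent's expected foothold.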
Adaptive Play
Adaptive Strategies
- A periodic strategy is not very effective against an adaptive Attacker, who can learn to move just after each Defender move.
- FLIPIT with adaptive strategies can be complicated – it generalizes the iterated Prisoner’s Dilemma – e.g. for periodic play:

                   | slow (α1 = 0.1) | fast (α1 = 0.2)
  slow (α0 = 0.1)  | 0.40, 0.40      | -0.10, 0.55
  fast (α0 = 0.2)  | 0.55, -0.10     | 0.30, 0.30
Exponential works well even against adaptive strategies
Theorem. The optimal strategy (of any sort, even adaptive) against an exponential strategy is either periodic or not playing.
The Defender can always play an exponential strategy against a potentially adaptive Attacker; the Attacker can’t then do better than playing periodically (or not playing).
Defender’s (α0 = 0.25) net benefit β0 against the optimal Attacker (α1 variable)
[Plot of β0 against α1, comparing a Periodic Defender facing a periodic Attacker with an Exponential Defender facing an adaptive Attacker. ∃? Better Defender?]
Lessons and Open Questions
Lessons
- Be prepared to deal with continual repeated failure (loss of control).
- Play fast! Aim to make your opponent drop out! (Agility!)
- Arrange the game so that your moves cost much less than your opponent’s! (Cheap to refresh passwords or keys; easy to reset the system to a pristine state, as with a virtual machine.)
Open question 1
Conjecture: The optimal non-adaptive strategy against a renewal strategy is periodic.
(We only proved that the optimal renewal strategy is periodic.)
Open question 2
What is the “optimal” renewal strategy against an adaptive rate-limited Attacker (e.g. N1(t)/t ≤ α1 for all t)?
That is, how should one balance the trade-off between periodic play, which has low-variance intervals but is predictable, and exponential play, which has high-variance intervals but is very unpredictable?
Perhaps using gamma-distributed intervals or delayed exponentials?
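One concrete family matching the gamma suggestion (a sketch, with parameters of my choosing): gamma-distributed intervals with shape m and mean 1 interpolate between exponential play (m = 1, variance 1) and effectively periodic play (variance 1/m shrinking toward 0 as m grows).

```python
import random

rng = random.Random(7)

def gamma_intervals(m, n):
    # Gamma(shape=m, scale=1/m): mean 1, variance 1/m.
    return [rng.gammavariate(m, 1.0 / m) for _ in range(n)]

for m in (1, 4, 16):            # m=1 is exponential; large m is near-periodic
    xs = gamma_intervals(m, 100_000)
    mean = sum(xs) / len(xs)
    var = sum((x - mean) ** 2 for x in xs) / len(xs)
    print(m, round(mean, 3), round(var, 3))   # variance shrinks like 1/m
```

Tuning the shape m then trades interval variance (exploitable by a learning opponent at large m) against wasted early moves (costly at small m).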
Open question 3
Are there information-theoretic bounds on how well a rate-limited Attacker can do against a fixed renewal strategy by the Defender?
Open question 4
What learning-theory algorithms yield adaptive strategies provably optimal against renewal strategies?
Open questions 5, 6, 7, ...
5. Multi-player FLIPIT
6. Other feedback models (e.g. add a low-cost “check”)
7. How to structure PKI when any party (including CAs) may get “hacked” at any time?
...
Online version of FLIPIT
More information on FLIPIT, including an online interactive version of the game, will be available in the next few weeks at:
www.rsa.com/flipit
Enjoy!
The End