So the IACR's Distinguished Lecture this year is by Ron Rivest, and I can start with the cliché that of course Ron needs no introduction in this community. We all know his work on RSA and on digital signatures, his very creative work on ciphers and hash functions, the RC family and the MD family, which actually helped cryptography switch from hardware to software. But Ron has also worked on many other topics in crypto: ideas he put forward on encryption, certificate management, and SDSI. He worked on RFID tags, micropayments, voting, and outside crypto also on computer algorithms and machine learning. If I were to start enumerating all the honors Ron has received, it would take most of his talk, so I will not do that. I just want to mention that he is a member of the National Academy of Engineering and the National Academy of Sciences, a fellow of the ACM, the IACR, and the American Academy of Arts and Sciences, and in 2002, together with Adi Shamir and Len Adleman, he won the Turing Award. In addition to his academic work, Ron is of course also known as a founder of RSA Data Security. And he has also been very active in the voting community, not only on the technical side but also helping to make voting systems work. So please join me in welcoming Ron Rivest.

Thank you, Bart. It's a pleasure to be here. It's been 30 years since the first one of these, so it's an honor, and I want to thank the organizing committee for inviting me to come talk. So the talk will not be in Latin. In fact, that's not even Latin; that's mock Latin. The translation of it is "don't let the bastards grind you down." It's a phrase that originated in World War Two, and "carborundum" didn't exist, of course, at the time of the Romans; that's an abrasive, right? So this is mock Latin; it has its own Wikipedia page if you want to hear more about that. So this talk — actually, a keynote talk is an opportunity to stretch a bit. So this is sort of marginally cryptography.
It's related to cryptography, as you'll see, but it's not your usual crypto thing. I'm going to do some new models and ask some new questions. We'll be talking about games that go back and forth, back and forth, continually: a simple model that reflects that, and some results on that. So there'll be some overview and context, then this particular game that models the situation — I'll call it FlipIt — and then some discussion of results within that framework: non-adaptive play first and then adaptive play, and some lessons and some open questions. The high-level goal is to capture some aspects of the field of security that maybe we're not capturing well yet, and to encourage you to focus more on these other kinds of issues. It's not something that's been ignored, but I think it needs more emphasis, and maybe some new models will help. So cryptography is mostly about using mathematics and secrets to achieve some goals: confidentiality, integrity, and so on. The mathematics we're starting to understand pretty well, but it's the managing of secrets that this talk will focus on, or emphasize more. So we make assumptions: we assume that parties can generate good secrets — and we've seen some discussion of that today, with extractors and so on for generating secrets — and keep them secret. That's the point
I want to focus on today: keeping secrets. We also assume that the adversary can't do certain computations, et cetera. So these are normal assumptions that we make. But things go wrong, right? Murphy's law says if anything can go wrong, it will. There's no connection with the fact that the beaver is the MIT mascot. And things can go wrong badly. The Maginot Line in World War Two was built around an assumption by the French that the Germans would not try to attack there, and that if they did try to go around it, it would take them too long. And it did fail badly: the Germans skirted the defenses quickly; the assumption failed very badly. And now the Maginot Line is a metaphor for building static defenses and relying too much on your assumption that they will hold, or cause the adversary too much trouble to go around them. In an adversarial situation, of course, assumptions may fail repeatedly. The idea that somebody could fly a plane into a building as part of a hijacking scheme, and do that more than once, showed the weakness of our assumptions. And APTs are sort of like that — advanced persistent threats — where adversaries continually push against your defenses and try to get around them in various ways, and they may succeed often. I mean, even now the NSA says, you know, they assume that a certain fraction of their networks are compromised. So most of the crypto that we have today is sort of like the Maginot Line in its style, right? We design these schemes, we assume that setup has been done properly, that the keys are well generated and distributed properly, and then we're ready to play the game. We assume that the adversary is not going to steal the keys. We've got our Maginot Line set: the cryptographic assumptions, and the assumption that the keys will be kept secret. That's our Maginot Line. So we've made our assumptions.
We're going to live behind those lines. But the assumption that the adversary won't steal keys is qualitatively a bit different, I think, than the assumption that computations are hard, because keeping keys secret is a problem that somebody has to solve in the real world, using tools and techniques that are, I would argue, qualitatively much weaker than the mathematical complexity assumptions that we have. It's not a strong assumption, as we've seen over and over again, especially recently. So we have some research in the field that allows us to assume that the adversary can steal keys, or at least portions of them, going back to secret sharing — Adi Shamir in '79. Proactive cryptography — and I'm just giving a smattering of citations here, so excuse me if I haven't listed your favorite paper — proactive cryptography with Herzberg, Jarecki, Krawczyk, and Yung; signer-based intrusion-resilient cryptography, Itkis and Reyzin; leakage-resilient crypto, Micali and Reyzin '04, for example. Some of these assume that the adversary can get at some of your key, but not very much of it, or not all of it anyway, and that you can manage: we show that some amount of leakage, some amount of theft, is what we can tolerate. But the adversary typically isn't allowed to steal everything. There are some papers that do allow that — intrusion-resilient secure channels, by Itkis, McNerney, and Russell, for example — assuming that the adversary can actually steal everything. But we have very little research on how to think about keys being stolen entirely. So assuming that the adversary can get some leakage, or steal some of the key, that's sort of moving your Maginot Line, your line in the sand, a little bit: I assume the adversary is not going to cross that line, or maybe not even that line, but that that's as far as he can go. You know, he's just going to walk all over you. So to be a security professional, you think there shouldn't be
limits on your paranoia, right? The adversary is not going to pay attention to your assumptions; he's going to do what he can. So are we being sufficiently paranoid? I would argue that maybe we're not — that we're making up problems for other people to solve that we haven't solved ourselves: how to keep secrets. And we're assuming those problems will be solved well, and that may be false. There's a famous riddle due to our 16th president, Abraham Lincoln: if I call the dog's tail a leg, how many legs does it have? The answer, of course, is four — it doesn't matter what you call a tail, it's still a tail, right? That was one of his favorites. But we have something similar here, right? Calling a bit string a secret key doesn't actually make it secret. It doesn't do anything towards making it secret; it just points at it and says somebody's got to keep that secret — not my job, but somebody should keep that thing secret. It just identifies it as an interesting target for the adversary, really. So labeling it is not the same thing as protecting it. We do a lot of labeling — that should be secret, that should be secret, that should be secret — and we're making a problem for other people to solve. But, you know, those problems have got to be solved, and solved well, or we've got to figure out how to deal with the situation when they're not solved. Maybe that's more the point of this talk. So our goal here is to develop a new model, or new models, for scenarios involving total key loss and related scenarios, especially — and this is the new point — where the theft is covert. Right? So sometimes your password gets stolen, or your secret key gets stolen, and you don't know it. That's an interesting scenario, and one that we should be caring about as security professionals. What do you do? How do you think about those situations? How do you model them? What can you do?
So I'm going to be introducing a model that tries to capture at least some aspects of those situations where the theft is stealthy, where the theft is covert: you don't know that you've been hacked, maybe until later. I'm going to do this in the framework of a game — that was all motivation — so I'm going to present a game here, a very simple two-person game; I think you'll enjoy it. A very simple two-player game that tries to capture this, and give some initial results. This is very much work in progress, or preliminary, but I encourage you to think about these kinds of models and what we can do, or how to model these kinds of situations better. This is joint work with folks at RSA Labs: Ari Juels, Alina Oprea, and Marten van Dijk. So we'll talk about the game of FlipIt, and they've been thinking about some of the results; and actually there's some work that may be available on the web soon where you can play this game online if you like. So as I said, it's a very simple game. It's a two-player game. There's a defender, who is player zero, and an attacker, who is player one — and these are supposed to be blue and red; can you tell the difference in the colors? I think that's OK, so blue and red. It's very much a symmetric game, aside from the move costs: the players will have different costs of moving, and you'll see how this works in just a second. So there's some contested resource, or critical resource — it could be a password or a secret key or something like this — that the game is about. It's abstract in this situation; it's the thing that's being fought over by these two players: the security of the password, the security of the digital key. But this model also applies equally well to other things, like computer systems, where the computer system can either be hacked or not, or maybe a mountain pass, if you want a military situation, right?
So the mountain pass could be secured by one side or the other. We've got some contested resource, and the state of that resource is binary: it's either in a good state or a bad state. In the case of a password, it might be secure and secret, or it might be guessed or stolen — clean or compromised. For your key: controlled by the defender, or controlled by the attacker. That's the binary state; it's very simple: blue or red. So, two players. Each player has his corresponding favorite state, and a player can move to put the game into his state at any time. So the defender can move and put the resource into his state. In the case of a password, you might initialize the password, change the password, reset the password. You might recover the computer system, put it back into a clean state; you might disinfect it, get rid of the virus or the malware or whatever. So there's some move — I'm just calling it abstractly a move — that the good guy can take that puts it into the good state. And correspondingly there's some move that the bad guy can do that puts it into the bad state: it's compromised, it's corrupted. He installs malware, he steals the password, he infects it. Right? So that's all there is: those two kinds of moves, one move for the good guy, one move for the bad guy, and they can move at any time. Time is continuous here; it's convenient to have continuous time rather than discrete time. Unlike most games, this is not staged or anything like that. Somebody can steal your password at any time whatsoever.
So time is continuous, not discrete, and players move at the same instant with probability zero — we assume that so we don't have to worry about what happens if they both try to move at the same time. In the password case: creating a new password or signing key, or stealing it. I think I said these before: reinstalling the system software, or using a zero-day attack to install a rootkit, would be a move by the attacker; sending soldiers to the mountain pass by either side would represent a move in the mountain-pass game. So it's a very simple game. It's continual back-and-forth warfare: you can take over, they can take over, you can take over again, they can take over at some point. The attacker can take over at any time. There's no such thing as a perfect defense here, unlike most crypto, where we talk about building our defenses and living behind them. This is a situation where the attacker can take control whenever he wants to, and the only option for the defender is to retake it later. So it goes on forever, perhaps. And moves can be stealthy — this is the unique aspect of this game. In practice, compromise is often undetected. Here, we assume that players don't know when the other player moves. This is unusual: I've been trying to find things in the game theory literature where you don't know when the other player moves. There's a little bit of it, but very little — "imperfect monitoring" is the buzzword you'll find it under — but I haven't seen this game studied at all. So the players don't know: if your machine is infected with malware, you don't know it when it happens, and if you change your password, the adversary may not know that you've changed your password until later. So your uncertainty about the state of the system increases over time, right?
So you move and you've taken control, but then, as time evolves, you don't know whether you've retained control or not. So your move, when you move, might be a flip — you've taken control — or might be what we call a flop, where it has no effect; it's useless. If you change your password unnecessarily, that would be a flop. So flops are sort of unavoidable. So what do you know about the state of the system — what's your feedback? You only learn about the state of the system when you move. In general, if you're not moving, you're not seeing anything new about the system; when you move, you can find out. And you can have different models for different aspects — like, when you change your password, do you know whether your password was compromised or not? In the basic FlipIt game, we assume that when you move, you find out the complete history of moves by both players. So you find out not only whether your password was compromised, but when it was compromised, and maybe other moves that the player made. That's sort of the maximum amount you could hope to get. You could certainly study variants of the game where you learn less — like you just learn whether it had been compromised or not, or maybe you don't learn much of anything; we'll study some of those too. Or you might learn the time since the other player last moved, or whatever. So, in real life, in these examples, moving costs something, right? Changing your password takes effort: you've got to write it down on the sheet of paper you attach to your computer, or put it in your wallet, or whatever you do. Reinstalling the system software costs something. If you're the attacker, attacking costs something. So moves aren't free. We assume just some abstract model that says player i, when he moves, pays k sub i points. So the defender pays k sub zero to move, and the attacker pays k sub one.
We don't make them the same, necessarily; I think it's important that they can be different. In fact, the difference between these two is, I think, an important part of the modeling here. So there's a move cost. And the point of the game is to be in control, right? You want to have a system that's secure from abuse by the adversary, or you want your password to be clean, uncompromised. So we'll assume that a player earns one point for every second that he's in control. All right, so now we've got the basic framework here: we've got moves, we've got a state of the system, and now we've got a scoring function. You pay to move, and when you move you take control, and you gain one point per second of being in control. If you're the defender, and it costs you k sub zero to move, then you hope you're going to get at least k sub zero seconds of benefit, because you need that to pay back the cost of the move; otherwise you're getting negative benefit and you might as well not play. And similarly the attacker wants to be in control for at least k sub one seconds on average to pay for his move. So how well are you playing, if you have two players playing over time? You can count how many moves you've made: the number of moves made by player i, n sub i of t, is the number of moves he makes up to time t, and his rate of play, alpha sub i of t, is just n sub i of t divided by t. So you have some rate of play, and that corresponds to your rate of expenditure for the moves, of course, too. And you have some rate of being in control, right?
So at each time, either one player or the other is in control. G sub i of t is the number of seconds player i is in control up to time t, and gamma sub i is the rate at which you're gaining benefit from being in control. And then your score, your benefit, is just the difference between the amount of time you're in control and k sub i, your move cost, times the number of moves you've made up to a given time. Your rate of benefit is just that divided by t: beta sub i is your rate of gain, gamma sub i, minus k sub i times your rate of moving. The players want to maximize the limiting rate of benefit. So this is not a zero-sum game, right? The players can move at different rates: they can both move very fast, pay a lot, and get not much benefit out of it, or they could both play slowly and maybe they do better. So it's not a zero-sum game; we're assuming that each player is playing to maximize his own benefit, as in typical two-person non-zero-sum games. Each player has his own benefit rate that he wishes to maximize. So here's a little movie I made. It's sort of obvious what's going on here: the red circles represent moves by the attacker; the blue circles are moves by the defender. You play along: the defender is in control — he starts off the game in control — and then all of a sudden he's hacked, but he doesn't know this. So now the attacker is in control, and the defender doesn't know. The defender plays; he may find out at that time that he was hacked. Maybe he sits around, maybe he plays again; he doesn't know what's going on. At this point we can see we've played a bit of the game: the attacker has been in control five and a half seconds, with two moves whose cost exceeds that, giving a score.
He's got a negative score at this point; the defender has played three times, has been in control for 15 seconds, and has a cost of 12. Very simple game — this is a very, very simple game. Now, from the defender's point of view — just to emphasize — you only get feedback when you move. Here the defender has moved once, but he doesn't know now whether he's in control or not. He's actually been hacked; when he moves, he finds out: oh my god, I've been hacked. Right now he still doesn't know if he's in control anymore — is the adversary going to play again? He tries again; he's got a flop. And maybe he just waits it out; in this case, you wait. So you only get information when you move — just to emphasize that point. All right, so the question is: how do you play this game well? This is a model of a situation where you can be hacked, and then you can undo the hack, and you can be hacked again, and you don't know anything until you've moved yourself. You've got a scoring system: you want to be in control, minus the cost of your moves. How do you play this game well? So, non-adaptive play — let's start with that. When you move, you get information about the other player's history of moves, and you could try to figure out what he's doing and respond to that. But let's start with a simple case and look at non-adaptive play, where in fact your moves are pre-programmed: they don't depend on what the other party does. A non-adaptive strategy plays on blindly, without attention to the other player's moves, right?
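Before going on, the scoring rule above can be written down in a few lines. This is my own sketch — the function and variable names are not from the talk — checked against the snapshot just described, taking the elapsed time as 20.5 seconds (the two control times must partition it):

```python
# A minimal sketch of the FlipIt scoring rule; names are mine, not the talk's.

def rates(control_time, num_moves, move_cost, t):
    """Return (gamma_i, alpha_i, beta_i) for player i at time t:
    gamma_i = G_i(t)/t              fraction of time in control,
    alpha_i = n_i(t)/t              rate of play,
    beta_i  = gamma_i - k_i*alpha_i rate of benefit."""
    gamma = control_time / t
    alpha = num_moves / t
    return gamma, alpha, gamma - move_cost * alpha

# Defender from the movie: in control 15 of 20.5 seconds, three moves
# costing 12 in total (so k_0 = 4 in this snapshot), net score 15 - 12 = 3.
g0, a0, b0 = rates(15.0, 3, 4.0, 20.5)
```

The attacker in the same snapshot, in control 5.5 seconds with two moves, has a negative score precisely because his total move cost exceeds 5.5.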
That's one class of strategies you could have: you just make up your list of moves ahead of time, if you will — an infinite list. There are some interesting non-adaptive strategies. For example, periodic play: you just move every so often. You change your password every 90 days — that's periodic play. You reboot your system every morning, or whatever — that's periodic play. You could have exponential play, where at any given instant of time your probability of playing is the same — that's a Poisson process; you have an exponential distribution on the delays. Or you could have a renewal strategy, where the time between moves is determined by some probability distribution that you pick; that's the generalization of those two. So there are three classes of interesting non-adaptive strategies. Let's look at periodic play; it turns out to be quite interesting. A player may play periodically with some rate alpha sub i, and period one over alpha sub i, of course. So for alpha zero equals one third, the defender might just play every third step. I want to assume here that there's a little bit of jitter or drift in the moves; otherwise two periodic players can sync up — an adaptive player can play well against you anyway, but even a non-adaptive player can sync up, and I don't want periodic play versus periodic play to sync up at all. So we're going to assume "periodic" doesn't mean exactly periodic: periodic means, you know, you're playing with period three — you're moving every three seconds plus or minus a little bit of jitter, and that will tend to drift. That's convenient for the analysis and for the assumptions to work out. I mean, you could talk about the precisely periodic case, but then you've got a bunch of degenerate cases to worry about too. Even if you've got a little bit of jitter, though, an adaptive player can easily learn what you're doing, right?
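As an aside, the non-adaptive strategy classes just listed are easy to simulate. A sketch, with my own function names, pitting a jittered-periodic defender against a Poisson attacker (the specific rates and jitter are illustrative assumptions, not from the talk):

```python
import random

def renewal_moves(sample_gap, horizon):
    """Move times of a non-adaptive renewal strategy: successive gaps are
    drawn i.i.d. from sample_gap().  Jittered-periodic and exponential play
    are both special cases."""
    t, times = 0.0, []
    while True:
        t += sample_gap()
        if t > horizon:
            return times
        times.append(t)

def defender_control(defender_moves, attacker_moves, horizon):
    """Seconds the defender owns the resource up to `horizon`; the defender
    starts in control, and the most recent mover owns it."""
    events = sorted([(t, 0) for t in defender_moves] +
                    [(t, 1) for t in attacker_moves])
    owner, last, owned = 0, 0.0, 0.0
    for t, player in events:
        if owner == 0:
            owned += t - last
        owner, last = player, t
    return owned + (horizon - last if owner == 0 else 0.0)

random.seed(1)
T = 1000.0
d = renewal_moves(lambda: random.gauss(1.0, 0.1), T)   # period ~1 with jitter
a = renewal_moves(lambda: random.expovariate(0.1), T)  # Poisson, rate 0.1
frac = defender_control(d, a, T) / T                   # defender's gamma_0
```

With the defender moving ten times as often as the attacker, each attacker move survives only about half a defender period, so the defender controls roughly 95% of the time in this run.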
So if you're the defender and you're rebooting your system every morning, the attacker — once he learns that, because every time he moves he learns the history — can learn your period and your phase, and he can just take over the system. If you reboot your system at 9 a.m., he can retake it at 9:05 a.m., and you've had it. So periodic play doesn't work very well against an adaptive attacker, unless you're playing very fast — if you're playing so fast that the attacker doesn't have time to get his benefit before you play again, then he's not going to play. Essentially you're making your regular rounds; that's the classic movie situation where you see the guard go around the castle every 10 minutes, and you watch him go by and sneak in right afterwards — or your 90-day passwords. So, a periodic attacker against a periodic defender: let's look at that case; it's actually quite interesting. Suppose the attacker is moving periodically at some rate alpha one, and you're the defender; you know that, and you're going to play a periodic strategy. What's your optimal defender strategy, in the case that you're being attacked by a periodic attacker?
So if the attacker is playing quickly, you shouldn't play at all, because you'll have negative benefit. If the attacker is playing with rate bigger than one over two k zero, then his intervals are smaller than two k zero, and you as a defender need a k zero interval in order to get your benefit and pay for your move — on average you're going to get half of the adversary's interval. So two k zero is the limiting point, and if the attacker's intervals are shorter than that, you shouldn't be playing at all. If the attacker is leaving you intervals of exactly two k zero, then you can play — it doesn't matter much; you can play not at all, or up to a certain rate — but you're not going to get any benefit: you're going to get, on average, half of the attacker's intervals, just enough to pay for your moves, and that's it, no more. So you can play, but you get no benefit. On the other hand, if the adversary is more leisurely, you can play for positive benefit. You can play periodically at some rate alpha zero, and if you do a little bit of the calculus and optimize, it turns out you want to play faster than the adversary, and there's an optimum rate that maximizes your net benefit. So graphically we can display that here. Look at the situation for a periodic attacker and a periodic defender: you've got a graph with the rate of play by the defender — one sixth, one third, one half, two thirds — against the rate of play by the attacker. And let's look first at the optimum rate of play by the defender, from the theorem we just saw.
I'm assuming here that we've got a cost of one for the defender and a cost of, say, one and a half for the attacker. So if the attacker is playing quickly — rate one half or greater — then he's not leaving you intervals that are big enough for you to play in; you shouldn't play at all, your rate is zero. If the attacker is playing with rate exactly one half, his intervals are of size two; it doesn't matter what you play, you're in this range. And if your attacker is nice and playing slower than one half, he's leaving you some breathing room, and playing periodically at rate alpha zero, following this curve, is what you want to be doing. So this is the optimum alpha zero as a function of alpha one — alpha zero is the dependent variable here. You play at rate zero if he's playing too quickly; it jumps up, and comes back down symmetrically. The attacker has a similar curve, slightly offset, right? He's got a cost of one and a half, so if you're playing as defender with rate one third or bigger, your intervals are of size three, he's getting half of those on average, so if you're playing at one third or better, he has no motivation to play whatsoever — he's going to have negative benefit. If you're playing at exactly one third, he can play anywhere in that range; otherwise — and this is just the flip of the curve you just saw — he plays like this. And the question is where these players are going to end up playing, right? So if they both know they're going to play periodic strategies, the Nash equilibrium of course is where these curves cross, where neither is motivated to change at all. It doesn't mean they're going to play at this Nash equilibrium, but this is what you have: a Nash equilibrium with the defender playing at rate one third and the attacker playing at rate two ninths, and that's where these curves cross. And at this point they are sharing the resource in the ratio of two thirds to one third.
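The closed forms behind these numbers can be reconstructed from the argument just given; this is my reconstruction, not a formula shown on a slide. With alpha zero at least alpha one, each attacker move waits on average half a defender period, so the defender's benefit is beta0 = 1 − alpha1/(2·alpha0) − k0·alpha0, maximized at alpha0 = √(alpha1/(2·k0)); a quick check that this reproduces the quoted equilibrium:

```python
from math import sqrt

K0, K1 = 1.0, 1.5  # move costs from the talk's example

def opt_periodic_defense(alpha1, k0=K0):
    """Best periodic (jittered) response to a periodic attacker at rate alpha1:
    drop out when his intervals are shorter than 2*k0, else play at
    sqrt(alpha1 / (2*k0)) -- my reconstruction of the optimization."""
    if alpha1 >= 1.0 / (2.0 * k0):
        return 0.0
    return sqrt(alpha1 / (2.0 * k0))

# The quoted Nash point: defender at 1/3 against an attacker at 2/9.
a0 = opt_periodic_defense(2.0 / 9.0)              # -> 1/3
beta0 = 1.0 - (2.0 / 9.0) / (2.0 * a0) - K0 * a0  # defender benefit rate
beta1 = (2.0 / 9.0) * (1.0 / (2.0 * a0) - K1)     # attacker benefit rate
```

At that point the defender controls two thirds of the time with benefit rate one third, while the attacker's benefit is pinned at exactly zero, matching the figures in the talk.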
So the gamma rates, the rates of control, are in the ratio of two thirds to one third. The rates of benefit are one third and zero. So the defender is gaining here: his move costs are less, he can play faster, and so he's getting positive benefit. And he's forcing the adversary at best to play on this part of the curve, where the adversary gets no benefit whatsoever — so the adversary might as well drop out. This is not a stable equilibrium: the defender might just play a little bit faster and cause the adversary to drop out and get more gain, but then the adversary would jump back in. So it's not a particularly stable situation. In game theory it's hard to figure out what players will actually do when you end up with situations like this, where maybe somebody will invest some time to force you out for a while. But this seems like the most likely point for them to end up. All right, so that's periodic play. Nobody said you have to play periodically, of course. So exponential play is an interesting possibility. This is a kind of process that is well studied, because it's memoryless: every time you look at an interval of time dt, your chance of playing in that interval is the same, independent of what you played previously. So this is a Poisson process: the probability of a delay X being at most x is one minus e to the minus alpha one x, for the attacker. It looks random, right? It's raindrops falling on your tin roof, or whatever, because there's no correlation between the time of one move and the time of the next. And compared to periodic play, the intervals are high variance: with mean one you'll have variance one — the standard deviation is one as well. So that's higher variance.
So that makes it easier to play in the larger gaps, as we'll see. We can make the same kind of graph for exponential play versus exponential play as we did for periodic play versus periodic play. So here's the same graph with the move rates for the defender and the attacker, and let's look at the defender's strategy as a function of the attacker's rate of play. If the attacker is playing at a rate of more than one, then the attacker is playing too quickly; there's no point in the defender playing — he won't get any benefit whatsoever. But once the attacker plays at a rate slower than one, it's worthwhile for the defender to start playing. We don't have that straight-line business; it's a curve here. Once the mean time between plays by the attacker is more than one, the average control time for the defender, once he makes a move, is going to be at least one — right, because it's memoryless: once the defender moves, the expected time to the next attacker move is going to be at least one — and so it's going to be worthwhile for him to jump in and start playing. So you get a curve like this for the optimum rate of play by the defender, for various rates of play by the attacker. The optimum rate of play by the defender as a function of the attacker's rate of play alpha one — it's not hard to figure out — is just the square root of alpha one over k zero, minus alpha one. That's this curve; it maximizes the net benefit rate to the defender, given the attacker's various rates. So that's the curve for the defender's optimum play, given the attacker's rate of play. And symmetrically — or almost symmetrically; there's again a slight difference because the costs are different for the two players: the cost of the adversary's moves is one and a half.
So the point where it starts becoming worthwhile for him is when the defender is playing at a rate less than two thirds. So it's a similar kind of shape, and the Nash equilibrium for this one, where these two curves cross, is at the point (alpha zero, alpha one) with the two rates six twenty-fifths and four twenty-fifths. So the ratio of the rates of play, three to two, corresponds inversely to the cost ratio of two to three. And this equilibrium looks like a stable one to me — I think that's right; you can tell by the slopes of these curves whether a little bit of deviation forces you back towards it or not, and this looks like a stable equilibrium, whereas the one for periodic play doesn't seem like one. So the rates of gain are again three to two, and so the defender is in control sixty percent of the time, the attacker is in control forty percent of the time, and the net benefit rates are both positive in this case. So at the equilibrium here, they're sharing the resource, sixty percent to forty percent, and both getting positive benefit. This corresponds to the kind of situation where, you know, you're living with some parasites or something: you've got some malware, and you've got to live with the bad guy some of the time. And that's a qualitative feature of this model that seems to reflect reality as well: you can't have a perfect defense, you can't keep them out all the time, but you can figure out how to play — how to adjust your strategy to try to keep them out as much as possible and get your own maximum gain, considering the cost of your moves as well. So I consider that qualitative aspect of this reflective of reality, and interesting. So the third kind of non-adaptive strategy is renewal strategies, right?
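Before generalizing, the exponential equilibrium just described can be checked numerically. The best-response formula √(alpha1/k0) − alpha1 is quoted in the talk; the control-fraction formula alpha0/(alpha0 + alpha1) is my addition, standard for two competing Poisson processes:

```python
from math import sqrt

K0, K1 = 1.0, 1.5  # move costs from the talk's running example

def opt_poisson_rate(opponent_rate, own_cost):
    """Optimal Poisson rate against a Poisson opponent, per the talk's
    formula sqrt(opponent_rate/own_cost) - opponent_rate, clipped to zero
    when the opponent plays too fast (rate >= 1/own_cost)."""
    return max(0.0, sqrt(opponent_rate / own_cost) - opponent_rate)

# The quoted equilibrium: alpha0 = 6/25, alpha1 = 4/25 -- each rate is the
# best response to the other.  With Poisson play the control fractions are
# alpha_i / (alpha0 + alpha1): 60% / 40% here.
a0, a1 = 6.0 / 25.0, 4.0 / 25.0
gamma0 = a0 / (a0 + a1)              # 0.6
beta0 = gamma0 - K0 * a0             # defender's benefit rate: 0.36
beta1 = (1.0 - gamma0) - K1 * a1     # attacker's benefit rate: 0.16
```

Both benefit rates come out positive, which is exactly the "living with the parasite" regime: neither player is driven out, and the resource is shared sixty-forty.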
So this is a generalization of those two. Both periodic and exponential strategies had probability distributions that said: once you've made one move, the time to your next move is determined by some probability distribution, an exponential delay or just a fixed delay in the periodic case. The generalization of that is a renewal distribution, where you've got a probability distribution that you can pick however you like, but you use it every time after you've moved, until your next move. So the probability of your delay being less than or equal to x is determined by some distribution F sub i that's unspecified; you specify it to choose your moves. So this is a large class of move strategies. It includes the periodic and exponential ones, as I said, and there are lots of others. If you look at the literature on stochastic processes, the term renewal process defines precisely this kind of sequence of events. So one of our major results is this one here: if your opponent is playing a renewal strategy of any sort whatsoever, and you want to play a renewal strategy yourself that optimizes, then your optimal renewal strategy is going to be periodic, or maybe not playing at all if he's playing too quickly. So periodic play, in the case of non-adaptive play, is in fact optimal, at least among renewal strategies. You might think that having more unpredictability would be helpful, but we're talking about non-adaptive play here, where the players don't see how you're playing, and so periodic play is fine. About the proof: there's this nice classic exercise in statistics about the waiting time for the bus versus the average time between buses. You go to a bus stop; if the buses come periodically, every ten minutes, then on average it's going to be five minutes until the bus arrives. But if the buses arrive
with some other distribution, then the average time between buses and the average time you have to wait for the bus when you arrive at the bus stop are different random variables. They're related, but the one you really care about is the average time to wait for the bus: the average time until the attacker moves, if you're the defender. So these are different distributions. In the exponential case, the average time between buses is the same as the amount you have to wait once you arrive, as I said, because it's a memoryless process: the average time to the next bus equals the average time between buses, because the average time from any given point to the next arrival is the same. So most of the analysis has to do with the waiting time, which, if you flip it around, is also the time since the last move. Size-biased interval sizes is what they're usually called. And one of the key insights is that a periodic strategy minimizes the variance of the interval size. If the adversary steps into the middle of an interval, then you minimize his expected gain by having a periodic strategy, because his waiting time will be precisely one half of your interval size, whereas if you've got some positive variance in your move intervals, then because of the difference between these two notions you're giving him some benefit, and he will gain. So minimizing the variance in your moves turns out to be a good intuitive strategy. I won't give you the details of the proof; those are some of the notions. So, adaptive play. Adaptive play is hard. This is a tough game for that, because as we saw, periodic play isn't very effective: a learning adversary can just learn what your period and your phase are and defeat you. So if you're going to play against an adaptive adversary, what should you do?
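The bus-stop point can be made concrete. In renewal theory the observer's expected wait is E[X^2] / (2 E[X]), where X is the gap length; the formula and the little experiment below are my additions, not from the talk. Writing it as E[X]/2 + Var(X)/(2 E[X]) shows directly why zero variance, i.e. periodic play, minimizes the opponent's expected wait for a fixed move rate:

```python
import random

def expected_wait(gaps):
    """Expected wait of an observer arriving at a uniformly random time,
    via the inspection-paradox formula E[X^2] / (2 E[X]): long gaps are
    proportionally more likely to contain the arrival instant."""
    m1 = sum(gaps) / len(gaps)
    m2 = sum(g * g for g in gaps) / len(gaps)
    return m2 / (2.0 * m1)

rng = random.Random(0)
periodic = [1.0] * 100_000                                    # bus every 1.0
exponential = [rng.expovariate(1.0) for _ in range(100_000)]  # mean gap 1.0

print(expected_wait(periodic))     # exactly 0.5: half a gap
print(expected_wait(exponential))  # near 1.0: a full mean gap (memoryless)
```

Both processes have the same mean gap, yet the exponential one makes the observer (the attacker, in the game) wait roughly twice as long on average as the periodic one makes him wait half as long: exactly the size-biased effect described above.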
Well, if both players are adaptive, it's not hard to see, at least intuitively, that we've got a game that's at least as complicated as iterated prisoner's dilemma. If you've got a situation where both players can learn what the other player is doing, they can compete in interesting ways, and they can also cooperate in interesting ways. Prisoner's dilemma is the classic game where players can cooperate or defect, and if you play prisoner's dilemma in an iterated way (Axelrod had a nice book talking about strategies for playing iterated prisoner's dilemma), you can do tit for tat, where you play the same way the other player did in the previous round. So here you can view it as being very similar, with slow and fast being very much like cooperate and defect. Say you have a choice between playing slow at rate 0.1, playing on average once every ten time units, and fast at rate 0.2, playing once every five, and the attacker and the defender have the same choices, playing periodically, say, restricting it to just those two strategies. So here are the payoffs for the defender: 0.4 and 0.55 in the case of the attacker playing slow, so the defender is better off playing fast; he'll increase his gain from 0.4 to 0.55. And similarly, if the attacker is playing fast, the defender is still better off playing fast himself: he goes from minus 0.1 to 0.3. So from the defender's point of view, it's always better to play fast; that's a dominant strategy. And it's symmetric here; I've got the costs being the same for both players, so from the attacker's point of view he's better off playing fast in the first row and better off playing fast in the second row. So this is a classic prisoner's dilemma kind of two-by-two matrix, and you have all the richness and complexity of iterated play. They can cooperate; they can decide both to play slowly. So you're in an adaptive game.
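The dominance argument can be written out explicitly. A caveat: the matrix layout below is my own reconstruction from the spoken numbers (0.4, 0.55, minus 0.1, 0.3; the transcript also says "0.5" once, which I read as a slip for 0.55), so treat it as a sketch:

```python
# Defender's payoff matrix from the talk's example, indexed as
# D[defender_choice][attacker_choice], with 0 = slow (rate 0.1) and
# 1 = fast (rate 0.2). Layout reconstructed from the spoken numbers.
D = [[0.4, -0.1],    # defender slow vs attacker slow / fast
     [0.55, 0.3]]    # defender fast vs attacker slow / fast

# Costs are symmetric, so the attacker's payoff at (i, j) is D[j][i].
A = [[D[j][i] for j in range(2)] for i in range(2)]

# 'fast' strictly dominates 'slow' for the defender...
assert all(D[1][j] > D[0][j] for j in range(2))
# ...and likewise for the attacker, so (fast, fast) is the equilibrium,
assert all(A[i][1] > A[i][0] for i in range(2))
# ...yet both players would do better at (slow, slow): the classic
# prisoner's-dilemma ordering T > R > P > S.
assert 0.55 > 0.4 > 0.3 > -0.1
```

The assertions encode exactly the structure claimed in the talk: fast is dominant for each player, yet mutual slow play pays both players more than mutual fast play.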
They can say, well, you know, I'll let the adversary take over my machine on weekends when I don't care anyway, and then I'll take it back, or whatever; they can cooperate in various ways. So it's complex. Nonetheless, as a defender you can ask: how do I deal with an adaptive adversary? I've got an attacker who's going to try to figure out what I'm doing. I'm sending the sentries out, and he's going to be watching them; what kind of pattern should I send those sentries out on? He's going to try to figure out the pattern of play. So exponential is a pretty good strategy in this case. Exponential means you, the defender, are acting in a memoryless manner, so there's nothing for the opponent to learn except your average rate of play. If you're playing an exponential strategy, then as we saw earlier, the optimum strategy for the attacker is to play periodically, or not to play at all. So adaptivity doesn't help against an exponential strategy, because there's nothing to learn except your rate of play, and that's fixed. So graphically, the situation looks like this. You're the defender, and you give up something by playing exponentially, but maybe not that much. Here's a graph that shows the defender playing at rate 0.25, say; you're committed to spending at that rate, just to make the graph two-dimensional, so your rate is fixed. And let's start with the case where the attacker is playing periodically at a varying rate. So here the independent variable is the attacker's rate; this is alpha one, not alpha zero. As the attacker plays faster, your net benefit (you're the defender, so this is beta zero) goes from about three quarters down to zero.
So as he plays faster, you're gaining less and less, of course, and eventually you'll drop out at this point, as we saw. That's against a non-adaptive attacker: as he plays faster, you're doing worse, according to this curve. (I hope you can see that; I think the green is okay.) So if he's adaptive, you say, oh goodness, I've got an adaptive attacker, what do I do? Well, I can play exponentially, a memoryless strategy at the same rate, and now my benefit curve starts looking like this. I pay a penalty because the attacker has become adaptive: I've got a curve that starts off at the same point here, but there's a gap. But he can't do any better than this. This is something I can guarantee even against the best adaptive attacker, independent of complexity-theoretic assumptions or anything else. The uncertainty in my moving means that I can guarantee benefit at this rate for myself, no matter how the attacker plays. So I paid a penalty because he's become adaptive and I've become exponential. And one of the big open questions here is: is there a better defense? Is there an optimum defense strategy? I think there have got to be things that are better; I don't know how to prove them yet, but it seems like there should be curves in between these two. Given a fully adaptive attacker that can do whatever he likes, the exponential defender has a lot of variance in his moves. It's memoryless, which makes it easy to argue that an adaptive strategy isn't going to help much, but it's also got a lot of variance in the moves, and as you move towards the periodic rate of gain here, you're cutting the variance down. So you could use other kinds of random variables, maybe gamma distributions or something else, maybe waiting a bit and then doing a little normal curve or something, so you've got something that's a bit like periodic, but with a little more variance than periodic.
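To get a feel for the exponential defender's curve, here is a sketch that is entirely my own reconstruction, with assumed parameters k0 = 1 and defender rate 0.25: against a periodic attacker with a random phase, memorylessness means that after each attacker flip the defender regains control after an Exp(lam) delay, which gives a closed form that a direct event-driven simulation can confirm.

```python
import math
import random

def exp_defender_benefit(lam, a1, k0):
    """Defender flips at exponential rate lam; attacker flips periodically
    at rate a1 (period 1/a1). The attacker's time in control per period is
    E[min(Exp(lam), period)] = (1 - exp(-lam * period)) / lam, so the
    defender's benefit is his control share minus his move-cost rate."""
    period = 1.0 / a1
    attacker_time = (1.0 - math.exp(-lam * period)) / lam
    return (1.0 - attacker_time / period) - k0 * lam

def simulate(lam, a1, k0, horizon=50_000, seed=0):
    """Event-driven Monte Carlo check of the closed form above."""
    rng = random.Random(seed)
    period = 1.0 / a1
    t, owner, d_time, flips_d = 0.0, 0, 0.0, 0
    next_d = rng.expovariate(lam)       # defender's next flip
    next_a = rng.uniform(0.0, period)   # attacker's next flip (random phase)
    while t < horizon:
        nxt = min(next_d, next_a)
        if owner == 0:
            d_time += nxt - t           # defender was in control until nxt
        t = nxt
        if next_d <= next_a:
            owner, flips_d = 0, flips_d + 1
            next_d = t + rng.expovariate(lam)
        else:
            owner = 1
            next_a = t + period
    return d_time / t - k0 * flips_d / t

lam, a1, k0 = 0.25, 0.1, 1.0
print(exp_defender_benefit(lam, a1, k0))  # about 0.383
print(simulate(lam, a1, k0))              # should land nearby
```

As a1 tends to zero the benefit approaches 1 - k0*lam, matching the "about three quarters" starting point mentioned for a defender at rate 0.25; the exact curves shown in the talk depend on model details not in the transcript, so this is only illustrative.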
So it's unpredictable, and how do you trade those two off? This predictability-versus-variance trade-off is the important one. So we've got two extremes, the periodic defender and the exponential defender, and there have got to be interesting things in the middle that should be analyzable. That's an open question. So, lessons and open questions. I think we can't just stick with a Maginot Line philosophy in this community. We really have to be prepared to deal with total loss of key material, repeatedly. I think the world has shown us that labeling something as a secret key isn't sufficient: just because you've labeled this as a secret key and you've given it to the systems guys and said, you know, keep that secret, that doesn't mean it's going to work very well. And we've seen lots of cases where secrets get compromised repeatedly. So I'm not sure how much we as cryptographers can help, but we have to be prepared to treat that assumption in particular as a particularly weak one. Our other assumptions, about computational complexity, I think are much stronger, but the ability to keep secrets is one we should think harder about and be better prepared to deal with, with models like this or others. Play fast: if you're in this kind of situation, you want to play quickly; you want to force the other player to drop out if possible. So change your passwords frequently; reboot your server frequently. That's good play on your part, in the sense that it makes it harder for the adversary, and he may drop out. There are optimizations to do, of course, too. And one of the big lessons here, one of the big morals for me anyway, is that we should be paying more attention to the costs of these moves, because the costs are going to be driving everything. So what's the cost of changing your password?
What's the cost of putting your system into a clean state? You want to arrange the game so that your costs are a lot less than the other player's costs. These are systems kinds of questions, and we're seeing progress in that direction: the use of virtual machines to give you a fresh image of your system easily and quickly means you as a defender have a low move cost. When your moves are cheaper than the opponent's, you can move more quickly than he can, you can force him to drop out, and you get essentially full benefit. So this is a moral, maybe not so much for us as cryptographers, but for the systems security folks: how do we think harder about getting the system back to a good state cheaply? That's the key operation here. So, some open questions. We proved that the optimal renewal strategy against a renewal strategy is periodic. That's not quite the same as proving that the optimal non-adaptive strategy against a renewal strategy is periodic: renewal strategies are a subclass of non-adaptive strategies, and there may be non-adaptive strategies that aren't renewal strategies and do better against a renewal strategy. So there's a gap between that and what we were able to show, since we only analyzed renewal strategies against renewal strategies. What's the best non-adaptive strategy against an arbitrary renewal strategy? The conjecture is that it's also periodic. What's the optimal renewal strategy against, say, an adaptive but rate-limited adversary? You assume there's a bound on how fast the adversary can move, and then you want to know the best way to move yourself, given that he's adaptive and can learn what you're doing.
And again, this gets back to interpolating between those two curves, trying to find a way of balancing the predictability of periodic play, which is nice because it's got small variance, against unpredictability with higher variance, which gives the adversary more gaps to fit into. Gamma-distributed variables (a gamma variable is the sum of a number of exponential variables) seem to have the nice class of properties that I would conjecture might be a good answer here, but they're hard to analyze, because once you get away from the memoryless property, the best adaptive play against such a strategy is not easy to think about. If you play a fixed renewal strategy, some combination of exponential and something else, maybe, what's the best response? Can you lower-bound how well an adaptive adversary can do against it? That's a question of analysis: how do you analyze the best possible adaptive play against a given strategy that you've announced? Say I'd like to adopt the strategy of half the time moving in three steps and half the time moving in five, or something like that; how do you analyze what the adversary can do against that? What learning-theory algorithms apply? How do we develop good adaptive strategies? I think there's a lot of room for work here. Some of the reinforcement-learning literature yields strategies which may be applicable: temporal-difference (TD) learning and some of the other methods look like they might apply to this sort of game a bit, depending on whether the strategy you're playing against is a renewal strategy. Other open questions: the game generalizes in lots of ways. You could have multiple players, of course; the mountain pass could be controlled by any one of three players. You hear of malware that boots out the other malware and then takes over the machine: malware one, malware two, and then you as the defender. Other feedback models.
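On the gamma suggestion: a gamma delay with integer shape (an Erlang delay) is a sum of exponentials, and holding the mean at 1 while increasing the shape interpolates from exponential play (shape 1) toward periodic play, with the variance shrinking like 1/shape. A quick illustration of that interpolation, with all names and numbers my own:

```python
import random

def erlang_gap(rng, shape, rate):
    """A gamma delay with integer shape: the sum of `shape` i.i.d.
    exponentials of the given rate. Mean = shape / rate and
    variance = shape / rate**2."""
    return sum(rng.expovariate(rate) for _ in range(shape))

rng = random.Random(0)
for shape in (1, 4, 16):
    # Keep the mean gap at 1 by setting rate = shape.
    gaps = [erlang_gap(rng, shape, float(shape)) for _ in range(50_000)]
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    print(shape, round(mean, 3), round(var, 3))  # variance shrinks like 1/shape
```

The shape parameter is exactly the predictability-versus-variance dial discussed above: small shapes look memoryless, large shapes look nearly periodic.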
So the game here was the simplest possible one: when you play, you take control, and you learn everything about the game at that point. But you could have other feedback models. You could have a model where you just learn, when you move, whether it was a flip or a flop, whether your move actually changed who's in control, for example. Or a low-cost check: you could have a second kind of move. One kind takes control (you reflash your system), but you could also have a virus check that just tells you the state, good or bad. Maybe that check is cheap, and it costs you a lot more to actually take control. That makes the game harder to think about, of course, but maybe a little more realistic. How to structure a PKI when anybody can get hacked: I think this is an interesting direction to go in. We've got PKIs right now that assume there are trusted third parties that don't get hacked. And maybe that's right; maybe they don't get hacked; they put a lot of effort into managing the security of their root keys and so on. But it's interesting to think about a world in which anybody can get hacked and any key can be compromised, and you want to have a move which refreshes a key and re-establishes its good character. How do you build a public-key infrastructure in such a world? This might be a way to come up with a much more robust PKI. Right now the ones we have feel somewhat fragile and brittle, and maybe one where you're constantly changing your keys is actually a way to get a more lively, secure, and robust kind of system. And there may be an interactive version of this game: the folks at RSA were working on an implementation. It's not ready yet; the paper will be posted on the site as well. But it would be a fun game for an app.
I think you'd have two little smartphones, and you'd be pushing your buttons to take control. Anybody who wants to implement that, let me know. So that's it, basically; that's what I wanted to cover. A little bit early, but I hope you found the theme interesting. I think there's a set of questions that we're not asking in this community about dealing with total key loss, and I hope that this will stimulate you to think about these directions. Thank you very much for your attention.
Thank you. Any questions for Ron?
Thanks, Ron. This is fascinating, and it really feels like the beginning of a whole new line of research; it seems like it can be taken in so many different directions. One that I wonder if you've thought about is the possibility of the attacker and defender having different goals. An example might be where my goal is to get my banking done, and the attacker's goal is just to run a botnet for as long as possible. So I might run a malware scan right before my banking, knowing that the attacker will own my machine most of the time, and we're both relatively happy under those circumstances.
Good question. We hadn't thought about that kind of thing; we're trying to keep the first model as simple as possible. But the question of what the simple next steps are for the modeling is a good one, and that's one direction we hadn't thought about.
Thanks. Any other questions? So I guess we're all hungry; let's thank Ron again for a very interesting talk.