Learning Perfectly Secure Cryptography to Protect Communications with Adversarial Neural Cryptography

Researches in Artificial Intelligence (AI) have achieved many important breakthroughs, especially in recent years. In some cases, AI learns alone from scratch and performs human tasks faster and better than humans. With the recent advances in AI, it is natural to wonder whether Artificial Neural Networks will be used to successfully create or break cryptographic algorithms. Bibliographic review shows the main approach to this problem have been addressed throughout complex Neural Networks, but without understanding or proving the security of the generated model. This paper presents an analysis of the security of cryptographic algorithms generated by a new technique called Adversarial Neural Cryptography (ANC). Using the proposed network, we show limitations and directions to improve the current approach of ANC. Training the proposed Artificial Neural Network with the improved model of ANC, we show that artificially intelligent agents can learn the unbreakable One-Time Pad (OTP) algorithm, without human knowledge, to communicate securely through an insecure communication channel. This paper shows in which conditions an AI agent can learn a secure encryption scheme. However, it also shows that, without a stronger adversary, it is more likely to obtain an insecure one.


Introduction
A significant improvement in Artificial Intelligence (AI) has been achieved. Nowadays, several systems overcame human capabilities in human-like tasks as image recognition [1,2], speech recognition [3], driving cars [4] and playing intuitive games [5]. A natural question to be asked is whether AI will be, someday, better than humans to design or break cryptography.
There are some papers in the literature trying to use machine learning techniques to design new cryptographic algorithms. Most of these works proposed encryption schemes designed with Neural Networks (NN) as a tool to create non-linearity [6][7][8][9]. It could be argued that these proposals are not

Related Work
In this section, we review some works that used Neural Networks in Cryptography. More importantly, we explain how Adversarial Neural Cryptography works as proposed in [14].

Neural Cryptography
In 2002, Kanter et al. [6] proposed a new key exchange protocol between two parties using the notion of chaotic synchronization, which makes it possible for two weakly interacting chaotic systems to converge even though each one of them continues to move in a chaotic way. In Kanter's protocol, each party has a NN that starts in a random state and at each round it updates itself and then reveals one bit of information about its state to the other party. They also show in [6] that an attacker who uses an identical neural network with the same learning procedure is extremely unlikely to synchronize his network with the other parties. In the same year, however, Shamir et al. [10] broke the system using three different techniques.
Afterwards, several papers used chaotic NN to propose encryption and hash algorithms [7][8][9]. All these papers used the chaotic NN as a tool for randomness only, then we do not consider these works as AI. Nevertheless, all these algorithms were also broken [11][12][13].
NNs were also used to develop pseudo-random number generators (PRNG) [17][18][19]. In these works the parameters of the NNs were considered the seed of the PRNG and the randomness were tested with tools like the NIST random number generator test suit.

Adversarial Neural Cryptography
A recent work defined the concept of ANC [14]. Abadi and Andersen proposed a system in which 2 NNs named Alice and Bob tried to exchange a message while limiting what a third NN, named Eve, could learn from eavesdropping the communication.
In their work, they did not prescribe specific cryptographic algorithms to these neural networks. In fact, they showed that Alice and Bob could learn how to perform forms of encryption and decryption successfully denying Eve any information about the message. However, in their work, they did not show any solution learned by the networks. In this section, we describe their system to give a general understanding of the mechanics of ANC.

System Organization
The system of ANC is designed with the classical cryptographic scenario involving three parties (Alice, Bob and Eve) showed in Figure 1. Alice and Bob share a secret key K and wish to communicate the plaintext P securely. Eve is a passive attacker that wishes to eavesdrop on their communications trying to gain information about P through the ciphertext C.
In the ANC model, Alice, Bob, and Eve are all neural networks. As is common for neural networks, Alice, Bob, and Eve work over tuples of floating-point numbers, rather than sequences of bits. In other words, K, P, P Bob , P Eve , and C are all tuples of floating-point numbers.

Alice
Bob P K P Eve P Bob

Methodology
As neural networks, Alice, Bob and Eve have parameters that will be denoted by θ A , θ B and θ E , respectively. Also, let's define E A (θ A , P, K) as Alice's output (maybe an encryption) on inputs P and K, D B (θ B , C, K) as Bob's output (decryption) on inputs C and K, and D E (θ E , C) as Eve's output on input C.
To measure the distance between the true plaintext and an estimated value, the L1 distance is used, the L1 distance is defined by: where N is the length of plaintexts. Eve's goal is simple: to reconstruct P accurately. To achieve this goal, Eve's loss function per-example is defined by Intuitively, L E (θ A , θ E , P, K) represents how much Eve is wrong when the plaintext is P and the key is K. The loss function for Eve over the distribution of plaintexts and keys is defined by taking an expected value: Thus, one can find the "optimal Eve" by minimizing the loss: Similarly, one can define the per-example loss for Bob and extend it to the distribution on plaintexts and keys: Alice and Bob want to communicate clearly, but they also want to hide their communication from Eve. Thus, it is useful to define a loss function for Alice and Bob by combining L B and the optimal value of L E : Finally, one can obtain the "optimal Alice and Bob" by minimizing L AB (θ A , θ B ):

Training
ANC is an unsupervised learning technique. Training begins with all NN (Alice, Bob and Eve) initialized randomly and without any data. For random examples of plaintexts P, Alice and Bob try to learn to communicate minimizing the error between the original plaintext P and the output from Bob's network P Bob and, at the same time, making Eve guesses as random as possible. Afterwards, fixing Alice and Bob networks, Eve tries to decrypt C without knowing the key K. This process is repeated thousands of times until, hopefully, Alice and Bob find a way to communicate without giving Eve any information.
When training Alice and Bob, one should not attempt to maximize Eve's reconstruction error. If Eve was completely wrong, then Eve could be completely right in the next iteration by simply flipping all output bits. A more realistic and useful goal for Alice and Bob is to make Eve produce answers indistinguishable from a random guess.
For more details on the ANC technique, please refer to the original paper [14].

Improvement to the ANC Methodology
In this section, we propose an improvement to the ANC methodology using the Chosen-Plaintext Attack (CPA) which we call CPA-ANC. Additionally, we present a simple NN capable of learning the One-Time Pad which will be used to test this new methodology against the traditional ANC.

Chosen-Plaintext Attack Adversarial Neural Cryptography
As we will see in the experiments of Section 4, the problem with the approach proposed in the original ANC work [14] is that Eve's job is too hard. It must decrypt a random message having access only to the ciphertext. The consequence is that, under this methodology, Alice and Bob learn to communicate with cryptosystems that are not truly secure. Therefore, one can conclude that Alice and Bob do not have to do much effort to protect themselves against Eve, leading in insecure cryptosystems.
It is possible to improve ANC considering a more robust model of security for Alice, Bob and Eve. Namely, we will let Eve to mount a CPA. Therefore, to be protected against Eve, Alice and Bob will have to find a system secure against the CPA.
In this new setup Eve will choose two messages P 0 and P 1 and send them to Alice. Alice will choose one of these messages randomly, encrypt it with the NN obtaining the ciphertext C and send it to Eve and Bob. As usual, Bob will decrypt the message with a NN. However, Eve will not try to decrypt C, but will only output 0 if it believes P 0 was encrypted or 1 if it believes P 1 was encrypted. We call this the CPA-ANC setup and it is illustrated in Figure 2. Figure 2. Alice, Bob, and Eve, and the CPA-ANC setup. Alice and Bob share a secret key K. Eve chooses two messages P 0 and P 1 . Alice randomly chooses one message to encrypt producing the ciphertext C. Bob uses the key K to decrypt C producing P Bob . Eve receives the ciphertext C and tries to guess which message was encrypted outputting 0 if believes P 0 was encrypted and 1 if believes P 1 was encrypted.
In this scenario of CPA-ANC, Alice and Bob will have to find a much better cryptosystem to communicate securely. In Section 4, we will show that this approach can really improve the quality of the solution and that a NN can, in fact, produce secure cryptosystems.

A Simple Neural Network Capable of Learning the One-Time Pad
In this section, we propose a NN complex enough to be able to learn some form of cryptography but simple enough to allow us to reason about its security. To do this, we used a continuous generalization for the operator XOR, which is a well-known binary and non-differentiable operation that happens to be used a lot in cryptography.
Thus, if we want a NN that can perform the XOR operation internally, we need a generalization of the operation. It is possible to generalize the XOR operation using the unit circle by mapping the bit 0 to the angle 0 and the bit 1 to the angle π. In this way, the XOR is equivalent to the sum of the angles.
Note, however, that the sum is a continuous operation. Thus, it is possible to work with angles different from 0 or π, generalizing bits to a continuous space. The following equation defines the mapping of a bit b into an angle: The inverse of f provides the mapping of an angle a to a "continuous bit": With this operator, we can introduce a small NN in Figure 3 for learning an OTP. We will refer to this NN as CryptoNet. Basically, CryptoNet receives as input the plaintext and the key and, for each bit received, applies the transformation defined in Equation (9), resulting in angles. The next step is a standard matrix multiplication followed by the inverse transformation defined in Equation (10) resulting in the ciphertext. Note that the ciphertext is not composed of bits but by floating number between 0 and 1.
Mathematically, the fully connected layer of CryptoNet, is doing the following operation: . . a n−1 a n . . .
where W 2n,n is a matrix of weights with 2n rows and n columns, a 0 , ..., a 2n−1 are angles obtained from the plaintext and the key, and h 0 , ..., h n−1 are hidden variables. Through the remainder of the paper, we will denote the CryptoNet mathematically as the function where W is the matrix of weights defined above and P, K, C are vectors of n bits of input, key and output, respectively. The CryptoNet can learn to combine the input in many ways. Since the input bits are mapped to the angles 0 or π, if all the weights (elements of W 2n,n ) of the connections are integers, the result would be equivalent to XOR operations of the input bits.
Therefore, it is possible to learn an OTP with this network. It should be noted, however, that it is very unlikely to find an OTP randomizing the weights as real numbers since the probability of such event tends to 0.
With this model, we can train the network using ANC and reason about the results. Our goal is to understand if a NN can learn an OTP by itself. Moreover, we want to study and define conditions on the ANC model that can lead to a secure cryptosystem consistently.

Results
In this section, we test whether the proposed NN can learn a secure encryption system under three different scenarios. First, we train Alice and Bob to communicate without any adversary, showing that they will learn to communicate properly but without any encryption scheme. Then, we train Alice and Bob to communicate under the ANC setup showing that they will learn to communicate with a weak encryption scheme. Finally, we train Alice and Bob under the proposed CPA-ANC setup showing that they learn to communicate securely with high probability using the One-Time Pad.

Method
In all our tests, we trained two agents, Alice and Bob, using the same CryptoNet. The goal for Alice and Bob, in this case, was to learn to communicate using a single network. Thus, suppose Alice use an encryption function E(B, K) and Bob use a decryption function D(B, K), we defined these functions as a single CryptoNet: Thus, Alice and Bob must work together to find a single CryptoNet such that its inverse is itself. Therefore, to communicate properly, it should be the case that where P is the plaintext and K is the key. In our tests, we initialized the weight matrix W randomly. The training, as in [14], relies on estimated values calculated over "minibatches" of hundreds or thousands of examples alternating the training of Eve with that of Alice and Bob. Since this process is intensive and time consuming for large keys, we trained the model with small plaintexts and keys: 4-bit (n = 4), 8-bit (n = 8) and 16-bit (n = 4).
Unlike the standard training process of NN, here we do not have a clear concept of convergence. This is because when Eve changes its network, then Alice and Bob objective function also change as consequence. Therefore, we used two stopping criteria: 1.
If the decryption error of Bob is very close to zero and Eve's attack are as bad as random guesses, then we stop. In this case, we say we had convergence or a success.

2.
If the first stop criterion is not reached in 100.000 rounds, we stop. Here a round is completed when Alice and Bob are trained and then Eve is trained. If this happens we say we did not have convergence or a failure.
We trained this model using Tensorflow [20], a machine learning framework in python. Also, we used Adam optimizer [21] with a learning rate of 0.0002. We chose the learning rate and other hyperparameters adjusting the values empirically to avoid overfitting and underfitting as explained in the textbook [22]., which was defined empirically.
To obtain a meaningful solution in terms of XOR operations, we define Algorithm 1: if ζ n (W round , ζ n (W round , P, K), K) = P then 5 return Failure 6 return Success

Training without an Adversary
Our first approach was to train two agents, Alice and Bob, to communicate without an adversary. In other words, we want Alice to communicate with Bob without considering Eve. Note that, in this case, we are not using the ANC technique, just a straight forward communication. In where the function d is the L1 distance defined by We tested several models using Algorithm 1, the results are presented in Table 1. All the trials were successful since Alice and Bob were able to communicate without errors. However, all the trials resulted in an insecure algorithm. As an example, the following algorithm was found in one of the trials: where P = [p 0 , p 1 , ..., p 7 ] and K = [k 0 , k 1 , ..., k 7 ]. Clearly, this solution respects Equation (14). Note that the key was not used in the learned algorithm of Equation (17). None of the trials resulted in a secure cryptosystem. Naturally, as Alice and Bob were trained to learn to communicate through a CryptoNet, without any safety concerns, there were no expectations that the resulting function would have been secure. In the next section, we will introduce CryptoNet in the context of ANC to understand if Eve can help Alice and Bob to define a secure system to communicate. Table 1. 10 networks were learned and tested using Algorithm 1 for each key size. All the trials were successful since Alice and Bob were able to communicate without errors. However, all the trials resulted in an insecure algorithm.

Training the network with Adversarial Neural Cryptography
In Section 4.2, we demonstrated that Alice and Bob could not find a secure network to communicate without any notion of what security means. One way to give Alice and Bob this kind of notion is to introduce an adversary, named Eve, who wants to gain knowledge about the communication over the channel. To do this we use the ANC model.
We will not define Eve explicitly here because it can be any sufficiently complex NN (for example, the one proposed in [14]), as we will show in the results. Alice and Bob will communicate through a single CryptoNet, see Equation (13). Eve will try to learn a NN in which receives as input the ciphertext C and outputs the plaintext P: where d is given in Equation (16). Note that in the ANC method, Eve uses the plaintext as a measure of performance when training the NN. However, Eve's NN does not receive the plaintext as input. Therefore, Eve is applying a ciphertext-only attack.
Alice and Bob want to minimize Eve's knowledge about the plaintext P. In practice, Alice and Bob will learn by minimizing the loss where L AB is given in Equation (15), L E is given in Equation (19) and γ is a hyperparameter. The minimum function is used to guarantee that Alice and Bob would not try to maximize Eve's error, since, in this case, Eve could just flip all bits in the next round, achieving a correct guess. If Eve is just guessing the plaintext, it would be expected to get about half of the bits right, resulting in an average error of 0.5. As in Section 4.2, we train the networks with M random examples of plaintexts [P (0) , P (1) , ..., P (M−1) ] and keys [K (0) , K (1) , ..., K (M−1) ]. In our tests, we used a "minibatch" of M = 128 entries. We used γ = 5 in Equation (20) (intuitively this means that is more important to keep Eve's error high than to reduce Bob's decryption error). Also, we used the L2 regularization with α = 0.1 (4-bits), α = 0.05 (8-bits) and α = 0.01 (16-bits) (see [22]). All these hyperparameters were determined empirically.
Training alternates between five minibatches for Alice and Bob and 10 minibatches for Eve. The purpose of this ratio is to give a computational edge to Eve without training it so much that it becomes excessively specific to the exact current parameters of Alice and Bob. One example of this process can be seen in Figure 4.  After the training was completed, we used Algorithm 1 to test the learned CryptoNet. Unlike in [14], we did not trained Eve again when the training of Alice and Bob was finished. This is because the CryptoNet obtained is simple enough, so we can easily reason about its security without the aid of a NN. Table 2 shows a summary of the results. For each trial, the learned model was considered successful if Alice and Bob could communicate without errors when executing Algorithm 1. A learned CryptoNet was considered secure if it learned the OTP. For example, the following CryptoNet was learned by Alice and Bob: This CryptoNet was considered a success since Alice and Bob can communicate without errors. Naturally, this encryption in not secure since several plaintext bits were encrypted with the same key bit. However, this CryptoNet is secure against Eve. Obviously, any adversary with Eve's knowledge (any human or NN) cannot recover the plaintext since the plaintext itself was generated randomly. For example, suppose that c 1 = c 3 = 0, then Eve could learn that c 1 ⊕ c 3 = p 1 ⊕ p 3 and infer that p 1 = p 3 . However, since the plaintext is random, the best Eve could do is to guess p 1 and p 3 with the same value but, with this strategy, Eve would get both bits right in 50% of the time and get both bits wrong 50% of the time. Thus, Eve's output is not better than random, on average. This demonstrates that the standard ANC technique proposed in [14] is not good enough because it usually does not lead to a secure cryptosystem even using a very simple NN designed to allow a perfectly secure solution. In the next section, we will use the proposed CPA-ANC giving Eve a lot more power forcing Alice and Bob to a better cryptosystem.

Learning the One-Time Pad
To test the proposed CPA-ANC setup, as in previous sections, we considered Alice and Bob sharing a single CryptoNet (presented in Figure 3) to encrypt and decrypt. On the other hand, Eve's network changed a lot. Now Eve is a classifier, receiving P 0 , P 1 and C as input and classifying C as 0 if it believes C was derived from P 0 and 1 if it believes C was derived from P 1 .
We designed Eve with a similar structure as the CryptoNet. It receives two plaintexts P 0 and P 1 , the ciphertext C, and transforms the bits into angles through Equation (9). A fully connected layer, combines the angles into a total of R rules. Each rule is composed by generalized XOR operations and are transformed back into continuous bits through Equation (10). A second fully connected layer combines the results into logits going through a softmax layer resulting in a probability π 0 of C being a ciphertext of P 0 and a probability π 1 of C being a ciphertext of P 1 . Finally, the network outputs 0 if π 0 > π 1 or outputs 1 otherwise. We call this network CPA-CryptoNet and it is represented in Figure 5. We where t j , and t (i) j = 0 otherwise. Thus, Eve learns by minimizing L E while Alice and Bob learn by minimizing L given by where L AB is given in Equation (15), Err is Eve's classification error and γ is a hyperparameter.
To train the networks, we used a "minibatch" of M = 128 entries. We used γ = 7 in Equation (23). Also, we used the L2 regularization (see [22]) with α = 0.1 for 4-bit (n = 4) and 8-bit (n = 8) key lengths and α = 0.015 for 16-bit (n = 16) key length. Also, for Eve's network, we defined the number of rules R (see Figure 5) as R = 4 × n. The number of rules defines the number of linear combinations that Eve can analyze together to attack. Eve should need more equations as the key size grows. Therefore, we set it proportionally to the number of bits of the key. We grew the number of linear combinations until reaching a value in which Eve had great power to break the kind of cryptograms learned by Alice and Bob through the Cryptonet reaching the value of 4 × n rules.We chose all these parameters empirically.
Training alternates between the NN of Alice and Bob and the NN of Eve, with Alice and Bob training for 3 "minibatches", and then Eve training for 60 "minibatches". The purpose of this ratio is to give a computational advantage to Eve. One example of this process can be seen in Figure 6.
.. a n−1 a n ... . Another fully connected layer brings the hidden variables to logits through a softmax layer resulting in a probability π 0 of C being a ciphertext of P 0 and a probability π 1 of C being a ciphertext of P 1 . Table 3 shows a summary of the results. For each trial, the learned model was considered successful if Alice and Bob could communicate without errors when executing Algorithm 1. The model was considered a failure otherwise. A learned CryptoNet was considered secure against Eve, if Eve could not extract any information from the ciphertext. For example, the following crypto systems were learned by Alice and Bob: Note that the learned cryptosystems of Equations (24) are secure, namely, the OTP. In our tests, just one model was a failure as Alice and Bob could not communicate. Almost all successful models trained under the proposed CPA-ANC methodology learned an OTP cryptosystem. Moreover, comparing the results of Tables 2 and 3, one can note an increased number of successful trials. A plausible reason is that the original ANC methodology leads to a weaker adversary, and because of that, Alice and Bob have too much degrees of freedom with many possible solutions. This may lead to a more complex objective function with many local solutions. With CPA-ANC methodology and with the neural networks used, the only hope for Alice and Bob is to find an OTP solution. Therefore, it is likely that the objective function has a better behavior than the one obtained with the original ANC model. Steps Eve's classification rate 0 5000 10000 15000 Figure 6. The challenge of Alice and Bob against Eve. Eve tries to maximize its classification rate while Alice and Bob try to minimize Eve's classification rate and minimize Bob's decryption error. In the figure on the left, Bob's decryption error decreases over time in blue color. Also, on the right, one can see that Eve increases its classification rate in red color, however, when Alice and Bob learn a secure cryptosystem, in this case the OTP, Eve's classification rate becomes no better than random. The number of steps denote the number of "minibatches" on training phase. In black, we have a smooth version of the red curve.

Comparison with Related Work
As aforementioned, several NN cryptosystems were broken. This work reconstructs the technique ANC showing the cryptosystems generated by it. In addition, some of these cryptosystems are indeed Vigenère like ciphers, which can be broken. Furthermore, we show that the learning process from previous work probably will not generate a secure cryptosystem. Moreover, we improved the learning process by means of a stronger adversary, i.e., CPA-ANC and the same NN became able to learn an unbreakable cryptosystem with high probability, namely the OTP. Certainly, a cryptosystem is secure under the OTP assumptions, namely the one-time keys should be truly random and never leaked. The CryptoNet learned how to use the key. Table 4 summarizes the comparison. Table 4. Comparison with related work.
Normally, the cryptosystem result from ANC is a type of Vigenère cipher and from CPA-ANC is OTP. We do not need to compare their complexity like in [23], because both cryptosystems require only XOR and have equivalent performance.
Research in the intersection between Security and Artificial Intelligence has a lot of challenges. To clarify our contribution, this work presents the first Artificial Neural Network able to learn an unbreakable cryptographic technique, namely OTP. Even with the advent of quantum computers or any other computing technology [24], we cannot break the OTP. Machines just learned how to use it.

Conclusions
In this paper, we have shown that a neural network can learn a perfectly secure cryptosystem in the right circumstances. In addition, we have shown that the original ANC methodology is not good enough to achieve this goal. Moreover, we have presented a new CPA-ANC methodology capable of improving the objective function and the learned model.
In our experiments, we used simple neural networks to better understand the learned model. Using the original ANC methodology, very few of the learned models were truly secure. However, using the proposed CPA-ANC almost all the learned models were an OTP, which is secure. The main message here is that the adversary must be very powerful to force the solution into a strong cryptosystem. In other words, the proposed CPA-ANC methodology alone is not enough to guarantee security, the design of a very strong adversarial capable of breaking cryptosystems is key. In our minimalistic model, this was possible to achieve, however, in general, this is a hard open problem.
For further work, the research will continue to conduct more tests to evaluate more parameters than the current tests. It is necessary to implement a parallel code to increase performance and test the proposed model with larger keys. Additionally, it remains an open problem whether a neural network can learn a secure cryptosystem in which a small key is used to encrypt a very long message, like a block or stream cipher would do.
Of course, we do not recommend using neural networks in real systems. This paper shows that is very likely to get a weak encryption scheme using neural networks. There is a long path ahead to understand in which conditions a complex neural network will learn a secure cryptosystem consistently. Eventually, neural networks might break current cryptosystems and create others more secure. It is a long journey to transform this theoretical result to a practical one.