TEDL: A Text Encryption Method Based on Deep Learning

Recent years have seen an increasing emphasis on information security, and various encryption methods have been proposed. However, for symmetric encryption methods, the well-known encryption techniques still rely on the key space to guarantee security and suffer from frequent key updating. Aiming to solve those problems, this paper proposes a novel text encryption method based on deep learning called TEDL, where the secret key includes hyperparameters in deep learning model and the core step of encryption is transforming input data into weights trained under hyperparameters. Firstly, both communication parties establish a word vector table by training a deep learning model according to specified hyperparameters. Then, a self-update codebook is constructed on the word vector table with the SHA-256 function and other tricks. When communication starts, encryption and decryption are equivalent to indexing and inverted indexing on the codebook, respectively, thus achieving the transformation between plaintext and ciphertext. Results of experiments and relevant analyses show that TEDL performs well for security, efficiency, generality, and has a lower demand for the frequency of key redistribution. Especially, as a supplement to current encryption methods, the time-consuming process of constructing a codebook increases the difficulty of brute-force attacks while not degrade the communication efficiency.


Introduction
Today, more and more important data is transmitted in text format, whose security is guaranteed by various encryption methods. They include classic encryption algorithms (e.g., 3DES,AES,RSA) that have been widely used, as well as some innovative encryption algorithms (e.g., DNA algorithm [2,11], chaotic map algorithm [16]). Especially, AES, a representative of symmetric encryption, is rather popular and accepted as data encryption standard [31], due to its high speed and low space performance. Besides, another symmetric-key algorithm called one-time pad (OTP) [42,37] proves to be unbreakable. However, some defects still exist. Firsly, the strength of most symmetric-key algorithms relies on the key size [40,45]. It means that the security degrades proportionally as the key space gets smaller. One solution is to increase the complexity of the encryption algorithm. Then for the same size of key space, attackers need more time to crack. But it sacrifices efficiency, namely, both communication parties need to spend more time on encryption and decryption. It is a challenge to achieve a balance between security and efficiency. Moreover, for OTP, when a large amount of information needs to be transmitted, it suffers from the difficulty in key updating. The problem of secure key distribution makes it impractical for most applications [15]. Therefore, cryptologists are constantly designing more practical encryption methods to get close to OTP. The stream cipher is one of the alternatives, while it is vulnerable if used incorrectly [38].
Deep learning [21] has become a hot field in artificial intelligence. By training, the learning model can automatically learn the mapping from massive data to the labels. This process is controlled by some hyperparameters and generates a large number of unexplained parameters. Sometimes these parameters act as abstract representations of input data, although they do not seem to have any clear relations. When those hyperparameters are unknown or changed, or when the labels are altered, the exact parameters cannot be obtained. Therefore, a deep learning model embodies the nature of encryption. In other words, replacing meaningful data with corresponding parameters can be regarded as an encryption process [51]. A typical case is word embedding based on deep learning model [49,8], the cornerstone of Natural Language Processing (NLP). The most classic one is the Word2vec [29,30], which is improved by Glove [33], fast-Text [18], and so on. These models map words into distributed representations, which consist of parameters. Once we change the hyperparameters or corpus, the word representations (parameters) will change. In addition, deep learning training usually takes a long time, and the adjustment of each hyperparameter means a lot of time lapse. To some extent, this feature is useful to enhance security.
In this paper, we introduce the above characteristics of deep learning into text encryption and propose a novel symmetric encryption method for text encryption named TEDL. It adopts a public corpus as the original corpus, two copies of which are owned by both communication parties. They modify the copy at hand to obtain a synthetic corpus under the guidance of the key, respectively. The synthetic corpus owned by both should be confidential and consistent. After that, same word embedding models are used to train on the synthetic corpus under the hyperparameters specified by the key and construct word vector tables. Combined with the SHA-256 function [35], they are further processed to obtain time-varying codebooks, which is definitely consistent as well. The sender replaces the plaintext with a ciphertext based on the codebook and transmits it to the receiver. The receiver decrypts the ciphertext according to the codebook in turn. The contributions of our paper are as follows: • To the best of our knowledge, although there exists some work with respect to the combination of deep learning and information security [24,43,50], TEDL is the first to utilize the uninterpretability and time-consuming training features in deep learning to realize encryption. Moreover, it is the first time that the word embedding based on deep learning model is used for encryption.
• TEDL has time-varying and self-updating characteristics, which are greatly beneficial for reducing the frequency of key redistribution. The timevarying refers to the variation of codebook as information is transmitted. Consequently, for the identical word, its representation varies every time.
To some extent, it is close to the one-time pad. Besides, the concept of selfupdating means that both sender and receiver can reconstruct codebook by revising synthetic corpus, without changing the key.
• TEDL is sensitive to the change of corpus. We prove that the process of skip-gram hierarchical softmax (SGHS) is equal to implicit matrix decomposition, beneficial to the better understanding of the word embedding process. Moreover, it means that minor changes in the corpus can cause a wide range of adjustments in training results, just as changes in a small number of elements in a matrix lead to a wide variation in matrix decomposition results. It directly supports the feasibility of our method.
• TEDL has a two-stage structure: codebook construction stage and communication stage. The former needs a long time, and the brute-force crack is performed at this stage. The latter is always time-saving, for it only involves a search operation. And communication is mainly carried out at the second stage. In this way, both parties are able to achieve relatively high-speed communication while attackers still need more time to crack.
• TEDL performs well for security and high efficiency concluded by experiments and relevant analyses, which involve the recoverability, time cost for a brute-force attack, frequency analysis, correlation analysis, sensitivity analysis, efficiency, and generality.
The rest of the paper is organized as follows. In Section 2 and 3, we outline our method and give some preliminaries, respectively. In Section 4 we illustrate the key design. Section 5 details the encryption/decryption process. Section 6 introduces the self-updating mechanism in TEDL. We prove the feasibility of TEDL in Section 7 and the security analysis is shown in Section 8 with experiments in Section 9. Section 10 reveals the limitations of TEDL. Section 11 discusses the related work. Finally, Section 12 draws conclusions and further work.

TEDL Overview
It seems that security and efficiency are usually contradictory. Increased encryption algorithm complexity probably means strengthened security and reduced efficiency, which motivates people to search for the best trade-off. In this paper, our TEDL method provides a novel way to deal with this problem. As Figure 1 shows, TEDL contains two stages: (1) communication preparation and (2) communication process.
At the first stage, both parties in the communication get copies of the public corpus and modify them under the instruction of the key, completing the construction of confidential synthetic corpora, respectively. And the synthetic corpora mastered by both parties are expected to be consistent. Afterward, the hyperparameters in the key instruct the training on the synthetic corpora. Hence word vector tables are established, followed by a further process on them with the SHA-256 function to obtain codebooks. So far, the first stage called communication preparation ends.
At the second stage, when a word requires transmitting, the sender refers to the codebook at hand and uses the plaintext as an index unit to obtain the corresponding ciphertext. And then the ciphertext is sent to the receiver. In turn, the receiver decrypts the ciphertext based on the mapping in the codebook, which is equivalently an inverted indexing operation. After completing the transmission of a word, both ends adjust the codebook in a certain way. Therefore, when the next word needs to be transmitted, it is encrypted based on the new codebook.

Preliminaries
We first give the symbols and fundamental definitions used throughout the paper as Table 1 lists. Here, we take an example illustrated in Figure 2 to explain some definitions. Given a corpus (Public corpus & Original corpus) such as selections from Shakespeare, we can generate word vectors with a word embedding model based on deep learning. As we add some additional text to the

Symbol
Definition  Figure 2: An example of using ISBN address to construct the synthetic corpus It could be the Bible, Wikipedia 1 , iWeb 2 and so on.
Definition 2 (Original corpus). Define C α as either a public corpus or an expired synthetic corpus, which is a synthetic corpus generated under the guidance of the last key.
Definition 3 (Synthetic corpus). Define C γ as a corpus obtained by revising the original corpus. Make sure the synthetic corpus contains words in the plaintext, otherwise, their corresponding ciphertext is not available.
Definition 4 (Initial address). It gives the location of textual information and is part of the key.
There exist various addresses, such as arXiv ID, uniform resource locator (URL), digital object identifier (DOI), International Standard Book Number (ISBN) and so on.
Definition 5 (Initial incremental corpus unit). Define v 0 j as the text obtained from the initial address.
Definition 6 (Incremental corpus unit). Define v i j as the text that has a relationship (e.g.,citation, context) to the initial incremental corpus unit.
Definition 7 (Initial incremental corpus graph). Define G ι as an abstract structure inside the initial incremental corpus. It is a directed graph.
The distance between adjacent vertices (e.g., v 0 1 and one of its references v 1 1 ) is 1. And the distance between the two nodes without a directed path is ∞.
Definition 10 (Radius of incremental corpus graph). Define R as a measure of the size of graph.
All the nodes, whose distance from the initial incremental corpus unit is not greater than a certain value R, are added to V ι , forming the V β . When R = 1, 3 vertices are included in V β in that example. Obviously, Definition 11 (Incremental corpus). Define C β as a set of incremental corpus units. Actually, Following definitions are relevant to cookbook update.
Definition 12 (Interval time). t δ defines the update cycle agreed upon by both parties at the algorithm level.
Definition 13 (Initial time). t ι defines the moment when communication preparation starts for the first time. Definition 17 (Current original corpus). C i α defines the original corpus used between t i β and t i+1 β .
Definition 18 (Current incremental corpus). C i β defines the valid incremental corpus between t i β and t i+1 β .
Definition 19 (Current synthetic corpus). C i γ defines the valid synthetic corpus between t i β and t i+1 β .

Key
The key used in TEDL includes the following components: The meanings of symbols are as follows: • X 1 : The X 1 -bit binary number N 1 indicates the initial address. It may be specific to the chapter number or even page number.
• X 2 : The X 2 -bit binary number N 2 is equal to R.
• X 3 : The X 3 -bit binary number N 3 is used to calculate the dimension D of a word vector. Considering that D is required to be a multiple of 5 in the subsequent process of dealing with them, which will be detailed later, the value range of D is • X 4 : The X 4 -bit binary number N 4 is equal to the seed used for initialization of word vectors. For example, the initial vectors for each word w are set with a hash of the concatenation of w and str (seed), where seed = N 4 .

Synthetic corpus
Both parties build C γ based on the contents of the key (N 1 and N 2 ). For different kinds of addresses, the process is similar but slightly different. In the previous example, we have illustrated how ISBN serves as the initial address, which is relatively easy to comprehend. For a better understanding of C γ construction, we take a more complicated example, where arXiv ID is adopted as the address.
Assuming N 1 = 000111110000010011100111100101 2 and N 2 = 10 2 , we can find a paper according to arXiv ID arXiv:1301.03781, whose content is denoted as v 0 1 . Besides, it has 32 references denoted as v 1 1 , · · · , v 1 32 . So far R = 1, which does not satisfy N 2 = R. Given that each reference cites other. Therefore, we can enlarge the content due to further citations. Each of them is an incremental corpus unit v i j and all compose an incremental corpus C β . Finally, we add it to the C α to construct C γ , shown in Figure 3. It is worth mentioning that the language of C β does not require the same as C α , which may work sufficiently well for encryption since we do not need word vectors to have a good performance on the semantic representation.

Training
After obtaining C γ , both sides perform the training with deep learning model according to the hyperparameters determined by the N 3 and N 4 .
Firstly, we select a proper model to facilitate the discussion below. It should be qualified for the following Model Requirements: 1. Own at least a public training set.  2. The incremental training set (e.g. C β ) can be addressed with a key and should not be deliberately manufactured but ubiquitous or at least accessible to both parties. 3. The trained parameters should be sufficient and develop some relationship with the data objects. 4. It is more suitable for an unsupervised model or a semi-supervised model.
The supervisory part of the latter should be reflected in the public training set. As for a supervised learning model, it is acceptable if it meets Model Requirement 2 after both parties to communications negotiate additional conditions. For example, they agree on a uniform label for the incremental training set.
Obviously, the word embedding model meets those requirements.
Training is the core step in TEDL. In the following, we will discuss what kind of word embedding model is suitable and put forward some precautions in the training process.

Sparse word vectors and dense word vectors
Models for word embedding are divided into two categories, namely the sparse word embedding model (e.g.,VSMs [46]) and the dense word embedding model (e.g.,Word2vec [29,30]). In the sparse word embedding model, the wordcontext matrix is constructed, and its initial form is a matrix of frequencies.
Each element in a frequency matrix is determined by cooccurrence times of a certain word in a certain context. In practice, the process of matrix construction can be time-consuming when the corpus is large. The entire corpus needs to be scanned, in which each word and its corresponding frequency are recorded, and the results are finally placed in a matrix [17], denoted by F. The row vector of the i-th row of the word-context frequency matrix corresponds to the word w i , denoted as f (i:) , and the column vector of the j-th column corresponds to the context c j , denoted as f (:j) . The value of f ij is expressed as the frequency at which the i-th word co-occurs with the j-th context. This matrix has n r rows and n c columns.
Based on the initial matrix of frequencies, some adjustments are made to weight the elements in the matrix. [10] has proposed the Pointwise Mutual Information (PMI), which works well for word-context matrics. And the variation of PMI, Positive PMI (PPMI) [32], is also a powerful form for distributional representation of words.
When PPMI is applied to F, the new matrix, denoted by X, has the same size as F. The value of an element, denoted by x ij , is defined as follows [46]: In this definition, p ij is the probability of co-occurrence of the word w i and the context c i . Apparently, the matrix X is very sparse. And when C β is added to C α , the size of both matrix F and matrix X may change. However, most zeroes remain unchanged, causing the risk of crack increasing, especially when selecting a partial component of the word vector for encryption. For example, if the original vector of word is v = (0 0 0 0.5 0.5) and the new one is v = (0 0 0 0.25 0.75), it is extremely dangerous when the first 3 dimensions of the vector are used to replace the word for encryption. Such a sparse matrix is hence not available for our encryption method, due to the invariance of some elements. So we need to adopt dense word vectors.

De-randomization
For encryption methods, there are many requirements to be met, one of which is that the encryption results should be sufficiently random and unique, that is, the output should be consistent for the same input. Because of the random factors in some models (e.g., the negative sampling strategy [30]), it is possible to generate totally different word vectors under the same hyperparameters. For example, in the negative sampling strategy, only a sample of output vectors, selected by random methods (e.g., the roulette-wheel selection via stochastic acceptance), are updated instead of the whole output vectors, accelerating the training. Therefore, it is suitable for other applications but not for encryption.
Besides, note that for a fully deterministically-reproducible result of running, the model must be limited to a single worker thread, to eliminate ordering jitter from OS thread scheduling. There is no case where the word vectors derived by multi-process accelerated are consistent with ones derived by single-process training.
To sum up, it should be prevented that any random behavior results in different outcomes for the same input. Both sides of the communication cannot encrypt or decrypt when randomness exists. Similarly, when both sides carry out information transmission, the attacker cannot use tricks such as negative sampling and multi-process to speed up a brute-force crack. The reason is that, even if the attacker is currently trying the exact key, the derived codebook mastered by the attacker is inconsistent with the one used for communication. We hence choose the skip-gram hierarchical softmax (SGHS) model as an instance.

Word vector table
After training, the word vector table is generated, where the word serves as an index unit whose corresponding value is a D-dimensional real vector. The word vector table based on C α is represented as T α , and one based on C γ is denoted as T γ . For a certain word w, the corresponding vectors in T α and T γ are v α | w and v γ | w , respectively.
Let v α | w and v γ | w be row vectors. If T γ is not subsequently processed but directly used for encryption, the similarity between v α | w and v γ | w should be low enough, otherwise, it is dangerous. The similarity can be measured by the cosine similarity, which is defined as The first condition to ensure security is: sim xx (w) < limit xx , 0 < limit xx < 1 (10) where limit xx is a parameter, determined by the security requirements related to the specific application scenario. In addition, in T α , there exist words with high similarity to w. They are usually synonyms of w or words closely related to it. Rank them as w 1 , w 2 , w 3 , · · · according to the similarity with w. The similarity between w i and w is defined as Obviously, the following relationship is true.
Then we give the second condition for ensuring security.
sim xx (w) < sim xy (w, w n ) , n = limit xy ∈ N where limit xy is a parameter. If the sim xx (w) is too large, or even greater than sim xy (w, w 1 ), the attacker can easily conclude that the plaintext corresponding to the ciphertext v γ | w is exactly w. Therefore, limit xy should also be set properly according to the security requirements.
In the case where hyperparameters are identical, sim xx (w) is actually determined by the ratio of C β to C α . To meet both requirements for sim xx (w), make sure a proper size of C β .
Obviously, if the word vector table (T γ ) is directly used for encryption, the above conditions are not enough for security, and it is hard to determine the selection criteria about limit xx and limit xy , thus calling for more careful and sophisticated design.

Time-varying codebook
Here we adopt a relatively more trustworthy way: process T γ with SHA-256 function, for its avalanche effect and irreversibility. Figure 4 shows the transformation for a vector of word w i . Next, we detail the process and explain the corresponding motivation. Since Sigmoid function σ (x) = 1 1+e −x is used in the SGHS model, the derived real vectors are irrational vectors, precisely. In theory, irrational numbers are infinitely long but limited by the computational accuracy of a computer, the results are finite and should be kept as a few effective numbers. To simplify the discussion, double-precision floating-point numbers are specified in the program, which means that the real numbers in T γ are truncated to 16-digit precision or 53-bit precision.
To send the word vector to SHA-256 function, a simple method is to convert the first 16 significant digits of each dimension into a 16-digit integer. For example, 0.0006421631111111111 10 ⇒ 6421631111111111 10 If the dimension D = 200, all 16-digit integers are spliced to obtain a 3200-digit integer, feeding SHA-256. However, it is extremely time-consuming, degrading the encryption efficiency. Conversely, feeding a short integer string causes a significant waste of space. For a 32-digit integer, at most 10 32 different results can be generated, far less than 2 256 , the space of the message digest generated by SHA-256. Therefore, we consider connecting five 16-digit integers together, the space of which is 10 80 ≈ 864 × 2 256 .
As information is transmitted, the primary process of communication is shown in Figure 5, where D = 200, h 0 i,j denotes the j-dimensional in the vector shown as the fourth line in Figure 4. Its corresponding word is w i . In essence, it is similar to the polyalphabetic cipher [4] for resistance to frequency analysis. In other words, in the case where the same word is used multiple times, the corresponding hash, always the first component in a hash vector, is indexed from a different vector table each time.
However, it is not safe enough due to the relatively limited vector tables. Thus we design the manner of codebook usage, shown in Figure 6. We divide the D -dimensional vector into two parts, a (N 3 + 1)-dimensional vector and a 1-dimensional vector, which are named loop vector and reserved vector, respectively. h k i,j denotes a value in loop vectors while rh i denotes a value in reserved vectors.
where || stands for concatenating. The concatenation of two 256-bit values results in a 512-bit number. hash denotes the SHA-256 function. If h k i,0 has been used, h k+1 i,0 is computed and then placed in the last dimension in the loop vector, while h k i,0 is discarded. Other hashes in the loop vector shift left. Each time only the first dimension hash acts as ciphertext. The difference lies in that as the information interacts, the hash vector table keeps changing. Therefore, it is namely a time-varying codebook. Such a design can greatly extend the replacement table. Ideally, since the space of the hash is 2 256 , there are 2 256 alternatives to the same word.

Self-updating Codebook
The self-updating codebook updates itself periodically without changing the key. To some extent, the time-varying characteristic is a self-renewing mechanism, which is one of the self-update mechanisms of TEDL.
This section explores another self-updating mechanism in TEDL. Considering that the codebook is obtained through a series of steps from C γ , the update of the codebook can be achieved by updating C γ , or by regulating the hyperparameters (e.g., the seed).

Synthetic corpus update
From definition 12 to 19, i = 0, 1, · · · , and it denotes the i-th validity period of the codebook. We make the following reasonable assumptions: • The time when one gets the key is known to the other. • From the beginning of constructing C β to the completion of building C γ , the content of C β being acquired is static and unchanged.
• Both sender and receiver will not exchange information during the period from the start of the construction of C β to the completion of the codebook update, that is, the communication needs to be aborted from t i β to max t i s , t i r .
The variables defined above have the following relationship: Note that, except for C 0 α , C i α cannot be made public because it is the synthetic corpus C i−1 γ in the previous period. The update process is illustrated as Figure 7. At t 0 β , both parties begin to construct C 0 β , adding it to C 0 α to form C 0 γ . At t 1 β , C 0 γ is renamed to C 1 α , which can be further updated to C 1 γ . Two ways to renew C β are provided here, the choice on which can be negotiated at the algorithm level: Since there is information transfer between both ends, if the amount of data delivered is sufficiently large, it can act as In theory, infinite rounds of corpus update can be implemented without changing the key. Nevertheless, if the partial deletion is not adopted, the corpus will become larger and larger. Especially, in case of the first way, C β will grow exponentially. If the initial radius R of G β is set to 0, it changes as Figure 8.
To meet the conditions suggested in Section 5.3, C β is required correspondingly more. Therefore, it is recommended to agree at the algorithm level that restoration is performed every x times. It means the next version of C x−1 α should be C 0 α instead of C x α , so Eq.(18) is corrected to be In addition to restoration, the split operation is also optional. Assuming that two articles are enough to satisfy the conditions in Section 5.3, we may divide 32 articles into 16 incremental corpora, which are used at t 1 β , t 2 β , · · · ,t 16 β in turn. In this way, C γ is controlled to a certain scale by the restore operation and the split operation.

Seed update
It is also possible to update the codebook by periodically changing the value of the training parameter seed and assign it a value from reserved hashes. Two reasons support for choosing a reserved vector: 1. The value of the reserved vector is constant throughout the encryption and decryption process. 2. The reserved vector merely serves as partial input of SHA-256 and never exposed. Due to the irreversibility of SHA-256, the attacker cannot derive the value of the reserved vector from the ciphertext.

Interpretable word embedding by matrix decomposition
Given that the feasibility of TEDL is based on the fact that the distributed representations of all the words change after adding a small amount of incremental corpus to the original corpus, it is necessary to understand why the training process can achieve the desired effect.
As discribed in Section 5.2, the distributed representations refer to dense word vectors. Two Densification Methods are offered here to generate them instead of sparse vectors.
1. Apply truncated SVD to the sparse matrix derived from a sparse word embedding model. 2. Use a dense word embedding model.
As for Densification Method 1, since the matrix X calculated after adding a small amount of corpus can be regarded as the original matrix X is locally perturbed. If the location of the disturbance is appropriate, the effect is global and each component of word vectors change under finite precision conditions.
As for Densification Method 2, actually, training can be interpreted as matrix decomposition. It has been proved that the embedding process of skip-gram negative sampling (SGNS) and noise-contrastive estimation (NCE) is an implicit matrix decomposition [22], while GloVe [33] is an explicit matrix decomposition [23]. And Rong derived and explained the parameter update equations of the Word2vec models [36]. Now, we give a theorem about the essence of the process of skip-gram hierarchical softmax. Proof. In a corpus, words w ∈ V w and their contexts c ∈ V c , where V w and V c are the word and context vocabularies. The vector representation for word w i is v wi , while for c i is v ci . For word w i , the contexts are the words surrounding it in an L-sized window w i−L , · · · , w i−1 , w i+1 , · · · , w i+L , one of which is c i . We denote the collection of observed word-context pairs as S. We use # (w i , c i ) to denote the number of times the pair (w i , c i ) appears in S. Similarly, # (w i ) is the number of times w i in S and # (c i ) shows the number of times c i occurred in S. They are defined as: Consider a word-context pair (w i , c i ). In the hierarchical softmax model, no output vector representation exists for context words. In other words, the vector v ci is untrained. Instead, there is an an output vector v n(ci,j) , which is trained during the training process, for each of the |V c | − 1 inner units. And the probability of a word being context c i , the output word, is defined as where L (c i ) denotes the length of path, n (c i , j) means the j-th unit on the path from root w i to the word c i ,ch (n) is the left child of unit n, v n(ci,j) is the output vector of n (c i , j), v wi is the distribution representation of w i , as well as the output value of the hidden layer, [[x]] is a specially defined function expressed as Obviously, the following equation is true.
The probability of going left at an inner unit (including the root unit) n is defined as which is determined by both the output vector of the inner unit and the hidden layer. Similarly, the probability of going from unit n to right is The parameter update process is derived in the following part. For simplicity, we consider the situation of one-word context models, which are easily extended to skip-gram models. We simplify some notations without introducing ambiguity first: The global objective is trained using stochastic gradient updates over the observed pairs in S, defined as For a training instance, the local objective is defined as In SGHS, it is the vectors of the inner units and a hidden layer that are trained. On the path from w i to c i , for each inner unit, [[·]] is either 1 or -1. And for each w i , there exist # (w i ) paths (including cases where the same path is repeatedly counted). Assume that a total of k paths pass through n, there must be k l paths through the left child nodes of n, while k r paths walk via its right child, obtaining: The global objective hence is rewritten as where V n denotes the collection of inner units n. We take the derivative of E with regard to v n T v wi , obtaining We compare the derivative to zero, arriving at Finally, we can describe the matrix M of |V w | rows and |V n | columns that SGHS is factorizing: Therefore, the embedding process of SGHS also performs an implicit matrix decomposition.
Subtle modification to the original corpus is equivalent to perturbation on the implicit matrix, which can eventually lead to radical change in the training results.
However, just matrix decomposition, whether explicit or implicit, cannot ensure that every dimension of each word vector changes. Very few individual components of the word vector may remain unchanged, which is a fatal weakness for encryption. From this perspective, Densification Method 1 is not secure enough. Instead, Densification Method 2 can solve this problem by increasing the number of iteration epoch. In particular, as long as it is greater than one round, the effect of local disturbances will be comprehensive, resulting in changes in all word vectors, which is confirmed by related experiments.

Security Analysis
According to the Kerckhoff guidelines, a good encryption method should have a large enough key space. The key space of TEDL is 2 X . Considering the example with arXiv address, set X 1 = 30, X 2 = 2, X 3 = 8, X 4 = 256. In theory, X 4 can be infinite, but given that the space of hash is 2 256 , we assign that X 4 = 256. Otherwise, referring to the drawer principle, there must be two different hashes colliding. See Table 2 for a comparison of the key space.
For the same key space, the time required to complete encryption for each key differs. There may be doubts here: for the attacker, the longer time for trying each key, the more time will be spent on the crack, but in turn, does the time required for the communication parties to normally transmit information increase dramatically? It is not the case for TEDL, owing to the two-stage structure. The brute-force crack is mainly performed at the first stage while the communication between the two parties is mainly carried out at the second stage. Therefore, it improves safety while ensuring efficiency.
In addition, TEDL does not directly use the key in the encryption. Instead, the key is the instructor during the encryption and decryption process. Therefore, techniques that involve ciphertexts analysis, such as Differential Cryptanalysis [7], Linear Cryptanalysis [27], Truncated Differentials [20], Boomerang Attacks [48], Impossible Differentials [19] and others [12,13], are not effective since these ciphertexts involve limited knowledge about keys, making it infeasible for attackers to predict keys.
Besides, TEDL bases the security on the difficulty in parameter interpretation in deep learning, which is another hard problem. Not only the parameters themselves are uninterpretable, but the trend of their variation is also unexplained, which is core challenge, as described in [1].
Furthermore, the application of SHA-256 makes TEDL more secure. In cryptography, the avalanche effect refers to an ideal property: when the input makes the slightest change (for example, inverting a binary bit), an indistinguishable change in the output occurs (there is a 50% probability that each binary bit in the output is inverted). The ideal state of nonlinear diffusivity is the avalanche effect. [28] shows that SHA-256 has excellent nonlinear diffusivity. Therefore, even if word vectors are similar, the outputs are quite different. Moreover, because of the irreversibility of the secure hash function, the relation between ciphertext and plaintext is extremely weak and intractable. It is hard for an attacker to decrypt. Finally, other related security analyses will be illustrated with experimental results.

Experiments and Performance Analysis
This section presents the experiments and corresponding analysis of TEDL, showing that it achieves a balance between security and efficiency, which make it suitable for transmission of a large amount of data. All the experiments are performed on an identical platform with system configuration of i7 processor @ 2.50GHz and 8 GB Ram, and evaluated on two datasets in different languages, one is Chinese Wikipedia corpus (about 1.3GB) 3 and the other is a subset of the English Wikipedia corpus (about 600MB) 4 . Relative codes are available on GitHub 5 .
Our experiments focus on following issues: • Recovery. It verifies that the ciphertext is decrypted successfully, even if the ciphertext is tampered with in an insecure channel.
• Consumed time for brute force. It measures the ability of encryption methods to resist brute force attacks.
• Frequency analysis. It is about the frequency distribution of cipher symbols, characterizes the confusion.
• Correlation. It refers to the correlation analysis between encrypted data and original data.
• Sensitivity analysis. It also measures the strength of encryption methods against cracking and hacking threats. For plaintext sensitivity or key sensitivity, it is high when changing a small number of bits in plaintext or key results in a large variance in ciphertext. As for ciphertext sensitivity, it is embodied when a natural error or intentional tampering in the ciphertext is remarkable [26].
• Efficiency analysis. It measures encryption speed.
• Generality analysis. It studies whether a method is suitable for multiple models.

Recovery
As described in Section 5.4, both parties only send and receive the firstdimension hash in the time-varying codebook. The hash that can be restored to a word is called a valid hash. Obviously, the number of valid hashes is equal to the total number of word keys in the codebook, far less than 2 256 . When the ciphertext is partially tampered with, the valid hash that has the most overlap with it is selected from all the hashes of the first dimension, the plaintext hence can be restored with a high probability. We define the recovery accuracy rate (RACR) to measure the anti-interference and recoverability of TEDL.
where n t denotes the total number of tampered hashes, n c stands for the count of tampered hashes which are successfully restored to correct words. We randomly select 1000 words as samples, whose corresponding hashes are tampered with. To test the recovery rate under different conditions, we set the total number of tampered bits from 0 to 256 bits, and randomly choose the tampering location. Experiments repeat to calculate RACR and we plot it versus the number of tampered bits as Figure 9.
It shows that an invalid hash is recoverable if the count of tampered bits is less than 85, otherwise, the original word is not able to be restored.

Frequency analysis
For English text, we explore texts of 2MB, 20MB, and 200MB respectively, which are extracted from corpus 6 , and plot frequency distribution histograms with respect to both plaintext and ciphertext, which are shown in Figure 11a. For text in Chinese, 2MB, 20MB and 200MB texts are encrypted accordingly, and the frequency histogram is shown in Figure 11b. Obviously, TEDL completely dissipated the original distribution instead by a fairly uniform distribution. It has a remarkable ability to resist against the statistical attack, especially frequency analysis, and works in any language.

Correlation
The original data is instinctively considered words, while the encrypted data is either word vectors or 256-bit hashes. It is hard to calculate the correlation. Therefore, we need to redefine original data and encrypted data.
1. In the case of directly using the original word vector table, original data is denoted by v α | w , which is generated after embedding training on the public corpus under certain parameters, while encrypted data is v γ | w . 2. In the case of using a time-varying codebook, h α represents original data and h γ denotes encrypted data. Both is obtained by further processing described as Section 5.4, and they are corresponding to v α | w and v γ | w respectively.
We carry out experiments in both cases mentioned above.

Directly using word vector table
In case 1, the correlation between the encrypted data and the original data is measured by the cosine similarity defined by Eq.(9), rewritten as follows: We explore the effects of different training conditions, including the number of iterations (epoch), the vector dimension (D), the ratio of C β to C α (C ratio) and the size of window (window), which indicates the maximum distance between the current and predicted word within a sentence in the word embedding model. For other parameters, we set C ratio = 1 : 10000, seed = 1, window = 5. We sort the sim of each word from small to large and draw as Figure 12. Obviously, as D and epoch increase, the correlation between the original data and the encrypted data decreases. Note that in the case where epoch = 1, regardless of the word vector dimension, there is a phenomenon that the correlation is 100%. On the other hand, as long as epoch is greater than 1, this phenomenon no longer exists. In addition, considering that as epoch increases, the training process converges, which means word vectors update slightly. Therefore, the setting of epoch is not included in the key but should be agreed at the algorithm level.
Changing C ratio. For other parameters, epoch = 2, D = 200, seed = 1, window = 5 and we test the correlation at a ratio of 1 : 10000, 1 : 1000, 1 : 100. The results are shown in Figure 13a. As C ratio increases, the sim decreases, which is in line with expectations. However, the result relies on language consistency in C β and C α . If not, will the encryption effect drop?
We answer this question in the next experiment. If not specified, subsequent experiments also proceed under the conditions mentioned above.  Language inconsistency exists. Unlike previous experiments, pure Chinese corpus serves as C β . And we change the C ratio to observe trends in correlation, pictured as Figure 13b. Obviously, the encryption effect is not much different from the last result, which indicates the impact of language inconsistency is negligible.
Changing window. Apart from the default conditions, we set C ratio = 1 : 10000 and depict the result as Figure 14a. We can conclude that window is also related to correlation. However, it does not mean that the variation of window directly changes the representation of the same word significantly, while it is evident when changing D. Therefore, it is necessary to verify this, under the condition that no C β is added to C α , as well as the default conditions. The Eq.(43) is revised as where v α and v α is trained on the same C α but with a different parameter window. Figure 14b shows the result. We can see the size of window directly

Using time-varying codebook
In this case, each word is encrypted to a 256-bit hash h γ . We conduct experiments on both English and Chinese corpus. As described in [3], the correlation is measured by where ⊕ denotes XORing, h α ⊕ h γ generates a binary string, count (string) is the count of '0' in the string, length (h α ) represents the length of string h α , which is considered the original data. As can be seen from the experimental results in Section 9.4.1, as long as epoch > 1, each word vector definitely changes. Without losing the generality of test, we confine epoch = 2 and test r xy by changing D, depicting the frequency distribution histogram (hist) and frequency distribution function (pdf ) of r xy as Figure 15.
The horizontal coordinate represents r xy , and the vertical coordinate denotes the corresponding frequency. Obviously, r xy is concentrated around 0.5, which

Sensitivity analysis
To measuring sensitivity of plaintext and key, the operation is to make a slight change to either and calculate the change rate of ciphertext (CRC), defined as where h γ is the original ciphertext, h γ is the ciphertext as minor modifications occur to plaintext or key, Dif h γ , h γ is the count of distinct symbols in h γ and h γ . For ciphertext sensitivity, we disturb several bits of ciphertext to observe whether it is still in the valid hash collection H v , which contains all valid hashes at the moment. The ciphertext change sensitivity (CCS) is defined as where n t denotes the total number of invalid hashes, n co stands for the number of tampered hashes still in valid hash collection.

Key sensitivity
For a given key, we choose a key that differs by only one bit, which can be located at any component of the key, and juxtapose ciphertexts for the same word. Given that components N 2 and N 3 are related to the C ratio and D, respectively, which have already been considered, only N 1 and N 4 remain to be altered for further experiments. Modifying N 1 . We transform N 1 = 000111110000010011100111100101 2 to N 1 = 000111110000010011100111100111 2 in the example using arXiv ID, which means the address is converted to arXiv:1301.03783. Therefore, another paper serves as the whole C β if N 2 = 0. Obviously, as N 2 grows, disturbing N 1 causes a greater impact. For all the words in C α , the changes in their representations are presented in Figure 16a.
Modifying N 4 . Once N 4 , related to the seed, is altered, the whole initial word vectors will experience the earthquake, resulting in entirely distinct representations. When the seed is changed from 1 to 2, the result is shown in Figure  16b.
From the above two subsections, we know a bit of interference in the key can cause a huge difference in representations. Almost 50% bits in ciphertext reverse, close to the avalanche effect.

Plaintext sensitivity
For the word embedding model, words here are atomic. A slight change in plaintext can be interpreted as replacing a primitive word with a synonym or a morphologically similar word. Collins dictionary 7 is used for searching synonyms.
We select six groups of more common words to experiment, namely "people", "male", "female", "beautiful", "good", "look" and their synonyms, partially shown in Table 3. For each word in the first column, we compare the representations of themselves and ones of their synonyms and calculate the CRC. The frequency distribution of which is shown in Figure 17. Obviously, the distribution of CRC is still concentrated around 50%, that is, it characterizes good sensitivity.

Ciphertext sensitivity
The experimental setup is similar to Section 9.1. We randomly select 1000 words as samples for the experiment, whose corresponding hashes are tampered with. To test CCS under different conditions, we set the total number of tampered bits from 0 to 256 bits, randomly choose the tampering location, and As described in Section 5.4, although each word may have 2 256 representations, at a certain moment during the communication, the size of the valid hash collection is equal to the number of different words in C γ . The probability is expressed by Assuming |V w | = 10 8 , P (tamper (h γ ) ∈ H v ) is approximately equal to 1, which is in accordance with the experimental result.

Efficiency analysis
The comparison of efficiency among TEDL and some popular cryptosystems is depicted as Figure 18. It shows that our method is efficient.

Generality analysis
Multiple word embedding models can be applied in TEDL. In addition to the Word2vec used in previous sections, NNLM [5], fastText [18], and GloVe [33] are applied in this section.
Different models have different parameter settings. For example, as for fast-Text, most parameters function the same with those in Word2vec. These parameters are set as the default conditions mentioned above, that is epoch = 2,  : Generality about models to be applied D = 200, seed = 1, window = 5 and C ratio = 1 : 10000. Besides, there exist some unique parameters in fastText due to using enriches word vectors with subword(n-grams) information (e.g., the max length of char ngrams as well as the minimum. Here we set them to 5 and 3, respectively). The parameters in other models are set according to the characteristics of the model. But make sure to de-randomize the training process. The correlation defined as Eq. (45) serves as a representative indicator to measure the effect of encryption, which is shown in Figure 19. It shows that multiple models can be used to encryption, and they behave similarly.

Limitations
Though novel it is, TEDL suffers from some drawbacks. Firstly, security has not been theoretically proved, since it is hard to interpret the variation of parameters in deep learning model. Secondly, the choices on the kind of initial address are limited, for the sake of key sensitivity. Thirdly, the efficiency of encryption and decryption is negatively correlated to the number of entries in the codebook, for the process mainly involves lookup operations. In addition, in spite of almost impossible, two different words may map to the same hash, which means the results of inverted indexing may be more than one. Under this case, the decryption should depend on the context to select the correct plaintext. Besides, the first stage takes too long, during which the communication must suspend, bringing inconvenience. Moreover, some requirements to models should be met, which is detailed in Section 5.2. Especially, models must completely eliminate randomization. Finally, the self-updating mechanism in this paper remains to be improved.

Related Work
With the development of deep learning and increasing attention to information security, the application of deep learning in the field of information security has developed and extended. Although it is the first time to apply deep learning model, especially word embedding directly to encryption, prior to this, word embedding has been combined with other information security technologies, which mainly utilize the similarity between word vectors. For example, in [52], word vector is used on encrypted cloud data to achieve lightweight efficient multikeyword ranked search by finding the most similar query vector and document vector. Besides, in [25], the original keyword is substituted by a similar keyword in case the text retrieval fails. This replacement is achieved by finding word vectors with high similarity. Instead, our method acts in a diametrically opposite way, where achieving low similarity between the representations of the same word is expected.
Although neural network-based generative sequence models unconsciously memorize secret information, as described in [44,9], that is, given models and data, there is a way to determine whether the data is used as part of the training data set, resulting in the disclosure of secret data. It is not the case for our method, where any word possibly used is definitely contained in training corpus but it is hard to determine whether the word is the corresponding plaintext. In contrast, we just take advantage of the characteristic, that is, the subtle changes in the corpus can be memorized, assisting encryption.
In addition to [36,22,23,41] mentioned in Section 7, many papers also aim to issue the interpretability of model, such as [47,6,14]. Accordingly, some evaluation methods for interpretation have also been proposed [39]. However, these are not enough. Research on interpretability is important for both improving and cracking TEDL. In turn, the exploration of TEDL can promote the development of model interpretability.

Conclusion and Future Work
In this paper, we propose a new text encryption method based on deep learning named TEDL. It is the first time to directly apply deep learning model to encryption, mainly utilizing the uninterpretability and time-consuming training features. The time-varying and self-updating characteristics of TEDL deal with the problem of key redistribution and the two-stage structure makes it hard to carry out brute-force attack and makes it efficient for communication. Moreover, TEDL bears other superior properties such as anti-interference, diffusion and confusion, high sensitivity, generality and so on, all of which have been confirmed through experiments.
It is worth mentioning that both encrypted objects and models are expandable. Objects in various forms, such as binary numbers, texts, images, videos, or even multimodal information, can be encrypted with TEDL. For example, assuming TEDL adopts word embedding model and aims to encrypt binary numbers, a binary library can be constructed serving as public corpus while additional text in either original or binary form acts as an incremental corpus, then training performs on the synthetic corpus. Inspired by the fact that more and more objects can be embedded (e.g., the network [34]), it is natural that those objects can be encrypted by TEDL with embedding model, for which we might as well name as embedding encryption.
As for the extensibility of models, all the models that satisfy the Model Requirements in Section 5.2 can be employed by TEDL, and it is easy to meet those requirements. For example, nearly all deep learning models own public training set and it is easy to get whether texts, images or videos on the Internet as long as their corresponding addresses exist, meeting Model Requirements 1 and 2. Besides, considerable models, such as CNN and LSTM, own a large number of parameters, satisfying Model Requirement 3. Moreover, as for supervisory models, they are still available, as long as labels are preconcerted without the necessity of secret, thus satisfying Model Requirement 4. Finally but not least, TEDL can not only use for encryption. From the perspective of generating a key stream, such a large number of parameters in the deep learning model may be utilized, which is also worth exploring.