# Applications of Neural Network-Based AI in Cryptography

^{1}

^{2}

^{*}

## Abstract

**:**

## 1. Introduction

## 2. Artificial Intelligence and Machine Learning

- Supervised learning algorithms. These use tuples (input vector; output vector, also called Label) to learn/approximate the output vector for an unseen given input vector.
- Unsupervised learning algorithms. These do not make use of the label and use the input vector only to learn/infer/approximate the output vector for an unseen given input vector.
- Reinforcement learning algorithms. This class progressively learns/infers/approximates the output vector for an unseen given input vector from the positive or negative feedback returned from the external world.

- Self-supervised learning algorithms. These algorithms mask parts of the input and try to learn it. In essence, these algorithms transform an unsupervised problem (i.e., a problem for which no labels exist) into a supervised problem by auto-generating the labels.
- Imitation learning algorithms. These are very recent. In essence, imitation learning algorithms reproduce others’ actions from observing the actions performed by other agents/machine learning algorithms [30].

#### Artificial Neural Networks (ANNs) as a Non-Linear Approximation Function

## 3. ANN Types and Their Domains of Application

#### 3.1. Convolutional Neural Networks (CNNs)

#### 3.2. Recurrent Neural Networks (RNNs)

#### 3.3. Autoencoders

#### 3.4. Long Short-Term Memory Networks (LSTMs)

#### 3.5. Generative Adversarial Networks (GANs)

#### 3.6. Transformers

## 4. Possible Applications of AI in Cryptography

#### 4.1. Areas of Application

- In cybersecurity: Cybersecurity can easily benefit from the applications of AI. By applying AI, it is possible to write and process software to detect and to defend a system against cyberattacks. The advantages of applying AI instead of traditional security systems is that AI provides fast solutions and better security.
- In blockchain: Blockchain is a new technology with various industrial and economic applications. It plays a prominent role in many sectors, such as banking, cryptocurrencies, and data management. It achieves a complete independence from any central authority and guarantees secure communications thanks to advanced cryptographic techniques. AI can be used to analyze the security and the efficiency of blockchain applications in order to improve their practicability, security, and profitability.
- In symmetric cryptography: AI can be deployed to analyze the security of a symmetric system defined by an S-box or a vectorial Boolean function by testing all possible cryptographic criteria, including bijectivity, nonlinearity, linear analysis, differential analysis, balancedness, correlation immunity, algebraic degree, side-channel analysis, strict avalanche criterion (SAC), bit independence criterion (BIC), and the NIST Statistical Test Suite [41], which is used to guarantee the quality of random number generators for cryptographic applications. Especially, the security of AES and Ascon can be much improved if tested with the help of AI.
- In asymmetric cryptography based on RSA: AI can be used to generate safe primes for the RSA modulus, and to generate safe public and private keys by running the known attacks such as factorization, small private key attacks, partial key exposure attacks, and side-channel attacks.
- In asymmetric cryptography based on LWE: Attacks on LWE and its variants are very limited because their security is based on the hardness of hard problems in lattices. Nevertheless, AI can be used to test the hardness of lattice problems with different parameters in order to guarantee the safety and the efficiency of the cryptosystem.

#### 4.2. Datasets

## 5. The Advanced Encryption Standard (AES)

#### 5.1. The Encryption Process of AES

- AddRoundKey: The subkey for the round is bitwise XORed with the state array computed in the previous step. In the first round, the state array is the input block, and in the last round, the resulting state array is the ciphertext (see Table 2).
- SubBytes: The SubBytes transformation is a byte substitution that operates on each byte of the state using a substitution table called S-box (see Table 3). Algebraically, each byte x is transformed into a list of 8 bits,$$\overline{x}=({x}_{1},{x}_{2},{x}_{3},{x}_{4},{x}_{5},{x}_{6},{x}_{7},{x}_{8}),$$$$T\left(\overline{x}\right)=\left\{\begin{array}{cc}c\hfill & \mathrm{if}\phantom{\rule{4.pt}{0ex}}x=0\hfill \\ M\left({\overline{x}}^{-1}\right)+c\hfill & \mathrm{if}\phantom{\rule{4.pt}{0ex}}x\ne 0,\hfill \end{array}\right.$$$$c=\left[\begin{array}{c}0\\ 1\\ 1\\ 0\\ 0\\ 0\\ 1\\ 1\end{array}\right],\phantom{\rule{2.em}{0ex}}M=\left[\begin{array}{cccccccc}1& 1& 1& 1& 1& 0& 0& 0\\ 0& 1& 1& 1& 1& 1& 0& 0\\ 0& 0& 1& 1& 1& 1& 1& 0\\ 0& 0& 0& 1& 1& 1& 1& 1\\ 1& 0& 0& 0& 1& 1& 1& 1\\ 1& 1& 0& 0& 0& 1& 1& 1\\ 1& 1& 1& 0& 0& 0& 1& 1\\ 1& 1& 1& 1& 0& 0& 0& 1\end{array}\right],$$
- ShiftRows: In this transformation, the bytes of the first row in the state array remain unchanged, and the bytes of rows 2, 3, and 4 are cyclically shifted left by 1, 2, and 3 cases, respectively (see Table 4).
- MixColumns: In this transformation, each column is multiplied by a fixed matrix, as in Table 5.In MixColumns, the operations are performed in ${\mathbb{F}}_{{2}^{8}}$ modulo the polynomial ${x}^{8}+{x}^{4}+{x}^{3}+x+1$.

#### 5.2. The Decryption Process in AES

- InvAddRoundKey: As in the AddRoundKey algorithm, the subkey for the round is bitwise XORed, with the state array computed in the previous step. In the first round, the state array is the ciphertext block, and in the last round, the resultant state array is the plaintext.
- InvSubBytes: In this operation, the inverse S-box replaces each byte of the state with another byte by a substitution method. Specifically, each byte y is transformed into a list of 8 bits,$$\overline{y}=({y}_{1},{y}_{2},{y}_{3},{y}_{4},{y}_{5},{y}_{6},{y}_{7},{y}_{8}),$$$${T}^{\prime}\left(\overline{y}\right)=\left\{\begin{array}{cc}0\hfill & \mathrm{if}\phantom{\rule{4.pt}{0ex}}y=c\hfill \\ \frac{1}{{M}^{-1}(y+c)}\hfill & \mathrm{if}\phantom{\rule{4.pt}{0ex}}y\ne c,\hfill \end{array}\right.$$$$c=\left[\begin{array}{c}0\\ 1\\ 1\\ 0\\ 0\\ 0\\ 1\\ 1\end{array}\right],\phantom{\rule{2.em}{0ex}}{M}^{-1}=\left[\begin{array}{cccccccc}0& 1& 0& 1& 0& 0& 1& 0\\ 0& 0& 1& 0& 1& 0& 0& 1\\ 1& 0& 0& 1& 0& 1& 0& 0\\ 0& 1& 0& 0& 1& 0& 1& 0\\ 0& 0& 1& 0& 0& 1& 0& 1\\ 1& 0& 0& 1& 0& 0& 1& 0\\ 0& 1& 0& 0& 1& 0& 0& 1\\ 1& 0& 1& 0& 0& 1& 0& 0\end{array}\right].$$The inverses are computed in the finite field ${\mathbb{F}}_{{2}^{8}}$ modulo the polynomial ${x}^{8}+{x}^{4}+{x}^{3}+x+1$.
- InvShiftRows: In this transformation, the bytes of the first row in the state array remain unchanged, and the bytes of rows 2, 3, and 4 are cyclically shifted right by 1, 2, and 3 cases, respectively (see Table 6).
- InvMixColumns: In this transformation, each column is multiplied by a fixed matrix, as in Table 7.In InvMixColumns, the operations are performed in ${\mathbb{F}}_{{2}^{8}}$ modulo the polynomial ${x}^{8}+{x}^{4}+{x}^{3}+x+1$.

#### 5.3. Main Attacks on AES

- Exhaustive search attack. Brute force attacks, or exhaustive attacks, consist of trying all possible keys to a ciphertext and checking whether the plaintext is recognizable. It is easy to prevent such attacks by using large keys. In AES, the key lengths are 128, 192, and 256 bits. This makes the total key combination of each key length ${2}^{128}$, ${2}^{192}$, and ${2}^{256}$, respectively, which is infeasible even for the fastest supercomputers today. On the other hand, with a computer with quantum technology, due to Grover’s algorithm [61], it is possible to perform an exhaustive search in the square root of the classical time, and the key lengths should be ${2}^{256}$.
- Linear attack. In 1993, Matsui [62] invented one of the most practical attacks on DES, known as linear cryptanalysis. It can be applicable to AES by approximating the nonlinear parts in the rounds by linear expressions. This makes the round a linear function where the input or the output is easy to compute.In the situation where the S-box of the system is constructed following a vectorial boolean function $F:{\mathbb{F}}_{{2}^{n}}\to {\mathbb{F}}_{{2}^{n}}$, the linear cryptanalysis is constructed on the value of its nonlinearity, which is defined by:$${\mathtt{N}\mathtt{L}}_{F}={2}^{n-1}-\frac{1}{2}\underset{a\ne 0,b\in {\mathbb{F}}_{{2}^{n}}}{max}\left|\sum _{x\in {\mathbb{F}}_{2}^{n}}{(-1)}^{b\xb7F\left(x\right)\oplus a\xb7x}\right|,$$In practice, the nonlinearity of the vectorial Boolean function F is studied via the linear probability table (LPT) defined for the entry $(a,b)\in {\mathbb{F}}_{{2}^{n}}^{2}$ by:$${\mathtt{L}\mathtt{P}\mathtt{T}}_{F}(a,b)={\left(\frac{\#\left\{x\in {\mathbb{F}}_{2}^{n}:a\xb7x+b\xb7F\left(x\right)=0\right\}}{{2}^{n-1}}-1\right)}^{2}.$$For AES, except for the first row and first column, all rows and columns of the LPT have the same distribution of values as given in Table 8.
- Differential attack. In 1991, Biham and Shamir [63] proposed differential cryptanalysis and applied it to DES. Differential cryptanalysis is a chosen-plaintext attack and works with two pairs of plaintext $({P}_{1},{P}_{2})$ with a fixed difference $a={P}_{1}+{P}_{2}$ and their corresponding ciphertext $({C}_{1},{C}_{2})$. The goal of the differential cryptanalysis is to study the behavior of the difference $b={P}_{1}+{P}_{2}$.For a vectorial Boolean function $F:{\mathbb{F}}_{{2}^{n}}\to {\mathbb{F}}_{{2}^{n}}$, the differential cryptanalysis is studied via the difference distribution table (DDT), which is defined for $(a,b)\in {\mathbb{F}}_{{2}^{n}}^{2}$ by:$${\mathtt{D}\mathtt{D}\mathtt{T}}_{F}(a,b)=\#\left\{x\in {\mathbb{F}}_{{2}^{n}}:F\left(x\right)+F(x+a)=b\right\}.$$The differential uniformity of F is defined by:$${\delta}_{F}=\underset{a\in {\mathbb{F}}_{{2}^{n}}^{*}}{max}{\mathtt{D}\mathtt{D}\mathtt{T}}_{F}(a,b).$$The differential cryptanalysis exploits the differential probability $D{P}_{F}$, specifically:$${\mathtt{D}\mathtt{P}}_{F}(a,b)=\frac{\#\left\{x\in {\mathbb{F}}_{{2}^{n}}:F\left(x\right)+F(a+x)=b\right\}}{{2}^{n}}.$$For a randomly chosen permutation and for any $a\in {\mathbb{F}}_{{2}^{n}}\backslash \left\{0\right\}$, the value $F\left(x\right)\phantom{\rule{3.33333pt}{0ex}}+\phantom{\rule{3.33333pt}{0ex}}F(a\phantom{\rule{3.33333pt}{0ex}}+\phantom{\rule{3.33333pt}{0ex}}x)$ is expected to be uniformly distributed with equiprobability. This makes ${\mathtt{D}\mathtt{D}\mathtt{T}}_{F}(a,b)$ a reliable and practical distinguisher if ${\mathtt{D}\mathtt{P}}_{F}(a,b)$ is sufficiently small.For the AES S-box, Table 9 shows the distribution of the ${\mathtt{D}\mathtt{P}}_{F}$ values and their frequencies.If ${x}_{0}$ is a solution to the equation $F\left(x\right)+F(a+x)=b$, then ${x}_{0}+a$ is also a solution. This implies that ${\mathtt{D}\mathtt{D}\mathtt{T}}_{F}(a,b)\ge 2$ for all $a\ne 0$ and, consequently, ${\delta}_{F}\ge 2$. Vectorial Boolean functions satisfying ${\delta}_{F}=2$ are called almost perfect nonlinear (APN) functions. As shown in Table 9, the differential uniformity of the AES S-box is 4. Hence, AES does not belong to the APN family; nevertheless, its differential uniformity is too small. This makes AES resistant to differential cryptanalysis.

#### 5.4. Applications of AI to Block Ciphers

- Resistance to side-channel attacks [64]: Side-channel attacks exploit the operations performed by a cryptographic system during encryption or decryption to gain information about the private key. The most used channel attacks are timing attacks, simple power attacks, differential power attacks, electromagnetic radiation attacks, correlation power attacks, etc. These attacks rely on collecting and interpreting observations in order to infer information about key size and bits. These inferences lend themselves naturally to ML and ANNs in general and to advanced ANNs/models in particular. As described earlier, some work has already been initiated in this direction [52].
- Resistance to fault attacks [65]: Fault attacks are deployed to disturb the normal functioning of a cryptosystem. They are injected by various techniques such as laser, light pulses, electromagnetic perturbations, tampering with the clock, etc. This enables the attacker to collect the erroneous result and to gain information about the private key. As with side-channel attacks, fault attacks can be overcome by testing implementations against an advanced ANN that tries to leverage the erroneous results to infer information about the key. AES cipher implementations need to be tested against an advanced ANN model that tries to leverage collected output to infer the key before deployment.
- Resistance to differential attacks [63]: This task can be performed by computing the difference distribution table of the S-box. As with linear attacks, ANNs as excellent function approximators can be used to model the differential properties of S-boxes, similarly to what has been done by [55] on the round-reduced Speck cipher and by [47] on the round function of GIFT.
- Resistance to truncated differentials [66]: This variant of the differential attack was presented by Knudson in 1994. This task can be processed by adapting the difference distribution table of the S-box under the truncated differentials criteria. As with differential attacks, ANNs as excellent function approximators can be used to model the truncated differential properties of S-boxes.
- Resistance to boomerang attacks [67]: The task of testing the boomerang cryptanalysis can be accomplished by studying the boomerang connectivity table (BCT) as defined by Cid et al. in 2018 [68]. The BCT of an invertible vectorial function $F:{\mathbb{F}}_{{2}^{n}}\to {\mathbb{F}}_{{2}^{n}}$ is defined at the entry $(a,b)\in {\mathbb{F}}_{{2}^{n}}$ by:$${\mathrm{BCT}}_{F}(a,b)=\#\left\{x\in {\mathbb{F}}_{{2}^{n}}\phantom{\rule{4pt}{0ex}}:\phantom{\rule{4pt}{0ex}}{F}^{-1}(F\left(x\right)+b)+{F}^{-1}(F(x+a)+b)=a\right\}.$$
- Algebraic immunity [69,70]: The algebraic immunity of a vectorial Boolean function F defined on ${F}_{{2}^{n}}$ is the lowest degree of all functions $G\ne 0$ satisfying $F\left(x\right)\xb7G\left(x\right)=0$ or $(1+F(x\left)\right)\xb7G\left(x\right)=0$, where $a\xb7b$ is the inner product of the vectors a and b. The underlying vectorial Boolean function of AES can be modeled and tested using advanced ANNs.
- Balancedness [71]: A vectorial Boolean function $F:{\mathbb{F}}_{{2}^{n}}\to {\mathbb{F}}_{{2}^{m}}$ is balanced if every value of ${\mathbb{F}}_{{2}^{m}}$ is the image of exactly ${2}^{n-m}$ values from ${\mathbb{F}}_{{2}^{n}}$. The task of verifying balancedness can be processed by studying the vectorial Boolean function that defines the S-box of AES.
- Resistance to other attacks: There are plenty of attacks and criteria that can be implemented with AI to test the security of block ciphers. This includes correlation immunity [72], strict avalanche criterion (SAC) [73], fixed points and opposite fixed points [59], algebraic degree [72], impossible differential [74], etc. A complete list of such attacks can be found in [5,75].

`SubBytes()`and

`MixColumns()`functions, and the AES cipher with its modes of operations and their implementations can be used to test against all former attacks and to propose useful and efficient solutions, such as the choice of the key space,

`MixColumns()`matrix polynomials, etc., that nullify/undermine the attacks.

## 6. The RSA Cryptosystem

#### 6.1. The RSA Encryption Scheme

- Key Generation: Given a parameter n,
- Select a random prime number p of bit size n.
- Select a random prime number q of bit size n with $p\ne q$.
- Compute $N=pq$ and $\varphi \left(N\right)=(p-1)(q-1)$.
- Select a number e such that $gcd(e,\varphi (N\left)\right)=1$.
- Compute a number d such that $ed\equiv 1\phantom{\rule{4.44443pt}{0ex}}(mod\phantom{\rule{0.277778em}{0ex}}\varphi (N\left)\right)$.
- Publish the public key $(N,e)$.

- Encryption: Given a public key $(N,e)$ and a message $M\in \mathbb{Z}/N\mathbb{Z}$,
- Compute the ciphertext $C\equiv {M}^{e}\phantom{\rule{4.44443pt}{0ex}}(mod\phantom{\rule{0.277778em}{0ex}}N)$.

- Decryption: Given the private key $(N,d)$ and a ciphertext C,
- Compute $M\equiv {C}^{d}\phantom{\rule{4.44443pt}{0ex}}(mod\phantom{\rule{0.277778em}{0ex}}N)$.

#### 6.2. Attacks on RSA

- Factorization attacks. The most obvious attack on RSA is to factor its modulus N. Nevertheless, since N is the product of two balanced large prime numbers, no known method is efficient to factor RSA moduli of size 1024 bits or more. There are several algorithms devoted to factoring integers, such as the Number Field Sieve method [76], Pollard’s Rho method [77], the Elliptic Curve Method [78], and others, with different running times as presented in Table 10.

Algorithm | Running Time Complexity | Nature of the Factor p |
---|---|---|

Pollard’s Rho [77] | $O\left(\sqrt{p}\right)$ | largest prime factor |

Elliptic Curve Method [78] | $O\left({e}^{(1+o\left(1\right))\sqrt{2log\left(p\right)log(log(p\left)\right)}}\right)$ | smallest prime factor |

Number Field Sieve [76] | $O\left({e}^{1.923log{\left(n\right)}^{\frac{1}{3}}loglog{\left(n\right)}^{\frac{2}{3}}}\right)$ | any factor |

Quadratic Sieve [79] | $O\left({e}^{(1+o\left(1\right))\sqrt{log\left(n\right)log(log(n\left)\right)}}\right)$ | any factor |

- Despite the existence of such factorization algorithms, there is no known non-quantum-based method that can efficiently factor an RSA modulus of more than 1024 bits. The latest record for integer factorization was obtained in 2020 by Boudot et al. [80], who factored RSA-250, an RSA modulus with 829 bits.

- Algebraic attacks. Such attacks are based on the mathematical structure of the cryptosystem. Typically, for RSA, the algebraic attacks are related to the key equation $ed-k\varphi \left(N\right)=1$. In 1996, Coppersmith [81] proposed a method to solve certain polynomial equations and applied it to factor an RSA modulus if half of the bits of one of the prime factors were known. Since then, various generalizations of Coppersmith’s method have been proposed [7,8,9,10,82].In 1990, Wiener [83] showed that using RSA with a small private exponent is insecure. Using the key equation $ed-k\varphi \left(N\right)=1$ with $\varphi \left(N\right)=(p-1)(q-1)=N+1-(p+q)$$\approx N$, he showed that if p and q have the same bit size, and if $d<\frac{1}{3}{N}^{\frac{1}{4}}$, then:$$\left|\frac{e}{N}-\frac{k}{d}\right|<\frac{1}{2{d}^{2}},$$
- Side-channel attacks. The modular exponentiation is a crucial operation in RSA and must be implemented securely to prevent side-channel attacks. The application of side-channel attacks against RSA started in 1996 with the work of Kocher [24]. Since then, numerous studies have been conducted to make side-channel attacks infeasible against RSA [85,86,87,88].For the RSA cryptosystem, the running time during the decryption process can leak information about the private key. This method is known as a timing attack and is one of the most popular side-channel attacks. In RSA, the timing attack concerns the modular exponentiation if the square-and-multiply method is used. To compute ${m}^{d}\phantom{\rule{4.44443pt}{0ex}}(mod\phantom{\rule{0.277778em}{0ex}}N)$, the square-and-multiply method consists of expanding $d={({d}_{r-1}{d}_{r-2}\cdots {d}_{0})}_{2}$ in base 2, taking $a=1$, and then, for i from $r-1$ down to 0, computing $a\equiv {a}^{2}\phantom{\rule{4.44443pt}{0ex}}(mod\phantom{\rule{0.277778em}{0ex}}N)$; additionally, if ${d}_{i}=1$, $a\equiv am\phantom{\rule{4.44443pt}{0ex}}(mod\phantom{\rule{0.277778em}{0ex}}N)$. The drawback of this method is that the computation time is not the same when ${d}_{i}=1$ and ${d}_{i}=0$. This can be exploited to guess the binary decomposition of d and then to compute d. To ovoid timing attacks, there are various implementations of the modular exponentiation, such as square-always exponentiation [89].

#### 6.3. Applications of AI to RSA

- Resistance to side-channel attacks [24]: RSA is vulnerable to side-channel attacks depending on its arithmetic operations, especially during the decryption process. Numerous studies have been proposed to protect it from side-channel attacks [87,88,90]. As with side-channel attacks on AES, advanced ANNs can be used to test the RSA cryptosystem and its implementations against the side-channel attacks before deployment. Some work has already been done in this direction. Ref. [57] used deep learning in side-channel attacks against a secure implementation of the RSA algorithm.
- Resistance to fault attacks [91]: In addition to side-channel attacks, RSA is vulnerable to fault attacks [92,93]. There are many techniques to force faults, such as variations in the clock, laser, X-rays, voltage, etc. These attacks also lend themselves to the use of advanced ANNs to infer key bits or plaintext from the collected output resulting from the faults.
- Resistance to factorization attacks: The security of RSA is partly based on the difficulty of factoring its modulus N. Obviously, the bit size of N is crucial against factoring algorithms, such as the Number Field Sieve and the Elliptic Curve method. The current recommendation for the size of the RSA modulus is at least 3000 bits [94]. Some initial work has been conducted in this direction by [95,96], but more is needed in order to strengthen the choice of primes p and q.
- Resistance to Fermat’s factoring method [97]: This method is based on solving the equation $N={x}^{2}-{y}^{2}=(x-y)(x+y)$, which leads to $p=\frac{x+y}{2}$, $q=\frac{x-y}{2}$. If the difference $|p-q|$ is too small relative to N, then y is too small, and $\sqrt{N}$ is an approximation of x. This can be exploited to retrieve x, y, and the prime factors from p and q. The method works efficiently when $|p-q|<{N}^{\frac{1}{4}}$. AI can be used to learn x and y for different Ns and to eliminate the RSA prime factors p and q that are vulnerable to Fermat’s factoring method during the generation phase. Furthermore, biases in the distribution of consecutive primes [98] can be learned using an advanced ANN to help reduce the search space in factorization and Fermat’s factoring attacks.
- RSA with existing modulus: If ${N}_{1}={p}_{1}{q}_{1}$ is the RSA modulus of two independent entities, then both entities know the prime factors and can decrypt the encrypted messages of each other. Unfortunately, AI cannot help guard against this scenario. Luckily, the likelihood that two organizations generate the same primes p and q is extremely slim, knowing that p and q are on the order of ${2}^{1024}$.
- RSA moduli with common factors: If ${N}_{1}=p{q}_{1}$ and ${N}_{2}=p{q}_{2}$ are two RSA moduli, then an attacker can compute $p=gcd({N}_{1},{N}_{2})$, ${q}_{1}=\frac{{N}_{1}}{p}$, and ${q}_{2}=\frac{{N}_{2}}{p}$. This factors the two moduli. To generate a safe RSA modulus N, testing whether N is coprime to every modulus in the list of collected moduli can be efficiently performed by using the method of Bernstein [99,100] without the need for AI.
- RSA moduli with primes sharing most, middle, or least significant bits: If ${N}_{1}={p}_{1}{q}_{1}$ and ${N}_{2}={p}_{2}{q}_{2}$ are two RSA moduli, where ${p}_{1}\approx {p}_{2}$ share an amount of their least, middle, or most significant bits, then one can apply the method of May and Ritzenhofen [101] or the method of Faugère et al. [102] to factor ${N}_{1}$ and ${N}_{2}$. Here too, the factorization problem can be posed as an approximation function implemented using ANNs, leading to the elimination of the prime factors that share a significant number of their least significant bits.
- Resistance to small private exponents: The private exponent in RSA with a modulus $N=pq$ and a public exponent e is the integer d satisfying $ed-k(p-1)(q-1)=1$. Because of the attack of Wiener [83], and the attack of Boneh–Durfee [84], it is required that d be larger than $\sqrt{N}$. Nevertheless, in many instances, one can find the value d even if d is arbitrarily large [103,104]. AI can be used to build an approximation function using advanced ANNs for solving the equation above and using it to test the resistance of a generated RSA modulus to such attacks.
- Resistance to partial key exposure attacks: When a fraction of the most significant or the least significant bits of the private exponent d is guessed by an attacker, then Coppersmith’s method can be used to retrieve d entirely [105,106,107]. An ANN approximator for learning d from its fractions and known ciphertext plaintext pairs can be used to test any generated private key d against such attacks before using it for practical applications.

## 7. Learning with Errors

#### 7.1. Description of Learning with Errors

- Search LWE can be summarized as follows. Let $\chi $ be a probability distribution over ${\mathbb{Z}}_{q}$. Given a matrix $A\in {\mathbb{Z}}_{q}^{m\times n}$ and a vector $b\in {\mathbb{Z}}_{q}^{m}$ whose entries are chosen uniformly, find a vector $s\in {\mathbb{Z}}_{q}^{n}$ such that $As+e=b$, where $e\in {\mathbb{Z}}_{q}^{m}$ is a vector generated by $\chi $.
- Decision LWE can be summarized as follows. Given a matrix $A\in {\mathbb{Z}}_{q}^{m\times n}$ and a vector $b\in {\mathbb{Z}}_{q}^{m}$, determine whether $(A,b)\in {L}_{1}$ or $(A,b)\in {L}_{2}$, where ${L}_{1}$ is the set of all tuples $(A,b)\in {\mathbb{Z}}_{q}^{m\times n}\times {\mathbb{Z}}_{q}^{m}$ generated by uniformly random distribution and ${L}_{2}$ is the set of all tuples $(A,b)\in {\mathbb{Z}}_{q}^{m\times n}\times {\mathbb{Z}}_{q}^{m}$, such that $b=As+e$ for a vector $s\in {\mathbb{Z}}_{q}^{n}$, uniformly distributed, and $e\in {\mathbb{Z}}_{q}^{m}$, generated by $\chi $.

- Key Generation: Given the parameters m, n, q, and $\chi $,
- Select a matrix $A\in {\mathbb{Z}}_{q}^{m\times n}$ at random.
- Select a secret vector $s\in {\mathbb{Z}}_{q}^{n}$.
- Select a private vector $e\in {\mathbb{Z}}_{q}^{m}$ according to a probability distribution $\chi $ over ${\mathbb{Z}}_{q}$.
- Compute $b\in {\mathbb{Z}}_{q}^{m}$, such that $b=As+e$, and publish the public key $(A,b)$.

- Encryption: Given the parameters m, n, q, $\chi $, a public key $(A,b)$, and a message $M\in \{0,1\}$,
- Select a vector $r\in {\mathbb{Z}}_{q}^{m}$ at random.
- Compute the ciphertext $({C}_{1},{C}_{2})$, where ${C}_{1}={r}^{t}A\in {\mathbb{Z}}_{q}^{n}$ and ${C}_{2}={r}^{t}b+\u230a\frac{q}{2}\u230bM\in {\mathbb{Z}}_{q}$. Here, ${x}^{t}$ represents the transpose of x.

- Decryption: Given the parameters m, n, q, $\chi $, a ciphertext $({C}_{1},{C}_{2})$, and a secret key s,
- Compute $u={C}_{2}-{C}_{1}s\in {\mathbb{Z}}_{q}$.
- If $\left|u\right|\le \frac{q}{4}$, then the decryption is 0, else the decryption is 1.

#### 7.2. Hardness of LWE

- Shortest Vector Problem (SVP): Let $\mathcal{L}$ be a lattice with a basis B. Find the shortest nonzero lattice vector $u\in \mathcal{L}$ with $\parallel u\parallel ={\lambda}_{1}\left(\mathcal{L}\right)$.
- Closest Vector Problem (CVP): Let $\mathcal{L}$ be a lattice with a basis B and $v\notin \mathcal{L}$ be a vector. Find a lattice vector $u\in \mathcal{L}$ such that $\parallel u-v\parallel \le {\lambda}_{1}\left(\mathcal{L}\right)$.

- Decisional Approximate SVP (${\mathtt{G}\mathtt{a}\mathtt{p}\mathtt{S}\mathtt{V}\mathtt{P}}_{\gamma}$): Let $\mathcal{L}$ be a lattice with a basis B and $r>0$ be a real number. Decide whether ${\lambda}_{1}\left(\mathcal{L}\right)\le r$ or ${\lambda}_{1}\left(\mathcal{L}\right)>\gamma r$.
- Approximate Shortest Independent Vectors Problem (${\mathtt{S}\mathtt{I}\mathtt{V}\mathtt{P}}_{\gamma}$): Let $\mathcal{L}$ be a full-rank lattice with dimension n and a basis B. Find n linearly independent vectors ${v}_{i}\in \mathcal{L}$ such that $\parallel {v}_{i}\parallel \le \gamma {\lambda}_{n}\left(\mathcal{L}\right)$, where ${\lambda}_{n}\left(\mathcal{L}\right)$ is the n-th successive minimum of the lattice.

#### 7.3. Applications of AI to LWE

## 8. The Ascon Family of Ciphers

#### 8.1. Description of Ascon

#### 8.2. Ascon Encryption

- A key $K\in {\{0,1\}}^{k}$ with $k\le 160$;
- A nonce $N\in {\{0,1\}}^{128}$;
- Associated data $A\in {\{0,1\}}^{*}$;
- A plaintext $P\in {\{0,1\}}^{*}$.

- Initialization: The 320-bit initial state in Ascon is built by the concatenation of an initial vector $IV$, a secret k-bit key K, and a 128-bit nonce N; that is:$$S=IV\parallel K\parallel N.$$The initial vector $IV$ has the form:$$IV=k\parallel r\parallel a\parallel b\parallel {0}^{160-k},$$$$S\leftarrow {p}^{a}\left(S\right)\oplus \left({0}^{320-k}\parallel K\right).$$
- Processing Associated Data: If associated data $A\in {\{0,1\}}^{*}$ is provided and not null, they are appended with a single 1 and $r-1-\left(\right|A\left|\phantom{\rule{4.44443pt}{0ex}}\right(mod\phantom{\rule{0.277778em}{0ex}}r\left)\right)$ 0s, then split into s blocks of size r so that:$$A\leftarrow A\parallel 1\parallel {0}^{r-1-\left(\right|A\left|\phantom{\rule{10.0pt}{0ex}}\right(mod\phantom{\rule{0.277778em}{0ex}}r\left)\right)}={A}_{1}\parallel {A}_{2}\parallel \cdots \parallel {A}_{s}.$$If A is empty, then $s=0$. For each $i=1,\cdots ,s$, the following calculation is performed:$$S\leftarrow {p}^{b}(({S}_{r}\oplus {A}_{i})\parallel {S}_{c}).$$After all calculations, the state is transformed as:$$S\leftarrow S\oplus \left({0}^{319}\parallel 1\right).$$
- Plaintext Processing: The plaintext $P\in {\{0,1\}}^{*}$ is also appended with a single 1 and $r-1-\left(\right|P\left|\phantom{\rule{4.44443pt}{0ex}}\right(mod\phantom{\rule{0.277778em}{0ex}}r\left)\right)$ 0s, and then is split into t blocks of size r, so that:$$P\leftarrow P\parallel 1\parallel {0}^{r-1-\left(\right|P\left|\phantom{\rule{10.0pt}{0ex}}\right(mod\phantom{\rule{0.277778em}{0ex}}r\left)\right)}={P}_{1}\parallel {P}_{2}\parallel \cdots \parallel {P}_{t}.$$Then, for $i=1,\cdots ,t$, the following calculations are performed:$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& {C}_{i}\leftarrow {S}_{r}\oplus {P}_{i},\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& S\leftarrow \left\{\begin{array}{cc}{p}^{b}({C}_{i}\parallel {S}_{c})\hfill & \mathrm{if}\phantom{\rule{4.pt}{0ex}}1\le i<t,\hfill \\ {C}_{i}\parallel {S}_{c}\hfill & \mathrm{if}\phantom{\rule{4.pt}{0ex}}i=t.\hfill \end{array}\right.\hfill \end{array}$$After processing ${C}_{t}$, the value ${\tilde{C}}_{t}={\u230a{S}_{r}\oplus {P}_{t}\u230b}_{\left|P\right|\phantom{\rule{4.44443pt}{0ex}}(mod\phantom{\rule{0.277778em}{0ex}}r)}$ is calculated, where ${\u230ax\u230b}_{k}$ is the bitstring x truncated to the most significant k bits.
- Finalization: In this phase, the following values are calculated:$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& S\leftarrow {p}^{a}\left(S\oplus \left({0}^{r}\parallel K\parallel {0}^{320-r-k}\right)\right),\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& T\leftarrow {\u2308S\u2309}^{128}\oplus {\u2308K\u2309}^{128},\hfill \end{array}$$$$C={C}_{1}\parallel \cdots \parallel {C}_{t-1}\parallel {\tilde{C}}_{t},$$

#### 8.3. Ascon Decryption

- The key $K\in {\{0,1\}}^{k}$ with $k\le 160$;
- The nonce $N\in {\{0,1\}}^{128}$;
- The associated data $A\in {\{0,1\}}^{*}$;
- The ciphertext $C\in {\{0,1\}}^{*}$;
- The tag $T\in {\{0,1\}}^{128}$.

#### 8.4. Security of Ascon

#### 8.5. Applications of AI to Ascon

## 9. Conclusions

## Author Contributions

## Funding

## Data Availability Statement

## Conflicts of Interest

## Abbreviations

AES | Advanced Encryption Standard |

AI | Artificial Intelligence |

ANN | Artificial Neural Network |

CNN | Convolutional Neural Networks |

LWE | Learning With Errors |

ML | Machine Learning |

NIST | National Institute of Standards and Technology |

RNN | Recurrent Neural Network |

RSA | Rivest, Shamir, and Adleman |

## References

- Rivest, R.L. Cryptography and machine learning. In Advances in Cryptology—ASIACRYPT’91, Proceedings of the ASIACRYPT 1991, Fujiyoshida, Japan, 11–14 November 1991; Lecture Notes in Computer Science; Imai, H., Rivest, R.L., Matsumoto, T., Eds.; Springer: Berlin/Heidelberg, Germany, 1991; Volume 739. [Google Scholar]
- Ertel, W. Introduction to Artificial Intelligence, 2nd ed.; Undergraduate Topics in Computer Science; Springer: Cham, Switzerland, 2017. [Google Scholar]
- Tencent Research Institute; CAICT; Tencent AI Lab; Tencent Open Platform (Eds.) Artificial Intelligence, A National Strategy; Palgrave Macmillan: Singapore, 2021. [Google Scholar] [CrossRef]
- Diffie, W.; Hellman, M. New directions in cryptography. IEEE Trans. Inf. Theory
**1976**, 22, 644–654. [Google Scholar] [CrossRef] [Green Version] - Picek, S.; Batina, L.; Jakobović, D.; Ege, B.; Golub, M. S-box, SET, Match: A Toolbox for S-box Analysis. In Information Security Theory and Practice: Securing the Internet of Things, Proceedings of the WISTP, Heraklion, Crete, Greece, 30 June–2 July 2014; Lecture Notes in Computer Science; Naccache, D., Sauveron, D., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8501. [Google Scholar]
- Rivest, R.; Shamir, A.; Adleman, L. A Method for obtaining digital signatures and public-key cryptosystems. Commun. ACM
**1978**, 21, 120–126. [Google Scholar] [CrossRef] [Green Version] - Boneh, D. Twenty years of attacks on the RSA cryptosystem. N. Am. Math. Soc.
**1999**, 46, 203–213. [Google Scholar] - Hinek, M.J. Cryptanalysis of RSA and Its Variants; Chapman & Hall/CRC Cryptography and Network Security; CRC Press: Boca Raton, FL, USA, 2009. [Google Scholar]
- Nitaj, A. The Mathematical Cryptography of the RSA Cryptosystem. In Cryptography: Protocols, Design and Applications; Lek, K., Rajapakse, N., Eds.; Nova Science Publishers: Hauppauge, NY, USA, 2012. [Google Scholar]
- Mumtaz, M.; Ping, L. Forty years of attacks on the RSA cryptosystem. J. Discret. Math. Sci. Cryptogr.
**2019**, 22, 9–29. [Google Scholar] [CrossRef] - Regev, O. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th ACM Symposium on Theory of Computing (STOC), Baltimore, MD, USA, 22–24 May 2005; pp. 84–93. [Google Scholar]
- Peikert, C. A decade of lattice cryptography. Found. Trends Theor. Comput. Sci.
**2016**, 10, 283–424. [Google Scholar] [CrossRef] - National Institute of Standards and Technology. Post-Quantum Cryptography. Available online: https://csrc.nist.gov/projects/post-quantum-cryptography (accessed on 30 June 2023).
- Bos, J.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schanck, J.M.; Schwabe, P.; Seiler, G.; Stehlé, D. CRYSTALS—Kyber: A CCA-Secure Module-Lattice-Based KEM. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P), London, UK, 24 April 2018; pp. 353–367. [Google Scholar]
- Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schwabe, P.; Seiler, G.; Stehlé, D. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst.
**2018**, 238–268. [Google Scholar] [CrossRef] - Prest, T.; Fouque, P.-A.; Hoffstein, J.; Kirchner, P.; Lyubashevsky, V.; Pornin, T.; Ricosset, T.; Seiler, G.; Whyte, W.; Zhang, Z. FALCON. National Institute of Standards and Technology. 2020. Available online: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions (accessed on 30 June 2023).
- Bernstein, D.J.; Hülsing, A.; Kölbl, S.; Niederhagen, R.; Rijneveld, J.; Schwabe, P. The SPHINCS+ Signature Framework. Cryptology ePrint Archive, Paper 2019/1086. 2019. Available online: https://eprint.iacr.org/2019/1086 (accessed on 30 June 2023).
- Stehlé, D.; Steinfeld, R.; Tanaka, K.; Xagawa, K. Efficient public key encryption based on ideal lattices. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, 6–10 December 2009; pp. 617–635. [Google Scholar]
- Lyubashevsky, V.; Peikert, C.; Regev, O. On ideal lattices and learning with errors over rings. In Proceedings of the Advances in Cryptology—EUROCRYPT, French Riviera, French, 30 May–3 June 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 1–23. [Google Scholar]
- Langlois, A.; Stehlé, D. Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr.
**2015**, 75, 565–599. [Google Scholar] [CrossRef] - Bruna, J.; Regev, O.; Song, M.J.; Tang, Y. Continuous LWE. arXiv
**2020**, arXiv:2005.09595. [Google Scholar] - Dobraunig, C.; Eichlseder, M.; Mendel, F.; Schläffer, M. ASCON v1.2: Lightweight Authenticated Encryption and Hashing. J. Cryptol.
**2021**, 34, 33. [Google Scholar] [CrossRef] - Bernstein, D.J. The CAESAR Committee Secretary. Caesar: Competition for Authenticated Encryption: Security, Applicability, and Robustness. 2014. Available online: https://competitions.cr.yp.to/caesar.html (accessed on 30 June 2023).
- Kocher, P. Timing attacks on implementations of Diffie-Hellmann, RSA, DSS, and other systems. In Proceedings of the CRYPTO’96, Santa Barbara, CA, USA, 18–22 August 1996; Volume 1109, pp. 104–113. [Google Scholar]
- Kocher, P.C.; Jaffe, J.; Jun, B.; Rohatgi, P. Introduction to differential power analysis. J. Cryptogr. Eng.
**2011**, 1, 5–27. [Google Scholar] [CrossRef] [Green Version] - van Eck, W. Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk. Comput. Secur.
**1985**, 4, 269–286. [Google Scholar] [CrossRef] [Green Version] - Biham, E.; Shamir, A. Differential fault analysis of secret key cryptosystems. In Advances in Cryptology—CRYPTO’97, Proceedings of the CRYPTO, Santa Barbara, CA, USA, 17–21 August 1997; Lecture Notes in Computer Science; Kaliski, B.S., Ed.; Springer: Berlin/Heidelberg, Germany, 1997; Volume 1294. [Google Scholar]
- Genkin, D.; Shamir, A.; Tromer, E. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Cryptology ePrint Archive, Paper 2013/857. 2013. Available online: https://eprint.iacr.org/2013/857 (accessed on 30 June 2023).
- Russell, S.; Norvig, P. Artificial Intelligence: A Modern Approach, 4th ed.; Prentice Hall: Hoboken, NJ, USA, 2020. [Google Scholar]
- Zheng, B.; Verma, S.; Zhou, J.; Tsang, I.W.; Chen, F. Imitation Learning: Progress, Taxonomies and Challenges. IEEE Trans. Neural Netw. Learn. Syst.
**2021**, 1–16. [Google Scholar] [CrossRef] [PubMed] - Mukhamediev, R.I.; Popova, Y. Review of Artificial Intelligence and Machine Learning Technologies: Classification, Restrictions, Opportunities and Challenges. Mathematics
**2022**, 10, 2552. [Google Scholar] [CrossRef] - Li, J.; Cheng, J.; Shi, J.; Huang, F. Brief Introduction of Back Propagation (BP) Neural Network Algorithm and Its Improvement. In Advances in Computer Science and Information Engineering; Advances in Intelligent and Soft Computing; Jin, D., Lin, S., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 169. [Google Scholar]
- Cybenko, G. Approximation by Superpositions of Sigmoidal Function. Math. Control. Signals Syst.
**1989**, 2, 303–314. [Google Scholar] [CrossRef] - CS231n: Deep Learning for Computer Vision, Convolutional Neural Networks for Visual Cognition. Available online: https://cs231n.github.io/neural-networks-1 (accessed on 30 June 2023).
- Goldman, S. Foundation Models: 2022’s AI Paradigm Shift. VentureBeat. Available online: https://venturebeat.com/ai/foundation-models-2022s-ai-paradigm-shift/ (accessed on 30 June 2023).
- Wolpert, D.; Macready, W. No free lunch theorems for optimization. IEEE Trans. Evol. Comput.
**1997**, 1, 67–82. [Google Scholar] [CrossRef] [Green Version] - Fernández-Delgado, M.; Cernadas, E.; Barro, S.; Amorim, D. Do we need hundreds of classifiers to solve real world classification problems? J. Mach. Learn. Res.
**2014**, 15, 3133–3181. [Google Scholar] - Goodfellow, I.; Pouget-Abadie, J.; Mirza, M.; Xu, B.; Warde-Farley, D.; Ozair, S.; Courville, A.; Bengio, Y. Generative adversarial nets. Adv. Neural Inf. Process. Syst.
**2014**, 27, 2672–2680. [Google Scholar] - Vaswani, A.; Shazeer, N.M.; Parmar, N.; Uszkoreit, J.; Jones, L.; Gomez, A.N.; Kaiser, L.; Polosukhin, I. Attention is all you need. In Proceedings of the Advances in Neural Information Processing Systems 30 (NIPS 2017), Long Beach, CA, USA, 4–9 December 2017; Volume 30, pp. 5998–6008. [Google Scholar]
- The LLM Index. Available online: https://sapling.ai/llm/index (accessed on 30 June 2023).
- Rukhin, A.; Soto, J.; Nechvatal, J.; Smid, M.; Barker, E.; Leigh, S.; Levenson, M.; Vangel, M.; Banks, D.; Heckert, A.; et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. NIST Special Publication 800-22 (May 2001). Available online: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf (accessed on 30 June 2023).
- Lee, J.; Kang, H.; Lee, Y.; Choi, W.I.; Eom, J.; Deryabin, M.A.; Lee, E.; Lee, J.; Yoo, D.; Kim, Y.; et al. Privacy-Preserving Machine Learning With Fully Homomorphic Encryption for Deep Neural Network. IEEE Access
**2021**, 10, 30039–30054. [Google Scholar] [CrossRef] - Levina, A.; Bolozovskii, R. Application of Neural Networks to Power Analysis. Eng. Proc.
**2023**, 33, 27. [Google Scholar] [CrossRef] - Karras, D.A.; Zorkadis, V. Improving pseudo random bit sequence generation and evaluation for secure internet communication using neural network techniques. In Proceedings of the International Joint Conference on Neural Networks (IJCNN 2003), Portland, OR, USA, 20–24 July 2003; Volume 2, pp. 1367–1372. [Google Scholar]
- Hu, X.; Zhao, Y. Research on Plaintext Restoration of AES Based on Neural Network. Secur. Commun. Netw.
**2018**, 2018, 6868506. [Google Scholar] [CrossRef] - Xiao, Y.; Hao, Q.; Yao, D.D. Neural Cryptanalysis: Metrics, Methodology, and Applications in CPS Ciphers. In Proceedings of the IEEE Conference on Dependable and Secure Computing (DSC), Hangzhou, China, 23 December 2019; pp. 1–8. [Google Scholar]
- Sun, L.; Gérault, D.; Benamira, A.; Peyrin, T. NeuroGIFT: Using a Machine Learning Based Sat Solver for Cryptanalysis. In Proceedings of the International Conference on Cyber Security Cryptography and Machine Learning 2020, Beer Sheva, Israel, 2–3 July 2020; Springer International Publishing: Cham, Switzerland, 2020; pp. 62–84. [Google Scholar]
- Albassal, A.; Wahdan, A. Neural network based cryptanalysis of a feistel type block cipher. In Proceedings of the International Conference on Electrical, Electronic and Computer Engineering (ICEEC’04), Cairo, Egypt, 5–7 September 2004; pp. 231–237. [Google Scholar]
- Alani, M.M. Neuro-Cryptanalysis of DES and Triple-DES. In Proceedings of the International Conference on Neural Information Processing, Doha, Qatar, 12–15 November 2012; Springer: Cham, Switzerland, 2012; pp. 637–646. [Google Scholar]
- Yee, L.P.; de Silva, L. Application of MultiLayer Perceptron Network as a one-way hash function. In Proceedings of the 2002 International Joint Conference on Neural Networks (IJCNN’02 (Cat. No.02CH37290)), Honolulu, HI, USA, 12–17 May 2002; Volume 2, pp. 1459–1462. [Google Scholar]
- Arvandi, M.; Wu, S.; Sadeghian, A. On the use of recurrent neural networks to design symmetric ciphers. IEEE Comput. Intell. Mag.
**2008**, 3, 42–53. [Google Scholar] [CrossRef] - Maghrebi, H.; Portigliatti, T.; Prouff, E. Breaking Cryptographic Implementations Using Deep Learning Techniques. IACR Cryptology ePrint Archive, Paper 2016/921. Available online: https://eprint.iacr.org/2016/921 (accessed on 30 June 2023).
- Hou, B.; Li, Y.; Zhao, H.; Wu, B. Linear Attack on Round-Reduced DES Using Deep Learning. In Proceedings of the European Symposium on Research in Computer Security, Guildford, UK, 14–18 September 2020. [Google Scholar]
- Gomez, A.N.; Huang, S.; Zhang, I.; Li, B.M.; Osama, M.; Kaiser, L. Unsupervised Cipher Cracking Using Discrete GANs. arXiv
**2018**, arXiv:1801.04883. [Google Scholar] - Gohr, A. Improving Attacks on Round-Reduced Speck32/64 Using Deep Learning. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 2019. [Google Scholar]
- Perusheska, M.G.; Trpceska, H.M.; Dimitrova, V. Deep Learning-Based Cryptanalysis of Different AES Modes of Operation. In Advances in Information and Communication, Proceedings of the FICC 2022, San Francisco, USA, 3–4 March 2022; Lecture Notes in Networks and Systems; Arai, K., Ed.; Springer: Cham, Switzerland, 2022; Volume 439. [Google Scholar]
- Carbone, M.; Conin, V.; Cornélie, M.-A.; Dassance, F.; Dufresne, G.; Dumas, C.; Prouff, E.; Venelli, A. Deep Learning to Evaluate Secure RSA Implementations. IACR Trans. Cryptogr. Hardw. Embed. Syst.
**2019**, 132–161. [Google Scholar] [CrossRef] - National Institute of Standards and Technology. Federal Information Processing Standards Publication 197: Announcing the Advanced Encryption Standard (AES). Available online: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf (accessed on 30 June 2023).
- Daemen, J.; Rijmen, V. The Design of Rijndael: AES—The Advanced Encryption Standard; Information Security and Cryptography; Springer: Berlin/Heidelberg, Germany, 2002. [Google Scholar]
- NBS FIPS PUB 46; Data Encryption Standard. National Bureau of Standards: Gaithersburg, MD, USA; U.S. Department of Commerce: Washington, DC, USA, 1977.
- Grover, L.K. A fast quantum mechanical algorithm for database search. arXiv
**1996**, arXiv:quant-ph/9605043v3. [Google Scholar] - Matsui, M. Linear Cryptanalysis Method for DES Cipher. In Advances in Cryptology—EUROCRYPT’93, Proceedings of the EUROCRYPT, Lofthus, Norway, 23–27 May 1993; Lecture Notes in Computer Science; Helleseth, T., Ed.; Springer: Berlin/Heidelberg, Germany, 1993; Volume 765, pp. 386–397. [Google Scholar]
- Biham, E.; Shamir, A. Differential cryptanalysis of DES-like cryptosystems. J. Cryptol.
**1991**, 4, 3–72. [Google Scholar] [CrossRef] - Koeune, F.; Standaert, F.X. A Tutorial on Physical Security and Side-Channel Attacks. In Foundations of Security Analysis and Design III; FOSAD 2005, FOSAD 2004; Lecture Notes in Computer Science; Aldini, A., Gorrieri, R., Martinelli, F., Eds.; Springer: Berlin/Heidelberg, Garmany, 2005; Volume 3655. [Google Scholar] [CrossRef]
- Piret, G.; Quisquater, J.J. A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. In Cryptographic Hardware and Embedded Systems—CHES 2003; Lecture Notes in Computer Science; Walter, C.D., Koç, Ç.K., Paar, C., Eds.; Springer: Berlin/Heidelberg, Garmany, 2003; Volume 2779, pp. 77–88. [Google Scholar] [CrossRef] [Green Version]
- Knudsen, L.R. Truncated and higher order differentials. In Fast Software Encryption; FSE 1994; Lecture Notes in Computer Science; Preneel, B., Ed.; Springer: Berlin/Heidelberg, Germany, 1995; Volume 1008, pp. 196–211. [Google Scholar] [CrossRef] [Green Version]
- Wagner, D. The boomerang attack. In Fast Software Encryption; FSE 1999; Lecture Notes in Computer Science; Knudsen, L., Ed.; Springer: Berlin/Heidelberg, Germany, 1999; Volume 1636, pp. 156–170. [Google Scholar] [CrossRef] [Green Version]
- Cid, C.; Huang, T.; Peyrin, T.; Sasaki, Y.; Song, L. Boomerang connectivity table: A New cryptanalysis tool. In Advances in Cryptology—EUROCRYPT 2018; Lecture Notes in Computer Science; Nielsen, J., Rijmen, V., Eds.; Springer: Cham, Switzerlands, 2018; Volume 10821, pp. 683–714. [Google Scholar] [CrossRef]
- Courtois, N.T.; Meier, W. Algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology—EUROCRYPT 2003; Lecture Notes in Computer Science; Biham, E., Ed.; Springe: Berlin/Heidelberg, Germany, 2003; Volume 2656, pp. 345–359. [Google Scholar] [CrossRef] [Green Version]
- Meier, W.; Pasalic, E.; Carlet, C. Algebraic Attacks and Decomposition of Boolean Functions. In Advances in Cryptology—EUROCRYPT 2004; Lecture Notes in Computer Science; Cachin, C., Camenisch, J.L., Eds.; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3027, pp. 474–491. [Google Scholar] [CrossRef] [Green Version]
- Carlet, C. Boolean Functions for Cryptography and Coding Theory; Cambridge University Press: Cambridge, UK, 2021. [Google Scholar]
- Braeken, A. Cryptographic Properties of Boolean Functions and S-Boxes. Ph.D. Thesis, Katholieke Universiteit Leuven, Leuven, Belgium, March 2006. [Google Scholar]
- Webster, A.F.; Tavares, S.E. On the design of S-boxes. In Advances in Cryptology—CRYPTO’85; Lecture Notes in Computer Science; Williams, H.C., Ed.; Springer: Berlin/Heidelberg, Germany, 1986; Volume 218, pp. 523–534. [Google Scholar] [CrossRef] [Green Version]
- Biham, E.; Biryukov, A.; Shamir, A. Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. In Advances in Cryptology—EUROCRYPT ’99, Proceedings of the EUROCRYPT, Prague, Czech Republic, 2–6 May 1999; Lecture Notes in Computer Science; Stern, J., Ed.; Springer: Berlin/Heidelberg, Germany, 1999; Volume 1592. [Google Scholar]
- Lim, J.; Ng, D.; Ng, R. SoK: Security Evaluation of SBox-Based Block Ciphers. Cryptology ePrint Archive, Paper 2022/1098. 2022. Available online: https://eprint.iacr.org/2022/1098 (accessed on 3 July 2023).
- Lenstra, A.K.; Lenstra, H.W., Jr. (Eds.) The Development of the Number Field Sieve; Lecture Notes in Mathematics; Springer: Berlin/Heidelberg, Germany, 1993; Volume 1554. [Google Scholar]
- Pollard, J.M. A Monte Carlo method for factorization. BIT Numer. Math.
**1975**, 15, 331–334. [Google Scholar] [CrossRef] - Lenstra, H.W., Jr. Factoring integers with elliptic curves. Ann. Math.
**1987**, 126, 649–673. [Google Scholar] [CrossRef] [Green Version] - Pomerance, C. Analysis and Comparison of Some Integer Factoring Algorithms. In Computational Methods in Number Theory, Part I; Mathematical Centre Tracts; Lenstra, H.W., Jr., Tijdeman, R., Eds.; Mathematisch Centrum: Amsterdam, The Netherlands, 1982; Volume 154, pp. 89–139. [Google Scholar]
- Boudot, F.; Gaudry, P.; Guillevic, A.; Heninger, N.; Thomé, E.; Zimmermann, P. Comparing the Difficulty of Factorization and Discrete Logarithm: A 240-Digit Experiment. Cryptology ePrint Archive, Paper 2020/697. 2020. Available online: https://eprint.iacr.org/2020/697 (accessed on 6 July 2023).
- Coppersmith, D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol.
**1997**, 10, 233–260. [Google Scholar] [CrossRef] [Green Version] - May, A. Using LLL-Reduction for Solving RSA and Factorization Problems. In The LLL Algorithm; Information Security and Cryptography; Nguyen, P., Vallée, B., Eds.; Springer: Berlin/Heidelberg, Germany, 2009; pp. 315–348. [Google Scholar]
- Wiener, M. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory
**1990**, 36, 553–558. [Google Scholar] [CrossRef] [Green Version] - Boneh, D.; Durfee, G. Cryptanalysis of RSA with private key d less than N
^{0.292}. In Proceedings of the Advances in Cryptology—Eurocrypt’99, Prague, Czech Republic, 2–6 May 1999; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 1999; Volume 1592, pp. 1–11. [Google Scholar] - Clavier, C.; Joye, M. Universal Exponentiation Algorithm A First Step towards Provable SPA-Resistance. In Cryptographic Hardware and Embedded Systems—CHES 2001, Proceedings of the CHES, Paris, France, 14–16 May 2001; Lecture Notes in Computer Science; Koç, Ç.K., Naccache, D., Paar, C., Eds.; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2162. [Google Scholar]
- Chevallier-Mames, B.; Ciet, M.; Joye, M. Low-cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity. IEEE Trans. Comput.
**2004**, 53, 760–768. [Google Scholar] [CrossRef] - Giraud, C. An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis. IEEE Trans. Comput.
**2006**, 55, 1116–1120. [Google Scholar] [CrossRef] - Moreno, C.; Hasan, M.A. SPA-Resistant Binary Exponentiation with Optimal Execution Time. J. Cryptogr. Eng.
**2011**, 1, 87–99. [Google Scholar] [CrossRef] [Green Version] - Clavier, C.; Feix, B.; Gagnerot, G.; Roussellet, M.; Verneuil, V. Square Always Exponentiation. In Progress in Cryptology—INDOCRYPT 2011, Proceedings of the INDOCRYPT, Chennai, India, 11–14 December 2011; Lecture Notes in Computer Science; Bernstein, D.J., Chatterjee, S., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; Volume 7107. [Google Scholar]
- Bauer, A.; Jaulmes, E.; Lomné, V.; Prouff, E.; Roche, T. Side-Channel Attack against RSA Key Generation Algorithms. In Cryptographic Hardware and Embedded Systems—CHES 2014, Proceedings of the CHES, Busan, Republic of Korea, 23–26 September 2014; Lecture Notes in Computer Science; Batina, L., Robshaw, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8731. [Google Scholar]
- Boneh, D.; DeMillo, R.A.; Lipton, R.J. On the Importance of Checking Cryptographic Protocols for Faults. In Advances in Cryptology—EUROCRYPT’97, Proceedings of EUROCRYPT, Konstanz, Germany, 11–15 May 1997; Lecture Notes in Computer Science; Fumy, W., Ed.; Springer: Berlin/Heidelberg, Germany, 1997; Volume 1233. [Google Scholar]
- Vigilant, D. RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES, Washington, DC, USA, 10–13 August 2008; Lecture Notes in Computer Science. Oswald, E., Rohatgi, P., Eds.; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5154, pp. 130–145. [Google Scholar]
- Boscher, A.; Naciri, R.; Prouff, E. CRT RSA Algorithm Protected Against Fault Attacks. In Information Security Theory and Practices. Smart Cards, Mobile and Ubiquitous Computing Systems, Proceedings of the WISTP, Heraklion, Crete, Greece, 9–11 May 2007; Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.J., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2007; Volume 4462. [Google Scholar]
- BSI—Technical Guideline, Cryptographic Mechanisms: Recommendations and Key Lengths, BSI TR-02102-1. 9 January 2023. Available online: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile (accessed on 7 July 2023).
- Jansen, B.; Nakayama, K. Neural networks following a binary approach applied to the integer prime-factorization problem. In Proceedings of the 2005 IEEE International Joint Conference on Neural Networks, Montreal, QC, Canada, 31 July–4 August 2005; Volume 4, pp. 2577–2582. [Google Scholar]
- Murat, B.; Kadyrov, S.; Tabarek, R. Integer Prime Factorization with Deep Learning. Adv. Interdiscip. Sci.
**2021**, 2, 1–5. [Google Scholar] - de Weger, B. Cryptanalysis of RSA with small prime difference. Appl. Algebra Eng. Commun. Comput.
**2002**, 13, 17–28. [Google Scholar] [CrossRef] [Green Version] - Lemke Oliver, R.J.; Soundararajan, K. Unexpected biases in the distribution of consecutive primes. Proc. Natl. Acad. Sci. USA
**2016**, 113, E4446–E4454. [Google Scholar] [CrossRef] - Bernstein, D.J. How to Find the Smooth Parts of Integers. Available online: http://cr.yp.to/factorization/smoothparts-20040510.pdf (accessed on 1 July 2023).
- Nemec, M.; Sýs, M.; Svenda, P.; Klinec, D.; Matyás, V. The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017. [Google Scholar]
- May, A.; Ritzenhofen, M. Implicit Factoring: On Polynomial Time Factoring Given Only an Implicit Hint. In Public Key Cryptography—PKC 2009, Proceedings of the PKC, Irvine, CA, USA, 18–20 March 2009; Lecture Notes in Computer Science; Jarecki, S., Tsudik, G., Eds.; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5443. [Google Scholar]
- Faugère, J.-C.; Marinier, R.; Renault, G. Implicit factoring with shared most significant and middle bits. In Proceedings of the PKC, Paris, France, 26–28 May 2010; LNCS. Nguyen, P.Q., Pointcheval, D., Eds.; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6056, pp. 70–87. [Google Scholar]
- Blömer, J.; May, A. A generalized Wiener attack on RSA. In Proceedings of the Public Key Cryptography—PKC, Singapore, 1–4 March 2004; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2004; Volume 2947, pp. 1–13. [Google Scholar]
- Nitaj, A. Another Generalization of Wiener’s Attack on RSA. In Progress in Cryptology—AFRICACRYPT 2008, Proceedings of the AFRICACRYPT, Casablanca, Morocco, 11–14 June 2008; Lecture Notes in Computer Science; Vaudenay, S., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5023. [Google Scholar]
- Ernst, M.; Jochemsz, E.; May, A.; de Weger, B. Partial Key Exposure Attacks on RSA up to Full Size Exponents. In Advances in Cryptology—EUROCRYPT 2005, Proceedings of the EUROCRYPT, Aarhus, Denmark, 22–26 May 2005; Lecture Notes in Computer Science; Cramer, R., Ed.; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3494. [Google Scholar]
- Blömer, J.; May, A. New Partial Key Exposure Attacks on RSA. In Advances in Cryptology—CRYPTO 2003, Proceedings of the CRYPTO, Santa Barbara, CA, USA, 17–21 August 2003; Lecture Notes in Computer Science; Boneh, D., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2729. [Google Scholar]
- Takayasu, A.; Kunihiro, N. Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound. In Selected Areas in Cryptography—SAC 2014; Lecture Notes in Computer Science; Joux, A., Youssef, A., Eds.; Springer: Cham, Switzerland, 2014; Volume 8781, pp. 345–362. [Google Scholar] [CrossRef] [Green Version]
- Peikert, C. Public-key cryptosystems from the worst-case shortest vector problem. In Proceedings of the STOC 2009, Washington, DC, USA, 31 May 2009; pp. 333–342. [Google Scholar]
- Brakerski, Z.; Langlois, A.; Peikert, C.; Regev, O.; Stehlé, D. Classical Hardness of Learning with Errors. arXiv
**2013**, arXiv:1306.0281. [Google Scholar] - Phillips, P.; Hahn, C.; Fontana, P.; Yates, A.; Greene, K.; Broniatowski, D.; Przybocki, M. Four Principles of Explainable Artificial Intelligence. 29 September 2021. Available online: https://doi:10.6028/nist.ir.8312 (accessed on 30 June 2023).

**Figure 2.**A multi-layer perceptron forming a 4-layer neural net with 3 input units, 5 units in the first hidden layer, 4 units in the second hidden layer, and 2 output units.

**Figure 3.**Learning the nonlinear line that separates the green dots from the red dots using 2 hidden layers with 20 neurons each. Figure generated using [34].

B_{0} | B_{1} | B_{2} | B_{3} | , | K_{0} | K_{1} | K_{2} | K_{3} | . |

B_{4} | B_{5} | B_{6} | B_{7} | K_{4} | K_{5} | K_{6} | K_{7} | ||

B_{8} | B_{9} | B_{10} | B_{11} | K_{8} | K_{9} | K_{10} | K_{11} | ||

B_{12} | B_{13} | B_{14} | B_{15} | K_{12} | K_{13} | K_{14} | K_{15} |

S_{0} | S_{1} | S_{2} | S_{3} | ⊕ | K_{0} | K_{1} | K_{2} | K_{3} | = | ${S}_{0}^{\prime}$ | ${S}_{1}^{\prime}$ | ${S}_{2}^{\prime}$ | ${S}_{3}^{\prime}$ | . |

S_{4} | S_{5} | S_{6} | S_{7} | K_{4} | K_{5} | K_{6} | K_{7} | ${S}_{4}^{\prime}$ | ${S}_{5}^{\prime}$ | ${S}_{6}^{\prime}$ | ${S}_{7}^{\prime}$ | |||

S_{8} | S_{9} | S_{10} | S_{11} | K_{8} | K_{9} | K_{10} | K_{11} | ${S}_{8}^{\prime}$ | ${S}_{9}^{\prime}$ | ${S}_{10}^{\prime}$ | ${S}_{11}^{\prime}$ | |||

S_{12} | S_{13} | S_{14} | S_{15} | K_{12} | K_{13} | K_{14} | K_{15} | ${S}_{12}^{\prime}$ | ${S}_{13}^{\prime}$ | ${S}_{14}^{\prime}$ | ${S}_{15}^{\prime}$ |

Transformation T on | S_{0} | S_{1} | S_{2} | S_{3} | = | ${S}_{0}^{\prime}$ | ${S}_{1}^{\prime}$ | ${S}_{2}^{\prime}$ | ${S}_{3}^{\prime}$ | . |

S_{4} | S_{5} | S_{6} | S_{7} | ${S}_{4}^{\prime}$ | ${S}_{5}^{\prime}$ | ${S}_{6}^{\prime}$ | ${S}_{7}^{\prime}$ | |||

S_{8} | S_{9} | S_{10} | S_{11} | ${S}_{8}^{\prime}$ | ${S}_{9}^{\prime}$ | ${S}_{10}^{\prime}$ | ${S}_{11}^{\prime}$ | |||

S_{12} | S_{13} | S_{14} | S_{15} | ${S}_{12}^{\prime}$ | ${S}_{13}^{\prime}$ | ${S}_{14}^{\prime}$ | ${S}_{15}^{\prime}$ |

S_{0} | S_{1} | S_{2} | S_{3} | → | S_{0} | S_{1} | S_{2} | S_{3} | . |

S_{4} | S_{5} | S_{6} | S_{7} | S_{5} | S_{6} | S_{7} | S_{4} | ||

S_{8} | S_{9} | S_{10} | S_{11} | S_{10} | S_{11} | S_{8} | S_{9} | ||

S_{12} | S_{13} | S_{14} | S_{15} | S_{15} | S_{12} | S_{13} | S_{14} |

02 | 03 | 01 | 01 | × | S_{0} | S_{1} | S_{2} | S_{3} | = | ${S}_{0}^{\prime}$ | ${S}_{1}^{\prime}$ | ${S}_{2}^{\prime}$ | ${S}_{3}^{\prime}$ | . |

01 | 02 | 03 | 01 | S_{4} | S_{5} | S_{6} | S_{7} | ${S}_{4}^{\prime}$ | ${S}_{5}^{\prime}$ | ${S}_{6}^{\prime}$ | ${S}_{7}^{\prime}$ | |||

01 | 01 | 02 | 03 | S_{8} | S_{9} | S_{10} | S_{11} | ${S}_{8}^{\prime}$ | ${S}_{9}^{\prime}$ | ${S}_{10}^{\prime}$ | ${S}_{11}^{\prime}$ | |||

03 | 01 | 01 | 02 | S_{12} | S_{13} | S_{14} | S_{15} | ${S}_{12}^{\prime}$ | ${S}_{13}^{\prime}$ | ${S}_{14}^{\prime}$ | ${S}_{15}^{\prime}$ |

S_{0} | S_{1} | S_{2} | S_{3} | → | S_{0} | S_{1} | S_{2} | S_{3} | . |

S_{4} | S_{5} | S_{6} | S_{7} | S_{7} | S_{4} | S_{5} | S_{6} | ||

S_{8} | S_{9} | S_{10} | S_{11} | S_{10} | S_{11} | S_{8} | S_{9} | ||

S_{12} | S_{13} | S_{14} | S_{15} | S_{13} | S_{14} | S_{15} | S_{12} |

0e | 0b | 0d | 09 | × | S_{0} | S_{1} | S_{2} | S_{3} | = | ${S}_{0}^{\prime}$ | ${S}_{1}^{\prime}$ | ${S}_{2}^{\prime}$ | ${S}_{3}^{\prime}$ | . |

09 | 0e | 0b | 0d | S_{4} | S_{5} | S_{6} | S_{7} | ${S}_{4}^{\prime}$ | ${S}_{5}^{\prime}$ | ${S}_{6}^{\prime}$ | ${S}_{7}^{\prime}$ | |||

0d | 09 | 0e | 0b | S_{8} | S_{9} | S_{10} | S_{11} | ${S}_{8}^{\prime}$ | ${S}_{9}^{\prime}$ | ${S}_{10}^{\prime}$ | ${S}_{11}^{\prime}$ | |||

0b | 0d | 09 | 0e | S_{12} | S_{13} | S_{14} | S_{15} | ${S}_{12}^{\prime}$ | ${S}_{13}^{\prime}$ | ${S}_{14}^{\prime}$ | ${S}_{15}^{\prime}$ |

Value | 0 | ${\left(\frac{1}{64}\right)}^{2}$ | ${\left(\frac{2}{64}\right)}^{2}$ | ${\left(\frac{3}{64}\right)}^{2}$ | ${\left(\frac{4}{64}\right)}^{2}$ | ${\left(\frac{5}{64}\right)}^{2}$ | ${\left(\frac{6}{64}\right)}^{2}$ | ${\left(\frac{7}{64}\right)}^{2}$ | ${\left(\frac{8}{64}\right)}^{2}$ |
---|---|---|---|---|---|---|---|---|---|

Frequency | 17 | 48 | 36 | 40 | 34 | 24 | 36 | 16 | 5 |

Value | 0 | $\frac{2}{256}$ | $\frac{4}{256}$ | 1 |
---|---|---|---|---|

Frequency | 33,150 | 32,130 | 255 | 1 |

Algorithm | Key | Nonce | Tag | Data | a | b | Rate r |
---|---|---|---|---|---|---|---|

Ascon-128 | 128 | 128 | 128 | 64 | 12 | 6 | 64 |

Ascon-128a | 128 | 128 | 128 | 128 | 12 | 8 | 128 |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Nitaj, A.; Rachidi, T.
Applications of Neural Network-Based AI in Cryptography. *Cryptography* **2023**, *7*, 39.
https://doi.org/10.3390/cryptography7030039

**AMA Style**

Nitaj A, Rachidi T.
Applications of Neural Network-Based AI in Cryptography. *Cryptography*. 2023; 7(3):39.
https://doi.org/10.3390/cryptography7030039

**Chicago/Turabian Style**

Nitaj, Abderrahmane, and Tajjeeddine Rachidi.
2023. "Applications of Neural Network-Based AI in Cryptography" *Cryptography* 7, no. 3: 39.
https://doi.org/10.3390/cryptography7030039