How to Securely Implement Cryptography in Deep Neural Networks

Photo: Israeli cryptographer Adi Shamir at the Royal Society admissions day in London, July 2018. Credit: Duncan.Hull, own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=76270992
Tuesday, April 22, 2025 - 4:15pm to 5:15pm
Refreshments: 4:00 PM
Location: 32-G449 (Kiva/Patil)
Speaker: Adi Shamir, Weizmann Institute of Science
Biography: https://en.wikipedia.org/wiki/Adi_Shamir

The wide adoption of deep neural networks (DNNs) raises the question of how we can equip them with a desired cryptographic functionality (e.g., to decrypt an encrypted input, to verify that this input is authorized, or to hide a secure watermark in the output). The problem is that cryptographic primitives are typically designed to run on digital computers that use Boolean gates to map sequences of bits to sequences of bits, whereas DNNs are a special type of analog computer that uses linear mappings and ReLUs to map vectors of real numbers to vectors of real numbers. In the past, this discrepancy between the discrete and continuous computational models has led to many interesting side-channel attacks.

In this talk I will describe a new theory of security when digital cryptographic primitives are implemented as ReLU-based DNNs. I will first demonstrate the existence of a provable exponential gap between the complexities of solving a simple search problem in the two computational models. I will then show that the natural implementations of block ciphers as DNNs can be broken in linear time by using nonstandard inputs whose “bits” are real numbers. Finally, I will develop a new and completely practical method for implementing any desired cryptographic functionality as a standard ReLU-based DNN in a provably secure and correct way.