Paper 2025/288

How to Securely Implement Cryptography in Deep Neural Networks

David Gerault, Technology Innovation Institute
Anna Hambitzer, Technology Innovation Institute
Eyal Ronen, Tel Aviv University
Adi Shamir, Weizmann Institute of Science
Abstract

The wide adoption of deep neural networks (DNNs) raises the question of how we can equip them with a desired cryptographic functionality (e.g., to decrypt an encrypted input, to verify that this input is authorized, or to hide a secure watermark in the output). The problem is that cryptographic primitives are typically designed to run on digital computers that use Boolean gates to map sequences of bits to sequences of bits, whereas DNNs are a special type of analog computer that uses linear mappings and ReLUs to map vectors of real numbers to vectors of real numbers. This discrepancy between the discrete and continuous computational models raises the question of what is the best way to implement standard cryptographic primitives as DNNs, and whether DNN implementations of secure cryptosystems remain secure in the new setting, in which an attacker can ask the DNN to process a message whose "bits" are arbitrary real numbers. In this paper we lay the foundations of this new theory, defining the meaning of correctness and security for implementations of cryptographic primitives as ReLU-based DNNs. We then show that the natural implementations of block ciphers as DNNs can be broken in linear time by using such nonstandard inputs. We tested our attack in the case of full-round AES-128, and had success rate in finding randomly chosen keys. Finally, we develop a new method for implementing any desired cryptographic functionality as a standard ReLU-based DNN in a provably secure and correct way. Our protective technique has very low overhead (a constant number of additional layers and a linear number of additional neurons), and is completely practical.
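The gap between correctness on bits and behaviour on real-valued inputs can be checked directly. The following is an added example, not code from the paper: the ReLU gadgets for XOR, AND and OR are assumed textbook constructions (not necessarily the ones the authors use), and the 1-bit full adder is a stand-in Boolean circuit chosen for illustration.

```python
from itertools import product

def relu(x):
    return x if x > 0.0 else 0.0

# Assumed textbook ReLU gadgets: exact on {0,1}, piecewise linear elsewhere.
def xor_gate(a, b):
    s = a + b
    return relu(s) - 2.0 * relu(s - 1.0)

def and_gate(a, b):
    return relu(a + b - 1.0)

def or_gate(a, b):
    s = a + b
    return relu(s) - relu(s - 1.0)

def full_adder(a, b, c):
    """Stand-in Boolean circuit built only from the gadgets above."""
    t = xor_gate(a, b)
    return xor_gate(t, c), or_gate(and_gate(a, b), and_gate(t, c))

def correct_on_bits():
    """Correctness in the digital model: match integer addition on all 8 inputs."""
    for a, b, c in product((0, 1), repeat=3):
        total = a + b + c
        expected = (float(total & 1), float(total >> 1))
        if full_adder(float(a), float(b), float(c)) != expected:
            return False
    return True

def non_boolean_outputs(lo=-0.5, hi=1.5, step=0.25):
    """Audit the extended domain: list real-valued inputs whose output is not a bit."""
    n = int(round((hi - lo) / step)) + 1
    grid = [lo + i * step for i in range(n)]  # multiples of 0.25 are exact floats
    found = []
    for x in product(grid, repeat=3):
        out = full_adder(*x)
        if any(v not in (0.0, 1.0) for v in out):
            found.append((x, out))
    return found

if __name__ == "__main__":
    print("correct on all Boolean inputs:", correct_on_bits())
    found = non_boolean_outputs()
    print("real-valued inputs with non-Boolean output:", len(found), "of", 9 ** 3)
    print("xor_gate(0.25, 1.0) =", xor_gate(0.25, 1.0))
```

A circuit that passes `correct_on_bits()` can still return intermediate values on inputs outside {0,1}, which is why the abstract treats correctness and security as separate properties of a DNN implementation.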

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Deep learning, DNN, cryptography, cryptanalysis, domain extension, secure implementation
Contact author(s)
david gerault @ tii ae
anna hambitzer @ tii ae
eyalronen @ tauex tau ac il
adi shamir @ weizmann ac il
History
2025-02-20: approved
2025-02-19: received
Short URL
https://ia.cr/2025/288
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/288,
      author = {David Gerault and Anna Hambitzer and Eyal Ronen and Adi Shamir},
      title = {How to Securely Implement Cryptography in Deep Neural Networks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/288},
      year = {2025},
      url = {https://eprint.iacr.org/2025/288}
}