[AIP Distinguished Lecture] Talk by Prof. Adi Shamir (Weizmann Institute of Science) on "Deep Neural Cryptography"
This talk will be held in a hybrid format, both in person at AIP Open Space of RIKEN AIP (Nihonbashi office) and online by Zoom. AIP Open Space: *only available to AIP researchers.
DATE & TIME
January 16, 2026: 10:30 am - 11:30 am (JST)
TITLE
Deep Neural Cryptography
SPEAKER
Prof. Adi Shamir (Weizmann Institute of Science)
ABSTRACT
The wide adoption of deep neural networks (DNNs) raises the question of how can we equip them with a desired cryptographic functionality (e.g, to decrypt an encrypted input, to verify that this input is authorized, or to hide a secure watermark in the output).
The problem is that cryptographic primitives are typically designed to run on digital computers that use Boolean gates to map sequences of bits to sequences of bits, whereas DNNs are a special type of analog computer that uses linear mappings and ReLUs to map vectors of real numbers to vectors of real numbers. This discrepancy between the discrete and continuous computational models raises the question of what is the best way to implement standard cryptographic primitives as DNNs, and whether DNN implementations of secure cryptosystems remain secure in the new setting, in which an attacker can ask the DNN to process a message whose ``bits'' are arbitrary real numbers. In this talk I will lay the foundations of this new theory, defining the meaning of correctness and security for implementations of cryptographic primitives as ReLU-based DNNs. I will then show that the natural implementations of block ciphers as DNNs can be broken in linear time by using such nonstandard inputs. We tested our attack in the case of full round AES-128, and had 100% success rate in finding 1000 randomly chosen keys. Finally, I will describe a new method for implementing any desired cryptographic functionality as a standard ReLU-based DNN in a provably secure and correct way. The new protective technique has very low overhead (a constant number of additional layers and a linear number of additional neurons), and is completely practical.
Joint work with David Gerault, Anna Hambitzer and Eyal Ronen.
