Applications of Neural Network-Based AI in Cryptography

Abstract

Artificial intelligence (AI) is a modern technology that allows plenty of advantages in daily life, such as predicting weather, finding directions, classifying images and videos, even automatically generating code, text, and videos. Other essential technologies such as blockchain and cybersecurity also benefit from AI. As a core component used in blockchain and cybersecurity, cryptography can benefit from AI in order to enhance the confidentiality and integrity of cyberspace. In this paper, we review the algorithms underlying four prominent cryptographic cryptosystems, namely the Advanced Encryption Standard, the Rivest–Shamir–Adleman, Learning with Errors, and the Ascon family of cryptographic algorithms for authenticated encryption. Where possible, we pinpoint areas where AI can be used to help improve their security.

1. Introduction

In 1991, Rivest [1] presented a talk about relationships between machine learning and cryptography. Surprisingly, while artificial intelligence (AI) is being extensively developed in a number of applications, a very limited number of research studies have been done in the area of using AI in cryptography.

AI is the set of tools, methodologies, and implementations deployed to enable a digital computer or a robot to perform tasks that are usually associated with human intelligence [2,3]. In the last few decades, AI has exponentially developed in many sectors, such as big data, Internet of Things, robotics, banking, finance, healthcare, e-commerce, meteorology, education, facial recognition, information systems, autonomous driving, data security, etc. Machine learning (ML) is a subset of AI that enables smart machines and computers to learn without human intervention and gives them the ability to imitate human behavior. The goal of ML is to design algorithms that extract information from data in order to build models capable of deriving predictions and patterns. ML covers a range of methodologies and applications, such as facial recognition, natural language, online chatbots, medical imaging, diagnostics, self-driving of vehicles, etc.

On the other hand, cybersecurity is the set of various methods and tools deployed to protect electronic devices, such as information systems, servers, computers, networks, and data centers, from all kind of threats, vulnerabilities, and attacks. Often, an attack on an electronic device has severe impacts on the regular operations, or even worse, can completely destroy the stored data. Therefore, the goal of cybersecurity is to detect any attack, handle it, and recover the system after the accident. Cybersecurity includes the use of cryptography and cryptographic protocols for protecting data in transit and in storage.

The aim of this paper is to present an overview of the applications of AI and ML in cryptography with a focus on four prominent cryptosystems, namely, AES, RSA, LWE, and Ascon. For this, we start by providing an overview of AI and ML techniques before embarking on presenting the above-referenced cryptosystems and explaining how AI and ML can be applied to improve their security for the benefit of cybersecurity.

Cryptography is concerned with protecting information and communications transferred over public communication channels in the presence of adversaries. It allows only the recipient of a message to view its contents and is used in all domains where the security is a concern. To transmit a message or electronic data, two families of cryptography can be used: symmetric and asymmetric cryptography. In symmetric cryptography, also called secret key cryptography, the same key is used for both encryption and decryption. Typically, a message is encrypted using a secret key, and both the encrypted message and the secret key are sent to the recipient for decryption. In asymmetric cryptography, invented by Diffie and Hellman [4] in 1976, and mostly known as public key cryptography, two keys are involved: one is public, and one is private. In general, the two keys are related by a mathematical process with the idea that it is computationally infeasible to determine one key given the other one. To encrypt and send a message, the sender uses the public key of the recipient. To decrypt, the recipient uses his or her private key.

Cryptanalysis is the study of cryptographic schemes for vulnerabilities. Specifically, there are mainly two methods of deploying cryptanalysis: mathematical and side-channel. Mathematical cryptanalysis, or algebraic cryptanalysis, consists of breaking cryptographic schemes by scrutinizing their mathematical properties, while side-channel cryptanalysis consists of studying and manipulating the implementations in order to collect information on the keys or on the plaintext itself.

In symmetric cryptography, the security of any scheme is based on the robustness of its S-box, a nonlinear operator that is often related to a vectorial Boolean function with very good cryptographic properties, such as resistance to differential cryptanalysis; linear cryptanalysis; boomerang cryptanalysis; and a variety of other cryptographic criteria [5]. Artificial intelligence can be used to design S-boxes from vectorial Boolean functions and to study their cryptographic properties in order to select the most efficient and the most secure schemes.

In asymmetric cryptography, security is often based on a hard mathematical problem such as the integer factorization problem, the discrete logarithm problem, the Shortest Vector Problem (SVP), and the Closest Vector Problem (CVP) in a lattice.

Currently, the most widely used asymmetric cryptosystem is RSA, invented in 1978 by Rivest, Shamir, and Adleman [6]. RSA is used for encryption, signatures, and key distribution, and is a powerful tool to provide privacy and to ensure authenticity of emails, digital data, and payment systems. The mathematics behind RSA are based on the ring $\mathbb{Z}/N\mathbb{Z}$, where $N=pq$ is the product of two large prime numbers. In RSA, the public key is an integer e satisfying $gcd(e,(p-1\left)\right(q-1\left)\right)=1$, and the private key is the integer d satisfying $ed\equiv 1(mod(p-1\left)\right(q-1\left)\right)$. To encrypt a message $1<m<N$, one computes $c\equiv m^e(modN)$, and to decrypt it, one computes $m\equiv c^d(modN)$. Since its invention, RSA has been intensively analyzed for vulnerabilities [7,8,9,10].

A promising family of asymmetric cryptography has appeared with the Learning With Error (LWE) problem and its variants. LWE was proposed by Regev [11] in 2005. Several homomorphic encryption libraries, public key encryptions, and digital signature systems are based on LWE or on one of its variants [12]. In 2016, NIST initiated a process to select and standardize post-quantum cryptography standardization [13], and in 2022, it selected CRYSTALS–Kyber [14] for public-key encryption and CRYSTALS–Dilithium [15], Falcon [16], and SPHINCS+ [17] for digital signatures. Among the four selected algorithms for standardization, three are based on hard problems in lattices, namely CRYSTALS–Kyber, CRYSTALS–Dilithium, and Falcon. There are several variants of LWE, such as Polynomial-LWE [18], Ring-LWE [19], Module-LWE [20], and Continuous LWE [21]. The goal in LWE is to find a secret vector $s\in {\mathbb{Z}}_q^n$ given $m\ge n$ samples of the form $(a_i,\langle a_i,s\rangle +e_i)$, where $a_i\in {\mathbb{Z}}_q^n$ is uniformly generated, $e_i\in {\mathbb{Z}}_q^m$ is a small vector chosen according to a probability density, and $\langle a_i,s\rangle$ is the inner product of $a_i$ and s. The security of LWE is based on several hard problems in lattices, specifically the Gap Shortest Vector Problem (GapSVP) and the Shortest Independent Vectors Problem (SIVP).

The explosion of the Internet of Things (IoT), characterized by low-energy and low-computation power devices, has prompted the need for efficient and strong lightweight ciphers for protecting the privacy and authenticity of data transmitted by these devices. The U.S. government’s National Institute of Standards and Technology (NIST) recently selected the Ascon family of lightweight symmetric ciphers for authenticated encryption [22,23] to be used by IoT devices. The Ascon family ensures 128-bit security and uses a 320-bit permutation internally.

Common attacks on both symmetric and asymmetric cryptography are side-channel attacks, introduced by Kocher [24] in 1996. Side-channel attacks are used to retrieve private keys from electronic devices. There are various types of possible side-channel attacks depending on the cryptosystem and the device. This includes timing execution [24], power consumption [25], electromagnetic radiation [26], fault injection [27], and acoustic attack [28].

In symmetric and asymmetric cryptography, a plaintext M is encrypted by a nonlinear trapdoor function F together with a secret or a private key K so that $C=F(M,K)$. An algebraic attack consists of finding the plaintext M or the key K using publicly accessible $Cs$ and, eventually, finding their known corresponding $Ms$. Moreover, for symmetric ciphers, an algebraic attack can be used to approximate the hole or a partial (reduced-round) encryption process by a linear function, which makes the cipher vulnerable.

The rest of this paper is organized as follows. In Section 2, we review the main facts of artificial intelligence (AI) and machine learning (ML). In Section 3, we discuss the differences between AI and ML. In Section 4, we provide a list of possible applications of AI in cryptography. In Section 5, Section 6, Section 7 and Section 8, we review the four prominent cryptosystems, namely AES, RSA, LWE, and Ascon, and present possible applications of AI to test and enhance their security. We conclude the paper in Section 9.

2. Artificial Intelligence and Machine Learning

Artificial intelligence (AI) is a subarea of computer science that concerns itself with building rational agents, i.e., agents that sense the world (i.e., read a percept), map the percept to some internal representation, and identify the best action to take among a set of possible actions given the percept. The selected action is the one that minimizes the agent’s objective function, then enacts the action and updates the internal representation of the world as a consequence of the action. There exist various types of agents: search agents, adversarial search agents, planning agents, logical agents, probabilistic agents, and learning agents. The latter are data-driven and use machine learning algorithms to predict the action to take as a function of the input percept from a collection of tuples (percept, action) [29].

Machine learning (ML) is a subarea of AI that concerns itself with learning agents and algorithms. There exist three (3) major classes of learning agents/algorithms:

• Supervised learning algorithms. These use tuples (input  vector; output vector, also called Label) to learn/approximate the output vector for an unseen given input vector.
• Unsupervised learning algorithms. These do not make use of the label and use the input vector only to learn/infer/approximate the output vector for an unseen given input vector.
• Reinforcement learning algorithms. This class progressively learns/infers/approximates the output vector for an unseen given input vector from the positive or negative feedback returned from the external world.

Recently, two more subclasses have come to light. These are:

• Self-supervised learning algorithms. These algorithms mask parts of the input and try to learn it. In essence, these algorithms transform an unsupervised problem (i.e., a problem for which no labels exist) into a supervised problem by auto-generating the labels.
• Imitation learning algorithms. These are very recent. In essence, imitation learning algorithms reproduce others’ actions from observing the actions performed by other agents/machine learning algorithms [30].

A comprehensive review and taxonomy of artificial intelligence and machine learning techniques together with their disadvantages and challenges can be found in [31].

Artificial neural networks (ANNs) in particular have proven to be more powerful than others in many applications, including computer vision (CV), natural language processing (NLP), and autonomous driving (AD).

Artificial Neural Networks (ANNs) as a Non-Linear Approximation Function

Artificial neural network models are mainly characterized by their architecture, the number of densely connected hidden layers, the number of cells/perceptrons (see Figure 1) per layer, activation functions used in the neurons for firing, and the cost function used to train the network (or, similarly, to find the weights of the interconnections between layers) using gradient descent and back propagation for computing the gradient of the cost function in the weight space [32] (see Figure 2). ANNs can be divided into three major categories: those that perform input classification, sequence learning, or function approximation.

Thanks to nonlinear activation functions such as the Sigmoid, Tanh or RELU functions, ANNs are great at approximating arbitrary nonlinear functions (often as piece-wise linear approximations).

In fact, an ANN with at least one hidden layer is a universal approximator, i.e., it can represent any function [33]. However, one hidden layer might need an exponential number of neurons, so often an architecture with many fully connected hidden layers (deep neural network) is preferred, as it is more compact. Arguably, the performance of the network increases with more hidden units and more hidden layers (see Figure 3).

Although there is no universal method to approximate any arbitrary given function, there are development procedures that consistently lead to successful approximations of nonlinear functions within a specific field. There is wealth of literature for such applications in all fields, including bioengineering, mechanics, agriculture, digital design, and, last but not least, intrusion detection and cybersecurity.

As arbitrary function approximators, ANNs lend themselves naturally to cryptanalysis techniques, such as known and chosen plaintext attacks, linear, nonlinear, and differential attacks. Furthermore, the feed-forward of the data process through multiple layers of the neural networks has functional resemblance to multiple-round operations in a symmetric cipher, i.e., linear permutations, followed by nonlinear transformations. This also invites the attempt to leverage ANNs for the design of ciphers.

3. ANN Types and Their Domains of Application

  Due to numerous advantages over other ML techniques, such as the ability to learn hierarchical features, the ability to handle multiple output, and the ability to deal with nonlinear data, which is clearly highlighted by the rapid development of foundation models (FMs) [35], ANN-based learning agents have overshadowed other types of intelligent agents, including the ones that use other machine learning techniques. They have become a synonym for AI. This said, and despite the aforementioned advantages, it is not guaranteed that, because deep ANNs demonstrate excellent performance for domain problems dealing with language, images, and videos, they will necessarily outperform other ML techniques in cryptography [36,37]. Unless otherwise specified, we will use the term AI to designate agents that use ANNs.

There are many types of neural networks, such as auto-encoders, convolutional neural networks (CNNs), long short-term memory networks (LSTMs), recurrent neural networks (RNNs), generative adversarial networks (GANs), and transformers. They stand apart from one other through the type of processing attached to individual layers and the architecture used to connect the hidden layers, among other things, as well as whether a cell uses its own output from previous excitation or not.

3.1. Convolutional Neural Networks (CNNs)

In addition to hidden layers, a CNN contains multiple convolution layers, which are responsible for the extraction of important features, such as images, from spatial data. The earlier layers are responsible for low-level details, and the later layers are responsible for more high-level features. As such, CNNs are well-suited for applications such as facial recognition, medical analysis, and image classification.

3.2. Recurrent Neural Networks (RNNs)

RNNs are used to predict the next item in sequential data, which can be videos or text. In RNNs, a neuron in a layer also receives a time-delayed input from its own previous instance prediction. This instance prediction is stored in the RNN cell, which is a second input for every prediction. RNNs are typically used in tasks such as text or speech generation, text translation, and sentiment analysis.

3.3. Autoencoders

An autoencoder is a type of artificial neural network used to learn efficient coding of unlabeled data (unsupervised learning). An autoencoder learns two functions: an encoding function that transforms the input data into a low-dimension latent space representation, and a decoding function that recreates the input data from the latent space representation. Autoencoders are used in dimensionality reduction, image compression, image denoising, feature extraction, image generation using generative adversarial networks (GANs), sequence-to-sequence predictions, and recommendation systems.

3.4. Long Short-Term Memory Networks (LSTMs)

LSTMs use gates to control which output should be used or forgotten, including: input gate, output gate, and forget gate. LSTMs are best applied in speech recognition and text prediction.

3.5. Generative Adversarial Networks (GANs)

GANs learn to create new data instances that resemble the training data. For example, GANs can create images that look like photographs of human faces, even though the faces do not belong to any real person [38].

3.6. Transformers

The transformer model architecture drops recurrence and convolutions and uses an attention mechanism to connect an encoder network with a decoder network. Applications of this model include machine translation [39].

All of these variants of ANNs are mainly characterized by their architecture, the number of parameters/weights that make up the model and that have to be learned, and the training corpora used (Common Crawl, The Pile, MassiveText, Wikipedia, GitHub, books, articles, logs, etc.). As this paper is being written, the Megatron-Turing Natural Language Generation (MT-NLG), a transformer-based language generation model, uses 530 billion parameters, more than 7 times the average number of neurons in the adult human brain. These are also called foundation/base models since they can be adapted/fine-tuned for different tasks/contexts. Head-to-head comparison of existing (commercial and open source) large models (LMs) can be found in [40]. It is worth noting that the size of a model depends largely on the nature of the problem at hand. In many engineering domains, the models used are not as big as foundation models.

4. Possible Applications of AI in Cryptography

  The combination of cryptography with artificial intelligence will be beneficial for the security of several applications. One of the goals of applying AI is to identify potential vulnerabilities of a cryptographic system.

4.1. Areas of Application

• In cybersecurity: Cybersecurity can easily benefit from the applications of AI. By applying AI, it is possible to write and process software to detect and to defend a system against cyberattacks. The advantages of applying AI instead of traditional security systems is that AI provides fast solutions and better security.
• In blockchain: Blockchain is a new technology with various industrial and economic applications. It plays a prominent role in many sectors, such as banking, cryptocurrencies, and data management. It achieves a complete independence from any central authority and guarantees secure communications thanks to advanced cryptographic techniques. AI can be used to analyze the security and the efficiency of blockchain applications in order to improve their practicability, security, and profitability.
• In symmetric cryptography: AI can be deployed to analyze the security of a symmetric system defined by an S-box or a vectorial Boolean function by testing all possible cryptographic criteria, including bijectivity, nonlinearity, linear analysis, differential analysis, balancedness, correlation immunity, algebraic degree, side-channel analysis, strict avalanche criterion (SAC), bit independence criterion (BIC), and the NIST Statistical Test Suite [41], which is used to guarantee the quality of random number generators for cryptographic applications. Especially, the security of AES and Ascon can be much improved if tested with the help of AI.
• In asymmetric cryptography based on RSA: AI can be used to generate safe primes for the RSA modulus, and to generate safe public and private keys by running the known attacks such as factorization, small private key attacks, partial key exposure attacks, and side-channel attacks.
• In asymmetric cryptography based on LWE: Attacks on LWE and its variants are very limited because their security is based on the hardness of hard problems in lattices. Nevertheless, AI can be used to test the hardness of lattice problems with different parameters in order to guarantee the safety and the efficiency of the cryptosystem.

This said, AI itself can benefit from modern cryptographic techniques, such as homomorphic encryption, to resolve the privacy issue related to data used in learning without disclosing it [42].

Without much surprise, vanilla ANNs were applied very early in all areas of cryptology, including side-channel attacks [43], random number generation [44], recovery of plaintext [45], generation of ciphertext without the key [46], cryptanalysis of symmetric ciphers [47,48,49], and hash and message authentication functions [50]. Attempts have also be made to implement ciphers as ANNs [51].

The application of advanced ANNs such as deep, convolutional, and generative adversarial neural networks is also gaining in momentum. In this regard, Ref. [52] deployed a deep network for side-channel attacks on masked and unprotected AES implementations. Ref. [53] deployed a linear attack on round-reduced DES using deep learning with plain-cipher pairs. Ref. [54] posed the cryptanalysis of a cipher as a language translation problem to be solved using a GAN, which was adapted to handle discrete data. The GAN is trained to learn the mapping between plain and cipher text distributions without supervision. Ref. [55] used deep convolutional neural networks to exploit differential properties of round-reduced Speck cipher to perform a differential distinguishing attack that did not involve key search. Ref. [56] used a deep neural network to perform the known-plaintext attack on AES and its modes of operation to restore different bit lengths with probabilities. Ref. [57] used deep learning in side-channel attacks against a secure implementation of the RSA algorithm. Surprisingly, the applications of advanced ANNs to asymmetric encryption has yet to begin. Therefore, in this article, we attempt to pinpoint stages in prominent encryption algorithms, namely AES, RSA, and LWE, where the applications of advanced ANNs can help increase their security.

4.2. Datasets

Datasets are structured collections of data used to train a model for the nonlinear trapdoor function $C=F(K,M)$. They consist of pairs of collected $(M,C)$ that are generated synthetically at the design phases of F. Typically, all combinations of $Ms$ and their differences are generated and fed to F to obtain $Cs$, leading to a balanced dataset of pairs $(M,C)$.

5. The Advanced Encryption Standard (AES)

  The Advanced Encryption Standard [58], also known as the Rijndael algorithm, is a symmetric block cipher that was designed by Daemen and Rijmen [59] in 1999. It was adopted by the U.S. National Institute of Standards and Technology (NIST) in 2001 to supersede the Data Encryption Standard (DES) [60]. AES allows key lengths of size 128, 192, or 256 bits, with a block length of 128 bits. In AES, the encryption performs 10 rounds for a 128-bit key, 12 rounds for a 192-bit key, and 14 rounds for a 256-bit key.

The encryption and the decryption in the AES algorithm start with two parameters: a block B of length 128 bits, and a key K of length 128, 192, or 256 bits (see

Table 1. Representation of the block and the subkey with bytes.

B0	B1	B2	B3	,	K0	K1	K2	K3	.
B4	B5	B6	B7		K4	K5	K6	K7
B8	B9	B10	B11		K8	K9	K10	K11
B12	B13	B14	B15		K12	K13	K14	K15

). In all steps of the encryption and decryption in AES, the blocks $B=\{B_0,\dots ,B_{15}\}$ are represented by $4\times 4$ square matrices of bytes called state arrays.

5.1. The Encryption Process of AES

At the beginning of the encryption, each key K is expanded into $n+1$ subkeys by an algorithm called key expansion, where $n\in \{10,12,14\}$ is the number of rounds. The encryption phase starts with the initial round by XORing the plaintext with the first subkey. Then, the rounds are composed of four algorithms, namely AddRoundKey, SubBytes, ShiftRows, and MixColumns, so that a round $R_i$ with $0\le i\le n$ is in the form:

$$R_i=\left\{\begin{array}{cc}\mathtt{A}\mathtt{d}\mathtt{d}\mathtt{R}\mathtt{o}\mathtt{u}\mathtt{n}\mathtt{d}\mathtt{K}\mathtt{e}\mathtt{y}(\mathrm{plaintext},{\mathrm{subkey}}_0)\hfill & \mathrm{if}i=0,\hfill \\ \mathtt{A}\mathtt{d}\mathtt{d}\mathtt{R}\mathtt{o}\mathtt{u}\mathtt{n}\mathtt{d}\mathtt{K}\mathtt{e}\mathtt{y}\circ \mathtt{M}\mathtt{i}\mathtt{x}\mathtt{C}\mathtt{o}\mathtt{l}\mathtt{u}\mathtt{m}\mathtt{n}\mathtt{s}\circ \mathtt{S}\mathtt{h}\mathtt{i}\mathtt{f}\mathtt{t}\mathtt{R}\mathtt{o}\mathtt{w}\mathtt{s}\circ \mathtt{S}\mathtt{u}\mathtt{b}\mathtt{B}\mathtt{y}\mathtt{t}\mathtt{e}\mathtt{s}\hfill & \mathrm{if}0<i<n,\hfill \\ \mathtt{A}\mathtt{d}\mathtt{d}\mathtt{R}\mathtt{o}\mathtt{u}\mathtt{n}\mathtt{d}\mathtt{K}\mathtt{e}\mathtt{y}\circ \mathtt{S}\mathtt{h}\mathtt{i}\mathtt{f}\mathtt{t}\mathtt{R}\mathtt{o}\mathtt{w}\mathtt{s}\circ \mathtt{S}\mathtt{u}\mathtt{b}\mathtt{B}\mathtt{y}\mathtt{t}\mathtt{e}\mathtt{s}\hfill & \mathrm{if}i=n.\hfill \end{array}\right.$$

The four algorithms can be summarized as follows:

• AddRoundKey: The subkey for the round is bitwise XORed with the state array computed in the previous step. In the first round, the state array is the input block, and in the last round, the resulting state array is the ciphertext (see

  Table 2. AddRoundKey operation Xors state with key.

  S0

  S1

  S2

  S3

  ⊕

  K0

  K1

  K2

  K3

  =

  $S_0^{\prime }$

  $S_1^{\prime }$

  $S_2^{\prime }$

  $S_3^{\prime }$

  .

  S4

  S5

  S6

  S7

  K4

  K5

  K6

  K7

  $S_4^{\prime }$

  $S_5^{\prime }$

  $S_6^{\prime }$

  $S_7^{\prime }$

  S8

  S9

  S10

  S11

  K8

  K9

  K10

  K11

  $S_8^{\prime }$

  $S_9^{\prime }$

  $S_{10}^{\prime }$

  $S_{11}^{\prime }$

  S12

  S13

  S14

  S15

  K12

  K13

  K14

  K15

  $S_{12}^{\prime }$

  $S_{13}^{\prime }$

  $S_{14}^{\prime }$

  $S_{15}^{\prime }$

  ).
• SubBytes: The SubBytes transformation is a byte substitution that operates on each byte of the state using a substitution table called S-box (see

  Table 3. SubBytes operation yielding a new state vector.

  Transformation T on	S0	S1	S2	S3	=	$S_0^{\prime }$	$S_1^{\prime }$	$S_2^{\prime }$	$S_3^{\prime }$	.
  	S4	S5	S6	S7		$S_4^{\prime }$	$S_5^{\prime }$	$S_6^{\prime }$	$S_7^{\prime }$
  	S8	S9	S10	S11		$S_8^{\prime }$	$S_9^{\prime }$	$S_{10}^{\prime }$	$S_{11}^{\prime }$
  	S12	S13	S14	S15		$S_{12}^{\prime }$	$S_{13}^{\prime }$	$S_{14}^{\prime }$	$S_{15}^{\prime }$

  ). Algebraically, each byte x is transformed into a list of 8 bits,

  $$\overline{x}=(x_1,x_2,x_3,x_4,x_5,x_6,x_7,x_8),$$

  and is transformed via the rule T,

  $$T\left(\overline{x}\right)=\left\{\begin{array}{cc}c\hfill & \mathrm{if}x=0\hfill \\ M\left({\overline{x}}^{-1}\right)+c\hfill & \mathrm{if}x\ne 0,\hfill \end{array}\right.$$

  where

  $$c=\left[\begin{array}{c}0\\ 1\\ 1\\ 0\\ 0\\ 0\\ 1\\ 1\end{array}\right],M=\left[\begin{array}{cccccccc}1& 1& 1& 1& 1& 0& 0& 0\\ 0& 1& 1& 1& 1& 1& 0& 0\\ 0& 0& 1& 1& 1& 1& 1& 0\\ 0& 0& 0& 1& 1& 1& 1& 1\\ 1& 0& 0& 0& 1& 1& 1& 1\\ 1& 1& 0& 0& 0& 1& 1& 1\\ 1& 1& 1& 0& 0& 0& 1& 1\\ 1& 1& 1& 1& 0& 0& 0& 1\end{array}\right],$$

  and ${\overline{x}}^{-1}$ is the inverse of $\overline{x}$ in the finite field ${\mathbb{F}}_{2^8}$ modulo the polynomial $x^8+x^4+x^3+x+1$.
• ShiftRows: In this transformation, the bytes of the first row in the state array remain unchanged, and the bytes of rows 2, 3, and 4 are cyclically shifted left by 1, 2, and 3 cases, respectively (see

  Table 4. ShiftRows operation yielding a new state.

  S0	S1	S2	S3	→	S0	S1	S2	S3	.
  S4	S5	S6	S7		S5	S6	S7	S4
  S8	S9	S10	S11		S10	S11	S8	S9
  S12	S13	S14	S15		S15	S12	S13	S14

  ).
• MixColumns: In this transformation, each column is multiplied by a fixed matrix, as in

  Table 5. MixColumns operation yielding a new state.

  02

  03

  01

  01

  ×

  S0

  S1

  S2

  S3

  =

  $S_0^{\prime }$

  $S_1^{\prime }$

  $S_2^{\prime }$

  $S_3^{\prime }$

  .

  01

  02

  03

  01

  S4

  S5

  S6

  S7

  $S_4^{\prime }$

  $S_5^{\prime }$

  $S_6^{\prime }$

  $S_7^{\prime }$

  01

  01

  02

  03

  S8

  S9

  S10

  S11

  $S_8^{\prime }$

  $S_9^{\prime }$

  $S_{10}^{\prime }$

  $S_{11}^{\prime }$

  03

  01

  01

  02

  S12

  S13

  S14

  S15

  $S_{12}^{\prime }$

  $S_{13}^{\prime }$

  $S_{14}^{\prime }$

  $S_{15}^{\prime }$

  .
  In MixColumns, the operations are performed in ${\mathbb{F}}_{2^8}$ modulo the polynomial $x^8+x^4+x^3+x+1$.

5.2. The Decryption Process in AES

The decryption process in AES is performed by applying the inverse of the algorithms used in the encryption process. If n is the number of rounds in the encryption process, then there are $m=n$ rounds in the decryption process. The decryption starts by XORing the ciphertext with the last subkey of the key expansion. For $0\le i\le m$, the the inverse round $Inv{R}_i$ is composed of four algorithms as follows:

$$\begin{array}{c}\hfill \begin{array}{cc}& Inv{R}_i=\hfill \\ & \left\{\begin{array}{cc}\mathtt{I}\mathtt{n}\mathtt{v}\mathtt{A}\mathtt{d}\mathtt{d}\mathtt{R}\mathtt{o}\mathtt{u}\mathtt{n}\mathtt{d}\mathtt{K}\mathtt{e}\mathtt{y}(\mathrm{ciphertext},{\mathrm{subkey}}_m)\hfill & \mathrm{if}i=0,\hfill \\ \mathtt{I}\mathtt{n}\mathtt{v}\mathtt{M}\mathtt{i}\mathtt{x}\mathtt{C}\mathtt{o}\mathtt{l}\mathtt{u}\mathtt{m}\mathtt{n}\mathtt{s}\circ \mathtt{I}\mathtt{n}\mathtt{v}\mathtt{A}\mathtt{d}\mathtt{d}\mathtt{R}\mathtt{o}\mathtt{u}\mathtt{n}\mathtt{d}\mathtt{K}\mathtt{e}\mathtt{y}\circ \mathtt{I}\mathtt{n}\mathtt{v}\mathtt{S}\mathtt{u}\mathtt{b}\mathtt{B}\mathtt{y}\mathtt{t}\mathtt{e}\mathtt{s}\hfill \\ \circ \mathtt{I}\mathtt{n}\mathtt{v}\mathtt{S}\mathtt{h}\mathtt{i}\mathtt{f}\mathtt{t}\mathtt{R}\mathtt{o}\mathtt{w}\mathtt{s}\hfill & \mathrm{if}0<i<m,\hfill \\ \mathtt{I}\mathtt{n}\mathtt{v}\mathtt{A}\mathtt{d}\mathtt{d}\mathtt{R}\mathtt{o}\mathtt{u}\mathtt{n}\mathtt{d}\mathtt{K}\mathtt{e}\mathtt{y}\circ \mathtt{I}\mathtt{n}\mathtt{v}\mathtt{S}\mathtt{u}\mathtt{b}\mathtt{B}\mathtt{y}\mathtt{t}\mathtt{e}\mathtt{s}\circ \mathtt{I}\mathtt{n}\mathtt{v}\mathtt{S}\mathtt{h}\mathtt{i}\mathtt{f}\mathtt{t}\mathtt{R}\mathtt{o}\mathtt{w}\mathtt{s}\hfill & \mathrm{if}i=m.\hfill \end{array}\right.\hfill \end{array}\end{array}$$

The algorithms can be summarized as follows.

• InvAddRoundKey: As in the AddRoundKey algorithm, the subkey for the round is bitwise XORed, with the state array computed in the previous step. In the first round, the state array is the ciphertext block, and in the last round, the resultant state array is the plaintext.
• InvSubBytes: In this operation, the inverse S-box replaces each byte of the state with another byte by a substitution method. Specifically, each byte y is transformed into a list of 8 bits,

  $$\overline{y}=(y_1,y_2,y_3,y_4,y_5,y_6,y_7,y_8),$$

  and is transformed via the rule $T^{\prime }$,

  $$T^{\prime }\left(\overline{y}\right)=\left\{\begin{array}{cc}0\hfill & \mathrm{if}y=c\hfill \\ \frac{1}{M^{-1}(y+c)}\hfill & \mathrm{if}y\ne c,\hfill \end{array}\right.$$

  where

  $$c=\left[\begin{array}{c}0\\ 1\\ 1\\ 0\\ 0\\ 0\\ 1\\ 1\end{array}\right],M^{-1}=\left[\begin{array}{cccccccc}0& 1& 0& 1& 0& 0& 1& 0\\ 0& 0& 1& 0& 1& 0& 0& 1\\ 1& 0& 0& 1& 0& 1& 0& 0\\ 0& 1& 0& 0& 1& 0& 1& 0\\ 0& 0& 1& 0& 0& 1& 0& 1\\ 1& 0& 0& 1& 0& 0& 1& 0\\ 0& 1& 0& 0& 1& 0& 0& 1\\ 1& 0& 1& 0& 0& 1& 0& 0\end{array}\right].$$
  The inverses are computed in the finite field ${\mathbb{F}}_{2^8}$ modulo the polynomial $x^8+x^4+x^3+x+1$.
• InvShiftRows: In this transformation, the bytes of the first row in the state array remain unchanged, and the bytes of rows 2, 3, and 4 are cyclically shifted right by 1, 2, and 3 cases, respectively (see

  Table 6. InvShiftRows transforms the state on the left to the state on the right.

  S0	S1	S2	S3	→	S0	S1	S2	S3	.
  S4	S5	S6	S7		S7	S4	S5	S6
  S8	S9	S10	S11		S10	S11	S8	S9
  S12	S13	S14	S15		S13	S14	S15	S12

  ).
• InvMixColumns: In this transformation, each column is multiplied by a fixed matrix, as in

  Table 7. InvMixColumns multiplies the state with the given matrix.

  0e

  0b

  0d

  09

  ×

  S0

  S1

  S2

  S3

  =

  $S_0^{\prime }$

  $S_1^{\prime }$

  $S_2^{\prime }$

  $S_3^{\prime }$

  .

  09

  0e

  0b

  0d

  S4

  S5

  S6

  S7

  $S_4^{\prime }$

  $S_5^{\prime }$

  $S_6^{\prime }$

  $S_7^{\prime }$

  0d

  09

  0e

  0b

  S8

  S9

  S10

  S11

  $S_8^{\prime }$

  $S_9^{\prime }$

  $S_{10}^{\prime }$

  $S_{11}^{\prime }$

  0b

  0d

  09

  0e

  S12

  S13

  S14

  S15

  $S_{12}^{\prime }$

  $S_{13}^{\prime }$

  $S_{14}^{\prime }$

  $S_{15}^{\prime }$

  .
  In InvMixColumns, the operations are performed in ${\mathbb{F}}_{2^8}$ modulo the polynomial $x^8+x^4+x^3+x+1$.

5.3. Main Attacks on AES

The goal of the attacks on an asymmetric cryptosystem is to find good properties inside the cipher that allow for retrieval of partial or total information on the secret key. In addition to the exhaustive attack, the two prominent attacks are the linear cryptanalysis and the differential cryptanalysis.

• Exhaustive search attack. Brute force attacks, or exhaustive attacks, consist of trying all possible keys to a ciphertext and checking whether the plaintext is recognizable. It is easy to prevent such attacks by using large keys. In AES, the key lengths are 128, 192, and 256 bits. This makes the total key combination of each key length $2^{128}$, $2^{192}$, and $2^{256}$, respectively, which is infeasible even for the fastest supercomputers today. On the other hand, with a computer with quantum technology, due to Grover’s algorithm [61], it is possible to perform an exhaustive search in the square root of the classical time, and the key lengths should be $2^{256}$.
• Linear attack. In 1993, Matsui [62] invented one of the most practical attacks on DES, known as linear cryptanalysis. It can be applicable to AES by approximating the nonlinear parts in the rounds by linear expressions. This makes the round a linear function where the input or the output is easy to compute.
  In the situation where the S-box of the system is constructed following a vectorial boolean function $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^n}$, the linear cryptanalysis is constructed on the value of its nonlinearity, which is defined by:

  $${\mathtt{N}\mathtt{L}}_F=2^{n-1}-\frac{1}{2}\underset{a\ne 0,b\in {\mathbb{F}}_{2^n}}{max}\left|\sum _{x\in {\mathbb{F}}_2^n}{(-1)}^{b·F\left(x\right)\oplus a·x}\right|,$$

  where $a·x$ is the inner product in ${\mathbb{F}}_2$, defined as $a·x={\oplus }_{i=0}^n{a}_i{x}_i$. The nonlinearity of the function F represents the minimum Hamming distance between F and all possible affine functions. It is well-known that ${\mathtt{N}\mathtt{L}}_F$ is upper bounded by $2^n-2^{\frac{n}{2}-1}$. Vectorial Boolean functions that achieve ${\mathtt{N}\mathtt{L}}_F=2^n-2^{\frac{n}{2}-1}$ are called bent. Bent functions exist only when n is even and are important for building balanced S-boxes.
  In practice, the nonlinearity of the vectorial Boolean function F is studied via the linear probability table (LPT) defined for the entry $(a,b)\in {\mathbb{F}}_{2^n}^2$ by:

  $${\mathtt{L}\mathtt{P}\mathtt{T}}_F(a,b)={\left(\frac{\#\left\{x\in {\mathbb{F}}_2^n:a·x+b·F\left(x\right)=0\right\}}{2^{n-1}}-1\right)}^2.$$
  For AES, except for the first row and first column, all rows and columns of the LPT have the same distribution of values as given in

  Table 8. Distribution of the linear probability values of AES.

  Value	0	${\left(\frac{1}{64}\right)}^2$	${\left(\frac{2}{64}\right)}^2$	${\left(\frac{3}{64}\right)}^2$	${\left(\frac{4}{64}\right)}^2$	${\left(\frac{5}{64}\right)}^2$	${\left(\frac{6}{64}\right)}^2$	${\left(\frac{7}{64}\right)}^2$	${\left(\frac{8}{64}\right)}^2$
  Frequency	17	48	36	40	34	24	36	16	5

  .
• Differential attack. In 1991, Biham and Shamir [63] proposed differential cryptanalysis and applied it to DES. Differential cryptanalysis is a chosen-plaintext attack and works with two pairs of plaintext $(P_1,P_2)$ with a fixed difference $a=P_1+P_2$ and their corresponding ciphertext $(C_1,C_2)$. The goal of the differential cryptanalysis is to study the behavior of the difference $b=P_1+P_2$.
  For a vectorial Boolean function $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^n}$, the differential cryptanalysis is studied via the difference distribution table (DDT), which is defined for $(a,b)\in {\mathbb{F}}_{2^n}^2$ by:

  $${\mathtt{D}\mathtt{D}\mathtt{T}}_F(a,b)=\#\left\{x\in {\mathbb{F}}_{2^n}:F\left(x\right)+F(x+a)=b\right\}.$$
  The differential uniformity of F is defined by:

  $${\delta }_F=\underset{a\in {\mathbb{F}}_{2^n}^{*}}{max}{\mathtt{D}\mathtt{D}\mathtt{T}}_F(a,b).$$
  The differential cryptanalysis exploits the differential probability $D{P}_F$, specifically:

  $${\mathtt{D}\mathtt{P}}_F(a,b)=\frac{\#\left\{x\in {\mathbb{F}}_{2^n}:F\left(x\right)+F(a+x)=b\right\}}{2^n}.$$
  For a randomly chosen permutation and for any $a\in {\mathbb{F}}_{2^n}\backslash \left\{0\right\}$, the value $F\left(x\right)+F(a+x)$ is expected to be uniformly distributed with equiprobability. This makes ${\mathtt{D}\mathtt{D}\mathtt{T}}_F(a,b)$ a reliable and practical distinguisher if ${\mathtt{D}\mathtt{P}}_F(a,b)$ is sufficiently small.
  For the AES S-box,

  Table 9. Distribution of the differential probability values of AES.

  Value	0	$\frac{2}{256}$	$\frac{4}{256}$	1
  Frequency	33,150	32,130	255	1

  shows the distribution of the ${\mathtt{D}\mathtt{P}}_F$ values and their frequencies.
  If $x_0$ is a solution to the equation $F\left(x\right)+F(a+x)=b$, then $x_0+a$ is also a solution. This implies that ${\mathtt{D}\mathtt{D}\mathtt{T}}_F(a,b)\ge 2$ for all $a\ne 0$ and, consequently, ${\delta }_F\ge 2$. Vectorial Boolean functions satisfying ${\delta }_F=2$ are called almost perfect nonlinear (APN) functions. As shown in Table 9, the differential uniformity of the AES S-box is 4. Hence, AES does not belong to the APN family; nevertheless, its differential uniformity is too small. This makes AES resistant to differential cryptanalysis.

5.4. Applications of AI to Block Ciphers

  There are plenty of attacks on AES that can be performed by AI. The goal of using AI with AES is to test the resistance of its secret keys and its S-boxes to such attacks. AI can be used for the following tasks.

• Resistance to side-channel attacks [64]: Side-channel attacks exploit the operations performed by a cryptographic system during encryption or decryption to gain information about the private key. The most used channel attacks are timing attacks, simple power attacks, differential power attacks, electromagnetic radiation attacks, correlation power attacks, etc. These attacks rely on collecting and interpreting observations in order to infer information about key size and bits. These inferences lend themselves naturally to ML and ANNs in general and to advanced ANNs/models in particular. As described earlier, some work has already been initiated in this direction [52].
• Resistance to fault attacks [65]: Fault attacks are deployed to disturb the normal functioning of a cryptosystem. They are injected by various techniques such as laser, light pulses, electromagnetic perturbations, tampering with the clock, etc. This enables the attacker to collect the erroneous result and to gain information about the private key. As with side-channel attacks, fault attacks can be overcome by testing implementations against an advanced ANN that tries to leverage the erroneous results to infer information about the key. AES cipher implementations need to be tested against an advanced ANN model that tries to leverage collected output to infer the key before deployment.
• Resistance to linear attacks [62]: This task can be processed by computing the linear probability table of the S-box. ANNs as excellent function approximators can be used to model nonlinearity of S-boxes, similarly to the work of [53] on DES.
• Resistance to differential attacks [63]: This task can be performed by computing the difference distribution table of the S-box. As with linear attacks, ANNs as excellent function approximators can be used to model the differential properties of S-boxes, similarly to what has been done by [55] on the round-reduced Speck cipher and by [47] on the round function of GIFT.
• Resistance to truncated differentials [66]: This variant of the differential attack was presented by Knudson in 1994. This task can be processed by adapting the difference distribution table of the S-box under the truncated differentials criteria. As with differential attacks, ANNs as excellent function approximators can be used to model the truncated differential properties of S-boxes.
• Resistance to boomerang attacks [67]: The task of testing the boomerang cryptanalysis can be accomplished by studying the boomerang connectivity table (BCT) as defined by Cid et al. in 2018 [68]. The BCT of an invertible vectorial function $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^n}$ is defined at the entry $(a,b)\in {\mathbb{F}}_{2^n}$ by:

  $${\mathrm{BCT}}_F(a,b)=\#\left\{x\in {\mathbb{F}}_{2^n}:F^{-1}(F\left(x\right)+b)+F^{-1}(F(x+a)+b)=a\right\}.$$
• Algebraic immunity [69,70]: The algebraic immunity of a vectorial Boolean function F defined on $F_{2^n}$ is the lowest degree of all functions $G\ne 0$ satisfying $F\left(x\right)·G\left(x\right)=0$ or $(1+F(x\left)\right)·G\left(x\right)=0$, where $a·b$ is the inner product of the vectors a and b. The underlying vectorial Boolean function of AES can be modeled and tested using advanced ANNs.
• Balancedness [71]: A vectorial Boolean function $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^m}$ is balanced if every value of ${\mathbb{F}}_{2^m}$ is the image of exactly $2^{n-m}$ values from ${\mathbb{F}}_{2^n}$. The task of verifying balancedness can be processed by studying the vectorial Boolean function that defines the S-box of AES.
• Resistance to other attacks: There are plenty of attacks and criteria that can be implemented with AI to test the security of block ciphers. This includes correlation immunity [72], strict avalanche criterion (SAC) [73], fixed points and opposite fixed points [59], algebraic degree [72], impossible differential [74], etc. A complete list of such attacks can be found in [5,75].

In sum, AI can be used to test AES SubBytes() and MixColumns() functions, and the AES cipher with its modes of operations and their implementations can be used to test against all former attacks and to propose useful and efficient solutions, such as the choice of the key space, MixColumns() matrix polynomials, etc., that nullify/undermine the attacks.

6. The RSA Cryptosystem

In 1978, Rivest, Shamir, and Adleman [6] introduced RSA, a public key and digital signature scheme. RSA is used in various industrial applications, such as privacy, VPNs, communication channels, email services, cybersecurity, and web browsers.

6.1. The RSA Encryption Scheme

The RSA encryption scheme is composed of three algorithms.

• Key Generation: Given a parameter n,
  • Select a random prime number p of bit size n.
  • Select a random prime number q of bit size n with $p\ne q$.
  • Compute $N=pq$ and $\varphi \left(N\right)=(p-1)(q-1)$.
  • Select a number e such that $gcd(e,\varphi (N\left)\right)=1$.
  • Compute a number d such that $ed\equiv 1(mod\varphi (N\left)\right)$.
  • Publish the public key $(N,e)$.
• Encryption: Given a public key $(N,e)$ and a message $M\in \mathbb{Z}/N\mathbb{Z}$,
  • Compute the ciphertext $C\equiv M^e(modN)$.
• Decryption: Given the private key $(N,d)$ and a ciphertext C,
  • Compute $M\equiv C^d(modN)$.

The correctness of the decryption works following Euler’s Theorem,

$$C^d\equiv M^{ed}\equiv M^{k\varphi \left(N\right)}M\equiv M(modN),$$

where k is the integer such that $ed=1+k\varphi \left(N\right)$.

6.2. Attacks on RSA

In RSA, there are originally three parameters: a modulus $N=pq$ with two large prime numbers p and q, a public exponent e satisfying $gcd(e,(p-1\left)\right(q-1\left)\right)=1$, and a private exponent d such that $ed\equiv 1(mod(p-1\left)\right(q-1\left)\right)$. This modular equation can be rewritten as $ed-k\varphi \left(N\right)=1$ and is called the key equation. Since its invention in 1978, RSA has been intensively cryptanalyzed by various methods [7,8,10]. We describe below some of these attacks. The prominent attacks on RSA can be categorized into three groups:

• Factorization attacks. The most obvious attack on RSA is to factor its modulus N. Nevertheless, since N is the product of two balanced large prime numbers, no known method is efficient to factor RSA moduli of size 1024 bits or more. There are several algorithms devoted to factoring integers, such as the Number Field Sieve method [76], Pollard’s Rho method [77], the Elliptic Curve Method [78], and others, with different running times as presented in Table 10.

Table 10. Algorithms to factor an integer n with running times.

Algorithm	Running Time Complexity	Nature of the Factor p
Pollard’s Rho [77]	$O\left(\sqrt{p}\right)$	largest prime factor
Elliptic Curve Method [78]	$O\left(e^{(1+o\left(1\right))\sqrt{2log\left(p\right)log(log(p\left)\right)}}\right)$	smallest prime factor
Number Field Sieve [76]	$O\left(e^{1.923log{\left(n\right)}^{\frac{1}{3}}loglog{\left(n\right)}^{\frac{2}{3}}}\right)$	any factor
Quadratic Sieve [79]	$O\left(e^{(1+o\left(1\right))\sqrt{log\left(n\right)log(log(n\left)\right)}}\right)$	any factor

Table 10. Algorithms to factor an integer n with running times.

Algorithm	Running Time Complexity	Nature of the Factor p
Pollard’s Rho [77]	$O\left(\sqrt{p}\right)$	largest prime factor
Elliptic Curve Method [78]	$O\left(e^{(1+o\left(1\right))\sqrt{2log\left(p\right)log(log(p\left)\right)}}\right)$	smallest prime factor
Number Field Sieve [76]	$O\left(e^{1.923log{\left(n\right)}^{\frac{1}{3}}loglog{\left(n\right)}^{\frac{2}{3}}}\right)$	any factor
Quadratic Sieve [79]	$O\left(e^{(1+o\left(1\right))\sqrt{log\left(n\right)log(log(n\left)\right)}}\right)$	any factor

• Despite the existence of such factorization algorithms, there is no known non-quantum-based method that can efficiently factor an RSA modulus of more than 1024 bits. The latest record for integer factorization was obtained in 2020 by Boudot et al. [80], who factored RSA-250, an RSA modulus with 829 bits.

• Algebraic attacks. Such attacks are based on the mathematical structure of the cryptosystem. Typically, for RSA, the algebraic attacks are related to the key equation $ed-k\varphi \left(N\right)=1$. In 1996, Coppersmith [81] proposed a method to solve certain polynomial equations and applied it to factor an RSA modulus if half of the bits of one of the prime factors were known. Since then, various generalizations of Coppersmith’s method have been proposed [7,8,9,10,82].
  In 1990, Wiener [83] showed that using RSA with a small private exponent is insecure. Using the key equation $ed-k\varphi \left(N\right)=1$ with $\varphi \left(N\right)=(p-1)(q-1)=N+1-(p+q)$$\approx N$, he showed that if p and q have the same bit size, and if $d<\frac{1}{3}{N}^{\frac{1}{4}}$, then:

  $$\left|\frac{e}{N}-\frac{k}{d}\right|<\frac{1}{2d^2},$$

  which implies that $\frac{k}{d}$ is one of the convergents of the continued fraction expansion of $\frac{e}{N}$. The convergents of $\frac{e}{N}$ can efficiently be computed by applying the continued fraction algorithm. In 1996, Boneh and Durfee [84] improved the bound up to $d<N^{0.292}$ by applying Coppersmith’s method and lattice reduction techniques.
• Side-channel attacks. The modular exponentiation is a crucial operation in RSA and must be implemented securely to prevent side-channel attacks. The application of side-channel attacks against RSA started in 1996 with the work of Kocher [24]. Since then, numerous studies have been conducted to make side-channel attacks infeasible against RSA [85,86,87,88].
  For the RSA cryptosystem, the running time during the decryption process can leak information about the private key. This method is known as a timing attack and is one of the most popular side-channel attacks. In RSA, the timing attack concerns the modular exponentiation if the square-and-multiply method is used. To compute $m^d(modN)$, the square-and-multiply method consists of expanding $d={(d_{r-1}{d}_{r-2}\cdots d_0)}_2$ in base 2, taking $a=1$, and then, for i from $r-1$ down to 0, computing $a\equiv a^2(modN)$; additionally, if $d_i=1$, $a\equiv am(modN)$. The drawback of this method is that the computation time is not the same when $d_i=1$ and $d_i=0$. This can be exploited to guess the binary decomposition of d and then to compute d. To ovoid timing attacks, there are various implementations of the modular exponentiation, such as square-always exponentiation [89].

6.3. Applications of AI to RSA

• Resistance to side-channel attacks [24]: RSA is vulnerable to side-channel attacks depending on its arithmetic operations, especially during the decryption process. Numerous studies have been proposed to protect it from side-channel attacks [87,88,90]. As with side-channel attacks on AES, advanced ANNs can be used to test the RSA cryptosystem and its implementations against the side-channel attacks before deployment. Some work has already been done in this direction. Ref. [57] used deep learning in side-channel attacks against a secure implementation of the RSA algorithm.
• Resistance to fault attacks [91]: In addition to side-channel attacks, RSA is vulnerable to fault attacks [92,93]. There are many techniques to force faults, such as variations in the clock, laser, X-rays, voltage, etc. These attacks also lend themselves to the use of advanced ANNs to infer key bits or plaintext from the collected output resulting from the faults.
• Resistance to factorization attacks: The security of RSA is partly based on the difficulty of factoring its modulus N. Obviously, the bit size of N is crucial against factoring algorithms, such as the Number Field Sieve and the Elliptic Curve method. The current recommendation for the size of the RSA modulus is at least 3000 bits [94]. Some initial work has been conducted in this direction by [95,96], but more is needed in order to strengthen the choice of primes p and q.
• Resistance to Fermat’s factoring method [97]: This method is based on solving the equation $N=x^2-y^2=(x-y)(x+y)$, which leads to $p=\frac{x+y}{2}$, $q=\frac{x-y}{2}$. If the difference $|p-q|$ is too small relative to N, then y is too small, and $\sqrt{N}$ is an approximation of x. This can be exploited to retrieve x, y, and the prime factors from p and q. The method works efficiently when $|p-q|<N^{\frac{1}{4}}$. AI can be used to learn x and y for different Ns and to eliminate the RSA prime factors p and q that are vulnerable to Fermat’s factoring method during the generation phase. Furthermore, biases in the distribution of consecutive primes [98] can be learned using an advanced ANN to help reduce the search space in factorization and Fermat’s factoring attacks.
• RSA with existing modulus: If $N_1=p_1{q}_1$ is the RSA modulus of two independent entities, then both entities know the prime factors and can decrypt the encrypted messages of each other. Unfortunately, AI cannot help guard against this scenario. Luckily, the likelihood that two organizations generate the same primes p and q is extremely slim, knowing that p and q are on the order of $2^{1024}$.
• RSA moduli with common factors: If $N_1=p{q}_1$ and $N_2=p{q}_2$ are two RSA moduli, then an attacker can compute $p=gcd(N_1,N_2)$, $q_1=\frac{N_1}{p}$, and $q_2=\frac{N_2}{p}$. This factors the two moduli. To generate a safe RSA modulus N, testing whether N is coprime to every modulus in the list of collected moduli can be efficiently performed by using the method of Bernstein [99,100] without the need for AI.
• RSA moduli with primes sharing most, middle, or least significant bits: If $N_1=p_1{q}_1$ and $N_2=p_2{q}_2$ are two RSA moduli, where $p_1\approx p_2$ share an amount of their least, middle, or most significant bits, then one can apply the method of May and Ritzenhofen [101] or the method of Faugère et al. [102] to factor $N_1$ and $N_2$. Here too, the factorization problem can be posed as an approximation function implemented using ANNs, leading to the elimination of the prime factors that share a significant number of their least significant bits.
• Resistance to small private exponents: The private exponent in RSA with a modulus $N=pq$ and a public exponent e is the integer d satisfying $ed-k(p-1)(q-1)=1$. Because of the attack of Wiener [83], and the attack of Boneh–Durfee [84], it is required that d be larger than $\sqrt{N}$. Nevertheless, in many instances, one can find the value d even if d is arbitrarily large [103,104]. AI can be used to build an approximation function using advanced ANNs for solving the equation above and using it to test the resistance of a generated RSA modulus to such attacks.
• Resistance to partial key exposure attacks: When a fraction of the most significant or the least significant bits of the private exponent d is guessed by an attacker, then Coppersmith’s method can be used to retrieve d entirely [105,106,107]. An ANN approximator for learning d from its fractions and known ciphertext plaintext pairs can be used to test any generated private key d against such attacks before using it for practical applications.

7. Learning with Errors

In 2005, Regev [11] introduced the Learning With Errors problem (LWE). It has become an important computational problem in lattice-based cryptography.

7.1. Description of Learning with Errors

An instance of LWE is parameterized by a positive integer m, a prime number q, and a probability distribution $\chi$ over ${\mathbb{Z}}_q$, the ring of integers modulo q. A typical example of a probability distribution is the continuous Gaussian distribution centered in $c\in {\mathbb{R}}^n$ with a parameter $\sigma >0$. It is defined for a vector $x\in {\mathbb{R}}^n$ by:

$${\chi }_{c,\sigma }\left(x\right)=\frac{1}{{\sigma }^n}{e}^{-\pi {\parallel \frac{x-c}{\sigma }\parallel }^2}.$$

There are two main equivalent sub-problems in LWE, Search LWE and Decision LWE, which are known to be equivalent.

• Search LWE can be summarized as follows. Let $\chi$ be a probability distribution over ${\mathbb{Z}}_q$. Given a matrix $A\in {\mathbb{Z}}_q^{m\times n}$ and a vector $b\in {\mathbb{Z}}_q^m$ whose entries are chosen uniformly, find a vector $s\in {\mathbb{Z}}_q^n$ such that $As+e=b$, where $e\in {\mathbb{Z}}_q^m$ is a vector generated by $\chi$.
• Decision LWE can be summarized as follows. Given a matrix $A\in {\mathbb{Z}}_q^{m\times n}$ and a vector $b\in {\mathbb{Z}}_q^m$, determine whether $(A,b)\in L_1$ or $(A,b)\in L_2$, where $L_1$ is the set of all tuples $(A,b)\in {\mathbb{Z}}_q^{m\times n}\times {\mathbb{Z}}_q^m$ generated by uniformly random distribution and $L_2$ is the set of all tuples $(A,b)\in {\mathbb{Z}}_q^{m\times n}\times {\mathbb{Z}}_q^m$, such that $b=As+e$ for a vector $s\in {\mathbb{Z}}_q^n$, uniformly distributed, and $e\in {\mathbb{Z}}_q^m$, generated by $\chi$.

The first cryptosystem based on LWE was presented by Regev in 2005. It is parameterized by the four parameters m, n, q, and $\chi$, with q prime, $m\ge 4(n+1)log\left(q\right)$, and $\chi$ as a probability distribution, such that a vector $e\in {\mathbb{Z}}_q^m$ generated by $\chi$ satisfies $\parallel e\parallel <B<\frac{1}{4mq}$ with overwhelming probability. The system is composed of four algorithms, which can be summarized as follows.

• Key Generation: Given the parameters m, n, q, and $\chi$,
  • Select a matrix $A\in {\mathbb{Z}}_q^{m\times n}$ at random.
  • Select a secret vector $s\in {\mathbb{Z}}_q^n$.
  • Select a private vector $e\in {\mathbb{Z}}_q^m$ according to a probability distribution $\chi$ over ${\mathbb{Z}}_q$.
  • Compute $b\in {\mathbb{Z}}_q^m$, such that $b=As+e$, and publish the public key $(A,b)$.
• Encryption: Given the parameters m, n, q, $\chi$, a public key $(A,b)$, and a message $M\in \{0,1\}$,
  • Select a vector $r\in {\mathbb{Z}}_q^m$ at random.
  • Compute the ciphertext $(C_1,C_2)$, where $C_1=r^{t}A\in {\mathbb{Z}}_q^n$ and $C_2=r^{t}b+⌊\frac{q}{2}⌋M\in {\mathbb{Z}}_q$. Here, $x^t$ represents the transpose of x.
• Decryption: Given the parameters m, n, q, $\chi$, a ciphertext $(C_1,C_2)$, and a secret key s,
  • Compute $u=C_2-C_{1}s\in {\mathbb{Z}}_q$.
  • If $\left|u\right|\le \frac{q}{4}$, then the decryption is 0, else the decryption is 1.

The correctness of the decryption depends on the size of u. Indeed,

$$u=C_2-C_{1}s=r^{t}e+⌊\frac{q}{2}⌋M,$$

and if e satisfies $\parallel e\parallel <B$ with high probability, then $\parallel r^{t}e\parallel <mB<\frac{q}{4}$, and the decryption occurs.

7.2. Hardness of LWE

The security of LWE is based on the hardness of various open problems in lattice reduction theory. A lattice $\mathcal{L}\subset {\mathbb{R}}^n$ is a discrete subgroup of ${\mathbb{R}}^n$ that is generated by m vectors $u_1,\dots ,u_m\in {\mathbb{R}}^n$ using integer coefficients; that is,

$$\mathcal{L}=\left\{\sum _{i=1}^m{a}_i{u}_i|a_i\in \mathbb{Z}\right\}.$$

The set $B=\{u_1,\dots ,u_m\}$ is called a basis of $\mathcal{L}$, m is its rank, and n is its dimension. When $n=m$, the lattice is called a full-rank lattice.

Lattices have plenty of properties and hard unsolved problems that are used to build cryptosystems that are still resistant, even to quantum computers. The most known and used hard problems in lattice theory are the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). Both problems use the minimum distance ${\lambda }_1\left(\mathcal{L}\right)$ of $\mathcal{L}$, which is defined by:

$${\lambda }_1\left(\mathcal{L}\right)=\underset{v\in \mathcal{L}\backslash \left\{0\right\}}{min}\parallel v\parallel ,$$

where $\parallel v\parallel$ is the Euclidean norm defined for $v=(v_1,\dots ,v_n)\in {\mathbb{R}}^n$ by $\parallel v\parallel ={\left({\sum }_{i=1}^n{v}_i^2\right)}^{\frac{1}{2}}$.

• Shortest Vector Problem (SVP): Let $\mathcal{L}$ be a lattice with a basis B. Find the shortest nonzero lattice vector $u\in \mathcal{L}$ with $\parallel u\parallel ={\lambda }_1\left(\mathcal{L}\right)$.
• Closest Vector Problem (CVP): Let $\mathcal{L}$ be a lattice with a basis B and $v\notin \mathcal{L}$ be a vector. Find a lattice vector $u\in \mathcal{L}$ such that $\parallel u-v\parallel \le {\lambda }_1\left(\mathcal{L}\right)$.

The security of LWE is based on two sub-problems in lattices: the Decisional Approximate SVP (${\mathtt{G}\mathtt{a}\mathtt{p}\mathtt{S}\mathtt{V}\mathtt{P}}_{\gamma }$) and the Approximate Shortest Independent Vectors Problem (${\mathtt{S}\mathtt{I}\mathtt{V}\mathtt{P}}_{\gamma }$), where $\gamma \ge 1$ is a positive real parameter.

• Decisional Approximate SVP (${\mathtt{G}\mathtt{a}\mathtt{p}\mathtt{S}\mathtt{V}\mathtt{P}}_{\gamma }$): Let $\mathcal{L}$ be a lattice with a basis B and $r>0$ be a real number. Decide whether ${\lambda }_1\left(\mathcal{L}\right)\le r$ or ${\lambda }_1\left(\mathcal{L}\right)>\gamma r$.
• Approximate Shortest Independent Vectors Problem (${\mathtt{S}\mathtt{I}\mathtt{V}\mathtt{P}}_{\gamma }$): Let $\mathcal{L}$ be a full-rank lattice with dimension n and a basis B. Find n linearly independent vectors $v_i\in \mathcal{L}$ such that $\parallel v_i\parallel \le \gamma {\lambda }_n\left(\mathcal{L}\right)$, where ${\lambda }_n\left(\mathcal{L}\right)$ is the n-th successive minimum of the lattice.

In 2005, Regev [11] showed that, when the LWE error e is generated by a Gaussian distribution with a parameter $\sigma =\alpha q$, where $\frac{\sqrt{n}}{q}<\alpha <1$, then solving LWE implies a quantum solution of ${\mathtt{G}\mathtt{a}\mathtt{p}\mathtt{S}\mathtt{V}\mathtt{P}}_{\gamma }$ and ${\mathtt{S}\mathtt{I}\mathtt{V}\mathtt{P}}_{\gamma }$ over n-dimensional lattices in the worst case for $\gamma =\tilde{O}(n/\alpha )$, where $\tilde{O}(·)$ is a function with various poly-logarithmic factors. In 2009, Peikert [108] showed that classical reductions are possible from the worst-case hardness of the GapSVP problem to the search version of LWE when the modulus q is exponential in the dimension n, especially when $q\ge 2^{\frac{n}{2}}$. In 2013, Brakerski et al. [109] showed that LWE is classically at least as hard as standard worst-case lattice problems with any subexponential modulus.

7.3. Applications of AI to LWE

The security of LWE comes from its reduction to worst-case lattice problems. Such problems are believed to be hard for both classical and quantum computers. As a consequence, there is a very limited number of attacks that can be launched against LWE. While the theoretical security of LWE depends on hard problem in lattices, its practical security depends on the parameters used in a specific instantiation. Intuitively, both ${\mathtt{G}\mathtt{a}\mathtt{p}\mathtt{S}\mathtt{V}\mathtt{P}}_{\gamma }$ and ${\mathtt{S}\mathtt{I}\mathtt{V}\mathtt{P}}_{\gamma }$ problems can benefit from the power of advanced ANNs as approximators. The set of parameters that are vulnerable to solutions of ${\mathtt{G}\mathtt{a}\mathtt{p}\mathtt{S}\mathtt{V}\mathtt{P}}_{\gamma }$ and ${\mathtt{S}\mathtt{I}\mathtt{V}\mathtt{P}}_{\gamma }$ by an advanced ANN should be discarded. To date, no such attempts can be found in the literature.

8. The Ascon Family of Ciphers

In this section, we describe Ascon [22], the family of authenticated encryption and hashing algorithms selected by NIST for future standardization of lightweight cryptography.

8.1. Description of Ascon

Ascon is a family of several algorithms devoted to different tasks. The family includes Ascon-128 and Ascon-128a authenticated ciphers, the Ascon-Hash hash function, and the Ascon-Xof extendable output function. They ensure 128-bit security and use a common 320-bit permutation. All of the algorithms operate at 320-bit states. Each state S is divided into an inner part $S_r$ of size r bits and an outer part $S_c$ of size $c=320-r$ bits, where r depends on the Ascon variant. Moreover, each state is divided into five 64-bit registers $x_0,\cdots ,x_4$, such that:

$$S=S_r\parallel S_c=x_0\parallel x_1\parallel x_2\parallel x_3\parallel x_4.$$

The authenticated encryption design of Ascon is parameterized by a key bit length of $k\le 160$, a rate r, and two integers a and b. The integers a and b serve to count the compositions of a permutation p of the set ${\{0,1\}}^{320}$. The permutation p is the composition of three permutations, specifically:

$$p=p_L\circ p_S\circ p_C,$$

where $p_C$ is a constant addition, $p_S$ is a substitution layer, and $p_L$ is a linear diffusion layer (see [22] for more details).

8.2. Ascon Encryption

The encryption process of Ascon starts with four initial parameters:

• A key $K\in {\{0,1\}}^k$ with $k\le 160$;
• A nonce $N\in {\{0,1\}}^{128}$;
• Associated data $A\in {\{0,1\}}^{*}$;
• A plaintext $P\in {\{0,1\}}^{*}$.

It is split into four phases:

• Initialization: The 320-bit initial state in Ascon is built by the concatenation of an initial vector $IV$, a secret k-bit key K, and a 128-bit nonce N; that is:

  $$S=IV\parallel K\parallel N.$$
  The initial vector $IV$ has the form:

  $$IV=k\parallel r\parallel a\parallel b\parallel 0^{160-k},$$

  where a is the initialization and finalization round number, and b is the intermediate round number. After initializing the state, a permutation p is applied to it a times, followed by XORing the key K so that the output has the form:

  $$S\leftarrow p^a\left(S\right)\oplus \left(0^{320-k}\parallel K\right).$$
• Processing Associated Data: If associated data $A\in {\{0,1\}}^{*}$ is provided and not null, they are appended with a single 1 and $r-1-\left(\right|A\left|\right(modr\left)\right)$ 0s, then split into s blocks of size r so that:

  $$A\leftarrow A\parallel 1\parallel 0^{r-1-\left(\right|A\left|\right(modr\left)\right)}=A_1\parallel A_2\parallel \cdots \parallel A_s.$$
  If A is empty, then $s=0$. For each $i=1,\cdots ,s$, the following calculation is performed:

  $$S\leftarrow p^b((S_r\oplus A_i)\parallel S_c).$$
  After all calculations, the state is transformed as:

  $$S\leftarrow S\oplus \left(0^{319}\parallel 1\right).$$
• Plaintext Processing: The plaintext $P\in {\{0,1\}}^{*}$ is also appended with a single 1 and $r-1-\left(\right|P\left|\right(modr\left)\right)$ 0s, and then is split into t blocks of size r, so that:

  $$P\leftarrow P\parallel 1\parallel 0^{r-1-\left(\right|P\left|\right(modr\left)\right)}=P_1\parallel P_2\parallel \cdots \parallel P_t.$$
  Then, for $i=1,\cdots ,t$, the following calculations are performed:

  $$\begin{array}{cc}\hfill & C_i\leftarrow S_r\oplus P_i,\hfill \\ \hfill & S\leftarrow \left\{\begin{array}{cc}{p}^b(C_i\parallel S_c)\hfill & \mathrm{if}1\le i<t,\hfill \\ C_i\parallel S_c\hfill & \mathrm{if}i=t.\hfill \end{array}\right.\hfill \end{array}$$
  After processing $C_t$, the value ${\tilde{C}}_t={⌊S_r\oplus P_t⌋}_{\left|P\right|(modr)}$ is calculated, where ${⌊x⌋}_k$ is the bitstring x truncated to the most significant k bits.
• Finalization: In this phase, the following values are calculated:

  $$\begin{array}{cc}\hfill & S\leftarrow p^a\left(S\oplus \left(0^r\parallel K\parallel 0^{320-r-k}\right)\right),\hfill \\ \hfill & T\leftarrow {⌈S⌉}^{128}\oplus {⌈K⌉}^{128},\hfill \end{array}$$

  where ${⌈x⌉}^k$ is the bitstring x truncated to the least significant k bits. The ciphertext is finally composed as:

  $$C=C_1\parallel \cdots \parallel C_{t-1}\parallel {\tilde{C}}_t,$$

  which is transmitted together with the tag T.

8.3. Ascon Decryption

In Ascon, the decryption algorithm starts with the following parameters, already fixed in the encryption algorithm:

• The key $K\in {\{0,1\}}^k$ with $k\le 160$;
• The nonce $N\in {\{0,1\}}^{128}$;
• The associated data $A\in {\{0,1\}}^{*}$;
• The ciphertext $C\in {\{0,1\}}^{*}$;
• The tag $T\in {\{0,1\}}^{128}$.

The decryption is nearly identical to encryption. More precisely, the initialization and the processing associated data are identical, while plaintext processing is replaced by ciphertext processing as follows.

First, the ciphertext $C\in {\{0,1\}}^{*}$ is split into t blocks of size r so that:

$$C=C_1\parallel C_2\parallel \cdots \parallel C_{t-1}\parallel {\tilde{C}}_t,$$

with $0\le |{\tilde{C}}_t|<r$.

Second, for $i=1,\cdots ,t-1$, the following calculations are performed:

$$\begin{array}{cc}\hfill & P_i\leftarrow S_r\oplus C_i,\hfill \\ \hfill & S\leftarrow p^b\left(C_i\parallel S_c\right).\hfill \end{array}$$

Then, two values ${\tilde{P}}_t$ and $S_r$ are computed as:

$$\begin{array}{cc}\hfill & {\tilde{P}}_t\leftarrow {⌊S_r⌋}_{|{\tilde{C}}_t|}\oplus {\tilde{C}}_t,\hfill \\ \hfill & S_r\leftarrow S_r\oplus \left({\tilde{P}}_t\parallel 1\parallel 0^{r-|{\tilde{C}}_t|-1}\right).\hfill \end{array}$$

Next, the following values are computed:

$$\begin{array}{cc}\hfill & S\leftarrow p^a\left(S\oplus \left(0^r\parallel K\parallel 0^{320-r-k}\right)\right),\hfill \\ \hfill & T^{*}\leftarrow {⌈S⌉}^{128}\oplus {⌈K⌉}^{128}.\hfill \end{array}$$

Finally, if $T=T^{*}$, then return $P_1\parallel \cdots \parallel P_{t-1}\parallel {\tilde{P}}_t$, else return ⊥.

8.4. Security of Ascon

The hardness of Ascon is tightly linked to the choice of the parameters $a,b,$ and r and to the key size k used to perform the encryption and the decryption. To guarantee 128-bit security, the recommended parameters are listed in

Table 11. Parameters for Ascon-128 and Ascon-128a.

Algorithm	Key	Nonce	Tag	Data	a	b	Rate r
Ascon-128	128	128	128	64	12	6	64
Ascon-128a	128	128	128	128	12	8	128

.

Since its selection as the winner of the CAESAR competition, the Ascon family has been intensively analyzed for vulnerabilities. Section 6 of [22] presents an overview of the security analysis and resiatance to attacks. All published results so far support its security and efficiency.

8.5. Applications of AI to Ascon

The Ascon family uses a 5-bit S-box [22] that needs to be immune against known attacks for substitution layers $p_S$, such as the linear and differential attacks. Section 5.4 presents an exhaustive list of these attacks that are also applicable to the Ascon lightweight cipher.

To this end, AI can be used to test the Ascon S-box, as well as the full or partial transformation process reflected by small a and b values against all these attacks, in order to propose the set of parameters that nullify/undermine these attacks.

9. Conclusions

Artificial intelligence (AI) and, in particular, deep learning using sophisticated artificial neural network (ANN) architecture, is exponentially developing and gaining practical use in all sectors of daily life. In this paper, we presented areas where the use of AI can help enhance the security of cryptographic systems. We particularly focused on four prominent systems in modern cryptography, namely, the Advanced Encryption Standard (AES), the Rivest–Shamir–Adleman (RSA) scheme, the Learning With Errors (LWE) scheme, and the lightweight Ascon cipher family. We reviewed their security and pinpointed layers, functions, and areas that could potentially benefit from cryptanalysis that uses advanced ANN architectures. This said, depending on the function to approximate S-box and vectorial Boolean functions for AES, S-box and permutations for Ascon, Diophantine equations and factorization for RSA, lattice problems for LWE), ANNs may not necessarily outperform other machine learning (ML) techniques. For instance, LWE introduces vectors of errors similar to noise in the encryption process, which may hinder the performance of ANNs, since it is a well-known fact that ANNs suffer from noisy training data. Experimentation is needed to confirm this hypothesis. Furthermore, sophisticated ANN architectures can have the tendency to overfit the presented training data, which may lead to errors for unseen encrypted data or plaintext.

Finally, beyond prediction, ANNs do not provide any insights into the structure of the function being approximated, which may not help in fine-tuning the function/layer being approximated (see [110] for Explainable AI). For further research, we envisage experimenting with different ANN architectures and building an ANN generator that automatically generates an adversary ANN from the specification of the S-box or the vectorial Boolean function to help cryptosystem designers quickly test the strength of the cryptographic functions and substitution layers.