A Review of Machine Learning and Cryptography Applications


2020 International Conference on Computational Science and Computational Intelligence (CSCI)

Korn Sooksatra* and Pablo Rivas†, Senior, IEEE
School of Engineering and Computer Science
Department of Computer Science, Baylor University
* Email: Korn [email protected], † Email: Pablo [email protected]
978-1-7281-7624-6/20/$31.00 ©2020 IEEE
DOI 10.1109/CSCI51800.2020.00105

Abstract—Adversarially robust neural cryptography deals with the training of a neural-based model using an adversary to leverage the learning process in favor of reliability and trustworthiness. The adversary can be a neural network or a strategy guided by a neural network. These mechanisms are proving successful in finding secure means of data protection. Similarly, machine learning benefits significantly from the cryptography area by protecting models from being accessible to malicious users. This paper is a literature review on the symbiotic relationship between machine learning and cryptography. We explain cryptographic algorithms that have been successfully applied in machine learning problems and, also, deep learning algorithms that have been used in cryptography. We pay special attention to the exciting and relatively new area of adversarial robustness.

Index Terms—neural cryptography, deep learning, block ciphers, generative adversarial networks, adversarial robustness

I. INTRODUCTION

Cryptography is concerned with studying how we can protect data, offering security against intruders [1]. Much of the security depends on sophisticated means to obtain pseudo-random mappings that are invertible, allowing both encryption and decryption tasks [2]. The strength of cryptographic algorithms often relies on publicizing the algorithms for the community to study for weaknesses and possible attacks, so that when a vulnerability is detected, the algorithm can be updated or patched [3]. This public nature of algorithms also has positive effects concerning mass production, implementation, and deployment; however, one important additional aspect that must not be overlooked is trustworthiness: knowing exactly how the algorithm works, or at least knowing that one can have access to that information, creates trust [4]. The issue of trust has hindered the progress of machine learning algorithms in the field of cryptography until recently.

The machine learning community has brought a new wave of interest in the field with exciting and innovative research. The problem of trustworthiness is no longer taboo and is the object of much study today [5]. Much progress has been made in the area of explainable AI, which also promotes trust in AI [6]–[8]. This has opened the door for other disciplines to consider machine learning, particularly deep learning models, to address highly complex problems from a different perspective. In 2016, Abadi et al. [9] connected the idea of adversarial learning and neural networks to train a neural model to learn its own encryption mechanism. This research captured the attention of many researchers in both areas, cryptography and machine learning [10]–[13]. However, while the authors of [9] gathered much attention, there are other lesser-known successful models that need to be put in the proper context to display the problems that have been solved and the challenges that still exist. This paper aims to provide context on recent research in the intersection between cryptography and machine learning.

The paper is organized as follows: Section II describes preliminaries on both deep learning and adversarial neural networks; Section III presents a general introduction to state-of-the-art machine learning algorithms that benefit from cryptography; Section IV presents cryptography research that benefits directly from machine learning; we present a discussion and future work in Section V and conclusions in Section VI.

II. PRELIMINARIES

A. Deep Learning

A deep learning model is a machine learning model that has a long structure and numerous parameters [14]. Most deep learning models are modeled as neural networks. Layers in this kind of neural network can be homogeneous or not homogeneous. Hence, each layer in the model can be either convolutional, recurrent, or fully-connected. Fig. 1 shows an example of a deep learning model consisting of two convolutional layers and one fully-connected layer. Convolutional neural networks (CNNs) have been of particular interest in the deep learning community in different applications [15].

Fig. 1. Example of a deep learning model represented as a convolutional neural network.

B. Adversarial Neural Network

In 2014, Goodfellow et al. [16], [17] proposed a state-of-the-art scheme, called Generative Adversarial Networks (GANs), which motivated the idea of the adversarial neural network. GANs are composed of two neural networks: a generative model (called the generator) and a discriminative model (called the discriminator). The generator receives a noisy input and generates an image to send to the discriminator. The discriminator receives an image and calculates the probability p_d that the image is real and the probability p_d that the image is generated by the generator. The discriminator's goal is to maximize p_d when the input is real and p_d when the input is not real, and the generator's goal is to minimize the maximization of the discriminator. As a result, after the learning process and competition between both

of them, the generator can generate an image which is almost identical to the real image. Fig. 2 describes the architecture of this scheme.

Fig. 2. Generative Adversarial Network's architecture. [Figure: the generator outputs a generated image; the discriminator receives either a real image or the generated image and decides "real or generated?"]

Existing works applied this idea to let neural network models learn by themselves where there are competitors in the schemes. This is called an adversarial neural network and is categorized as unsupervised learning.

III. CRYPTOGRAPHY FOR MACHINE LEARNING

In some applications, obtaining training data only from one source for a deep learning model is not enough. Thus, many data owners would like to let the model learn from their own data and also from data from other sources. To successfully achieve the goal, they can have one cloud and let the model in the cloud learn from their data. In addition, they do not want to leak their sensitive information, and this scenario is called collaborative deep learning. In this paper, collaborative deep learning can be categorized into two types: sharing encrypted training data and sharing encrypted gradients. To preserve the data owners' privacy, all the data during the learning process (including operands for operations on the cloud) need to be encrypted, which calls for fully homomorphic encryption [18].

A. Sharing encrypted training data

Li et al. [19] designed two schemes (i.e., a basic scheme and an advanced scheme) to preserve privacy for users who desire to collaboratively train on their data with deep learning on the cloud, where the users as well as the cloud are honest-but-curious. This means that all the parties in the models honestly perform their duties, but try to reveal information in the learning process. First, the basic scheme is composed of data owners and the cloud and is based on multi-key fully homomorphic encryption (MK-FHE) [20]. The mechanism is listed below:

1) Data owners generate public keys, secret keys and evaluation keys, encrypt their own data (i.e., training data, partial weight and desired target) with their own public key and send them to the cloud.
2) The cloud receives encrypted data from all the data owners and lets the model learn with the encrypted data using the public keys and evaluation keys of the data owners.
3) After updating all the encrypted weights, the cloud sends the encrypted and updated weights back to the data owners.
4) The data owners jointly decrypt them to gain the individual updated weights by using secure multi-party computation (SMC) with their secret keys [21].

Second, the advanced scheme is more complicated, to ensure that the data owners do not need to communicate with each other for decrypting the encrypted results. This scheme consists of data owners, the cloud and an authorized center (AU). This scheme applies double encryption, called the BCP scheme [22], and MK-FHE, and its mechanism works as follows:

1) Data owners generate their own public keys and secret keys (no evaluation keys), encrypt their own data (i.e., training data, partial weight and desired target) with their own public key and send them to the cloud. Note that AU also has the data owners' secret keys.
2) The cloud receives encrypted data from all the data owners, but it cannot perform addition and multiplication operations since it does not have evaluation keys. Hence, it adds noise to them and sends them to AU.
3) AU decrypts them with the data owners' secret keys and encrypts all the data with one public key. Then, it sends them back to the cloud.
4) Now, the cloud can calculate encrypted and updated weights from all the data encrypted with the same public key. After obtaining the results, the cloud sends the results to AU to transform each result into data encrypted with the particular data owner's public key.
5) The cloud sends each result back to its data owner, and each data owner can decrypt the result with his/her secret key.

The system was theoretically proved to be semantically secure [23] if the public key scheme is semantically secure. Also, the system can preserve privacy for the parameters of

deep learning (i.e., the weights) if the cloud does not collude with AU.

In 2019, Kwabena et al. [24] improved the basic scheme in [19] by applying multi-scheme fully homomorphic encryption (MS-FHE) [25], in which the data owners can use different encryption schemes to join the collaborative deep learning. Also, the estimated activation function for the Sigmoid function is more accurate, and the ReLU function is estimated as an alternative (since a homomorphic encryption cannot perform the division operation). Furthermore, this work's scheme has slightly higher accuracy on classification tasks than the ones of previous works [26]–[28] and runs faster than [28].

B. Sharing encrypted gradients

Phong et al. [29] proposed an additively homomorphic encryption scheme for collaborative deep learning by improving the work in [30], which applied asynchronous stochastic gradient descent (ASGD) [31], [32] as the learning method and was called gradients-selective ASGD because each data owner chooses which gradients to globally share to preserve his/her privacy. Also, [30] showed an additional scheme which leveraged differential privacy by adding Laplace noise [33] to all the gradients. However, Phong and the others had a proof to show that gradients-selective ASGD and differential privacy still leaked some sensitive information of the data owners, although these methods slightly altered the values of the gradients. In [29], ASGD is also applied as the learning method, and the mechanism is summarized as follows:

1) A data owner downloads the encrypted weight stored in the cloud using the secret key.
2) The data owner computes the gradient after using the global weight and the training data to learn in his/her deep learning model.
3) The data owner encrypts the gradient multiplied by the learning rate with his/her secret key and sends it back to the cloud.
4) The cloud updates the global weight with the data owners' encrypted messages by performing only the addition operation.

This work proves that there is no gradient leakage to the honest-but-curious cloud in this mechanism, and when the data owner decrypts the encrypted result, the decrypted result is the same as if the operations on the cloud had been performed with an unencrypted gradient.

IV. MACHINE LEARNING FOR CRYPTOGRAPHY

Not only have encryption schemes been used in machine learning models, but also, in this decade, machine learning has certainly existed in the encryption or cryptography field. Machine learning-based cryptography can be categorized into two types: non-adversarial-machine-learning cryptography and adversarial-machine-learning cryptography.

A. Non-adversarial-machine-learning cryptography

The prior works [34], [35] leveraged neural network models to create encryption schemes. [34] in 2012 and [35] in 2015, which enhanced the former, utilized the mixing method and the non-linearity property of neural network models to build encryption and decryption schemes. The secret keys of the schemes are the parameters (weights and biases) of the network, or are mixed with some random numbers. The drawback of these kinds of schemes is that if the architectures of the networks are exposed, the schemes will not be secure.

In 2017, Shruti et al. [36] applied a deep learning model to create a symmetric encryption and decryption scheme based on a genetic algorithm [37] and DNA computing. This work includes a key generation part and an encryption and decryption part. First, the genetic algorithm is applied to perform the key generation, and this algorithm consists of mutation, crossover and selection. Key candidates, which are binary strings, are initialized, and then mutation is performed to expand the number of candidates by randomly flipping some bits in each string. After that, crossover is performed to also increase the number of candidates by randomly swapping some parts of a
pair of key candidates. Then, the key candidates which result in the best fitness functions are obtained. This process keeps going on until the random values reach the threshold.

Next, the encryption scheme can be accomplished by DNA computing. A bit string of plaintext is converted to a string of DNA by mapping 00 to A (Adenine), 01 to C (Cytosine), 10 to G (Guanine) and 11 to T (Thymine). This DNA string is processed by a transcription and translation process [38], and then it is converted back to a binary string. After that, an Exclusive OR (XOR) operation is performed on this string with one of the generated keys. The decryption process is just the reverse of the encryption process.

B. Adversarial-machine-learning cryptography

At present, researchers focus on adversarial neural cryptography, in which the encryption and decryption algorithms can learn to improve their level of secrecy by themselves where there is an adversary in the scheme. In 2016, Abadi et al. [9], [39] utilized Generative Adversarial Networks (GANs) [16] and proposed a deep-learning-based approach to provide secrecy for communications with adversarial neural cryptography. A simple scenario consists of Alice, Bob and Eve. Alice communicates with Bob with a symmetric encryption, they desire to have the secrecy property, and Eve intercepts the communication and desires to obtain the plaintext from the encrypted message [40]. For instance, as can be seen in Fig. 3, Alice produces ciphertext C from plaintext P with symmetric key K and sends it to Bob. At the same time, Eve also receives the ciphertext C. When Bob receives ciphertext C, it tries to decode ciphertext C with key K to recover plaintext P and outputs its recovered plaintext P_Bob. Similarly, Eve attempts to recover plaintext P and outputs its recovered plaintext P_Eve. Note that Bob has an advantage over Eve since it has key K, but Eve does not.

Fig. 3. Alice, Bob and Eve with a symmetric encryption.

The proposed scenario in this work assumes that Alice, Bob and Eve are neural networks, where Alice's network, which has θ_A as a set of parameters, attempts to successfully protect C and communicate with Bob; Bob's network, which has θ_B as a set of parameters, tries to fully recover P from C; and Eve's network's goal, which has θ_E as a set of parameters, is to decode C in order to gain P. Therefore, Bob's loss function is defined as

L_B = d(P, P_{Bob}),

where

d(X, Y) = \sum_{i=0}^{N-1} |X_i - Y_i|,   (1)

and X_i is bit i of X. Eve's loss function is defined as

L_E = d(P, P_{Eve}),

and Alice-Bob's loss function is defined as

L_{AB} = L_B + \frac{(N/2 - L_E)^2}{(N/2)^2},

where N is the size of the plaintext, and the latter component is to ensure that Eve's loss is not different from a random guess's loss.

Note that values in C, P_Eve and P_Bob can be real values. The goal of Alice and Bob is to minimize the average of L_AB over all plaintexts, and the goal of Eve is to minimize the average of L_E over all plaintexts. The input of Alice's network is P||K, where || is a concatenation operator, the input of Bob's network is C||K, and the input of Eve's network is simply C. Alice's network's architecture starts with a fully-connected (FC) layer, and this is followed by a sequence of one-dimensional convolutional layers. Then, it ends with another FC layer, and the activation function of each layer is tanh. Bob's network's architecture is simply the reverse of Alice's, but the activation function of the last layer is Sigmoid, and Eve's network adds another FC layer at the end to make it stronger than those two networks. Also, the activation function of its last layer is Sigmoid. The mechanism is

1) Train Eve's network two rounds with static Alice and Bob to update θ_E.
2) Train Alice and Bob together to update θ_A and θ_B once.
3) Go back to step 1 if it is not enough with respect to a hyper-parameter.

As a result, with a 16-bit key, plaintext and ciphertext, Bob's loss and Alice-Bob's loss can be significantly low. On the other hand, Eve's loss is close to the loss of a random guess.

Coutinho et al. [41] argued that the work in [9], on the one hand, had some weaknesses in terms of strong encryption and decryption accuracy. On the other hand, they considered two key goals to improve the previous work. First, in practice, the decryption algorithm needs to be able to fully recover all the plaintext, which the work in [9] could not achieve; hence, this work tries to achieve this goal. Second, since [9] did not show any detail related to an encryption algorithm of Alice and Bob, there was no information to show how strong the encryption algorithm was. Additionally, Eve in [9] was very weak, which led to a weak encryption algorithm of Alice and Bob. Therefore, this work attempts to lead the neural networks of those to form unbreakable encryption and decryption, called the One-Time Pad (OTP) [42], by making Eve stronger. Finally, with the improvement, they proposed Chosen-Plaintext Attack
Adversarial Neural Cryptography (CPA-ANC). To successfully achieve OTP, which consists of XOR operations and some permutations, CryptoNet is created. To illustrate CryptoNet, according to [9], let P_i denote bit i of P, K_i denote bit i of K and C_i denote bit i of C. The input of Alice's network is still P||K, but each bit i of the input is converted to an angle with the function

f(x) = \arccos(1 - 2x),

and the network's architecture has only one fully-connected layer. The output of this layer is converted back into bits with the function

f^{-1}(x) = \frac{1 - \cos(x)}{2}.

Bob's network is identical to Alice's, but it has C||K as input instead. The reason for all these changes is to achieve OTP. Fig. 4 shows Alice's network's architecture for a better understanding, where h_i is neuron i in the output layer.

Fig. 4. Alice's CryptoNet.

In this work, there are three stages. In the first stage, there are only Alice's and Bob's networks, and the result shows that Bob and Alice can learn to communicate, where Bob is able to fully recover the plaintexts for all 4-bit, 8-bit and 16-bit plaintexts. However, the encryption algorithms that they learn are not secret, and, certainly, they are not able to achieve OTP since there is no adversarial neural cryptography or Eve in the scenario. In the second stage, an adversarial neural cryptography or Eve is added into the scenario; hence, the scheme can be identified by Fig. 3. The result of this stage is still not able to achieve OTP, and Alice and Bob cannot learn any strong encryption algorithm because Eve has only C as its input; thus, it is too weak for learning any strong encryption of Alice and Bob. Finally, in the third stage, the scenario is still the same as Fig. 3, but there are two differences. First, Alice's input is from one of a set of two plaintexts, denoted by S_P = {P^1, P^2}, where P^1 denotes the first plaintext and P^2 denotes the second plaintext, and, second, S_P is Eve's other input; hence, in terms of the neural network, Eve's input is P^1||P^2||C, and it has two outputs, which are the probability p_0 that C is from P^1 and the probability p_1 that C is from P^2. Therefore, this scheme is called CPA-ANC, and Eve's network is similar to Alice's. It has two hidden layers, and two neurons in the output layer. The first hidden layer has R neurons, and their outputs are converted to angles by the function f^{-1}. Then, these values are the inputs of the second hidden layer and, later, their outputs are the inputs of the two neurons of the output. After that, these two outputs are converted to p_0 and p_1 with Softmax functions. Fig. 5 illustrates the scenario of the third stage. As a result, Alice and Bob can achieve OTP for 58 trials out of 60 trials. Also, Bob can fully recover the plaintexts for 59 trials out of 60 trials. In conclusion, in this work, Alice and Bob can produce strong encryption algorithms, and Bob successfully gains all the bits of the plaintexts in almost all cases.

Fig. 5. CPA-ANC scenario.

In 2017, Hayes and Danezis [13] also leveraged GANs and the adversarial training idea to generate steganographic images, which are images that embed messages. Their key idea, which is depicted in Fig. 6, is that it is better when an adversary cannot notice that an encrypted message contains a message. The scenario in this work also has Alice, Bob and Eve. To illustrate it, Alice's input is a message P concatenated with an image K, and it provides the output, which is a steganographic image C, to Bob and Eve. Then, Bob also has image K as an input together with C, and its output is a decrypted message P_Bob. Eve's input is only C, and its output is the confidence score c_Eve of how likely the input is a normal image or a steganographic image, as illustrated in Fig. 6. Analogous to GANs, Alice's network is a generator and Eve's network is a discriminator, but Alice also has another task, which is to allow Bob to recover a message in the particular
steganographic image. Therefore, Bob's loss function is

L_{Bob} = d(P, P_{Bob}),   (2)

where d(X, Y) is as defined in (1) and X_i is bit i of X. Eve's loss function is

L_{Eve} = -y \cdot \log(c_{Eve}) - (1 - y) \cdot \log(1 - c_{Eve}),   (3)

where y is 1 when the input is K and 0 otherwise. This equation is identical to the discriminator's in GANs. Alice's loss function is just a combination of d(K, C), (2) and (3) as

L_{Alice} = λ_A \cdot d(K, C) + λ_B \cdot L_{Bob} + λ_E \cdot L_{Eve},   (4)

where λ_A, λ_B and λ_E are Alice's weight, Bob's weight and Eve's weight, respectively. The first part of (4) indicates that C is not supposed to be much different from K.

Fig. 6. Alice, Bob and Eve with a steganographic image.

This work uses the CelebA dataset [43] and the BOSS dataset [44] for evaluation. After training Alice, Bob and Eve, Eve's loss is close to a random guess. In other words, Eve's confidence score is close to 0.5. Also, Bob is able to successfully decode the messages, and the steganographic images still look similar to the original images. However, Alice's result is a little worse than conventional steganographic algorithms, and Eve's result is also slightly worse than a conventional steganalyzer.

V. DISCUSSION AND FUTURE WORKS

Although an encryption scheme (i.e., a homomorphic encryption) has been applied to multiple collaborative deep learning models to preserve data owners' privacy in many existing works, there are still some other aspects that need to be considered for robustness, such as an adversarial attack (i.e., an adversarial example). Adversarial attacks were explained and constructed in [45]–[48], and [47]–[54] proposed approaches for deep learning models to be robust to adversarial attacks. However, some further works are still required for adversarially robust deep learning models.

On the other hand, whether or not deep learning models and adversarial neural cryptography models can be utilized in practice in encryption schemes is still an open question, because non-adversarial deep learning models are not secure enough to be practically used, and adversarial neural cryptography models lack a mathematical proof showing that encrypted messages can be successfully recovered into the original messages by the receiver. Additionally, the keys and plaintexts in those works are small (i.e., 16-bit); in practice, a key's and plaintext's size can be 256 bits or more.

According to the aforementioned remaining issues, the further works can be summarized as follows:
• Discovering a fully robust deep learning model for adversarial attacks.
• Designing an adversarial neural cryptography model with a mathematical proof for fully recovering encrypted messages.
• Developing an adversarial neural cryptography model which supports larger sizes of key and plaintext.

VI. CONCLUSION

We have discussed the recent research algorithms in the intersecting areas of cryptography and machine learning. We described cryptography algorithms from which machine learning can benefit, by means of providing privacy or otherwise. Similarly, we summarized approaches where cryptography can benefit from machine learning by modeling pseudo-random invertible functions, complex mappings, and others. Whenever cryptography has leveraged machine learning, new possibilities have been introduced into the field.

The area of adversarial robustness, by which one is able to certify that a particular block-cipher deep-learning-based model will not be susceptible to adversarial attacks, either chosen plaintext or ciphertext attacks, is of much interest within the machine learning community. This can further the issues associated with explainability and trustworthiness that are crucial in the adoption of deep learning technology in other fields of science.

Neural cryptography can potentially lead to widespread data privacy protection, if resources are invested in the areas of rapid development and testing of cryptography protocols and standards. Further, the dramatic decrease in the costs associated with storage makes these types of neural models an important alternative to secure data communications.

ACKNOWLEDGMENT

The authors would like to thank the support of the Department of Computer Science at Baylor University during this research study.
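The additive-only cloud update of Section III-B (Phong et al. [29]) can be checked end to end with a small additively homomorphic cryptosystem. The following is an added worked example written for this review, not code from [29]: it assumes a textbook Paillier scheme with constructed toy-sized primes (10007 and 10009, far too small for real use) and a fixed-point encoding of the real-valued gradients, and it assumes, as in the four-step mechanism, that the data owners hold the key pair while the cloud holds no key and only multiplies ciphertexts (which adds the plaintexts).

```python
"""Sharing encrypted gradients (Section III-B, Phong et al. [29]) with an
additively homomorphic cryptosystem.  Added example for this review, not the
authors' code: textbook Paillier with constructed toy primes (a real
deployment needs a modulus of 2048 bits or more) and fixed-point gradients."""
import math
import secrets
from typing import List, Tuple

SCALE = 10 ** 6  # fixed-point scale: gradients are stored as integer multiples of 1e-6


def keygen(p: int = 10007, q: int = 10009) -> Tuple[Tuple[int, int], Tuple[int, int, int]]:
    """Paillier key pair from two constructed toy primes (NOT secure sizes).
    Public key (n, n^2); private key (lambda, mu, n); generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)
    return (n, n * n), (lam, mu, n)


def encrypt(pub: Tuple[int, int], m: int) -> int:
    """Enc(m) = g^m * r^n mod n^2 with g = n + 1, so g^m = 1 + m*n mod n^2.
    Negative m is reduced mod n and recentred again in decode()."""
    n, n2 = pub
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) % n2 * pow(r, n, n2) % n2


def decrypt(priv: Tuple[int, int, int], c: int) -> int:
    """Dec(c) = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    lam, mu, n = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n) * mu % n


def add(pub: Tuple[int, int], c1: int, c2: int) -> int:
    """Homomorphic addition: Enc(a) * Enc(b) = Enc(a + b) mod n^2.
    This is the only operation the cloud performs (step 4)."""
    return c1 * c2 % pub[1]


def encode(x: float) -> int:
    """Real value -> fixed-point integer."""
    return int(round(x * SCALE))


def decode(m: int, n: int) -> float:
    """Fixed-point integer in [0, n) -> real value, recentring negatives."""
    if m > n // 2:
        m -= n
    return m / SCALE


def federated_round(w: float, grads: List[float], lr: float) -> Tuple[float, float]:
    """One round of the four-step mechanism for a single weight.  Returns
    (weight decrypted by a data owner, weight computed in the clear) so the
    two can be compared; the paper's claim is that they are equal."""
    pub, priv = keygen()                                   # keys held by the data owners, not the cloud
    enc_w = encrypt(pub, encode(w))                        # step 1: encrypted global weight stored in the cloud
    # steps 2-3: every owner encrypts lr * gradient (negated for gradient descent)
    updates = [encrypt(pub, encode(-lr * g)) for g in grads]
    for u in updates:                                      # step 4: the cloud only adds
        enc_w = add(pub, enc_w, u)
    new_w = decode(decrypt(priv, enc_w), pub[0])           # owner decrypts the updated weight
    plain_w = w - lr * sum(grads)
    return new_w, plain_w


if __name__ == "__main__":
    # Constructed inputs: one shared weight, three owners' gradients, lr = 0.1
    got, expected = federated_round(0.8, [0.5, -0.25, 0.125], 0.1)
    print(got, expected)  # 0.7625 0.7625
```

The cloud sees only ciphertexts and performs only `add`, so it learns nothing about the individual `lr * g` terms, while the owner's decrypted weight matches the plaintext update exactly, which is the property the mechanism's proof is about. The fixed-point scale bounds the representable range to about n / (2 * SCALE); overflow past n / 2 would silently wrap, so the scale and modulus must be chosen together.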
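The loss functions of Section IV-B can be computed directly from their definitions, and doing so shows what the penalty term in L_AB rewards. The block below is an added worked example, not code from [9] or [13]: it implements d(X, Y) of (1), L_B, L_E and L_AB of the Abadi et al. game, the steganographic losses (2)–(4) of Hayes and Danezis, and the training schedule of [9] (Eve twice against a frozen Alice and Bob, then Alice and Bob once); every bit vector, confidence score and weight λ_A, λ_B, λ_E used in it is constructed for illustration.

```python
"""Loss functions of the adversarial neural cryptography game of Abadi et al.
[9] and of the steganographic game of Hayes and Danezis [13], as restated in
Section IV-B.  Added worked example for this review; all numbers are
constructed for illustration and are not results from either paper."""
import math
from typing import List, Sequence


def d(x: Sequence[float], y: Sequence[float]) -> float:
    """Eq. (1): d(X, Y) = sum_i |X_i - Y_i|, the L1 distance between two
    bit vectors (or real-valued network outputs) of equal length N."""
    if len(x) != len(y):
        raise ValueError("d(X, Y) needs vectors of equal length N")
    return sum(abs(xi - yi) for xi, yi in zip(x, y))


def bob_loss(p: Sequence[float], p_bob: Sequence[float]) -> float:
    """L_B = d(P, P_Bob): how far Bob's recovered plaintext is from P."""
    return d(p, p_bob)


def eve_loss(p: Sequence[float], p_eve: Sequence[float]) -> float:
    """L_E = d(P, P_Eve): how far Eve's recovered plaintext is from P."""
    return d(p, p_eve)


def alice_bob_loss(p: Sequence[float], p_bob: Sequence[float], p_eve: Sequence[float]) -> float:
    """L_AB = L_B + (N/2 - L_E)^2 / (N/2)^2.  The second term vanishes only
    when Eve is as wrong as a random guess (N/2 bits); it is 1 both when Eve
    recovers every bit and when she gets every bit wrong, since an always-
    wrong Eve leaks P just as completely."""
    half = len(p) / 2
    return bob_loss(p, p_bob) + (half - eve_loss(p, p_eve)) ** 2 / half ** 2


def stego_eve_loss(y: int, c_eve: float) -> float:
    """Eq. (3): binary cross-entropy of Eve's confidence c_Eve against the
    label y (1 when the input is the cover image K, 0 otherwise)."""
    eps = 1e-12  # keep log() finite for a saturated detector
    c = min(max(c_eve, eps), 1.0 - eps)
    return -y * math.log(c) - (1 - y) * math.log(1.0 - c)


def stego_alice_loss(k: Sequence[float], c: Sequence[float], p: Sequence[float],
                     p_bob: Sequence[float], y: int, c_eve: float,
                     lam_a: float = 1.0, lam_b: float = 1.0, lam_e: float = 1.0) -> float:
    """Eq. (4): L_Alice = lam_A * d(K, C) + lam_B * L_Bob + lam_E * L_Eve,
    exactly as written in the review; K and C are flattened pixel vectors."""
    return lam_a * d(k, c) + lam_b * bob_loss(p, p_bob) + lam_e * stego_eve_loss(y, c_eve)


def training_schedule(outer_rounds: int, eve_rounds: int = 2) -> List[str]:
    """The alternating schedule of [9]: per outer round, Eve is updated
    eve_rounds times against a static Alice and Bob, then Alice and Bob are
    updated once together.  Returns the sequence of parameter updates."""
    steps: List[str] = []
    for _ in range(outer_rounds):
        steps.extend(["eve"] * eve_rounds)   # updates theta_E
        steps.append("alice_bob")            # updates theta_A and theta_B
    return steps


if __name__ == "__main__":
    # Constructed 16-bit case: Bob recovers P exactly; Eve is wrong on exactly
    # half of the bits, i.e. no better than a random guess.
    P = [0, 1] * 8
    P_EVE_RANDOM = [1 - b for b in P[:8]] + P[8:]
    print(alice_bob_loss(P, P, P_EVE_RANDOM))   # 0.0
    print(alice_bob_loss(P, P, P))              # 1.0
    print(stego_eve_loss(1, 0.5))               # 0.6931471805599453 (ln 2)
    print(training_schedule(2))
```

A confidence of 0.5 gives Eve a cross-entropy of ln 2 whatever the label, which is the "close to a random guess" outcome the text reports for [13]; the clamp in `stego_eve_loss` only matters for a detector that outputs exactly 0 or 1.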
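The angle encoding f and decoding f^{-1} of CryptoNet (Coutinho et al. [41], Section IV-B) explain why a single fully-connected layer can reach the one-time pad. The following added example is not code from [41]: the weight matrix it builds is my own hand-set configuration showing what that one layer can represent, not the weights learned in the paper. Output neuron h_i sums the angle of P_i and the angle of one key bit chosen by a permutation; in angle space the sum of two bit-angles, decoded through f^{-1}, is exactly XOR, so the layer computes XOR with a permuted key, which is the one-time pad the text describes.

```python
"""Angle encoding of CryptoNet [41]: bits enter as angles f(x) = arccos(1 - 2x),
pass through one fully-connected layer, and leave through
f^{-1}(x) = (1 - cos x) / 2.  Added example for this review, not code from
[41]; the weights below are a hand-set illustration, not learned values."""
import math
from typing import List, Optional, Sequence


def f(x: float) -> float:
    """Bit (or real value in [0, 1]) -> angle in [0, pi]: f(0) = 0, f(1) = pi."""
    return math.acos(1.0 - 2.0 * x)


def f_inv(theta: float) -> float:
    """Angle -> value in [0, 1]; inverse of f on [0, pi] and 2*pi-periodic,
    which is what makes adding two bit-angles behave like XOR."""
    return (1.0 - math.cos(theta)) / 2.0


def otp_weights(n: int, key_perm: Optional[Sequence[int]] = None) -> List[List[float]]:
    """Hand-set weights of the single FC layer over the 2n angles of P||K
    (assumed configuration): neuron h_i adds the angle of P_i and the angle
    of K_{perm[i]}.  The identity permutation gives C_i = P_i XOR K_i."""
    perm = list(range(n)) if key_perm is None else list(key_perm)
    if sorted(perm) != list(range(n)):
        raise ValueError("key_perm must be a permutation of range(n)")
    w = [[0.0] * (2 * n) for _ in range(n)]
    for i in range(n):
        w[i][i] = 1.0             # angle of plaintext bit P_i
        w[i][n + perm[i]] = 1.0   # angle of the (permuted) key bit
    return w


def cryptonet_layer(bits_in: Sequence[int], weights: Sequence[Sequence[float]]) -> List[int]:
    """One forward pass: encode to angles, one FC layer without bias, decode
    with f^{-1}, round to bits."""
    angles = [f(b) for b in bits_in]
    out = []
    for row in weights:
        h = sum(wij * a for wij, a in zip(row, angles))
        out.append(int(round(f_inv(h))))
    return out


def alice(p: Sequence[int], k: Sequence[int], key_perm: Optional[Sequence[int]] = None) -> List[int]:
    """Alice's CryptoNet on input P||K, producing C."""
    return cryptonet_layer(list(p) + list(k), otp_weights(len(p), key_perm))


def bob(c: Sequence[int], k: Sequence[int], key_perm: Optional[Sequence[int]] = None) -> List[int]:
    """Bob's network is identical to Alice's but takes C||K, recovering P."""
    return cryptonet_layer(list(c) + list(k), otp_weights(len(c), key_perm))


def xor(a: Sequence[int], b: Sequence[int]) -> List[int]:
    """Reference one-time pad on bit lists, for comparison."""
    return [x ^ y for x, y in zip(a, b)]


if __name__ == "__main__":
    P, K = [1, 0, 1, 1], [1, 1, 0, 1]          # constructed 4-bit plaintext and key
    C = alice(P, K)
    print(C, bob(C, K))                        # [0, 1, 1, 0] [1, 0, 1, 1]
    print(alice(P, K, [3, 2, 1, 0]))           # key read in reverse order: [0, 0, 0, 0]
```

The decisive identity is f^{-1}(f(a) + f(b)) = (1 - cos(pi * (a + b))) / 2 = a XOR b for bits a and b, since the sum of two bit-angles is 0, pi or 2*pi; because f and f^{-1} are also smooth on real inputs, the same layer stays trainable by gradient descent, which is why the paper can reach this configuration by learning rather than by hand.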
REFERENCES

[1] A. Stanoyevitch, Introduction to Cryptography with Mathematical Foundations and Computer Implementations. CRC Press, 2010.
[2] N. Ferguson, B. Schneier, and T. Kohno, "Cryptography Engineering: Design Principles and Practical Applications," 2010.
[3] T. Ristenpart and S. Yilek, "When good randomness goes bad: Virtual machine reset vulnerabilities and hedging deployed cryptography," in NDSS, 2010.
[4] R. Walton, "Cryptography and trust," Information Security Technical Report, vol. 11, no. 2, pp. 68–71, 2006.
[5] L. Floridi, "Establishing the rules for building trustworthy AI," Nature Machine Intelligence, vol. 1, no. 6, pp. 261–262, 2019.
[6] W. Samek, G. Montavon, A. Vedaldi, L. K. Hansen, and K.-R. Müller, Explainable AI: Interpreting, Explaining and Visualizing Deep Learning. Springer Nature, 2019, vol. 11700.
[7] R. Goebel, A. Chander, K. Holzinger, F. Lecue, Z. Akata, S. Stumpf, P. Kieseberg, and A. Holzinger, "Explainable AI: the new 42?" in International Cross-Domain Conference for Machine Learning and Knowledge Extraction. Springer, 2018, pp. 295–303.
[8] A. Holzinger, "From machine learning to explainable AI," in 2018 World Symposium on Digital Intelligence for Systems and Machines (DISA). IEEE, 2018, pp. 55–66.
[9] M. Abadi and D. G. Andersen, "Learning to protect communications with adversarial neural cryptography," arXiv preprint arXiv:1610.06918, 2016.
[10] C. Zhang, P. Patras, and H. Haddadi, "Deep learning in mobile and wireless networking: A survey," IEEE Communications Surveys & Tutorials, vol. 21, no. 3, pp. 2224–2287, 2019.
[11] S. Dörner, S. Cammerer, J. Hoydis, and S. ten Brink, "Deep learning based communication over the air," IEEE Journal of Selected Topics in Signal Processing, vol. 12, no. 1, pp. 132–143, 2017.
[12] C. Huang, P. Kairouz, X. Chen, L. Sankar, and R. Rajagopal, "Context-aware generative adversarial privacy," Entropy, vol. 19, no. 12, p. 656, 2017.
[13] J. Hayes and G. Danezis, "Generating steganographic images via adversarial training," in Advances in Neural Information Processing Systems, 2017, pp. 1954–1963.
[14] I. Goodfellow, Y. Bengio, A. Courville, and Y. Bengio, Deep Learning. MIT Press, Cambridge, 2016, vol. 1, no. 2.
[15] K. Mulligan and P. Rivas, "Dog breed identification with a neural network over learned representations from the Xception CNN architecture," in 21st International Conference on Artificial Intelligence (ICAI 2019), 2019.
[16] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, "Generative adversarial nets," in Advances in Neural Information Processing Systems, 2014, pp. 2672–2680.
[17] ——, "Generative adversarial networks," Communications of the ACM, vol. 63, no. 11, pp. 139–144, 2020.
[18] C. Gentry and D. Boneh, A Fully Homomorphic Encryption Scheme. Stanford University, Stanford, 2009, vol. 20, no. 9.
[19] P. Li, J. Li, Z. Huang, T. Li, C.-Z. Gao, S.-M. Yiu, and K. Chen, "Multi-key privacy-preserving deep learning in cloud computing," Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[20] A. López-Alt, E. Tromer, and V. Vaikuntanathan, "On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption," in Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing, 2012, pp. 1219–1234.
[21] O. Goldreich, "Secure multi-party computation," Manuscript. Preliminary version, vol. 78, 1998.
[22] E. Bresson, D. Catalano, and D. Pointcheval, "A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications," in International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2003, pp. 37–54.
[23] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[24] O.-A. Kwabena, Z. Qin, T. Zhuang, and Z. Qin, "MSCryptoNet: Multi-scheme privacy-preserving deep learning in cloud computing," IEEE Access, vol. 7, pp. 29 344–29 354, 2019.
[25] Z. Li and T.-H. Lai, "On evaluating circuits with inputs encrypted by
[31] J. Dean, G. Corrado, R. Monga, K. Chen, M. Devin, M. Mao, M. Ranzato, A. Senior, P. Tucker, K. Yang et al., "Large scale distributed deep networks," in Advances in Neural Information Processing Systems, 2012, pp. 1223–1231.
[32] B. Recht, C. Re, S. Wright, and F. Niu, "Hogwild: A lock-free approach to parallelizing stochastic gradient descent," in Advances in Neural Information Processing Systems, 2011, pp. 693–701.
[33] R. Sarathy and K. Muralidhar, "Evaluating Laplace noise addition to satisfy differential privacy for numeric data," Trans. Data Priv., vol. 4, no. 1, pp. 1–17, 2011.
[34] E. Volna, M. Kotyrba, V. Kocian, and M. Janosek, "Cryptography based on neural network," in ECMS, 2012, pp. 386–391.
[35] H. Noura, A. E. Samhat, Y. Harkouss, and T. A. Yahiya, "Design and realization of a new neural block cipher," in 2015 International Conference on Applied Research in Computer Science and Engineering (ICAR). IEEE, 2015, pp. 1–6.
[36] S. Kalsi, H. Kaur, and V. Chang, "DNA cryptography and deep learning using genetic algorithm with NW algorithm for key generation," Journal of Medical Systems, vol. 42, no. 1, p. 17, 2018.
[37] D. Whitley, "A genetic algorithm tutorial," Statistics and Computing, vol. 4, no. 2, pp. 65–85, 1994.
[38] Q. Limin, "The study of DNA-based encryption method [D]," Zheng Zhou: Zheng Zhou University of Light Industry, 2008.
[39] M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan, I. Mironov, K. Talwar, and L. Zhang, "Deep learning with differential privacy," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 308–318.
[40] M. Abadi, U. Erlingsson, I. Goodfellow, H. B. McMahan, I. Mironov, N. Papernot, K. Talwar, and L. Zhang, "On the protection of private information in machine learning systems: Two recent approaches," in 2017 IEEE 30th Computer Security Foundations Symposium (CSF). IEEE, 2017, pp. 1–6.
[41] M. Coutinho, R. de Oliveira Albuquerque, F. Borges, L. J. Garcia Villalba, and T.-H. Kim, "Learning perfectly secure cryptography to protect communications with adversarial neural cryptography," Sensors, vol. 18, no. 5, p. 1306, 2018.
[42] C. E. Shannon, "Communication theory of secrecy systems," The Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, 1949.
[43] Z. Liu, P. Luo, X. Wang, and X. Tang, "Deep learning face attributes in the wild," in Proceedings of International Conference on Computer Vision (ICCV), December 2015.
[44] [Online]. Available: http://agents.fel.cvut.cz/boss/index.php?mode=VIEW&tmpl=materials
[45] S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, "DeepFool: a simple and accurate method to fool deep neural networks," in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016, pp. 2574–2582.
[46] A. Ilyas, S. Santurkar, D. Tsipras, L. Engstrom, B. Tran, and A. Madry, "Adversarial examples are not bugs, they are features," in Advances in Neural Information Processing Systems, 2019, pp. 125–136.
[47] I. J. Goodfellow, J. Shlens, and C. Szegedy, "Explaining and harnessing adversarial examples," arXiv preprint arXiv:1412.6572, 2014.
[48] X. Yuan, P. He, Q. Zhu, and X. Li, "Adversarial examples: Attacks and defenses for deep learning," IEEE Transactions on Neural Networks and Learning Systems, vol. 30, no. 9, pp. 2805–2824, 2019.
different fully homomorphic encryption schemes.” IACR Cryptol. ePrint [49] S. Gu and L. Rigazio, “Towards deep neural network architectures robust
Arch., vol. 2013, p. 198, 2013. to adversarial examples,” arXiv preprint arXiv:1412.5068, 2014.
[26] P. Mohassel and Y. Zhang, “Secureml: A system for scalable privacy- [50] A. Raghunathan, J. Steinhardt, and P. Liang, “Certified defenses against
preserving machine learning,” in 2017 IEEE Symposium on Security and adversarial examples,” arXiv preprint arXiv:1801.09344, 2018.
Privacy (SP). IEEE, 2017, pp. 19–38. [51] S. Gowal, K. Dvijotham, R. Stanforth, R. Bunel, C. Qin, J. Uesato,
[27] H. Chabanne, A. de Wargny, J. Milgram, C. Morel, and E. Prouff, R. Arandjelovic, T. Mann, and P. Kohli, “On the effectiveness of interval
“Privacy-preserving classification on deep neural network.” IACR Cryp- bound propagation for training verifiably robust models,” arXiv preprint
tol. ePrint Arch., vol. 2017, p. 35, 2017. arXiv:1810.12715, 2018.
[28] R. Gilad-Bachrach, N. Dowlin, K. Laine, K. Lauter, M. Naehrig, and [52] E. Wong and Z. Kolter, “Provable defenses against adversarial examples
J. Wernsing, “Cryptonets: Applying neural networks to encrypted data via the convex outer adversarial polytope,” in International Conference
with high throughput and accuracy,” in International Conference on on Machine Learning. PMLR, 2018, pp. 5286–5295.
Machine Learning, 2016, pp. 201–210. [53] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards
[29] L. T. Phong, Y. Aono, T. Hayashi, L. Wang, and S. Moriai, “Privacy- deep learning models resistant to adversarial attacks,” arXiv preprint
preserving deep learning via additively homomorphic encryption,” IEEE arXiv:1706.06083, 2017.
Transactions on Information Forensics and Security, vol. 13, no. 5, pp. [54] M. Mirman, M. Fischer, and M. Vechev, “Distilled agent dqn for
1333–1345, 2018. provable adversarial robustness,” International Conference on Learning
[30] R. Shokri and V. Shmatikov, “Privacy-preserving deep learning,” in Representations (ICLR) Conference, 2019.
Proceedings of the 22nd ACM SIGSAC conference on computer and
communications security, 2015, pp. 1310–1321.

597

You might also like