Neural Cryptography: From Symmetric Encryption to ...

Neural Cryptography: From Symmetric Encryption toAdversarial Steganography

Dylan Modesitt, Tim Henry, Jon Coden, and Rachel Lathe

Abstract— Neural Cryptography is an emergent fieldthat aims to combine cryptography with Neural Networksfor applications in cryptanalysis and encryption. Inthis paper, we (1) show Neural Networks are capableof performing symmetric encryption in an adversarialsetting and improve on the known literature on this topic.We also (2) show that Neural Networks are capable of de-tecting known cryptographically insecure communicationby having them play known cryptographic games basedon Ciphertext Indistinguishability. Finally, we (3) presentfurther research in Neural Steganography in the contextof developing neural end-to-end stegonographic (image-in-image, text-in-image, video-in-video) algorithms in thepresence of adversarial networks attempting to censor.

I. SYMMETRIC ENCRYPTION

Symmetric encryption is a form of encryption inwhich the sender and receiver use the same key toencrypt a plaintext and decrypt the correspondingcyphertext. Traditionally, symmetric encryption al-gorithms have used either block or stream ciphers.However, it has been demonstrated that in a systemof neural networks, with end-to-end adversarialtraining, they can learn how to perform forms of‘encryption’ and ‘decryption’ without the use of aspecific cryptographic algorithm [1].

A. Prior WorkThe work done by Adabi and Andersen can be

summarized as follows. They create three neuralagents: Alice, Bob, and Eve. Alice receives asinput a plaintext in the form of a fixed lengthbitstring, P , as well as a private key K. In practice,these are the same length though hypotheticallythis is not required. Bob receives the output ofAlice, C, as well as the private key and is ex-pected to produce the original message P . Eve isanother network that receives Alice’s output C, but

*This work was done as the final project to 6.857: Computer andNetwork Security at the Massachusetts Institute of Technology

does not receive the private key. The architectureof these individual networks consist each of asingle feed forward layer with no bias and σactivation, being followed by four 1-dimensionalconvolutions with tanh activations, presumablywith the intention to diffuse. The networks are thentrained in an adversarial fashion with the followingconstructions for loss (where d is the L1 norm):

LE(ΘA,ΘE, P,K) := d(P,E(ΘE, A(ΘA, P,K)))

LB(ΘA,ΘB, P,K) := d(P,E(ΘB, A(ΘA, P,K), K))

LAB(ΘA,ΘB, P,K) := LB(· · · )− LE(· · · )

where the training goal is to choose the optimalΘA,ΘB such that LAB is minimized.

This construction was trained in rounds tradingoff freezing Bob/Eve and unfreezing Eve/Bob, andit showed to be relatively sturdy to decryption fromEve while Bob was able to learn.

The researchers showed that the networks didnot learn XOR for doing a sort of one-timepad, but rather some other hard-to-invert function.Evidence of this is found in that “a single-bit flipin the key typically induces significant changes inthree to six of the 16 elements in the ciphertext,and smaller changes in other elements”. As we willdescribe, calling these operations ‘encryption’ isquite misleading.

1) Replication: In replicating the paper’s find-ings, we found somewhat poorer results than de-scribed, as well as design decision that lend them-selves to obfuscation rather than encryption. Bothimplementations by others [2], as well as our ownKeras implementation, performed worse than theoriginal paper and converged less frequently thanthe stated 1/2 or 1/3. We had to make minordeviations from the original training schedule, suchas slightly pre-fitting the Alice-Bob network before

1

adversarial iterations, to get convergence at all.We also had to iterate more frequently betweennetworks, as too long between switching led tomuch more chaotic results.

Furthermore, the original paper considers thescheme to be ‘secure’ against the adversary ifnewly initialized Eve(s) can not converge within5 epochs. However, we believe that this conditionis quite insufficient, as in our experience, simplygiving Eve more time often resulted in her recov-ering a significant number of bits.

Fig. 1. MSE Loss and Decryption Accuracy in a SuccessfulConvergence

Above are two examples of training where Evedoes not gain any accuracy advantage after post-fitting, and one where she learns to decrypt nearly70% of the plaintext. Both experiments ran withan additional 50 epochs for Eve to post-fit. Theprior happened roughly only 1 in 6 trails, despitenormal vs xavier initialization.

At the end of the day, we do think these resultsare interesting but do have some fundamental

Fig. 2. MSE Loss and Decryption Accuracy in an Un-SuccessfulConvergence

flaws. Firstly, the outputs of the networks are con-tinuous floating point numbers. Thus, C, Pb, andPe can technically be any floats within the rangeof the final activation. This turns out to be a hugeproblem, as we often observed that C, even duringa convergence where Eve does not decrypt, simplyperforms a sort of mapping to arbitrary valuesbetween −1, 1, effectivly increasing the ‘base’ ofthe encoded image. The specifics of the encryptionand decryption operations are hard to discern, butit surely seems that Alice and Bob learn more ofan obfuscation than a method of encryption despitethe encryption being ‘key dependent’.

Furthermore, we believe that there are severalquite unfair assumptions made here that make thetask easier for Alice and Bob than Eve beyondthe absence of the key. The condition that Eveneeds to decrypt the ciphertext is absurdly strin-gent and does not lend itself well to any reasonabledefinition for being secure, but rather encourages

2

obfuscation.

B. Ciphertext Indistinguishability for EveInstead of having Eve produce the plaintext,

P , without the key K, from the ciphertext C,we think a better construction would be to askEve given a plaintext, P and a possible ciphertextC ′, does C ′ = Alice(P )? This lends itself toa more natural GAN description where Eve actsas a discriminator. The networks can continue tobe trained adversarially where Eve’s loss is nowbinary cross-entropy on the truth label:

LE := −∑i

(y′i log(yi) + (1− y′i) log(1− yi))

This architecture, visually, looks as follows:

Fig. 3. True GAN setup where Eve judges Ciphertext Indistin-guishability

Other formulations, such as given two plain-texts, P1 and P2, and two ciphertexts, C1, andC2, is Alice(P1) = C1 ∧ Alice(P2) = C2 or isAlice(P1) = C2 ∧ Alice(P2) = C1, could bethe subject of further exploration; however, wedid not want to over-complicate training withouta noticeable logical benefit to the reconstructionof the game rules.

With the simpler formulation, Alice and Bobare trained with the added loss term, beyond theMSE of the decryption on the plaintext, of thebinary crossentropy into the discriminator (frozen)of labels that suggest the ciphertext is not the en-cryption of the plaintext, in standard GAN fashion.Alternatively, we considered the loss of

γ ∗ 0.5− sumi|yi|n

to encourage uniformly distributed predictionsfrom the discriminator. This lightens the incentivefor Alice and Bob to get higher than 50% falsenegatives, which can only last temporarily. Wefound that the latter loss term helped in earlierconvergence, but could cause stability issues atconverged values where the discriminator choosesto predict values all of a single class. Thus, mod-ifying the gamma factor during training helpedimprove this stability.

We additionally found that using this criteriafor Eve resulted in a 0% success rate out of100 trials with the network architectures describedabove. Eve always obtains nearly 100% accuracywith the above metric and with all other networkarchitecture and training procedures remaining thesame.

Furthermore, we attempted to weaken Eveslightly by adding Gaussian Noise to the falseCiphertexts as to make them look more contin-uous, given the convergence pattern we described.However, any remotely reasonable level of noise([0 − 0.5]) std did not hinder Eve almost at all.Thus, this seemed to be a complete failure.

C. Encouraging Element-Wise Operations

In order to encourage element-wise operations,rather than relying on a series of fully connectedlayers and convolutions to learn some operation,we construct a network architecture based on thefollowing: given two inputs of the same length,learn only a function that is element-wise of thoseinputs producing a same-length output. Specif-ically, inputs i and j have enumerated entriesi1...n ∧ j1...n. Each ik, jk are two inputs to a smallfeed forward network of its own construction, withvariable numbers and sizes of hidden layers andvariable activations. This feed forward networkcould enforced be the same for all elements, or itcould be an entirely separate kernel. Our customelement-wise layer in Keras that can handle arbi-trary network depths, sizes, activations, and kernelconfigurations. The following figure diagrams thisnetwork architecture.

3

Fig. 4. Element-Wise Architecture Diagram with two 3-ElementInputs

With this network design, we hope to be capableof learning bit-wise functions, specifically xorand nxor. To verify, as a proof of concept, weverified that this network architecture is capableof learning sequence to sequence xor with nearlyperfect accuracy after a small number of steps.

We use this new layer construction to com-pletely change the network architecture of Alice,Bob, and Eve. Alice and Bob both get two bitwisenetwork layers, one with n hidden layers andone with 1 to produce a valid size result. Theactivation on the first layer should be somethingnon vertically-symmetrical, as to not require thosefunctions where [0, 1] and [1, 0] can not map tothe same thing. Otherwise, without biase, it isimpossible to have a function that does the contrarylike xor. ReLu showed to be a reasonable candi-date. The final activation need be something thatcan produce valid bits. In our experimentation, wefound that only two options alleviated the problemof mid-range floating point mapping. We couldeither add an additional loss term to Alice’s outputthat punished deviation from one of the bit values,1 or −1. This loss term was

λ(1−∑

i |yi|n

)

where λ could help weight this term. This feltlike holding the hand of the activation, and also

complicates the loss. Alternatively, we used thefollowing ‘hard tanh’ function.

htanh(x) = 2 ∗max(0,min(1, xi ∗ 0.2 + 0.5))− 1

based of the known ‘hard sigmoid’ function. Wefound this activation was an excellent choice toremove any ambiguity over floating point results.Furthermore, when placed on both Alice and Bob,floating point results for ciphertext or recoveredplaintext were practically eliminated. Eve wasgiven a larger network, where she had an additionalintermediate bitwise layer and additional denselayers after the bitwise later, all with significantlymore units. We think this raw parameter advantagehelps aleviate weak eve concerns.

D. Results and AnalysisThis problem is now essentially reduced to

attempting to get the networks of Alice and Bobto learn xor or nxor implicitly, in an adversar-ial setting, when it is the best choice to securecommunication. We found that this does indeedhappen, but with several caveats.

Fig. 5. Sucessfull element-wise hard bit output conversion tothe one time pad. The above shows overlaid loss (with false labelbcc on the generator), and the below shoes the accuracy of thediscriminator. Results were confirmed to be nxor

4

Oftentimes, instead of learning the highly non-linear xor and nxor, the networks choose to fallinto a shortcut. Sometimes, it would ignore adver-sarial loss entirely, and learn the identify functionand be unable to escape this local minimum. Thiswas rather rare though. More often, the networkwould decide to learn a function like nand or or,which can produce 75% reproduction accuracy, butlead to less discriminator accuracy near 60%.

We found that xor/nxor was learned implicitlyroughly only 1/12 times. These odds can be raisedby forcing Θa = Θb and using the same weights,independent of index. However, this is beyondhand holding. Thus, initialization and optimizationtechnique plays a huge role in what approach thenetwork takes. We found no standard initializationthat provided better results. Furthermore, more ‘so-phisticated’ optimizers, like Adam, unsurprisinglyyielded the best results.

Fig. 6. Local optimum learning of nand for securing communi-cations

Finally, we did experiment with using BNNs[4]. However, we had little success. Perhaps furtherresearch into this formulation could be interesting.Also, it may be the case that more ‘curiosity’ basedoptimization methods with Reinforcement Learn-

ing could provide more success here; however,we feel that the already drastically instable settingof this 3 Agent GAN combined with additionalin-stable RL methods like Q-learning and PolicyGradients would be a true recipe for disaster.

However, an additional take-away helped uslook at a new approach to ‘secure’ communica-tion. Alice and Bob tended to perform obfuscationrather than encryption. So instead of forcing theproblem of having networks re-discover the one-time pad, we wanted to embrace the strengths ofDeep Learning and perhaps provide more usefulapplications within the realm of secure commu-nication. For this reason, we decided to exploreNeural Steganography, an also new (but perhapsmore useful), topic in Deep Learning, and did sowith much success.

II. INTRODUCTION TO STEGANOGRAPHY

Steganography is the practice of hiding datawithin data, oftentimes in plain sight where thehuman eye cannot detect that any secret mightbe concealed. This is different than most cryp-tographic practices where encryption is the focalpoint of protecting the secret; however, steganog-raphy is powerful practice that can be used tofool more passive observers. If an observer doesn’tthink that any secret is present they won’t takeany actions to alter or block the secret messagefrom reaching the intended observer. In this sense,there are two parts in steganography, first there isthe secret which is message that is hidden and thecover, the data that is supposed to hide the secretfrom an observer. This means that steganographycan be used to hide secrets in a myriad of datatypes if there are techniques to obfuscate the data.

The first mention of steganography can bedated back to 1499 Johannes Trithemius’ bookSteganographia which appeared to be a book aboutusing spells and magic to communicate across longdistances, but in reality was a book dedicated toearly cryptographic and steganographic pratices.It only took scholars over a hundred years toactually figure out the hidden meaning behindTrithemius’ work, and since then steganographyhas evolved to allow people to hide secrets inall types of data from text in images to video-in-video. In this part of the paper we will be focusing

5

on hiding text in images, images in images, andvideo-in-video using adversarial neural networksto devise a hiding scheme that can avoid a passiveobserver. However, in order to validate that ourneural network can create a sophisticated schemethat is capable of avoiding detection from mostobservers, we first need to construct an adversarythat has learned how to detect the most commonsteganographic practices of hiding data in images.

III. GOALS

We present several neural applications toSteganography, with the ultimate goal of hav-ing Neural Networks perform stenographic algo-rithms on different data both with the standardsteganographic goals (hidden secret looks like thecover and the reconstructed secret is accurate),as well as being undetectable to an adversarylooking for steganography. We think this servesas a good architectural candidate for censorship-resistant steganography among other applications.However, before presenting such a construction,we attempt to create an adversary that can detect(perform a steganalysis) on the most commondeterministic Steganography algorithm.

IV. LEAST SIGNIFICANT BIT

Least Significant Bit (LSB) is the most com-mon technique employed by practitioners intent onhiding binary data within binary data. The LSBscheme is quite simple to employ. We will explainthis in the context of hiding text in an image.For every pixel in an image there is an associated(r,g,b) tuple, which defines the color of the pixel.Each of these entries are byte and range in decimal0 to 255. In order to encode some text you firstconvert the text value to binary, i.e. a → 01100001. Now, to encode the information match theparity of the R, G, or B value to the parity associ-ated with 0 or 1 in the binary string representationof the character, i.e. the least significant bit of thecolor. In order to best demonstrate this, we willencode the character “a” in a sample 4× 4 image.

We start with our binary string representationof “a”, 0110 0001, and a matrix of (R,G,B) tripleseach representing a pixel in an image.[

(13, 32, 128) (96, 47, 26)(211, 5, 44) (69, 17, 200)

]

We start now with the highest order bit of “a” andthe R value of the pixel in the top left corner. Thehighest order bit in “a” is 0 and the R value ofthe pixel in the top left corner is 13, therefore wewant to change the parity of this value to matchthat of the bit, so we change the R value to 14.The (R,G,B) values of each picture look like thisafter this initial update step.[

(14, 32, 128) (96, 47, 26)(211, 5, 44) (69, 17, 200)

]↓[

(14, 33, 128) (96, 47, 26)(211, 5, 44) (69, 17, 200)

]↓[

(14,33,129) (96,48,26)(212,5, 44) (69, 17, 200)

]The values in bold in our final image represent

the bits that we’ve used to encode the character“a”. Notice, some of the bits haven’t changed fromthe original image because they already matchedthe parity of the relevant bit.

Note that in LSB, If someone were to look atthe (R,G,B) values for each pixel in an imagewithout a secret and then convert the parity ofthose values to bits, the resulting bitstring wouldbe fairly random. If the encoded secret is random,it would be exceedingly difficult for a passiveobserver to detect if there is an underlying secretor not; however, if an observer can detect any sortof pattern in what is the binary string, then theobserver should be able to detect if there is someinformation being encoded. Therefore, in order tosee if a neural network could actually create auseful steganalysis adversary we wanted to armour adversary with the ability to detect LSB.

V. CONSTRUCTING AN ADVERSARY TO

DETECT LEAST SIGNIFICANT BIT

Neural networks excel at learning to detect sta-tistical patterns, as they serve as a good universalfunction approximator, which is why it makessense that creating an adversary to detect text-in-image LSB encoding should be possible. Ob-viously, the adversary will not be able to detectall types of LSB encoding as things like encrypted

6

text will appear random; however, the adversaryshould be able to detect valid ascii charactersencoded as plaintext into an image. The adversarycan do this because the binary representation ofASCII characters is not random, nor are validEnglish words random. For example, lowercaseletters begins with 011 and uppercase letters beginswith 010, so our neural network should be able todetect if there is some pattern if those three binaryvalues are consistently showing up in order.

Next we need to define what kind of game wewant our adversary to play. We want the adversaryto detect if there is secret text encoded within theimage. The adversary does not need to detect andreveal what the secret is, but rather have confidencethat the pixel values are not random. Therefore, ourgame will be seeing if the adversary can detect ifthere is a secret encoded within the image withbetter than 50% accuracy. We chose this gamebecause when LSB is put into practice, it’s toavoid the detection of any secret being transmittedfrom one party to another. Therefore, if an observerdetects the possible presence of a secret, it is oftenjust as bad as the secret itself being revealed.

A. Data and Network ConstructionThe first step in defining how we were able to

construct this network is to talk about the dataset that we used. We used approximately 50,00032 × 32 images from ImageNet and drew froma dictionary of 10,000 words which were thenrandomly chosen to be embedded into imagesusing Least Significant Bit.

The adversary is then trying to determine ifthere is a hidden message in a given image. Wefind that CNNs make little sense to use here. Theinput for the CNN will be scaled down, makingthe individual pixel values (and, importantly, theirparity) very obfuscated. Thus, steganographic en-cryptions that rely on subtle pixel value changeswill be difficult or impossible to capture. Theseassumptions hold in our experimentation as wewere unable to have a CNN converge to detectLSB steganography. Rather, we want to have thenetwork learn some mapping to particular pixelvalues [0-255] and what those values mean (parity,for example).

The first step in figuring out this mapping is to

use a flatten layer, which reduces a 32× 32 imageto a list of 3072 (R,G,B) values.[

(13, 32, 128) (96, 47, 26)(211, 5, 44) (69, 17, 200)

]↓

[ 13, 32, 128, 96, 47, 26, 211, 5, 44, 69, 17, 200]

Now that we’ve flattened our image, we canmore easily find a mapping for each pixel value.We use an embedding layer, usually used to trans-late word encodings to a vector describing theirmeaning, but in this case the embedding layer willbe mapping pixel values to their associated parity.The embedding layer has an input dimension of256 because the (R,G,B) range from 0 to 255.This kind of ‘pixel embedding’ trick helps us de-tect steganographic encryptions that produce pixel-based patterns in the image. LSB and many otherstenographic algorithms fall under this umbrella.

B. Results and AnalysisWe used standard supervised learning tech-

niques to train the LSB adversary. We measuredour loss in terms of binary cross entropy andtrained our LSB adversary for 50 epochs with abatch size of 32 in each epoch to ensure that ouradversary adequately converged to being able todetect LSB. The following graphs indicate the lossover these iterations.

Fig. 7. Training Loss of Least Significant Bit Adversary

As we can see in our results, the adversarywas able to perform quite strongly and learn todetect if there was an LSB encoding within aimage quite quickly. This demonstrates that thisnetwork will make for a worthy adversary for

7

our Encoding Network in order to elicit a strongencoding scheme.

VI. TEACHING NEURAL NETWORKS TO

HIDE DATA IN DATA

Now that we have a sufficiently strong adver-sary, we want to see if we can design a networkthat will be able to hide a secret in plainsight inthe presence of this adversary. We explore neuralapproaches for text in image, image in image, andvideo in video. Furthermore, we use roughly thesame network for all pairings of data.

We again used about 50,000 32×32 images fromImageNet for image secretes and covers, about 50downsized 32×32 30 frames per second videos forthe video secrets and covers, and roughly 10,000valid English words. For training and testing werandomly sampled from these datasets.

We will refer to the LSB adversary that we cre-ated in the previous section as our Censor, whichwe will train adversarially against our EncodingNetwork. The Encoding Network is the networkthat will be learning how to hide secrets in thecovers.

A. Encoding Network ConstructionFrom a high level our Encoding Network, an

adversarial neural network, is comprised of threenetworks working together against the Censor.The three networks are the Prep Network, theHide Network, and the Reveal Network. The ar-chitecture and design of these three is inspiredby the previous work by Baluja (2017) [3]. ThePrep Network prepares the Secret to be hiddenin the Cover, while the Hide Network then hidesthe Secret within the Cover. Finally, the RevealNetwork exists to make sure that the Hidden Secretcan be reconstructed after being hidden. This lastpart is extremely important as a steganographicmodel would be useless if the receiver could notread the message. The following graphic depictshow the three networks interact with one another.

While each of the networks has a differentfunction, they all have a similar structure. Eachnetwork takes in an input which is an image alongwith identifying information in the form (height,width, channels). Channels represents the numberof values associated with a given pixel. When

Fig. 8. High-Level Representation of the Encoding Network

hiding text in an image, we can represent the textin its binary form with each pixel only having onevalue representing it (0 or 1) instead of three valuesfor standard color images. With images and videoswe set the channel value to 3 because for each pixelthere is an associated (R,G,B) triple.

In each network, if it’s necessary, we con-catenate the output of the previous network withthe input of the next network. Each network isconstructed from three modules, the Input Module,Output Module, and the Convolutional Module.This construction can be seen in the figure below.

Let’s first look at the Convolutional Module.This block is made up of three sets of four convo-lutional layers One set of convolutional layers hasa 3× 3 window size, the second set has a windowsize of 4 × 4, and the last set of convolutionallayers has a window size of 5 × 5. Each convo-lutional layer has a stride length matching that ofits window size. All three sets of convolutionallayer sequences operate independently until theyare concatenated. This means that the differentsequences of layers are able to capture information

8

Fig. 9. Prep, Hide, and Reveal Network Module Representation

about the image at different scales. The 3×3 con-volutional layers will capture small details, whilethe the 4 × 4 layers will capture the relationshipand interaction of those small regions, and finallythe 5 × 5 layers can capture the big picture ofthe image. We demonstrate this architecture in thefollowing figure. The Input Module function in two

Fig. 10. Convolutional Module Representation

ways. In one instance, like with the Prep Network,the Input Module is simply one layer that takes inthe input and then passes it to the ConvolutionalModule. However, in the Hide Network the InputModule concatenates the two inputs, the prep latentand the cover. The Output Module is actually made

up of three sets of layers. First, the Output Moduleconcatenates the outputs from the three sets ofconvolutional layers. Then it passes this outputthrough one round of 3 × 3, 4 × 4, and 5 × 5convolutional layers and then finally concatenatesthe result. This construction can be seen in thefigure below.

Fig. 11. Output Module Representation

Now we can return to our overall construction.The Prep Network creates the Prep Latent, whichis the what the network learns to be the bestmapping from the Secret to the relevant pixelsneeded to encode the Secret in the Cover. Next,we concatenate the prepared Secret with the Cover,and pass that through the Hide Network in orderto finally create the Hidden Secret. The powerof neural networks is most evident here becausethe Encoding Network learns the best mappingto hide the Secret within the Cover, regardless ofhow complicated the scheme would be to devisemanually.

The final step is to pass the Hidden Secretinto the Reveal Network to make sure that theSecret can actually be recreated by the receiver. Ifwe train this entire network adversarially againstthe Censor, we can create a sophisticated networkcapable of avoiding detection from a strong adver-sary.

In order to train this network we first define theloss function:

9

L(C,HS, S,RS) = α(C −HS)2 + β(S −RS)2

where C is the Cover, HS is the Hidden Secret,S is the Secret, and RS is the Revealed Secret.β = 0.75 in practice. Then we train the networksas follows.• 2 epochs where α = 0• 10 epochs with respect to α = 1• 5 epochs of transfer-learning to the CensorThe final result is a network architecture that can

successfully hide text in images, images in images,and video in video. However, what is even moreastounding is that we are in fact including 2 bitsin every Hidden Secret image or video for every1 bit that exists in the Cover.

B. Hiding Images in ImagesEncoding images in images is the main goal

of our network architecture. The main differencein how this is executed is that we have to doless preprocessing of the Secret unlike when wehide text in images. Furthermore, each pixel inthe secret image is represented with three (R, G,B) values, so we need to make sure our networkknows to use three channels for the image. As wecan see in the graph below, our network performedstrongly at hiding the Secret well and accuratelydecoding the Hidden Secret.

Fig. 12. Encoding Network Loss for Hiding Images in Images

Now we look at how our Censor performedin detecting if there was any encoding in theimage. Our Censor was the LSB adversary thatwe constructed before; however, even though itwas adept at identifying LSB encoding for text in

image, the Encoding Network proved to be toodifficult to crack. We see in the graph below thatour loss hovered around 0.7, a poor value for sucha loss metric.

Fig. 13. Censor Loss for Hiding Images in Images

The poor performance of the Censor in this casecan be attributed to two reasons. The first beingthat our Encoding Network created some randomlooking mapping of pixels that enabled it to evadeany sort of pattern recognition that the Censor wasable to detect. The second possibility is that whileour Censor is good at detecting text in images,there is inherently more randomness in how imagesare encoded than text.

C. Hiding Video in VideoAs we have a good image in image network,

hiding video in video is a task easily done by justtaking every pair of video frames for the Cover andSecret and using the Encoding Network to producethe Hidden secret and latter the reveal. The figurebelow shows subsequent frames with this method.

Furthermore, we have developed a web applica-tion so users can do this with their own content,and we plan to make it publicly available in thenear future.

D. Hiding Text in ImagesFinally, we wanted to test how well our network

could hide text in images. We formatted the textas an image (a matrix) with one channel whereeach ‘pixel’ value is binary value correspondingto the binary representation of a character. Whilethe Censor was able to easily detect text in imageencoding based on LSB, our Encoding Network

10

Fig. 14. Two frames of a secret video (top left) and cover video(top right), as well as their hidden secret (bottom left) and revealedsecret (bottom right) counterparts.

was able to create a novel encoding scheme thatwas able to accurately hide and reveal the secrettext. We can see these results in the figures below.

Fig. 15. Encoding Network Loss for Hiding Text in Images

VII. FURTHER RESEARCH AND

POTENTIAL APPLICATIONS

The possibilities for further research and appli-cations of this topic are immense in certain aspectsand useless in others. Steganography and securitypractices in general are far older than computing

and machine learning, yet we see the massivepotential that the union between these two subjectscould bring.

Our initial motivation was inspired by our TAand project advisor Jonathan Frankle who talked tous about how in countries with totalitarian regimesit can be difficult for citizens to discuss dissentingopinions online or to organize demonstrations orprotests due to the ever watching government.Steganography can be utilized by these citizens toevade the watchful eye of the government withoutraising suspicion; however, with the continuedimprovements in computing, this becomes moredifficult. Using a network like the one we’ve pro-posed here it could be possible to train our networkagainst an adversary that mimics the censor inquestion, like we did with our LSB adversary,in order to ensure that people would be able tofreely discuss their opinions. This application iscontingent on being able to replicate a strongenough adversary because if our adversary is tooweak the resulting encoding will be easily detectedby a stronger adversary.

However, we think that the question of whetherneural networks can perform encryption amongthemselves is trickier than it might seem. In orderto gain a satisfactory outcome, much augmentationand complication needs to be introduced, takingaway from the elegance of the original idea ‘NeuralNetworks learning to encrypt’. Our approach nar-rowed the problem to be essentially, how hard is itto learn XOR in this loss space. Beyond the pointof doing it to do it, we see little future applicationof this technology; however, we would be happyto see ourselves proved wrong.

11

APPENDIX

A. Open Source Software

You can visit all the code we made for ourproject https://github.com/DylanModesitt/neural-cryptography. Everything was written in python3.6 with 3.7 future . We used Keras with a TFbackend. Further setup instructions are describedin the ReadMe. We hope you like it!

B. DES ECB Cryptanalysis

Additionally, we attempted to expose the weak-ness of DES ECB mode with a single key byutilizing neural networks. As we learned in 6.857,DES ECB is not CCA secure (an adversary canalways pad an input message with an additionalblock and send it to the encryption oracle, and justcompare all but the last block of the result with theciphertext to win the CCA game).

Thus, we attempted to set up a form of an indis-tinguishability game, and create a neural networkadversary to try to learn an advantage. A majorconstraint in creating a CCA-like game within aneural network structure is that DES ECB haspermutations and s-boxes that are not differentiablewhich prevents us from giving our adversary en-cryption oracle or decryption oracle access.

Instead, we created a CPA-like game that pre-sented our adversary with one plaintext and oneciphertext, and challenged it to determine whetheror not the ciphertext was the encryption of theplaintext or just random bits. Our implementationwas first tested by using DES ECB with oneround (which effectively does not alter half of theplaintext) and observing that our adversary quicklyconverged to 100% accuracy. Ultimately, however,we were not able to find a network architecturethat gave our adversary an advantage in this game,even with 2-round DES ECB encryption. This is atestament to the ”randomness” of DES.

C. Steganography Keras Model Diagram

Fig. 16. Detailed Representation of the Full Encoding Network

12

ACKNOWLEDGMENTREFERENCES

[1] M. Abadi and D. G. Andersen. Learning to Protect Communi-cations with Adversarial Neural Cryptography. ArXiv e-prints,October 2016.

[2] ankeshanand. Adversarial Neural Cryptography in TensorFlow,2015.

[3] Shumeet Baluja. Hiding images in plain sight: Deep steganog-raphy. In I. Guyon, U. V. Luxburg, S. Bengio, H. Wallach,R. Fergus, S. Vishwanathan, and R. Garnett, editors, Advancesin Neural Information Processing Systems 30, pages 2069–2079. Curran Associates, Inc., 2017.

[4] Matthieu Courbariaux and Yoshua Bengio. Binarynet: Trainingdeep neural networks with weights and activations constrainedto +1 or -1. CoRR, abs/1602.02830, 2016.

13