Successful attack on permutation-parity-machine-based neural cryptography

An algorithm is presented which implements a probabilistic attack on the key-exchange protocol based on permutation parity machines. Instead of imitating the synchronization of the communicating partners, the strategy consists of a Monte Carlo method to sample the space of possible weights during inner rounds and an analytic approach to convey the extracted information from one outer round to the next one. The results show that the protocol under attack fails to synchronize faster than an eavesdropper using this algorithm.

💡 Research Summary

The paper introduces a probabilistic attack on the neural key‑exchange protocol that uses permutation‑parity machines (PPMs). Unlike previous attacks that try to imitate the synchronization process of the legitimate parties, the proposed method samples the space of possible weight configurations during each inner round using a Monte‑Carlo approach and then propagates the information gained to subsequent outer rounds through an analytic update of a probability vector.

A PPM consists of two layers: K hidden units in the first layer, each receiving N binary inputs. The weights are selected from a large binary state vector s of size G (with G ≫ K N) via a publicly known mapping matrix π. For a given input X, each hidden unit computes a local field h_j by XOR‑ing the input bits with the selected weights; the unit becomes active (σ_j = 1) if the number of ones in h_j exceeds N/2, otherwise it stays inactive. The output τ of the whole machine is the parity of the K hidden states.

During key exchange, two parties A and B repeatedly receive the same public input X and mapping π, compute τ_A and τ_B, and store the state of the first hidden unit whenever τ_A = τ_B. After G such coincidences an outer round ends and the stored bits replace the current state vector. Repeating outer rounds eventually drives A and B to identical state vectors s_A = s_B, which then serve as a shared secret.

The attacker E also runs a PPM but, instead of trying to synchronize, maintains a probabilistic state vector p_E = (p₁,…,p_G)ᵀ. Each p_i estimates the posterior probability that the i‑th bit of s_A equals 0 given all publicly observed data D (inputs, π, τ_A, …). Initially all p_i = ½. In each inner round E draws M candidate weight vectors s_E by sampling each bit independently from a Bernoulli distribution with parameter p_i, but only for those bits actually selected by π. The candidate is accepted if the attacker’s output τ_E matches τ_A; otherwise it is discarded. After M valid candidates have been collected, the relative frequency of 0‑bits among the accepted samples updates the corresponding p_i. Bits that are not involved in the current round remain unchanged.

Because only the bits referenced by π need to be sampled, the computational cost scales with K N rather than G, making the method feasible even when G is orders of magnitude larger than the total number of weights. With a modest sample size (M ≈ 10³) the algorithm can already concentrate the probability mass on the correct weight configuration, driving many p_i toward 0 or 1 after a few outer rounds. The most probable state s_E* is then obtained by thresholding p_i at ½; if s_E* = s_A the attack succeeds.

To transfer information between outer rounds, the attacker computes the conditional probability that the first hidden unit σ₁ equals 0 given the current probability vector p_E⁻, the public input X, and the mapping π. The number of ones in the local field h₁ follows a binomial distribution with success probability

q₁ = (1/N) ∑_{i=1}^{N}