PINDROP BLOG

Cryptographers Question the Promise of AI, Machine Learning in Security

SAN FRANCISCO–Artificial intelligence and machine learning are the two dominant buzzphrases at the RSA Conference this year, but some of the founding fathers of the security community are questioning how much use those technologies will be for security.

“I’m actually skeptical that there will be much impact on security from AI,” Ron Rivest, a professor at MIT and one of the inventors of the RSA crypto system, said during the cryptographers’ panel at the conference here Tuesday.

The number of security companies touting AI and/or machine learning as part of their offerings is uncountable, but Rivest and the other panelists said it was unclear exactly what effect those technologies would have. Adi Shamir, a professor at the Weizmann Institute in Israel, said he could see some usefulness for AI in defensive technologies, but probably not on the other side of the ball.

“AI can be helpful for defensive purposes, but I doubt it will be helpful for finding new zero days,” he said. “Finding deviations from normal behavior is where AI can be useful. I’m optimistic about it for defense.”

Shamir was less convinced about the idea of quantum computing spelling the end of encryption as we know it. Although the NSA has said it is preparing encryption systems to deal with quantum computing’s potential power, Shamir said human brain power may still hold an advantage in attacking crypto algorithms.

“I think there’s a higher chance that RSA could be broken by math, by classical analysis,” he said. “There’s absolutely no guarantee that it won’t happen in twenty or thirty years. I wouldn’t lose too much sleep over quantum computers.”

Many security and policy experts have been losing plenty of sleep over the possibility of government-mandated backdoors in encryption systems, especially since the nasty battle between Apple and the FBI last year. While that conflict ended with the FBI being able to access an encrypted iPhone without Apple’s technical assistance, there are many other pending cases that involve the same issue, and Trump administration officials have said that the government needs the ability to get past encryption.

Rivest, who has studied the technical and policy aspects of the problem for many years, said a United States policy that mandates backdoors would not have the effect that Washington anticipates.

“Encryption is a global technology, and any policy that contemplates it has to deal with the fact that we live on a planet that’s well-connected,” he said.

Shamir went further, saying that a government policy requiring backdoors in American encryption systems would be a boon for foreign companies.

“By forcing American companies to put in backdoors they’d be shooting themselves in the foot,” Shamir said. “Foreign companies would be happy to step in.”

Image: DennisM2, public domain.