Table of Contents
I spend my days helping boards and engineering teams get quantum-ready, and one myth keeps surfacing: “If quantum can break RSA, then AI must be close, and I’ve heard the NSA already has AI plus quantum cracking 2048‑bit keys.” That’s nonsense. Quantum computing is a new model of computation with a proven algorithmic route to factoring large numbers. AI is a collection of algorithms running on classical, silicon-based hardware, and it excels at pattern recognition. Those are different things. Modern encryption’s resistance to AI rests on unchanging mathematical principles and computational limits, and recent research (2023-2025) keeps reinforcing the point: no matter how advanced machine learning becomes, it cannot overcome the hardness assumptions that secure cryptographic systems. An AI program is, at bottom, bit operations on classical chips. It cannot defy the super‑polynomial complexity of problems like integer factorization and finite‑field discrete logarithms (both subexponential classically), or the exponential complexity of elliptic‑curve discrete logarithms, absent an algorithmic revolution that no one has produced.
Introduction: AI Hype vs. Quantum Reality in Cryptography
It is easy to be impressed by AI’s pattern-matching and then imagine a super-intelligent algorithm “finding a hidden pattern” to crack RSA or AES. The idea is a category error. AI still runs on classical computers and obeys the same complexity constraints as any other classical algorithm. It cannot outsmart the mathematics underlying encryption without overturning core results in computational theory. No clever AI trick bypasses those limits unless our core assumptions, P ≠ NP chief among them, turn out to be wrong.
Quantum computing does threaten current cryptography, because it introduces a new model of computation rooted in physics. A sufficiently large quantum computer uses phenomena like superposition and interference to solve problems that sit out of reach for classical machines. Shor’s quantum algorithm factors large integers and computes discrete logarithms exponentially faster than any known classical method, which means it would break RSA and elliptic-curve cryptography (ECC) given the hardware. Grover’s algorithm speeds up brute-force search quadratically, effectively halving the key length of symmetric ciphers (a 128-bit key becomes a 64-bit problem). These are real threats, and they are why the U.S. National Institute of Standards and Technology (NIST) ran a multi-year project to standardize post-quantum cryptography, finalized in 2024 with algorithms built to withstand quantum attacks. There is no equivalent global effort for “post-AI cryptography.” AI does not change the game the way quantum physics does. At most it helps attackers exploit implementation flaws such as bugs or side-channel leakage; it leaves the underlying cryptographic math intact.
The rest of this article lays out the argument in four parts:
- Section 1 lays out the mathematical bedrock of modern cryptography: the conjectured separation of complexity classes (P ≠ NP) and the one-way functions that form an “invisible fence” against any feasible classical attack. RSA, elliptic-curve cryptography, and lattice-based schemes all rely on problems believed to be intractable for any classical algorithm, AI included, and symmetric ciphers like AES stay secure against brute force because the key space is astronomically large.
- Section 2 explains why quantum computing overturns those assumptions while AI does not. Shor’s algorithm uses quantum Fourier techniques to factor integers in polynomial time; Grover’s weakens symmetric keys by a square-root factor. The global response, NIST’s PQC standards above all, shows that the community is focused on the quantum threat, not a hypothetical AI one.
- Section 3 examines why AI fails at cryptanalysis. Modern ciphers are designed to produce output indistinguishable from random noise to any efficient algorithm, which erases the patterns machine learning would need. The theory (no exploitable structure, a flat loss landscape with no gradient to follow) is backed by decades of empirical results: neural networks succeed only on toy or reduced ciphers, with essentially 0% success on real AES or RSA.
- Section 4 clarifies what AI can do in security. It sharpens side-channel attacks (analyzing power or timing to recover keys) and automates tasks like vulnerability discovery and phishing. These are serious, but they target the periphery of a cryptosystem, not its core math. I close with a 2023 case study where a deep-learning side-channel attack on a Kyber implementation got reported as “AI breaks encryption” when the algorithm itself was never touched.
Getting this distinction right matters for how you spend a security budget. The mathematical foundations of cryptography have held up well, and they hold against AI. The work ahead is fortifying implementations and moving to quantum-safe algorithms before a large-scale quantum computer, a cryptographically relevant quantum computer (CRQC), arrives.
1. Cryptography’s Mathematical Foundations
Modern encryption is built on problems believed to be out of reach for any feasible classical computation. That is deliberate. Decades of computational complexity theory give us a rulebook for which problems are tractable, and any would-be codebreaker, human or AI, has to play by it. Claiming that an AI can crack RSA or AES without the key implies an algorithmic breakthrough on the order of proving P = NP, which almost no expert considers plausible.
1.1 P, NP, and the “Invisible Fence” of Complexity
At the center of this sits the P versus NP problem. P is the class of problems a deterministic algorithm can solve in polynomial time, which is to say efficiently. NP is the class whose solutions can be verified in polynomial time. P ⊆ NP, but the field widely conjectures that P ≠ NP, meaning some problems in NP have no polynomial-time algorithm. The implications for cryptography run deep: many schemes are secure precisely because their underlying problem is believed to lie outside P for classical computers.
Take integer factorization. Multiplying two large primes is easy and runs in polynomial time, but factoring the product back appears to need super-polynomial time on a classical computer. For an n-bit composite such as an RSA modulus, the best known classical method, the General Number Field Sieve, runs in subexponential time, not polynomial. The discrete logarithm problem, finding x given $$g^x$$ ≡ h (mod p), has no known efficient classical solution in the general case either. Both are NP-type problems with no known polynomial algorithm, and both form the backbone of RSA and Diffie–Hellman/ECC cryptography. Cryptographers pick problems they believe sit outside P, then build encryption and signatures on top of them.
The “invisible fence” image, which computer scientist Scott Aaronson popularized, captures a boundary set by complexity classes: factoring and discrete log live outside the fence for classical computers. You can roam anywhere inside P, and a little past it with subexponential algorithms, but you cannot cross into solving those hard problems efficiently without new mathematics. An AI running on a classical Turing-machine model lives inside that fence. No amount of training or cleverness lets it step into a class of computation that breaks the complexity barriers. As long as AI runs on classical hardware, it does not get to bend the rules for problems believed to require super‑polynomial time: subexponential for factoring and finite‑field discrete logs, exponential for elliptic‑curve discrete logs.
1.2 One-Way Functions
Cryptographers turn that assumed hardness into one-way functions: functions easy to compute but infeasible to invert without special knowledge such as a secret key. Multiplying primes is easy and factoring the product is hard, and that asymmetry underlies RSA. Exponentiating modulo a prime is easy and the inverse, discrete log, is hard, which underpins Diffie-Hellman key exchange and elliptic-curve cryptography, where the group operations play a similar role.
RSA and integer factorization: RSA, invented in 1977, uses the multiplication of two large primes as its one-way function. Given primes p and q you can compute N = p·q easily, and N becomes the public modulus. Given N alone, recovering p and q appears to need super-polynomial time with any known classical algorithm. The best published method, the General Number Field Sieve (GNFS), runs in roughly $$exp(1.923*(log N)^{1/3}*(log log N)^{2/3})$$, which is astronomically large at practical key sizes. To put numbers on it, in 2020 researchers factored RSA-250 (an 829-bit number), and it took about 2,700 CPU-years, hundreds of cores grinding for years on a number far smaller than the 2048-bit keys in routine use. Extrapolate to a 2048-bit modulus and factoring it with known methods would take longer than the age of the universe. Easy multiplication, infeasible factorization: that gap is RSA’s security.
Discrete logarithms (Diffie-Hellman and ECC): A second one-way function is exponentiation in a finite group. Given a generator g and an integer x, computing h = $$g^x$$ mod p is easy. Given $$g^x$$ mod p and g, recovering x, the discrete logarithm, is hard. In classical Diffie-Hellman over the multiplicative group mod p, discrete log yields to subexponential algorithms like Index Calculus for some groups. For the elliptic-curve groups used in practice (ECDLP), the best known algorithm is Pollard’s rho at O(√N) for a group of size N, which is exponential in the input length, half the bit-length of N. A standard 256-bit curve has a group of size around $$2^{256}$$, so Pollard’s rho needs on the order of $$2^{128}$$ operations, well past feasible. In the generic group model it is proven that no algorithm beats √N for discrete log without special structure, and well-chosen curves expose none. That is why 256-bit ECC is treated as roughly equivalent to 3072-bit RSA, and why standards bodies equate RSA‑2048 to about 112‑bit classical strength while you need RSA‑3072 to match the ~128‑bit strength of AES‑128. An AI can no more shortcut discrete log than it can factor: the same super‑polynomial wall, subexponential in finite fields and exponential on elliptic curves.
Lattice problems (post-quantum crypto): Anticipating quantum attacks, newer public-key schemes lean on hard lattice problems. The leading example is Learning With Errors (LWE), which asks you to solve linear equations hidden by small random noise. Oded Regev showed that solving average-case LWE is as hard as solving certain worst-case lattice problems such as GapSVP in the same dimension. That worst-case hardness is why no efficient quantum algorithm for LWE is known. ML-KEM (CRYSTALS-Kyber), the NIST standard for key encapsulation, rests on a variant of LWE and operates in lattice dimensions between 512 and 1024 depending on security level, where the known attacks (lattice reduction and sieving) again run exponential in the dimension. Practical solvers handle far smaller dimensions than that, so lattice encryption is believed secure against both classical and quantum attack. It remains an assumption of hardness, though: if LWE is hard, no classical algorithm, AI included, solves it efficiently without a breakthrough in algorithmic number theory.
Each of these is a one-way function: easy forward, infeasible backward without the secret. The functions in mainstream use (factoring, discrete log, lattice problems) have absorbed decades of scrutiny, and security proofs typically tie breaking the cryptosystem to solving the underlying hard problem. Recovering an RSA plaintext without the private key is as hard as factoring the modulus. Recovering a Diffie-Hellman shared secret without the private keys is as hard as solving a discrete log. To break either, an AI would have to do what every other algorithm cannot: find a shortcut through the hard problem itself.
The strength of these schemes is a conjecture. We assume the problems are hard because no one has cracked them despite decades of effort, and a mathematical breakthrough could overturn that. AI has not changed the equation. It is one more tool a researcher might point at the problem, and so far it has produced no new algorithms here. Absent a real discovery, the best an AI can do is run the algorithms we already know, perhaps faster or at larger scale, and it still hits the super‑polynomial wall. It cannot conjure the inverse of a one-way function out of thin air.
1.3 Symmetric Ciphers and Brute Force
Public-key cryptography draws most of the “AI will break encryption” speculation, but symmetric cryptography like AES deserves attention too. Symmetric ciphers use a shared secret key, and their design rests on Claude Shannon’s principles of confusion and diffusion rather than on a number-theory problem. A well-built block cipher like AES-128 has no known analytical attack meaningfully faster than brute force. Its security comes from the size of the key space: $$2^{128}$$ possible keys.
Breaking AES by brute force means trying $$2^{127}$$ keys on average, about $$1.7×10^{38}$$ of them. At a billion ($$10^9$$) tests per second that is roughly $$5×10^{21}$$ years. More compute does not rescue the attacker. Grover’s quantum algorithm gives only a quadratic speedup, cutting AES-128 to about $$2^{64}$$ steps, still around $$1.8×10^{19}$$ operations, on the order of hundreds to thousands of CPU-years. If that ever came within reach, AES-256 sits ready, with $$2^{128}$$ complexity even under Grover. There is no smart way to guess a 128-bit key: you try them all or you don’t. AI finds no pattern in the key to shrink the search, because the key is uniformly random and the ciphertext looks like noise. Section 3 returns to this, since the deliberate randomness of ciphertext is exactly what defeats learning.
A secure cipher hides no pattern or structure for AI to exploit. A random key produces ciphertext that looks like noise, and without the key, decrypting even one block correctly is about a 1 in $$2^{128}$$ chance for AES-128. Machine learning finds no backdoor pattern in properly encrypted data because the cipher is built to remove such patterns. After more than 20 years of scrutiny, AES has held against every class of cryptanalysis, including the computer- and AI-assisted kind. The last widely used cipher to fall outright was RC4, broken through biases in its output that classical statistical analysis exploited, not anything an AI uniquely found. If human cryptanalysts with every tool available have not broken AES, an AI is not going to break it by thinking harder. Short of an unforeseen mathematical insight (an AI might help find one, but the insight has to exist), brute force is the baseline for symmetric encryption, and AI does no better than brute force.
The pattern across this section is consistent. Properly implemented encryption rests on problems believed to require super‑polynomial time: subexponential for integer factorization and finite‑field discrete logs, exponential for elliptic‑curve discrete logs, and exponential in the dimension for LWE-type lattice problems. Those beliefs sit on well-vetted complexity assumptions. An AI confined to classical computation does not slip past them. Short of a major algorithmic discovery, it breaks these schemes no more easily than any ordinary program. Brilliant pattern recognition is still searching for a needle in an astronomically large haystack, and no search strategy helps when the only path to success is to inspect every straw.
2. Why Quantum Computing Overturns Encryption but AI Does Not
If classical complexity is an invisible fence around what AI can do, quantum computing is a potential gate-crasher that changes the rules. Quantum algorithms are not merely faster or smarter; they work differently, with capabilities rooted in physics. A quantum computer can attack the mathematical problems under cryptography in ways no classical algorithm, AI included, can match. AI stays a set of algorithms running on classical hardware.
2.1 Shor’s Algorithm: Using Physics to Do the Impossible (for Classical Computers)
In 1994, Peter Shor found a polynomial-time quantum algorithm for integer factorization, plus a companion for discrete logarithms. Shor’s algorithm matters because it takes problems with no known polynomial‑time classical algorithm (subexponential at best for factoring and finite‑field discrete logs, exponential for elliptic‑curve discrete logs) and solves them in polynomial time on a quantum computer. It factors an n-bit integer in roughly $$O(n^3)$$ time, against subexponential or worse for the best classical methods. In complexity terms, factoring sits outside P for classical machines but inside BQP (bounded-error quantum polynomial time), the class a quantum computer handles efficiently.
How does it get there? It recasts factoring as finding the period of a periodic function, using quantum parallelism and the Quantum Fourier Transform (QFT). In simplified form:
- To factor N, you pick a random number a < N and consider the function $$f(x)=a^x$$ mod N.
- This function is periodic (because $$a^x$$ mod N eventually repeats, by Fermat’s little theorem or properties of modular arithmetic). Say the period is r, meaning $$a^r≡1$$ (mod N). If you can find r, there’s a good chance you can derive a factor of N from it (using the relation $$a^r−1≡0$$ mod N, which factors as $$(a^{r/2}−1)(a^{r/2}+1)=0$$ mod N; with some luck neither factor equals -1 mod N, yielding a nontrivial gcd with N).
- Quantum step: a quantum computer can create a superposition of all possible exponents x and compute $$a^x \bmod N$$ on all those values at once. Then by applying the QFT, it detects the periodicity r through interference. Measuring the quantum state yields information about r, and with a few repeats one can obtain r with high probability.
The core move: the quantum computer evaluates the function on exponentially many inputs at once through superposition, then uses interference to amplify the periodicity that reveals the answer. No classical procedure does this. A classical machine cannot reach it by trying harder; Shor’s algorithm uses quantum physics to perform a computation that would take exponential time by any classical route. Given enough stable qubits, a large-scale quantum computer could factor a 2048-bit RSA key in polynomial time, with estimates in the range of hours to days, where a classical computer would need longer than the age of the universe. The same algorithm breaks elliptic-curve cryptography by solving the elliptic-curve discrete log in polynomial time. Effectively every deployed public-key algorithm (RSA, Diffie–Hellman, ECDH, DSA, ECDSA) would fall to a sufficiently powerful quantum computer.
As of 2026, quantum computers remain far from the scale these attacks need. The largest numbers factored in real quantum experiments are tiny, and building a cryptographically relevant quantum computer (often termed a CRQC) with thousands or millions of low-error qubits is a hard engineering problem. The threat is still taken seriously because it rests on solid theory: build the machine, and it breaks the cryptography we use today. That near-inevitability, absent a move to quantum-resistant algorithms, is what makes the post-quantum transition urgent. For how to estimate Q-Day, the day quantum computers break current encryption, see Q-Day.org.
2.2 Grover’s Algorithm: Quadratic Speedup and Symmetric Key Implications
Lov Grover’s 1996 quantum algorithm speeds up unstructured search quadratically. For N candidates, say N possible keys in a brute-force search, Grover finds the right one in about √N steps instead of about N. That is a far smaller gain than Shor’s exponential speedup, but it still touches symmetric key sizes.
For AES, Grover halves the effective security. An exhaustive key search on AES-128 needs $$2^{128}$$ trials classically and about $$2^{64}$$ quantum steps, so a 128-bit key offers only 64-bit security against a quantum adversary. The standard response is AES-256, which Grover reduces to 128-bit security, still safe because $$2^{128}$$ operations, quantum or not, is astronomically large. Hash functions shift the same way: a 256-bit hash like SHA-256 sees its preimage resistance drop to roughly 128 bits.
Symmetric cryptography is easy to harden against Grover: use longer keys and hashes. Doubling the key length squares Grover’s workload and erases its advantage, which is why symmetric ciphers and hashes count as quantum-resistant at the right parameters (AES-256, SHA-384/512). Where public-key cryptography needs a full migration, symmetric protocols mostly need a parameter bump.
Quantum computing forces a migration of public-key infrastructure, which is why post-quantum algorithms exist, and it argues for longer symmetric keys. AI has prompted no comparable change. No one designs AI-resistant ciphers, because the standard schemes already hold against classical attack, AI included. After years of intensive machine-learning research, AES carries no significant scratches.
2.3 Global Cryptographic Response Focuses on Quantum, Not AI
The clearest signal of where the threat actually sits comes from what the world’s cryptographic authorities are doing.
NIST post-quantum standardization: In 2016, NIST opened a public competition for quantum-resistant public-key algorithms. Six years later, in July 2022, it named its first four selections: one key-establishment scheme (CRYSTALS-Kyber) and three signature schemes (CRYSTALS-Dilithium, FALCON, and SPHINCS+). In 2024 the first standards landed as FIPS 203, 204, and 205, covering ML-KEM (formerly CRYSTALS-Kyber, a lattice KEM), ML-DSA (formerly CRYSTALS-Dilithium, a lattice signature), and SLH-DSA (formerly SPHINCS+, a hash-based signature). Governments and industry have started the slow work of moving protocols like TLS and VPNs onto these algorithms, a multi-year effort of testing and integration. The reason is plain: a large quantum computer would be catastrophic for RSA and ECC, and the defenses need to be in place first.
No post-AI algorithms: No standards body has launched a process to replace cryptography because of AI. There is no AI-proof category because the existing schemes are already believed to be AI-proof. The NSA’s forward guidance, the Commercial National Security Algorithm Suite 2.0, likewise targets quantum, not AI. When NIST engages AI in security, it concerns using AI or defending against adversarial machine learning, not AI breaking ciphers. The contrast in where the effort goes says plenty.
What the cryptographers say: Leading cryptographers keep pouring cold water on the idea that AI can defeat encryption. In a January 2025 interview, Bruce Schneier (Harvard Kennedy School) noted that AI will sharpen some attack vectors but does not change the strength of the cipher itself: security, he said, “relies on the mathematics of [the] encryption algorithm” rather than on easily exploitable flaws. Matthew Green (Johns Hopkins University) makes a similar point, that secure encryption rests on the math and the algorithm, with no reliance on an adversary missing a pattern. Systems fail, in Green’s words, when they depend on getting “a bunch of complicated software and hardware security features right, rather than the mathematics of an encryption algorithm.” Rely on the math, as standard crypto does, and you stand on firm ground. That lines up with the argument here: AI can find bugs in the complicated software and hardware around a cipher, such as side-channel leakage or unsafe coding, but it does not touch the mathematical core.
Quantum computing rewrites the rules by adding new computational power; AI does not. A quantum computer can break the assumptions classical cryptography depends on (factoring is hard, discrete log is hard) by using physics. An AI cannot. The community’s spending reflects that split: enormous effort on quantum defense, business as usual against AI. Treat “AI will break encryption” with heavy skepticism, because it runs against both the theory and the people who study this for a living. The next section goes into why AI, as a classical process, fails at cryptanalysis specifically.
3. Why AI Fails at Cryptanalysis
The mismatch is simple to state. Modern ciphers are engineered to erase patterns and structure from their output, and machine learning needs patterns and structure to learn. Three facets of that mismatch are worth examining:
- Cipher design: A secure scheme produces output that is computationally indistinguishable from random noise to anyone without the key. Exploitable patterns in the output would count as a break by cryptographic standards. Ciphers create a near black-box, random mapping that gives a learning algorithm nothing to grip.
- Learning dynamics: Neural networks learn by reducing error gradually, which needs a smooth gradient, some signal when they are close. In cryptanalysis, almost-correct decryption is still garbage, since one wrong key bit yields a completely wrong plaintext. The loss landscape is flat everywhere except at the correct key, so there is no gradient to follow.
- Empirical results: Decades of attempts back the first two points. The work distinguishes simplified ciphers or a handful of rounds; it does not break full AES or recover RSA keys. Against the full complexity of a real cryptosystem, the result is consistent failure.
3.1 Encryption as an Unlearnable Function
A central goal in cipher design is computational indistinguishability: without the key, an attacker should not be able to tell ciphertexts from random bitstrings with any non-negligible advantage. Formally, given either real encryptions or random bits of the same length, any efficient distinguisher guesses which is which only negligibly better than chance. Written compactly, {E(k, m)} ≈_{c} {U}: the distribution of encryptions is computationally indistinguishable from uniform noise.
How? Through rounds of permutation and substitution that diffuse and obscure any statistical structure from the plaintext and any link to the key, following Claude Shannon’s two principles:
- Diffusion: Each plaintext bit influences many ciphertext bits, spreading information out. Flip one plaintext bit and about half the ciphertext bits flip, the avalanche effect.
- Confusion: The relationship between key and ciphertext is made as complex as possible, usually through non-linear substitution boxes (S-boxes) and mixing that intertwine key and data bits.
After enough rounds in a cipher like AES, the output bits behave, from the attacker’s view, as random functions of the input. No simple correlation survives between a ciphertext byte and a plaintext byte, and even a slight statistical bias would count as a weakness. AES uses 10 rounds at the 128-bit level precisely so that no known shortcut beats brute force and the output passes demanding randomness tests.
For a machine learning model, this is poison. Train a network to predict plaintext from ciphertext without the key, feeding it many (ciphertext, plaintext) pairs, and it finds no predictive features, because the ciphertext looks random with respect to the plaintext. You are handing it random garbage and asking for meaning, which is impossible without the key to supply structure. It is like learning to predict fair coin flips: the best you can do is guess and land at 50%, which is exactly the success rate of decrypting with the wrong key. Formally, an encryption function under a fixed secret key k is a pseudorandom permutation on the message space. To an AI that does not know k, it is a pseudorandom function, which by definition has no compact, learnable description. Any efficient algorithm’s success at distinguishing or inverting the cipher reduces to breaking that pseudorandomness, which is built to be infeasible.
Another angle: encrypted data has maximal entropy from the attacker’s side, and high entropy means no predictability. Machine learning works by exploiting redundancy, the low-entropy structure in data; English text, for instance, carries enough statistical regularity for a model to predict missing words. Done right, ciphertext has no such redundancy. It is as random as data compressed to the limit and then XORed with a one-time pad, so the model has nothing to grip. A recent 2025 study on LLMs and encryption made a related point: most ciphers operate at the bit or character level while language models operate at the word or sub-word level, a mismatch that caps their effectiveness on cryptographic tasks. To the model, cipher output is noise, and learning noise is a fool’s errand.
3.2 No Gradients, No Learning
Training a neural network needs feedback: a way to measure how wrong the model is and which direction to nudge it. In image recognition or translation, a slightly wrong answer still produces a gradient pointing toward improvement, because those tasks are loosely continuous. Get part of the output a little wrong and you are still somewhat close to right.
Decryption is all or nothing. Get one key bit wrong out of 128 and the entire plaintext comes out wrong, not almost-correct but random. There is no 90%-decrypted message: either every key bit is right and you recover the exact plaintext, or it is garbage. The loss function for key recovery is brutal. It is flat, with no reward, for every wrong key, and it drops to zero only at the single correct key. Picture a surface flat everywhere with one needle-sharp hole at the right key. Gradient descent cannot find that hole, because there is no slope to follow and no sense of getting warmer as you near the key.
Make it concrete. Set up a network that takes ciphertext in and outputs plaintext, trying to learn the decryption function implicitly, and train it on many plaintext-ciphertext pairs under one fixed key the network never sees directly. Early outputs are random; compare to the true plaintext and compute a loss such as mean squared error or cross-entropy. The correct key would give near-zero loss, but the network sits nowhere near it. A small parameter tweak almost never stumbles onto the right key’s behavior, and because of the avalanche effect, a small change does not produce a slightly more correct plaintext; it produces another random-looking wrong one. The loss does not improve in any meaningful way, and no gradient points toward the correct key. Training collapses to random guessing of the key, which for AES has a success probability around $$1/2^{128}$$, effectively zero.
This shows up in the research too. Scaling neural networks up, more layers and parameters, has not reliably improved cipher-breaking the way it improves language modeling; the gains stay incremental, as the Speck results below make clear. A 2025 benchmark of LLM cryptography capabilities reaches the same verdict for large language models. Model size is not the obstacle. The cryptographic transformation is built to destroy the very information a model would need. The tell is in how these networks behave: they overfit, memorizing specific ciphertext-plaintext pairs, then fail on new ciphertexts, because there is no general pattern to learn, only the memorized table. Mohammed Alani’s much-discussed 2012 papers reported that a neural network could recover DES and 3DES plaintext from relatively few plaintext-ciphertext pairs, but later analysis traced the result to memorization of a fixed-key training set, with no ability to decrypt new ciphertexts. The network had not learned DES; it had learned a handful of mappings.
The summary is simple: cryptographic functions produce a loss landscape hostile to learning. No useful plateaus or local minima guide the optimizer, just a desert of random error with one oasis hidden at an effectively random spot. Without the key, the network is trying to model a pseudorandom permutation, and that is infeasible.
3.3 Track Record
Theory is one thing; the tests are another. The empirical verdict is lopsided: AI has not come close to breaking any modern encryption scheme at proper parameters. A short history:
- 1990s: The earliest neural-cryptanalysis work goes back to the 1990s, when researchers like Sebastien Dourlens (1995) experimented with training networks to recover parts of a DES key. These attempts guessed a few key bits better than random but came nowhere near cracking 56-bit DES. Predicting 28 bits and leaving 28 unknown still leaves a brute force over the rest, at best a slight reduction in search, not a break.
- Alani’s DES/3DES (2012): Mohammed M. Alani published a neural known-plaintext attack on DES and 3DES that drew real interest. The method trained a network to recover plaintext from ciphertext (not to recover the key), needing roughly 2,048 plaintext-ciphertext pairs for DES and about 4,096 for 3DES. Others could not reproduce it. Independent researchers later found the full-round DES and 3DES claims did not hold up, and Alani himself published a note acknowledging the early results were not realistic, attributing them to lost experimental data and to how heavily neural-network training depends on initial conditions rather than on the data alone. There was no consistent, generalizable attack, and nothing that threatened real Triple DES. The episode showed the limits of the training setup, not a weakness in DES.
- Gohr’s Speck result (2019): The best-known success in neural cryptanalysis came from Gohr in 2019, who applied deep learning to distinguishing reduced-round versions of Speck, a lightweight block-cipher family the NSA designed for simplicity. His network performed differential cryptanalysis, separating ciphertext pairs that follow a chosen XOR difference from random pairs, and it beat classical differential distinguishers on Speck32/64 out to several rounds. That mattered: it was the first time deep learning outperformed a human-designed attack on any cipher, even a reduced one. Keep the scope in view, though. Full Speck32/64 has 22 rounds, and Speck is simpler than AES. Follow-up work moved the needle only slightly. Benamira et al. (2021) mostly dissected what Gohr’s network had actually learned, and the strongest reported key-recovery result on 11-round Speck32/64, from a 2025 study by Hou et al., reached about a 62% success rate, up from roughly 52% in Gohr’s original. Real progress, on a lightweight cipher at half its rounds. Against full 22-round Speck32/64, or any standard cipher like AES with its richer S-boxes and diffusion, neural networks have made no dent. AES-128 remains unbroken: the best known attacks (differential, linear) reach around seven of its 10 rounds, demand astronomical data, still fail to recover the key, and none of them are AI-based.
- LLM challenges (2023-2025): As large language models like GPT-4 and Anthropic’s Claude arrived, researchers tested whether all that text training gave them any cryptanalytic ability. Early 2023 tests found that GPT-4 could solve some classical ciphers, such as Caesar shifts and simple substitutions, because those carry language-like patterns the model had likely seen in training. On modern ciphers like AES and RSA, it was guessing. A more rigorous picture came when an academic team built a 2025 benchmark for LLMs on encrypted data, grouping tasks as easy (simple substitutions), medium (Vigenère, transposition), and hard (RSA, AES with unknown keys). The pattern was the expected one: strong on easy, decent on medium with enough hints, and failure on hard. Claude 3.5 landed around 32% exact-decryption accuracy across the mix and GPT-4 around 18%, but those totals ride on the easy ciphers. On RSA and AES the success rate was essentially 0%, with the RSA rows showing exact-match scores of zero and random-quality results elsewhere. The authors put it plainly: “LLMs… face challenges with tasks that require precise numerical reasoning… since encryption operates at the bit/character level and LLMs are trained on text tokens, this mismatch further limits their effectiveness”. Handing an LLM an AES ciphertext is handing it gibberish, with no semantic context and no training signal to use.
The bottom line of the record: no AI has ever pulled a secret key or plaintext out of a properly implemented cipher faster than brute force or a known theoretical attack. Every success is either a weakened version, with fewer rounds or a simplified structure, or a classical cipher already insecure by modern standards. Properly used modern ciphers stay unbroken. That confidence tracks the theory: you do not break a 128-bit scheme without something on the order of $$2^{128}$$ work, however good the pattern recognition.
Could a future AI invent an attack humans missed? Maybe, but it would still have to obey the mathematics. Say some clever algebraic attack cut AES to $$2^{100}$$. That would be an enormous result, and $$2^{100}$$ is still about $$10^{30}$$, completely infeasible. Cryptanalysts have hunted for algebraic structure in AES for years (an 8×8 S-box built on inversion in GF($$2^8$$), well-understood linear mixing) and found nothing substantial. An AI might automate parts of that search, but it is unlikely to crack AES where decades of human effort and automated tools have not, and discovering such an attack would itself take enormous data and computation, essentially redoing the cryptanalysts’ work.
The empirical record says the same thing the theory does: done right, encryption produces output that is effectively random to an AI. A neural network learns the decryption mapping without the key about as well as it predicts lottery numbers. The rare wins, like distinguishing reduced-round Speck, are narrow and do not generalize to real encryption. Where AI does get a foothold against cryptographic systems is the next subject, and it is the messy real-world layer: implementations and the people using them, never the math.
4. AI’s True Role in Security
AI cannot break the math, but it would be wrong to conclude it has no effect on security. AI is becoming a strong tool for both attackers and defenders elsewhere in the stack. What it goes after is the implementation layer, the side channels, and the humans, while the cipher math stays out of reach. This section looks at how AI gets used there, and why none of it amounts to breaking encryption in the sense of defeating its mathematical guarantees.
4.1 AI-Powered Side-Channel Attacks
One of the most useful applications of AI in cryptanalysis is the side-channel attack. These do not take on the cipher head-on. They exploit information that leaks from the physical implementation, including:
- Timing: how long an operation takes, which can depend on secret data.
- Power consumption: how much power a chip draws during operations, which can correlate with the data or instructions being processed.
- Electromagnetic emanations: emissions that carry information about what a device is processing.
- Acoustic and other physical effects: even sound or heat can leak information in some settings.
Cryptographic devices leak these signals without meaning to. Analysts have long exploited them, capturing power traces of a chip running AES with an oscilloscope and deducing the key. The traces are noisy and complex, and that is where machine learning, deep learning in particular, helps: it can sift large volumes of noisy data for patterns a simpler method would miss.
Case study: a post-quantum side-channel (2023). In early 2023, Dubrova, Ngo, and Gärtner (DNG) published a side-channel attack on a specific implementation of Kyber, the lattice KEM NIST had selected for standardization (now ML-KEM). Using deep learning, they analyzed power-consumption traces from a device running decapsulation, the secret-key operation. The press reported it as “AI breaks post-quantum encryption.” The reality was narrower. Training the network took on the order of 150,000 power traces collected under varied conditions. The target implementation used masking that could be set from two to six shares, with more shares making the attack harder. Against the weakest two-share version, a single trace recovered the secret only about 0.12% of the time, and the success rate climbed only as many traces were combined. With more shares, single-trace success fell to essentially zero, and only with 20 or more traces did it reach high percentages.
The takeaways from this example:
- The algorithm itself was not broken. The attack needed the device to run many operations and leak data. A burglar who copies a key by studying the scratches on it has not defeated the lock’s design; he has read physical evidence.
- Deep learning did the heavy lifting of turning raw analog traces into a key guess, learning to tie subtle power patterns to the handling of specific key bits.
- Cloudflare’s analysis of the work, with input from side-channel experts, was blunt: “Kyber is not broken and AI has been used for more than a decade now to aid side-channel attacks”. Neural networks for side channels are not new; they extend pattern-recognition work that goes back years. What changed is scale: train on tens of thousands of traces and the network finds highly non-linear correlations that human analysts and simpler statistics miss.
AI will stay useful here. Future side-channel attacks on smartcards, HSMs, and IoT devices will lean more on machine learning to pull keys from faint signals. These remain attacks on the implementation, with the cipher math untouched. Done right, countermeasures (constant-time code, masking, noise injection, secure hardware) blunt side channels, and AI does not waltz past them.
4.2 Beyond Cryptography: AI in Broader Cyber Offense and Defense
Outside cryptanalysis, AI cuts both ways.
Offensive uses:
- Vulnerability discovery: Machine learning helps find software flaws through smart fuzzing (generating inputs that trigger crashes or odd behavior) or by spotting bug-prone patterns in code learned from large corpora of known vulnerabilities.
- Social engineering: Generative AI produces convincing phishing emails, voice calls, and fake video, letting attackers personalize scams at scale and impersonate trusted people. None of this breaks encryption, but it can trick someone into revealing a secret or installing malware.
- Malware automation: AI can help malware adapt to evade detection, using reinforcement learning to try evasion tactics across a network until something works.
Defensive uses:
- Anomaly detection: Intrusion-detection and SIEM systems use AI to comb logs and traffic for unusual patterns, learning what normal looks like and flagging deviations with fewer false positives than fixed rules.
- Automated incident response: Some SOC tools triage alerts, correlate signals, and take action such as isolating a likely-compromised machine, faster than human reaction alone.
- Vulnerability management: AI helps prioritize patching by predicting which flaws are likely to be exploited, focusing effort on the highest-risk issues.
These uses matter, and some are reshaping security operations. But they work around the cryptography, not on it. AI shifts how operations run and possibly who holds the advantage, automated attackers against automated defenders, without invalidating cryptographic protection that is implemented properly. However capable an AI attacker is, it cannot decrypt your Signal or WhatsApp messages by force. It will reach for a side channel, trick you into revealing them, or go after the endpoint. That is the recurring lesson: the weak link is usually the user or the system’s edges, not the cipher, and AI is good at going after weak links, for instance by generating convincing fake messages to phish a password.
AI has limits worth remembering. These models are powerful but neither infallible nor omniscient, and they open new attack surfaces of their own, such as adversarial examples that trick a model into misclassifying an input. Attacking AI systems is an active research area in its own right, so defenders should be wary of leaning on AI without understanding how it fails or gets evaded.
The realistic read: AI will keep reshaping cybersecurity, mainly by automating work and exploiting human and implementation weaknesses, and it will not break cryptographic algorithms. The foundation, those mathematical hardness assumptions, holds. To get into an encrypted system, AI takes the easy path: an unpatched bug, a leaky side channel, a gullible human. It does not solve a problem believed super‑polynomially hard, exponentially hard on elliptic curves.
Conclusion
This has run through complexity theory, cipher design, quantum algorithms, the mechanics of how neural networks learn, and the real-world case studies. Every angle points the same way: AI cannot break modern encryption.
The reasons:
- Mathematical hardness: Encryption rests on problems believed to need super-polynomial time (factoring, discrete log, lattice problems). They live in the P ≠ NP world, and as long as that conjecture holds, which all experience supports, no classical algorithm solves them efficiently however intelligent it is. AI gets no exemption from problems with no known polynomial‑time classical algorithm, nor from brute‑force key search. It runs on the same Turing-machine model as any program.
- Cryptographic design: Modern ciphers remove patterns and biases by construction. The output looks random and the key has to be guessed exactly. Machine learning runs on patterns and gradual improvement, both of which encryption denies. The indistinguishability property means that, to any efficient algorithm, a cipher is a pseudorandom permutation: if an AI could tell cipher output from random, it would already be mounting a distinguishing attack, which it cannot do against AES. The loss landscape for key guessing is flat, with no breadcrumbs for gradient descent.
- Empirical track record: No practical demonstration of AI breaking a real cryptographic system exists. It fails consistently on AES decryption and RSA factorization, and even specialized neural cryptanalysis of simplified ciphers buys only incremental gains. Classical cryptanalysis and exhaustive search remain the only routes against strong ciphers, and neither scales to break them.
- Quantum contrast: The one known way to dramatically speed up these problems is a quantum computer. Shor’s algorithm moves factoring and discrete log into polynomial time with quantum resources, which is exactly why quantum is a real threat and AI is not. The global investment in PQC, against zero investment in AI-proof crypto, shows which one the field treats as pressing.
- Expert consensus: In research, in interviews, and in what they actually build, cryptographers treat AI as a way to sharpen existing attack vectors, not to create new ones. No one is rewriting AES or RSA because of AI. They harden implementations, use vetted libraries, train users, and keep their eyes on the quantum threat. As the Cloudflare analysis put it, “It’s exceedingly rare for modern established cryptography to get broken head-on.” The breaks happen elsewhere in the system, and that is where AI will go.
What does this mean in practice? Keep trusting well-vetted algorithms: AES and RSA/ECC for now, the new PQC standards for the future. Your encrypted data is safe from AI codebreakers. Stay vigilant, though, about how encryption gets implemented and used:
- Watch for side-channel leaks in hardware and software, and use constant-time implementations and libraries tested against them.
- Assume AI will supercharge phishing and social engineering. The human is often the weakest link, so training and awareness matter.
- Patch and monitor. AI can help attackers find new exploits and move faster.
- Be ready to move to post-quantum cryptography when the time comes, possibly within the next decade or two, because that is an existential threat to current public-key systems. Adopting hybrid solutions that combine classical and PQC algorithms now is a sensible early hedge.
The “AI versus encryption” story is a lesson in not falling for sensationalism. Encryption is built on some of the best-tested principles in computer science and mathematics, and a flashy demo or a speculative claim does not overturn them. Breaking them would take a revolution in how we understand computation, or a jump to a different model like quantum. AI, for all its power, stays inside the lines of that understanding.
Modern encryption will keep shielding data from AI as well as it shields it from any classical computation. The worry on the horizon is quantum, and that is where the field’s effort belongs. Until then, when you read that “AI can now break X encryption,” hold onto your skepticism and go back to the math.