Can you train AI to invert AES?

juansebastianl1 pts0 comments

AES Inversion — Juan Sebastian Lozano

Juan Sebastian Lozano<br>← Home

04 — July 2026<br>Can you train AI to invert AES?<br>At the core of every https browser session, every wifi connection with WPA2/3,<br>every hardware level device encryption module, sits the AES algorithm. This<br>makes inverting the algorithm - the process of finding the private key or the<br>clear text - one of the most simultaneously dangerous and valuable algorithmic<br>problems today.<br>As AI every software, I think it's possible that AI could solve the problem of<br>AES Inversion. Of course, I dont know for sure, but this post lays out the<br>argument for how it might happen. If you want to try and train a model to do<br>what Im talking about, check out the RL env in this github repo.<br>Why might AES be vulnerable?<br>In order for a model to be able to solve AES you have to fight two problems -<br>the sparsity of the reward, and complexity theory. Obviously one of these is<br>more fundamental than the other, while a clever researcher can find<br>intermediate rewards for almost any problem, superintelligence doesn't change<br>the mathematical constraints imposed on us by complexity theory. I will<br>address the sparse reward problem in the next section, but for now let us turn<br>our attention to complexity theory.<br>I wont explain the basics of AES in the post, but if you want a good<br>introduction to it, I recommend this one on the Braincoke blog.<br>The important thing to understand about AES is that it's a substitution-permutation<br>cipher, which means that it works by taking a block of bytes and permuting them<br>according to a set of functions. The goal is to create a something that behaves<br>like a one-way function, which are a hypothesized set of functions that are easy<br>to compute but hard to invert - specifically any probabilistic polynomial time<br>algorithm fails to invert them with probability $p$. They are ideally<br>injections so that if you have a quick algorithm for inversion, you can<br>recover the original text. This means that AES is built from many rounds of<br>relatively simple permutations parameterized by the key(s).<br>Inverting AES involves inverting a large number of composed permutations and<br>therefore is naturally a combinatorial problem. Now no matter how<br>superintelligence pans out in the long run, no superintelligence can bypass<br>mathematics or complexity theory. For us to believe that AES is efficiently<br>invertible in the first place, I have to make an argument as to why I believe<br>such an efficient inversion likely exists.<br>I will start by stating that AES can be stated as a satisfiability problem.<br>Choosing a particular mode of AES<br>Because AES can actually be run in different modes, we chose a concrete target<br>of AES-XTS, which the mode used for full-disk encryption. It uses two<br>independent AES-256 keys: $K_1$ encrypts the data and $K_2$<br>derives a per-block tweak. For the block at sector number $s$ and block index<br>$j$. Here $\oplus$ is simply XOR. $\otimes$ is elementwise multiplication<br>in a particular finite field. We first set up our per-block tweak:<br>$$T_0 = \mathrm{AES}_{K_2}\!\big(\mathrm{LE}_{128}(s)\big), \qquad T_j = T_0 \otimes \alpha^{\,j} \ \text{ in } \mathrm{GF}(2^{128}),$$

And using the per-block tweak we can encrypt our text:

$$C = \mathrm{AES}_{K_1}\!\big(P \oplus T_j\big) \oplus T_j,$$<br>where $\mathrm{LE}_{128}(s)$ is the sector number as a little-endian 128-bit<br>block and $\alpha$ is a multiplicative generator in<br>$\mathrm{GF}(2^{128})$. The data path is ordinary AES-256: an initial<br>AddRoundKey, then $R-1$ rounds of SubBytes, ShiftRows, MixColumns and AddRoundKey,<br>then a final round without MixColumns.<br>Inversion is the reverse. We observe the ciphertext $C$ and the public indices<br>$s$ and $j$, and we want the plaintext $P$ (and, implicitly, the keys).<br>To attack this with a solver we first have to write the cipher down as a concrete<br>object the solver can pick apart, so before I state the constraints it's worth<br>laying out the model itself.<br>AES as a circuit<br>We compile a window of XTS blocks into one flat circuit made of three<br>kinds of record:<br>Values are the byte-sized quantities in play. Some are<br>inputs we search over (the plaintext and the key bytes), some are constants<br>(the observed ciphertext), and some are internal wires - the intermediate<br>bytes that appear part-way through an AES computation.<br>Ops are the primitive operations that compute one value<br>from others: an S-box lookup, a MixColumns byte, an XOR, the "multiply by $x$"<br>step of the tweak chain, a round-key byte from the key schedule, and so on.<br>The ops are just AES itself, chopped into individual steps.<br>Constraints are the predicates that ought to hold at<br>a solution:"this wire equals the op that is supposed to produce it", "this predicted<br>ciphertext byte equals the target". Each constraint is what later turns into<br>a residual if you're doing Lagrangian optimization.<br>If you were writing a SAT solver to solve this problem, the state the solver<br>actually mutates is just the buffers of plaintext, $K_1$,<br>$K_2$, and (in...

block problem mathrm inversion invert algorithm

Related Articles