Is the Hard-Label Cryptanalytic Model Extraction Really Polynomial?

• URL: http://arxiv.org/abs/2510.06692v1
• Date: Wed, 08 Oct 2025 06:29:36 GMT
• Title: Is the Hard-Label Cryptanalytic Model Extraction Really Polynomial?
• Authors: Akira Ito, Takayuki Miura, Yosuke Todo,
• Abstract summary: Deep Neural Networks (DNNs) have attracted significant attention, and their internal models are now considered valuable intellectual assets.<n>In this paper, we show that the assumptions underlying their attack become increasingly unrealistic as the attack-target depth grows.<n>To address this critical limitation, we propose a novel attack method called CrossLayer Extraction.
• Score: 4.693322408385527
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Deep Neural Networks (DNNs) have attracted significant attention, and their internal models are now considered valuable intellectual assets. Extracting these internal models through access to a DNN is conceptually similar to extracting a secret key via oracle access to a block cipher. Consequently, cryptanalytic techniques, particularly differential-like attacks, have been actively explored recently. ReLU-based DNNs are the most commonly and widely deployed architectures. While early works (e.g., Crypto 2020, Eurocrypt 2024) assume access to exact output logits, which are usually invisible, more recent works (e.g., Asiacrypt 2024, Eurocrypt 2025) focus on the hard-label setting, where only the final classification result (e.g., "dog" or "car") is available to the attacker. Notably, Carlini et al. (Eurocrypt 2025) demonstrated that model extraction is feasible in polynomial time even under this restricted setting. In this paper, we first show that the assumptions underlying their attack become increasingly unrealistic as the attack-target depth grows. In practice, satisfying these assumptions requires an exponential number of queries with respect to the attack depth, implying that the attack does not always run in polynomial time. To address this critical limitation, we propose a novel attack method called CrossLayer Extraction. Instead of directly extracting the secret parameters (e.g., weights and biases) of a specific neuron, which incurs exponential cost, we exploit neuron interactions across layers to extract this information from deeper layers. This technique significantly reduces query complexity and mitigates the limitations of existing model extraction approaches.

Related papers

• Polynomial Time Cryptanalytic Extraction of Deep Neural Networks in the Hard-Label Setting [45.68094593114181]
  Deep neural networks (DNNs) are valuable assets, yet their public accessibility raises security concerns. This paper introduces new techniques that, for the first time, achieve cryptanalytic extraction of DNN parameters in the most challenging hard-label setting.
  arXiv  Detail & Related papers  (2024-10-08T07:27:55Z)
• Hard-Label Cryptanalytic Extraction of Neural Network Models [10.568722566232127]
  We propose the first attack that theoretically achieves functionally equivalent extraction under the hard-label setting. The effectiveness of our attack is validated through practical experiments on a wide range of ReLU neural networks.
  arXiv  Detail & Related papers  (2024-09-18T02:17:10Z)
• Model X-ray:Detecting Backdoored Models via Decision Boundary [62.675297418960355]
  Backdoor attacks pose a significant security vulnerability for deep neural networks (DNNs) We propose Model X-ray, a novel backdoor detection approach based on the analysis of illustrated two-dimensional (2D) decision boundaries. Our approach includes two strategies focused on the decision areas dominated by clean samples and the concentration of label distribution.
  arXiv  Detail & Related papers  (2024-02-27T12:42:07Z)
• Polynomial Time Cryptanalytic Extraction of Neural Network Models [3.3466632238361393]
  Best current attack on ReLU-based deep neural networks was presented at Crypto 2020. New techniques enable us to extract with arbitrarily high precision all the real-valued parameters of a ReLU-based neural network.
  arXiv  Detail & Related papers  (2023-10-12T20:44:41Z)
• Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
  Deep neural networks (DNNs) are vulnerable to backdoor attacks. backdoor attack is an emerging yet threatening training-phase threat. We propose a sparse and invisible backdoor attack (SIBA)
  arXiv  Detail & Related papers  (2023-05-11T10:05:57Z)
• Backdoor Defense via Suppressing Model Shortcuts [91.30995749139012]
  In this paper, we explore the backdoor mechanism from the angle of the model structure. We demonstrate that the attack success rate (ASR) decreases significantly when reducing the outputs of some key skip connections.
  arXiv  Detail & Related papers  (2022-11-02T15:39:19Z)
• NeuroUnlock: Unlocking the Architecture of Obfuscated Deep Neural Networks [12.264879142584617]
  We present NeuroUnlock, a novel SCAS attack against obfuscated deep neural networks (DNNs) Our NeuroUnlock employs a sequence-to-sequence model that learns the obfuscation procedure and automatically reverts it. We also propose a novel methodology for DNN obfuscation, ReDLock, which eradicates the deterministic nature of the obfuscation.
  arXiv  Detail & Related papers  (2022-06-01T11:10:00Z)
• On the Importance of Encrypting Deep Features [15.340540198612823]
  We analyze model inversion attacks with only two assumptions: feature vectors of user data are known, and a black-box API for inference is provided. Experiments have been conducted on state-of-the-art models in person re-identification, and two attack scenarios (i.e., recognizing auxiliary attributes and reconstructing user data) are investigated. Results show that an adversary could successfully infer sensitive information even under severe constraints.
  arXiv  Detail & Related papers  (2021-08-16T15:22:33Z)
• Poison Ink: Robust and Invisible Backdoor Attack [122.49388230821654]
  We propose a robust and invisible backdoor attack called Poison Ink'' Concretely, we first leverage the image structures as target poisoning areas, and fill them with poison ink (information) to generate the trigger pattern. Compared to existing popular backdoor attack methods, Poison Ink outperforms both in stealthiness and robustness.
  arXiv  Detail & Related papers  (2021-08-05T09:52:49Z)
• Black-box Detection of Backdoor Attacks with Limited Information and Data [56.0735480850555]
  We propose a black-box backdoor detection (B3D) method to identify backdoor attacks with only query access to the model. In addition to backdoor detection, we also propose a simple strategy for reliable predictions using the identified backdoored models.
  arXiv  Detail & Related papers  (2021-03-24T12:06:40Z)
• Hidden Backdoor Attack against Semantic Segmentation Models [60.0327238844584]
  The emphbackdoor attack intends to embed hidden backdoors in deep neural networks (DNNs) by poisoning training data. We propose a novel attack paradigm, the emphfine-grained attack, where we treat the target label from the object-level instead of the image-level. Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data.
  arXiv  Detail & Related papers  (2021-03-06T05:50:29Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.