Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Polynomial Time Cryptanalytic Extraction of Deep Neural Networks in the Hard-Label Setting

Nicholas Carlini, Jorge Chávez-Saab, Anna Hambitzer, Francisco Rodríguez-Henríquez, Adi Shamir

TL;DR

New techniques are introduced that, for the first time, achieve cryptanalytic extraction of DNN parameters in the most challenging hard-label setting, using both a polynomial number of queries and polynomial time.

Abstract

Deep neural networks (DNNs) are valuable assets, yet their public accessibility raises security concerns about parameter extraction by malicious actors. Recent work by Carlini et al. (crypto'20) and Canales-Martínez et al. (eurocrypt'24) has drawn parallels between this issue and block cipher key extraction via chosen plaintext attacks. Leveraging differential cryptanalysis, they demonstrated that all the weights and biases of black-box ReLU-based DNNs could be inferred using a polynomial number of queries and computational time. However, their attacks relied on the availability of the exact numeric value of output logits, which allowed the calculation of their derivatives. To overcome this limitation, Chen et al. (asiacrypt'24) tackled the more realistic hard-label scenario, where only the final classification label (e.g., "dog" or "car") is accessible to the attacker. They proposed an extraction method requiring a polynomial number of queries but an exponential execution time. In addition, their approach was applicable only to a restricted set of architectures, could deal only with binary classifiers, and was demonstrated only on tiny neural networks with up to four neurons split among up to two hidden layers. This paper introduces new techniques that, for the first time, achieve cryptanalytic extraction of DNN parameters in the most challenging hard-label setting, using both a polynomial number of queries and polynomial time. We validate our approach by extracting nearly one million parameters from a DNN trained on the CIFAR-10 dataset, comprising 832 neurons in four hidden layers. Our results reveal the surprising fact that all the weights of a ReLU-based DNN can be efficiently determined by analyzing only the geometric shape of its decision boundaries.

Polynomial Time Cryptanalytic Extraction of Deep Neural Networks in the Hard-Label Setting

TL;DR

New techniques are introduced that, for the first time, achieve cryptanalytic extraction of DNN parameters in the most challenging hard-label setting, using both a polynomial number of queries and polynomial time.

Abstract

Deep neural networks (DNNs) are valuable assets, yet their public accessibility raises security concerns about parameter extraction by malicious actors. Recent work by Carlini et al. (crypto'20) and Canales-Martínez et al. (eurocrypt'24) has drawn parallels between this issue and block cipher key extraction via chosen plaintext attacks. Leveraging differential cryptanalysis, they demonstrated that all the weights and biases of black-box ReLU-based DNNs could be inferred using a polynomial number of queries and computational time. However, their attacks relied on the availability of the exact numeric value of output logits, which allowed the calculation of their derivatives. To overcome this limitation, Chen et al. (asiacrypt'24) tackled the more realistic hard-label scenario, where only the final classification label (e.g., "dog" or "car") is accessible to the attacker. They proposed an extraction method requiring a polynomial number of queries but an exponential execution time. In addition, their approach was applicable only to a restricted set of architectures, could deal only with binary classifiers, and was demonstrated only on tiny neural networks with up to four neurons split among up to two hidden layers. This paper introduces new techniques that, for the first time, achieve cryptanalytic extraction of DNN parameters in the most challenging hard-label setting, using both a polynomial number of queries and polynomial time. We validate our approach by extracting nearly one million parameters from a DNN trained on the CIFAR-10 dataset, comprising 832 neurons in four hidden layers. Our results reveal the surprising fact that all the weights of a ReLU-based DNN can be efficiently determined by analyzing only the geometric shape of its decision boundaries.
Paper Structure (46 sections, 11 equations, 12 figures, 3 tables, 6 algorithms)

This paper contains 46 sections, 11 equations, 12 figures, 3 tables, 6 algorithms.

Table of Contents

  1. Introduction
  2. Why Previous Techniques Cannot Be Used
  3. Our Contributions
  4. Organization
  5. Related Work
  6. Attack Overview
  7. Adversarial Goals and Assumptions.
  8. Dual Point Finding
  9. Step 1: find a point $x_2$ on the decision boundary.
  10. Step 2: make a random excursion to $x_3$.
  11. Step 3: find another point $x_4$ on the decision boundary.
  12. Step 4: move along the decision boundary until $\hbox{\boldmath$x$}_{\textrm{dual}}$.
  13. Step 5: re-locate the decision boundary.
  14. Find the normal vector $m$ to the decision boundary.
  15. Signature Recovery
  16. ...and 31 more sections

Figures (12)

  • Figure 1: The similarity between DNN's and block ciphers.
  • Figure 2: A schematic description of various attacks. a. Input space partition. b. Decision boundary. c. Path between two inputs.
  • Figure 3: Representation of the DNN as a composition of the recovered layers $f_1,\ldots,f_{i-1}$, the current target layer $f_i$ and the non-recovered future layers $f_{i+1},\ldots, f_{r+1}$ (cf. \ref{['def:DNN']}).
  • Figure 4: A green critical hyperplane of some neuron which changes the local orientation of two decision boundary patches on its two sides.
  • Figure 5: Visualization of our dual point finding algorithm.
  • ...and 7 more figures

Theorems & Definitions (18)

  • definition thmcounterdefinition
  • definition thmcounterdefinition
  • definition thmcounterdefinition
  • definition thmcounterdefinition
  • definition thmcounterdefinition
  • definition thmcounterdefinition
  • definition thmcounterdefinition
  • definition thmcounterdefinition
  • definition thmcounterdefinition
  • definition thmcounterdefinition
  • ...and 8 more