CryptoDB
Polynomial Time Cryptanalytic Extraction of Neural Network Models
| Authors: | |
|---|---|
| Download: | |
| Presentation: | Slides |
| Conference: | EUROCRYPT 2024 |
| Abstract: | Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations. Many versions of this problem have been studied over the last 30 years, and the best current attack on ReLU-based deep neural networks was presented at Crypto'20 by Carlini, Jagielski, and Mironov. It resembles a differential chosen plaintext attack on a cryptosystem, which has a secret key embedded in its black-box implementation and requires a polynomial number of queries but an exponential amount of time (as a function of the number of neurons). In this paper, we improve this attack by developing several new techniques that enable us to extract with arbitrarily high precision all the real-valued parameters of a ReLU-based DNN using a polynomial number of queries *and* a polynomial amount of time. We demonstrate its practical efficiency by applying it to a full-sized neural network for classifying the CIFAR10 dataset, which has 3072 inputs, 8 hidden layers with 256 neurons each, and about 1.2 million neuronal parameters. An attack following the approach by Carlini et al. requires an exhaustive search over $2^{256}$ possibilities. Our attack replaces this with our new techniques, which require only 30 minutes on a 256-core computer. |
BibTeX
@inproceedings{eurocrypt-2024-33918,
title={Polynomial Time Cryptanalytic Extraction of Neural Network Models},
publisher={Springer-Verlag},
doi={10.1007/978-3-031-58734-4_1},
author={Adi Shamir and Isaac Canales-Martínez and Anna Hambitzer and Jorge Chávez-Saab and Francisco Rodriguez and Nitin Satpute},
year=2024
}