Saved in:
Bibliographic Details
Main Authors: Li, Zhengyi, Wang, Yakai, Yang, Kang, Yu, Yu, Gui, Jiaping, Feng, Yu, Liu, Ning, Guo, Minyi, Leng, Jingwen
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.04901
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917464116297728
author Li, Zhengyi
Wang, Yakai
Yang, Kang
Yu, Yu
Gui, Jiaping
Feng, Yu
Liu, Ning
Guo, Minyi
Leng, Jingwen
author_facet Li, Zhengyi
Wang, Yakai
Yang, Kang
Yu, Yu
Gui, Jiaping
Feng, Yu
Liu, Ning
Guo, Minyi
Leng, Jingwen
contents For Transformer models, cryptographically secure inference ensures that the client learns only the final output, while the server learns nothing about the client's input. However, securely computing nonlinear layers remains a major efficiency bottleneck due to the substantial communication rounds and data transmission required. To address this issue, prior works reveal intermediate activations to the client, allowing nonlinear operations to be computed in plaintext. Although this approach significantly improves efficiency, exposing activations enables adversaries to extract model weights. To mitigate this risk, existing works employ a shuffling defense that reveals only randomly permuted activations to the client. In this work, we show that the shuffling defense is not as robust as previously claimed. We propose an attack that aligns differently shuffled activations to a common permutation and subsequently exploits them to extract model weights. Experiments on Pythia-70m and GPT-2 demonstrate that the proposed attack can align shuffled activations with mean squared errors ranging from $10^{-9}$ to $10^{-6}$. With a query cost of approximately \$1, the adversary can recover model weights with L1-norm differences ranging from $10^{-4}$ to $10^{-2}$ compared to the oracle weights.
format Preprint
id arxiv_https___arxiv_org_abs_2605_04901
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle On the (In-)Security of the Shuffling Defense in the Transformer Secure Inference
Li, Zhengyi
Wang, Yakai
Yang, Kang
Yu, Yu
Gui, Jiaping
Feng, Yu
Liu, Ning
Guo, Minyi
Leng, Jingwen
Cryptography and Security
Artificial Intelligence
For Transformer models, cryptographically secure inference ensures that the client learns only the final output, while the server learns nothing about the client's input. However, securely computing nonlinear layers remains a major efficiency bottleneck due to the substantial communication rounds and data transmission required. To address this issue, prior works reveal intermediate activations to the client, allowing nonlinear operations to be computed in plaintext. Although this approach significantly improves efficiency, exposing activations enables adversaries to extract model weights. To mitigate this risk, existing works employ a shuffling defense that reveals only randomly permuted activations to the client. In this work, we show that the shuffling defense is not as robust as previously claimed. We propose an attack that aligns differently shuffled activations to a common permutation and subsequently exploits them to extract model weights. Experiments on Pythia-70m and GPT-2 demonstrate that the proposed attack can align shuffled activations with mean squared errors ranging from $10^{-9}$ to $10^{-6}$. With a query cost of approximately \$1, the adversary can recover model weights with L1-norm differences ranging from $10^{-4}$ to $10^{-2}$ compared to the oracle weights.
title On the (In-)Security of the Shuffling Defense in the Transformer Secure Inference
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2605.04901