EE Seminar: Polynomial Time Cryptanalytic Extraction of Neural Network Models
(The talk will be given in English)
Speaker: Prof. Adi Shamir
Computer Science and Applied Mathematics, Weizmann Institute of Science
011 hall, Electrical Engineering-Kitot Building
Monday, December 9th, 2024
12:00 - 13:00
Abstract
Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations. Many versions of this problem have been studied over the last 30 years, and the best previous attack on ReLU-based deep neural networks was presented at Crypto'20 by Carlini, Jagielski, and Mironov. It resembled a differential chosen-plaintext attack on a cryptosystem whose secret key is embedded in a black-box implementation, and it required a polynomial number of queries but an exponential amount of time (as a function of the number of neurons).
In this talk, I will improve this attack by developing several new techniques that make it possible to extract with arbitrarily high precision all the real-valued parameters of a ReLU-based DNN using a polynomial number of queries AND a polynomial amount of time. We demonstrated its practical efficiency by applying it to a full-sized neural network for classifying the CIFAR10 dataset, which has 3072 inputs, 8 hidden layers with 256 neurons each, and about 1.2 million neuronal parameters. An attack following the approach by Carlini et al. requires an exhaustive search over 2^256 possibilities, whereas our attack requires only 30 minutes on a 256-core computer. In the last part of the talk I will show a recent extension of the attack which can extract in polynomial time all the parameters of the network even when the attacker receives only the label (e.g., a “cat” or a “dog”) of any given input, rather than the numeric values of its logits.
Attendance at the seminar earns listening credit, based on registering your full name and ID number on the attendance form that will be passed around the hall during the seminar.

