[Resource Topic] 2022/1039: The Limits of Provable Security Against Model Extraction

Resource Attacks and cryptanalysis
#1

Welcome to the resource topic for 2022/1039

Title:
The Limits of Provable Security Against Model Extraction

Authors: Ari Karchmer

Abstract:

Can we hope to provide provable security against model extraction attacks? As a step towards a theoretical study of this question, we unify and abstract a wide range of “observational” model extraction defense mechanisms – roughly, those that attempt to detect model extraction using a statistical analysis conducted on the distribution over the adversary’s queries. To accompany the abstract observational model extraction defense, which we call OMED for short, we define the notion of complete defenses – the notion that benign clients can freely interact with the model – and sound defenses – the notion that adversarial clients are caught and prevented from reverse engineering the model. We then propose a system for obtaining provable security against model extraction by complete and sound OMEDs, using (average-case) hardness assumptions for PAC-learning.
Our main result nullifies our proposal for provable security, by establishing a computational incompleteness theorem for the OMED: any efficient OMED for a machine learning model computable by a polynomial size decision tree that satisfies a basic form of completeness cannot satisfy soundness, unless the subexponential Learning Parity with Noise (LPN) assumption does not hold. To prove the incompleteness theorem, we introduce a class of model extraction attacks called natural Covert Learning attacks based on a connection to the Covert Learning model of Canetti and Karchmer (TCC '21), and show that such attacks circumvent any defense within our abstract mechanism in a black-box, nonadaptive way.
Finally, we further expose the tension between Covert Learning and OMEDs by proving that Covert Learning algorithms require the nonexistence of provable security via efficient OMEDs. Therefore, we observe a “win-win” result by obtaining a characterization of the existence of provable security via efficient OMEDs by the nonexistence of natural Covert Learning algorithms.

ePrint: https://eprint.iacr.org/2022/1039

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .