Paper 2023/1665

Model Stealing Attacks On FHE-based Privacy-Preserving Machine Learning through Adversarial Examples

Bhuvnesh Chaturvedi, Indian Institute of Technology Kharagpur
Anirban Chakraborty, Indian Institute of Technology Kharagpur
Ayantika Chatterjee, Indian Institute of Technology Kharagpur
Debdeep Mukhopadhyay, Indian Institute of Technology Kharagpur

Classic MLaaS solutions suffer from privacy-related risks since the user is required to send unencrypted data to the server hosting the MLaaS. To alleviate this problem, a thriving line of research has emerged called Privacy-Preserving Machine Learning (PPML) or secure MLaaS solutions that use cryptographic techniques to preserve the privacy of both the input of the client and the output of the server. However, these implementations do not take into consideration the possibility of transferability of known attacks in classic MLaaS settings to PPML settings. In this paper, we demonstrate that it is possible to transfer existing model-extraction attacks using adversarial examples to PPML settings due to relaxed constraints on the abilities of the adversary. We show a working example of an end-to-end attack on an image processing application built using a popular FHE-based framework, namely Concrete-ML. We successfully create a cloned model with just 5000 queries, which is, in fact, 10× less than the size of the training set of the victim model, while incurring only a 7% loss in accuracy. Further, we incorporate the well-known defense strategy against such attacks and show that our attack is still able to clone the model. Finally, we evaluate the different defense rationales that exist in literature and observe that such model stealing attacks are difficult to prevent in secure MLaaS settings.

Available format(s)
Attacks and cryptanalysis
Publication info
Fully Homomorphic EncryptionPrivacy Preserving Machine LearningMLaaSAdversarial ExamplesModel Stealing Attack
Contact author(s)
bhuvneshchaturvedi2512 @ gmail com
ch anirban00727 @ gmail com
cayantika @ gmail com
debdeep mukhopadhyay @ gmail com
2023-10-30: approved
2023-10-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Bhuvnesh Chaturvedi and Anirban Chakraborty and Ayantika Chatterjee and Debdeep Mukhopadhyay},
      title = {Model Stealing Attacks On FHE-based Privacy-Preserving Machine Learning through Adversarial Examples},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1665},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.