{"id":"https://openalex.org/W7160549861","doi":"https://doi.org/10.48550/arxiv.2605.04901","title":"On the (In-)Security of the Shuffling Defense in the Transformer Secure Inference","display_name":"On the (In-)Security of the Shuffling Defense in the Transformer Secure Inference","publication_year":2026,"publication_date":"2026-05-06","ids":{"openalex":"https://openalex.org/W7160549861","doi":"https://doi.org/10.48550/arxiv.2605.04901"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.04901","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.04901","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.04901","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5135561006","display_name":"Zhengyi Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Zhengyi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5083770719","display_name":"Yakai Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Yakai","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135629465","display_name":"Kang Yang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yang, Kang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135611029","display_name":"Yu Yu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yu, Yu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002240947","display_name":"Jiaping Gui","orcid":"https://orcid.org/0009-0001-4272-9604"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gui, Jiaping","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135548083","display_name":"Yu Feng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Feng, Yu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135600022","display_name":"Ning Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Ning","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135586415","display_name":"Minyi Guo","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Guo, Minyi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5003939279","display_name":"Jingwen Leng","orcid":"https://orcid.org/0000-0002-5660-5493"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Leng, Jingwen","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.7584999799728394,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.7584999799728394,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10237","display_name":"Cryptography and Data Security","score":0.08269999921321869,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.047200001776218414,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/shuffling","display_name":"Shuffling","score":0.9233999848365784},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.6801999807357788},{"id":"https://openalex.org/keywords/oracle","display_name":"Oracle","score":0.6345999836921692},{"id":"https://openalex.org/keywords/bottleneck","display_name":"Bottleneck","score":0.5871999859809875},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.5598000288009644},{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.5097000002861023},{"id":"https://openalex.org/keywords/permutation","display_name":"Permutation (music)","score":0.4196999967098236},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.3880999982357025},{"id":"https://openalex.org/keywords/random-oracle","display_name":"Random oracle","score":0.3783999979496002}],"concepts":[{"id":"https://openalex.org/C167927819","wikidata":"https://www.wikidata.org/wiki/Q1930567","display_name":"Shuffling","level":2,"score":0.9233999848365784},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7366999983787537},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.6801999807357788},{"id":"https://openalex.org/C55166926","wikidata":"https://www.wikidata.org/wiki/Q2892946","display_name":"Oracle","level":2,"score":0.6345999836921692},{"id":"https://openalex.org/C2780513914","wikidata":"https://www.wikidata.org/wiki/Q18210350","display_name":"Bottleneck","level":2,"score":0.5871999859809875},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.5598000288009644},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.5097000002861023},{"id":"https://openalex.org/C21308566","wikidata":"https://www.wikidata.org/wiki/Q7169365","display_name":"Permutation (music)","level":2,"score":0.4196999967098236},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.3903999924659729},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.3880999982357025},{"id":"https://openalex.org/C94284585","wikidata":"https://www.wikidata.org/wiki/Q228184","display_name":"Random oracle","level":4,"score":0.3783999979496002},{"id":"https://openalex.org/C115051666","wikidata":"https://www.wikidata.org/wiki/Q6522493","display_name":"Ranging","level":2,"score":0.3174000084400177},{"id":"https://openalex.org/C66322947","wikidata":"https://www.wikidata.org/wiki/Q11658","display_name":"Transformer","level":3,"score":0.3149000108242035},{"id":"https://openalex.org/C11413529","wikidata":"https://www.wikidata.org/wiki/Q8366","display_name":"Algorithm","level":1,"score":0.31299999356269836},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3075999915599823},{"id":"https://openalex.org/C158622935","wikidata":"https://www.wikidata.org/wiki/Q660848","display_name":"Nonlinear system","level":2,"score":0.3052000105381012},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.28850001096725464},{"id":"https://openalex.org/C2780069185","wikidata":"https://www.wikidata.org/wiki/Q7977945","display_name":"Equivalence (formal languages)","level":2,"score":0.2770000100135803},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.27619999647140503},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.2752000093460083},{"id":"https://openalex.org/C761482","wikidata":"https://www.wikidata.org/wiki/Q118093","display_name":"Transmission (telecommunications)","level":2,"score":0.27379998564720154},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.271699994802475},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.2702000141143799},{"id":"https://openalex.org/C118930307","wikidata":"https://www.wikidata.org/wiki/Q600590","display_name":"Tuple","level":2,"score":0.2644999921321869},{"id":"https://openalex.org/C185429906","wikidata":"https://www.wikidata.org/wiki/Q1130160","display_name":"Estimator","level":2,"score":0.26109999418258667},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2540000081062317},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.25279998779296875},{"id":"https://openalex.org/C200985842","wikidata":"https://www.wikidata.org/wiki/Q3375503","display_name":"Random permutation","level":3,"score":0.2524000108242035}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.04901","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.04901","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.04901","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.04901","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"For":[0],"Transformer":[1],"models,":[2],"cryptographically":[3],"secure":[4],"inference":[5],"ensures":[6],"that":[7,88,102,117,140],"the":[8,12,16,21,36,54,95,103,141,164,180],"client":[9],"learns":[10,18],"only":[11,90],"final":[13],"output,":[14],"while":[15],"server":[17],"nothing":[19],"about":[20],"client's":[22],"input.":[23],"However,":[24],"securely":[25],"computing":[26],"nonlinear":[27,57],"layers":[28],"remains":[29],"a":[30,85,123,158],"major":[31],"efficiency":[32],"bottleneck":[33],"due":[34],"to":[35,53,59,74,94,122,130,155,176,179],"substantial":[37],"communication":[38],"rounds":[39],"and":[40,126,137],"data":[41],"transmission":[42],"required.":[43],"To":[44,78],"address":[45],"this":[46,65,80,98],"issue,":[47],"prior":[48],"works":[49,83],"reveal":[50],"intermediate":[51],"activations":[52,71,93,121,147],"client,":[55],"allowing":[56],"operations":[58],"be":[60],"computed":[61],"in":[62],"plaintext.":[63],"Although":[64],"approach":[66],"significantly":[67],"improves":[68],"efficiency,":[69],"exposing":[70],"enables":[72],"adversaries":[73],"extract":[75,131],"model":[76,132,168],"weights.":[77,133,182],"mitigate":[79],"risk,":[81],"existing":[82],"employ":[84],"shuffling":[86,104],"defense":[87,105],"reveals":[89],"randomly":[91],"permuted":[92],"client.":[96],"In":[97],"work,":[99],"we":[100],"show":[101],"is":[106],"not":[107],"as":[108,110],"robust":[109],"previously":[111],"claimed.":[112],"We":[113],"propose":[114],"an":[115],"attack":[116,143],"aligns":[118],"differently":[119],"shuffled":[120,146],"common":[124],"permutation":[125],"subsequently":[127],"exploits":[128],"them":[129],"Experiments":[134],"on":[135],"Pythia-70m":[136],"GPT-2":[138],"demonstrate":[139],"proposed":[142],"can":[144,166],"align":[145],"with":[148,170],"mean":[149],"squared":[150],"errors":[151],"ranging":[152,173],"from":[153,174],"$10^{-9}$":[154],"$10^{-6}$.":[156],"With":[157],"query":[159],"cost":[160],"of":[161],"approximately":[162],"\\$1,":[163],"adversary":[165],"recover":[167],"weights":[169],"L1-norm":[171],"differences":[172],"$10^{-4}$":[175],"$10^{-2}$":[177],"compared":[178],"oracle":[181]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-05-08T00:00:00"}
