The Phantom Menace in Crypto-Based PET-Hardened Deep Learning Models : Invisible Configuration-Induced Attacks

  • Yiteng PENG
  • Dongwei XIAO*
  • Zhibo LIU
  • Zhenlan JI
  • Daoyuan WU
  • Shuai WANG
  • Juergen RAHMEL

*Corresponding author for this work

Research output: Conference paper (refereed), peer-reviewed

Abstract

The increasing use of deep learning (DL) models has given rise to significant privacy concerns regarding training and inference data. To address these concerns, the community has increasingly adopted crypto-based privacy-enhancing technologies (CPET) such as homomorphic encryption (HE), secure multi-party computation (MPC), and zero-knowledge proofs (ZKP). The integration of CPET with DL, often referred to as CPET-DL, is commonly facilitated by specialized frameworks such as CrypTen, TenSEAL, and EZKL. These frameworks expose configurable parameters that trade off model accuracy against computational efficiency during privacy-preserving operations. However, these configurations, while seemingly harmless, can introduce subtle vulnerabilities. The stealthy attacks induced by misconfigurations are hard to detect because 1) the plaintext models remain vulnerability-free, and 2) existing auditing tools are hardly applicable to CPET-hardened models. This creates a paradox: tools intended to protect privacy can be undermined through configuration manipulation. We present ConPETro, the first attack on CPET-hardened models that works by manipulating the CPET-DL framework configurations. We show that well-crafted configurations allow attackers to create CPET-hardened models that behave like benign plaintext models on normal inputs but exhibit significantly reduced robustness on malicious inputs embedded with triggers. ConPETro strategically selects triggers to maximize behavioral deviation from benign models and uses gradient consistency to guide configuration exploration, effectively finding malicious configurations that bypass standard plaintext model auditing. Evaluations across three mainstream CPET-DL frameworks (HE, MPC, and ZKP) demonstrate ConPETro's effectiveness with both semantic and non-semantic triggers. ConPETro achieves an average maximum attack success rate (ASR) of 72.27% on CPET-hardened models with non-semantic triggers while accuracy drops by only 4%, thus maintaining stealthiness. It also achieves a maximum ASR of 94.74% with semantic triggers across three datasets. We also demonstrate that our stealthy attacks can bypass advanced defense and detection tools.

Original language: English
Title of host publication: CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery, Inc
Pages: 4379-4393
Number of pages: 15
ISBN (Electronic): 9798400715259
ISBN (Print): 9798400715259
Publication status: Published - Oct 2025
Event: 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025 - Taipei, Taiwan, China
Duration: 13 Oct 2025 to 17 Oct 2025

Publication series

Name: CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

Conference

Conference: 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025
Country/Territory: Taiwan, China
City: Taipei
Period: 13/10/25 to 17/10/25

Bibliographical note

Publisher Copyright:
© 2025 Copyright held by the owner/author(s).

Funding

The HKUST authors were supported in part by an RGC GRF grant under contract 16214723, an RGC CRF grant under contract C6015-23G, and a research fund provided by HSBC. We are grateful to the anonymous reviewers for their valuable comments.

Keywords

  • Configuration Attacks
  • Deep Learning
  • Model Auditing
  • Privacy-Preserving Protocols
  • Security Testing
