Paper 2026/139
Cryptanalytic Extraction of Convolutional Neural Networks
Abstract
Neural network model extraction attacks pose a serious threat to the intellectual property of deep learning models. While most prior work focuses on Fully Connected Networks (FCNs), effective extraction of Convolutional Neural Networks (CNNs) remains underexplored, particularly in the hard-label setting. In this work, we propose the first systematic method for the recovery of complete CNN parameters in such conditions. By reformulating convolutional layers as sparse Block Toeplitz with Toeplitz Blocks (BTTB) matrices, we extend the model extraction attack method from FCNs to CNNs. The proposed method supports both one- and two-dimensional CNNs, handling scenarios with multiple kernels, multi-channel structures, and average pooling. To enhance computational efficiency and scalability, a kernel-centric clustering algorithm is proposed to exploit kernel parameter sharing, and a Singular Value Decomposition (SVD)-based acceleration strategy is adopted to address the computational cost of large sample sets. Moreover, we perform experiments to demonstrate that our method accurately and efficiently extracts CNN parameters, including multi-channel, multi-kernel and average-pooling layers, with a worst-case relative error of $2^{-17.75}$ and up to $2^{9.26}$ speedup, and recovers large models such as LeNet-5 within practical runtime.
Metadata
- Available format(s)
- PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Published elsewhere. Minor revision. Australasian Conference on Information Security and Privacy (ACISP 2026)
- Keywords
- Neural Network Extraction, ReLU-based Convolutional Neural Networks, Hard-label Attack
- Contact author(s)
- xhansun @ mail sdu edu cn
  leihao @ mail sdu edu cn
  longxiangwei @ mail sdu edu cn
  xiaokangqi @ mail sdu edu cn
  kai hu @ sdu edu cn
  mqwang @ sdu edu cn
  weiwangsdu @ sdu edu cn
- History
- 2026-01-29: revised
- 2026-01-29: received
- Short URL
- https://ia.cr/2026/139
- License
- CC BY
BibTeX
@misc{cryptoeprint:2026/139,
author = {Xiaohan Sun and Hao Lei and Longxiang Wei and Xiaokang Qi and Kai Hu and Meiqin Wang and Wei Wang},
title = {Cryptanalytic Extraction of Convolutional Neural Networks},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/139},
year = {2026},
url = {https://eprint.iacr.org/2026/139}
}