Breaking Euston: Recovering Private Inputs from Secure Inference by Exploiting Subspace Leakage
Published on arXiv: 2604.17238
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
Successfully recovers private user inputs from the Euston secure inference framework by exploiting orthogonal matrix leakage in its SVD-based transmission protocol.
Novel technique introduced: Subspace Leakage Exploitation Attack
In the 47th IEEE Symposium on Security and Privacy (IEEE S&P 2026), Gao et al. proposed an efficient and user-friendly secure transformer inference framework, namely Euston. In Euston, a singular value decomposition-based matrix transmission protocol is designed to efficiently transmit input matrices, reducing communication bandwidth by approximately 2.8 times. In this manuscript, we show that this transmission protocol introduces subspace leakage of random masks, enabling the model owner to recover private samples easily. We further validate the effectiveness of the recovery attack through simple experiments on image and language datasets, highlighting a fundamental privacy risk of the protocol design.
Key Contributions
- Identifies subspace leakage vulnerability in Euston's SVD-based matrix transmission protocol
- Demonstrates recovery of private inputs by exploiting leaked orthogonal matrices U and H
- Validates attack effectiveness on both image and language datasets
🛡️ Threat Analysis
The attack reconstructs private user inputs (images and text) from a deployed secure inference system by exploiting leaked information (the orthogonal matrices from the SVD). The adversary (the model owner) reverse-engineers user data from the inference protocol, which makes this a clear model inversion / data reconstruction attack.