{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:17:29Z","timestamp":1766441849665,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":91,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765107","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:32:38Z","timestamp":1763854358000},"page":"4379-4393","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["The Phantom Menace in Crypto-Based PET-Hardened Deep Learning Models: Invisible Configuration-Induced Attacks"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-2066-7939","authenticated-orcid":false,"given":"Yiteng","family":"Peng","sequence":"first","affiliation":[{"name":"The Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4680-5715","authenticated-orcid":false,"given":"Dongwei","family":"Xiao","sequence":"additional","affiliation":[{"name":"The Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7872-1129","authenticated-orcid":false,"given":"Zhibo","family":"Liu","sequence":"additional","affiliation":[{"name":"The Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3167-0480","authenticated-orcid":false,"given":"Zhenlan","family":"Ji","sequence":"additional","affiliation":[{"name":"The Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3752-0718","authenticated-orcid":false,"given":"Daoyuan","family":"Wu","sequence":"additional","affiliation":[{"name":"Lingnan University, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0866-0308","authenticated-orcid":false,"given":"Shuai","family":"Wang","sequence":"additional","affiliation":[{"name":"The Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-5080-8736","authenticated-orcid":false,"given":"Juergen","family":"Rahmel","sequence":"additional","affiliation":[{"name":"HSBC, Hong Kong, China"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n.d.]. Research Artifact. https:\/\/sites.google.com\/view\/conpetro."},{"key":"e_1_3_2_1_2_1","unstructured":"2023. EZKL. https:\/\/ezkl.xyz\/."},{"key":"e_1_3_2_1_3_1","unstructured":"2023. TF Encrypted. https:\/\/github.com\/tf-encrypted\/tf-encrypted\/."},{"key":"e_1_3_2_1_4_1","unstructured":"2024. Orion. https:\/\/github.com\/gizatechxyz\/orion."},{"key":"e_1_3_2_1_5_1","unstructured":"2024. SecretFlow. https:\/\/github.com\/secretflow\/secretflow."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"crossref","unstructured":"Ehud Aharoni Allon Adir Moran Baruch Nir Drucker Gilad Ezov Ariel Farkash Lev Greenberg Ramy Masalha Guy Moshkowich Dov Murik Hayim Shaul and Omri Soceanu. 2023. HeLayers: A Tile Tensors Framework for Large Neural Networks on Encrypted Data. PETS.","DOI":"10.56553\/popets-2023-0020"},{"key":"e_1_3_2_1_7_1","unstructured":"Wei Ao and Vishnu Naresh Boddeti. 2024. AutoFHE: Automated Adaption of CNNs for Efficient Evaluation over FHE. In USENIX Security'24. 2173-2190."},{"key":"e_1_3_2_1_8_1","unstructured":"AWS. 2024. Cryptographic Computing - Amazon Web Services (AWS). https:\/\/aws.amazon.com\/security\/cryptographic-computing\/."},{"key":"e_1_3_2_1_9_1","unstructured":"Eugene Bagdasaryan Andreas Veit Yiqing Hua Deborah Estrin and Vitaly Shmatikov. 2020. How to backdoor federated learning. In AISTATS. PMLR."},{"key":"e_1_3_2_1_10_1","unstructured":"The Digital Banker. 2024. HSBC Fusion - AI Credit Assessment: Best credit assessment initiative - The Digital Banker. https:\/\/thedigitalbanker.com\/hsbcfusion-ai-credit-assessment-best-credit-assessment-initiative\/."},{"key":"e_1_3_2_1_11_1","unstructured":"Eli Ben-Sasson Iddo Bentov Yinon Horesh and Michael Riabzev. 2018. Scalable transparent and post-quantum secure computational integrity. (2018)."},{"key":"e_1_3_2_1_12_1","unstructured":"Ayoub Benaissa Bilal Retiat Bogdan Cebere and Alaa Eddine Belfedhal. 2021. TenSEAL: A Library for Encrypted Tensor Operations Using Homomorphic Encryption. arXiv:2104.03152 [cs.CR]"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00145-023-09463-5"},{"key":"e_1_3_2_1_14_1","first-page":"391","article-title":"DPsniper: black-box discovery of differential privacy violations using classifiers","author":"Bichsel Benjamin","year":"2021","unstructured":"Benjamin Bichsel, Samuel Steffen, Ilija Bogunovic, and Martin Vechev. 2021. DPsniper: black-box discovery of differential privacy violations using classifiers. In IEEE S&P. IEEE, 391-409.","journal-title":"IEEE S&P. IEEE"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338469.3358944"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-32946-3_5"},{"key":"e_1_3_2_1_17_1","volume-title":"Recursive proof composition without a trusted setup. Cryptology ePrint Archive","author":"Bowe Sean","year":"2019","unstructured":"Sean Bowe, Jack Grigg, and Daira Hopwood. 2019. Recursive proof composition without a trusted setup. Cryptology ePrint Archive (2019)."},{"key":"e_1_3_2_1_18_1","volume-title":"Portfolio allocation for Bayesian optimization. arXiv preprint arXiv:1009.5419","author":"Brochu Eric","year":"2010","unstructured":"Eric Brochu, Matthew W Hoffman, and Nando de Freitas. 2010. Portfolio allocation for Bayesian optimization. arXiv preprint arXiv:1009.5419 (2010)."},{"key":"e_1_3_2_1_19_1","first-page":"407","article-title":"Poisoning web-scale training datasets is practical","author":"Carlini Nicholas","year":"2024","unstructured":"Nicholas Carlini, Matthew Jagielski, Christopher A Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, and Florian Tram\u00e8r. 2024. Poisoning web-scale training datasets is practical. In IEEE S&P. IEEE, 407-425.","journal-title":"IEEE S&P. IEEE"},{"key":"e_1_3_2_1_20_1","first-page":"11","article-title":"Multiparty unconditionally secure protocols","author":"Chaum David","year":"1988","unstructured":"David Chaum, Claude Cr\u00e9peau, and Ivan Damgard. 1988. Multiparty unconditionally secure protocols. In STOC. 11-19.","journal-title":"STOC."},{"key":"e_1_3_2_1_21_1","first-page":"560","article-title":"Zkml: An optimizing system for ml inference in zero-knowledge proofs","author":"Chen Bing-Jyue","year":"2024","unstructured":"Bing-Jyue Chen, Suppakit Waiwitlikhit, Ion Stoica, and Daniel Kang. 2024. Zkml: An optimizing system for ml inference in zero-knowledge proofs. In EuroSys. 560-574.","journal-title":"EuroSys."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-10970-7_16"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-70694-8_15"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00145-019-09319-x"},{"key":"e_1_3_2_1_25_1","unstructured":"Neophytos Christou Di Jin Vaggelis Atlidakis Baishakhi Ray and Vasileios P Kemerlis. 2023. {IvySyn}: Automated vulnerability discovery in deep learning frameworks. In USENIX Security'23. 2383-2400."},{"key":"e_1_3_2_1_26_1","first-page":"344","article-title":"ImpNet: Imperceptible and blackbox-undetectable backdoors in compiled neural networks","author":"Clifford Eleanor","year":"2024","unstructured":"Eleanor Clifford, Ilia Shumailov, Yiren Zhao, Ross Anderson, and Robert Mullins. 2024. ImpNet: Imperceptible and blackbox-undetectable backdoors in compiled neural networks. In SaTML. IEEE, 344-357.","journal-title":"SaTML. IEEE"},{"key":"e_1_3_2_1_27_1","volume-title":"HEIR: Homomorphic Encryption Intermediate Representation. https:\/\/github.com\/google\/heir.","author":"Contributors HEIR","year":"2023","unstructured":"HEIR Contributors. 2023. HEIR: Homomorphic Encryption Intermediate Representation. https:\/\/github.com\/google\/heir."},{"key":"e_1_3_2_1_28_1","unstructured":"Pranav Dahiya Ilia Shumailov and Ross Anderson. 2024. Machine Learning needs Better Randomness Standards: Randomised Smoothing and {PRNG-based} attacks. In USENIX Security'24. 3657-3674."},{"key":"e_1_3_2_1_29_1","first-page":"479","article-title":"BOAT: Building auto-tuners with structured Bayesian optimization","author":"Dalibard Valentin","year":"2017","unstructured":"Valentin Dalibard, Michael Schaarschmidt, and Eiko Yoneki. 2017. BOAT: Building auto-tuners with structured Bayesian optimization. In WWW. 479-488.","journal-title":"WWW."},{"key":"e_1_3_2_1_30_1","first-page":"11966","article-title":"Lira: Learnable, imperceptible and robust backdoor attacks","author":"Doan Khoa","year":"2021","unstructured":"Khoa Doan, Yingjie Lao, Weijie Zhao, and Ping Li. 2021. Lira: Learnable, imperceptible and robust backdoor attacks. In ICCV. 11966-11976.","journal-title":"ICCV."},{"key":"e_1_3_2_1_31_1","volume-title":"Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive","author":"Fan Junfeng","year":"2012","unstructured":"Junfeng Fan and Frederik Vercauteren. 2012. Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive (2012)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1257\/pandp.20201057"},{"key":"e_1_3_2_1_33_1","first-page":"1180","article-title":"Unsupervised domain adaptation by backpropagation","author":"Ganin Yaroslav","year":"2015","unstructured":"Yaroslav Ganin and Victor Lempitsky. 2015. Unsupervised domain adaptation by backpropagation. In ICML. PMLR, 1180-1189.","journal-title":"ICML. PMLR"},{"key":"e_1_3_2_1_34_1","unstructured":"Yue Gao Ilia Shumailov and Kassem Fawaz. 2025. Supply-chain attacks in machine learning frameworks. In MLSys."},{"key":"e_1_3_2_1_35_1","first-page":"169","article-title":"Fully homomorphic encryption using ideal lattices","author":"Gentry Craig","year":"2009","unstructured":"Craig Gentry. 2009. Fully homomorphic encryption using ideal lattices. In STOC. 169-178.","journal-title":"STOC."},{"key":"e_1_3_2_1_36_1","first-page":"291","article-title":"The knowledge complexity of interactive proof-systems","author":"Goldwasser Shafi","year":"1985","unstructured":"Shafi Goldwasser, Silvio Micali, and Charles Rackoff. 1985. The knowledge complexity of interactive proof-systems. In STOC. 291-304.","journal-title":"STOC."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-49896-5_11"},{"key":"e_1_3_2_1_38_1","volume-title":"Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733 (2017)."},{"key":"e_1_3_2_1_39_1","unstructured":"Miguel Guevara. 2023. Expanding our Fully Homomorphic Encryption offering - Google Developers Blog. https:\/\/developers.googleblog.com\/en\/expanding-ourfully-homomorphic-encryption-offering\/."},{"key":"e_1_3_2_1_40_1","volume-title":"AEVA: Black-box Backdoor Detection Using Adversarial Extreme Value Analysis. In ICLR.","author":"Guo Junfeng","year":"2022","unstructured":"Junfeng Guo, Ang Li, and Cong Liu. 2022. AEVA: Black-box Backdoor Detection Using Adversarial Extreme Value Analysis. In ICLR."},{"key":"e_1_3_2_1_41_1","first-page":"27","article-title":"Characterizing and understanding software security vulnerabilities in machine learning libraries","author":"Harzevili Nima Shiri","year":"2023","unstructured":"Nima Shiri Harzevili, Jiho Shin, JunjieWang, SongWang, and Nachiappan Nagappan. 2023. Characterizing and understanding software security vulnerabilities in machine learning libraries. In MSR. IEEE, 27-38.","journal-title":"MSR. IEEE"},{"key":"e_1_3_2_1_42_1","first-page":"1220","article-title":"Sok: General purpose compilers for secure multi-party computation","author":"Hastings Marcella","year":"2019","unstructured":"Marcella Hastings, Brett Hemenway, Daniel Noble, and Steve Zdancewic. 2019. Sok: General purpose compilers for secure multi-party computation. In IEEE S&P. IEEE, 1220-1237.","journal-title":"IEEE S&P. IEEE"},{"key":"e_1_3_2_1_43_1","volume-title":"Cheetah: Lean and fast secure Two-Party deep neural network inference. In USENIX Security'22. 809-826.","author":"Huang Zhicong","year":"2022","unstructured":"Zhicong Huang, Wen-jie Lu, Cheng Hong, and Jiansheng Ding. 2022. Cheetah: Lean and fast secure Two-Party deep neural network inference. In USENIX Security'22. 809-826."},{"key":"e_1_3_2_1_44_1","unstructured":"Intel and Alibaba Cloud. 2022. Alibaba Builds End-to-End PPML Solution. https:\/\/www.intel.com\/content\/www\/us\/en\/customer-spotlight\/stories\/alibabacloud-ppml-customer-story.html."},{"key":"e_1_3_2_1_45_1","unstructured":"ISACA. 2024. Exploring Practical Considerations and Applications for Privacy Enhancing Technologies. https:\/\/www.isaca.org\/resources\/whitepapers\/2024\/exploring-practical-considerations-and-applications-for-privacyenhancing-technologies."},{"key":"e_1_3_2_1_46_1","first-page":"19","article-title":"Manipulating machine learning: Poisoning attacks and countermeasures for regression learning","author":"Jagielski Matthew","year":"2018","unstructured":"Matthew Jagielski, Alina Oprea, Battista Biggio, Chang Liu, Cristina Nita-Rotaru, and Bo Li. 2018. Manipulating machine learning: Poisoning attacks and countermeasures for regression learning. In IEEE S&P. IEEE, 19-35.","journal-title":"IEEE S&P. IEEE"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690250"},{"key":"e_1_3_2_1_48_1","unstructured":"B. Knott S. Venkataraman A.Y. Hannun S. Sengupta M. Ibrahim and L.J.P. van der Maaten. 2021. CrypTen: Secure Multi-Party Computation Meets Machine Learning. In arXiv 2109.00984."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623212"},{"key":"e_1_3_2_1_50_1","unstructured":"Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00060"},{"key":"e_1_3_2_1_52_1","volume-title":"A Survey on the Applications of Zero-Knowledge Proofs. arXiv preprint arXiv:2408.00243","author":"Lavin Ryan","year":"2024","unstructured":"Ryan Lavin, Xuekai Liu, Hardhik Mohanty, Logan Norman, Giovanni Zaarour, and Bhaskar Krishnamachari. 2024. A Survey on the Applications of Zero-Knowledge Proofs. arXiv preprint arXiv:2408.00243 (2024)."},{"key":"e_1_3_2_1_53_1","volume-title":"Junbum Shin, and Mun-Kyu Lee.","author":"Lee Seewoo","year":"2023","unstructured":"Seewoo Lee, Garam Lee, Jung Woo Kim, Junbum Shin, and Mun-Kyu Lee. 2023. HETAL: efficient privacy-preserving transfer learning with homomorphic encryption. In ICML. JMLR.org, Article 786, 26 pages."},{"key":"e_1_3_2_1_54_1","first-page":"263","article-title":"Deeppayload: Black-box backdoor attack on deep learning models through neural payload injection","author":"Li Yuanchun","year":"2021","unstructured":"Yuanchun Li, Jiayi Hua, Haoyu Wang, Chunyang Chen, and Yunxin Liu. 2021. Deeppayload: Black-box backdoor attack on deep learning models through neural payload injection. In ICSE. IEEE, 263-274.","journal-title":"ICSE. IEEE"},{"key":"e_1_3_2_1_55_1","unstructured":"Yichen LI Dongwei Xiao Zhibo Liu Qi Pang and Shuai Wang. 2024. Metamorphic Testing of Secure Multi-Party Computation (MPC) Compilers. In ESEC\/FSE."},{"key":"e_1_3_2_1_56_1","volume-title":"Kim-Kwang Raymond Choo, and Debiao He","author":"Lin Chao","year":"2021","unstructured":"Chao Lin, Min Luo, Xinyi Huang, Kim-Kwang Raymond Choo, and Debiao He. 2021. An efficient privacy-preserving credit score system based on noninteractive zero-knowledge proof. IEEE systems journal 16, 1 (2021), 1592-1601."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3387108"},{"volume-title":"Reflection backdoor: A natural backdoor attack on deep neural networks","author":"Liu Yunfei","key":"e_1_3_2_1_58_1","unstructured":"Yunfei Liu, Xingjun Ma, James Bailey, and Feng Lu. 2020. Reflection backdoor: A natural backdoor attack on deep neural networks. In ECCV. Springer, 182-199."},{"key":"e_1_3_2_1_59_1","unstructured":"Forbes Media LLC. 2024. AI's Role In Modern Medical Diagnosis. https:\/\/www.forbes.com\/councils\/forbesbusinesscouncil\/2024\/10\/14\/ais-rolein-modern-medical-diagnosis\/."},{"key":"e_1_3_2_1_60_1","volume-title":"Bumblebee: Secure two-party inference framework for large transformers. Cryptology ePrint Archive","author":"Huang Zhicong","year":"2023","unstructured":"Wen-jie Lu, Zhicong Huang, Zhen Gu, Jingyu Li, Jian Liu, Cheng Hong, Kui Ren, Tao Wei, and WenGuang Chen. 2023. Bumblebee: Secure two-party inference framework for large transformers. Cryptology ePrint Archive (2023)."},{"key":"e_1_3_2_1_61_1","first-page":"17","volume-title":"ATC'23","author":"Ma Junming","year":"2023","unstructured":"Junming Ma, Yancheng Zheng, Jun Feng, Derun Zhao, Haoqi Wu, Wenjing Fang, Jin Tan, Chaofan Yu, Benyu Zhang, and Lei Wang. 2023. SecretFlow-SPU: A performant and User-Friendly framework for Privacy-Preserving machine learning. In ATC'23. 17-33."},{"key":"e_1_3_2_1_62_1","volume-title":"Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)."},{"key":"e_1_3_2_1_63_1","volume-title":"A survey on bias and fairness in machine learning. ACM computing surveys (CSUR) 54, 6","author":"Mehrabi Ninareh","year":"2021","unstructured":"Ninareh Mehrabi, Fred Morstatter, Nripsuta Saxena, Kristina Lerman, and Aram Galstyan. 2021. A survey on bias and fairness in machine learning. ACM computing surveys (CSUR) 54, 6 (2021), 1-35."},{"key":"e_1_3_2_1_64_1","volume-title":"Machine Learning Models Have a Supply Chain Problem. arXiv preprint arXiv:2505.22778","author":"Meiklejohn Sarah","year":"2025","unstructured":"Sarah Meiklejohn, Hayden Blauzvern, Mihai Maruseac, Spencer Schrock, Laurent Simon, and Ilia Shumailov. 2025. Machine Learning Models Have a Supply Chain Problem. arXiv preprint arXiv:2505.22778 (2025)."},{"key":"e_1_3_2_1_65_1","first-page":"27","article-title":"Delphi: A cryptographic inference system for neural networks","author":"Mishra Pratyush","year":"2020","unstructured":"Pratyush Mishra, Ryan Lehmkuhl, Akshayaram Srinivasan, Wenting Zheng, and Raluca Ada Popa. 2020. Delphi: A cryptographic inference system for neural networks. In PPMLP. 27-30.","journal-title":"PPMLP."},{"key":"e_1_3_2_1_66_1","first-page":"1765","article-title":"Universal adversarial perturbations","author":"Moosavi-Dezfooli Seyed-Mohsen","year":"2017","unstructured":"Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Omar Fawzi, and Pascal Frossard. 2017. Universal adversarial perturbations. In CVPR. 1765-1773.","journal-title":"CVPR."},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2014.03.001"},{"key":"e_1_3_2_1_68_1","first-page":"3038","article-title":"Helium: Scalable MPC among lightweight participants and under churn","author":"Mouchet Christian","year":"2024","unstructured":"Christian Mouchet, Sylvain Chatel, Apostolos Pyrgelis, and Carmela Troncoso. 2024. Helium: Scalable MPC among lightweight participants and under churn. In CCS. 3038-3052.","journal-title":"CCS."},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1007\/s40747-022-00756-z"},{"key":"e_1_3_2_1_70_1","unstructured":"Tuomas Oikarinen and Diego Dorn. 2023. Training a NN to 99% accuracy on MNIST in 0.76 seconds. https:\/\/github.com\/tuomaso\/train_mnist_fast."},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"crossref","unstructured":"Qi Pang Yuanyuan Yuan and ShuaiWang. 2024. MPCDiff: Testing and Repairing MPC-Hardened Deep Learning Models. In NDSS.","DOI":"10.14722\/ndss.2024.23380"},{"key":"e_1_3_2_1_72_1","volume-title":"Wonkyung Jung, and Jung Ho Ahn.","author":"Park Jaiyoung","year":"2022","unstructured":"Jaiyoung Park, Michael Jaemin Kim, Wonkyung Jung, and Jung Ho Ahn. 2022. AESPA: Accuracy preserving low-degree polynomial activation for fast private inference. arXiv preprint arXiv:2201.06699 (2022)."},{"key":"e_1_3_2_1_73_1","volume-title":"Pytorch: An imperative style, high-performance deep learning library. arXiv preprint arXiv:1912.01703","author":"Paszke A","year":"2019","unstructured":"A Paszke. 2019. Pytorch: An imperative style, high-performance deep learning library. arXiv preprint arXiv:1912.01703 (2019)."},{"key":"e_1_3_2_1_74_1","first-page":"5178","article-title":"Autorep: Automatic relu replacement for fast private network inference","author":"Peng Hongwu","year":"2023","unstructured":"Hongwu Peng, Shaoyi Huang, Tong Zhou, et al. 2023. Autorep: Automatic relu replacement for fast private network inference. In ICCV. 5178-5188.","journal-title":"ICCV."},{"key":"e_1_3_2_1_75_1","first-page":"2251","article-title":"Testing and Understanding Deviation Behaviors in FHEHardened Machine Learning Models","author":"Peng Yiteng","year":"2025","unstructured":"Yiteng Peng, DaoyuanWu, Zhibo Liu, Dongwei Xiao, Zhenlan Ji, Juergen Rahmel, and Shuai Wang. 2025. Testing and Understanding Deviation Behaviors in FHEHardened Machine Learning Models. In ICSE. IEEE, 2251-2263.","journal-title":"ICSE. IEEE"},{"key":"e_1_3_2_1_76_1","first-page":"8748","article-title":"Learning transferable visual models from natural language supervision","author":"Radford Alec","year":"2021","unstructured":"Alec Radford, Jong Wook Kim, Chris Hallacy, Aditya Ramesh, Gabriel Goh, Sandhini Agarwal, Girish Sastry, Amanda Askell, Pamela Mishkin, Jack Clark, et al. 2021. Learning transferable visual models from natural language supervision. In ICML. PmLR, 8748-8763.","journal-title":"ICML. PmLR"},{"key":"e_1_3_2_1_77_1","volume-title":"Joao Sa Sousa, and Jean-Pierre Hubaux","author":"Sav Sinem","year":"2020","unstructured":"Sinem Sav, Apostolos Pyrgelis, Juan R Troncoso-Pastoriza, David Froelicher, Jean-Philippe Bossuat, Joao Sa Sousa, and Jean-Pierre Hubaux. 2020. POSEIDON: Privacy-preserving federated neural network learning. arXiv preprint arXiv:2009.00349 (2020)."},{"key":"e_1_3_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-34671-2_34"},{"key":"e_1_3_2_1_80_1","unstructured":"Bing Sun Jun Sun Wayne Koh and Jie Shi. 2024. Neural Network Semantic Backdoor Detection and Mitigation: A Causality-Based Approach. In USENIX Security'24."},{"key":"e_1_3_2_1_81_1","first-page":"4405","article-title":"zkllm: Zero knowledge proofs for large language models","author":"Sun Haochen","year":"2024","unstructured":"Haochen Sun, Jason Li, and Hongyang Zhang. 2024. zkllm: Zero knowledge proofs for large language models. In CCS. 4405-4419.","journal-title":"CCS."},{"key":"e_1_3_2_1_82_1","first-page":"697","article-title":"Hard-label black-box universal adversarial patch attack","volume":"23","author":"Tao Guanhong","year":"2023","unstructured":"Guanhong Tao, Shengwei An, Siyuan Cheng, Guangyu Shen, and Xiangyu Zhang. 2023. Hard-label black-box universal adversarial patch attack. In USENIX Security' 23. 697-714.","journal-title":"USENIX Security'"},{"key":"e_1_3_2_1_83_1","first-page":"1092","article-title":"SoK: Fully homomorphic encryption compilers","author":"Viand Alexander","year":"2021","unstructured":"Alexander Viand, Patrick Jattke, and Anwar Hithnawi. 2021. SoK: Fully homomorphic encryption compilers. In IEEE S&P. IEEE, 1092-1108.","journal-title":"IEEE S&P. IEEE"},{"key":"e_1_3_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1007\/s12530-020-09345-2"},{"key":"e_1_3_2_1_85_1","first-page":"1994","article-title":"Mm-bd: Posttraining detection of backdoor attacks with arbitrary backdoor pattern types using a maximum margin statistic","author":"Wang Hang","year":"2024","unstructured":"Hang Wang, Zhen Xiang, David J Miller, and George Kesidis. 2024. Mm-bd: Posttraining detection of backdoor attacks with arbitrary backdoor pattern types using a maximum margin statistic. In IEEE S&P. IEEE, 1994-2012.","journal-title":"IEEE S&P. IEEE"},{"key":"e_1_3_2_1_86_1","first-page":"919","article-title":"Checkdp: An automated and integrated approach for proving differential privacy or finding precise counterexamples","author":"Wang Yuxin","year":"2020","unstructured":"Yuxin Wang, Zeyu Ding, Daniel Kifer, and Danfeng Zhang. 2020. Checkdp: An automated and integrated approach for proving differential privacy or finding precise counterexamples. In CCS. 919-938.","journal-title":"CCS."},{"key":"e_1_3_2_1_87_1","unstructured":"Chong Xiang Saeed Mahloujifar and Prateek Mittal. 2022. PatchCleanser: Certifiably robust defense against adversarial patches for any image classifier. In USENIX Security'22. 2065-2082."},{"key":"e_1_3_2_1_88_1","volume-title":"MTZK: Testing and Exploring Bugs in Zero-Knowledge (ZK) Compilers. In NDSS.","author":"Xiao Dongwei","year":"2025","unstructured":"Dongwei Xiao, Zhibo Liu, Yiteng Peng, and Shuai Wang. 2025. MTZK: Testing and Exploring Bugs in Zero-Knowledge (ZK) Compilers. In NDSS."},{"key":"e_1_3_2_1_89_1","volume-title":"Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747","author":"Xiao Han","year":"2017","unstructured":"Han Xiao, Kashif Rasul, and Roland Vollgraf. 2017. Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747 (2017)."},{"key":"e_1_3_2_1_90_1","unstructured":"Zama. 2022. Concrete ML: a Privacy-Preserving Machine Learning Library using Fully Homomorphic Encryption for Data Scientists. https:\/\/github.com\/zamaai\/concrete-ml."},{"key":"e_1_3_2_1_91_1","unstructured":"Zama. 2024. Concrete ML model builds quantization parameters based on the data ranges. https:\/\/community.zama.ai\/t\/simple-linreg-model-outputs-wrongresults\/902."}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765107","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:14:45Z","timestamp":1766441685000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765107"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":91,"alternative-id":["10.1145\/3719027.3765107","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765107","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}