Breaking Euston: Recovering Private Inputs from Secure Inference by Exploiting Subspace Leakage
For users of secure inference systems, this work reveals a critical privacy flaw in a recently proposed protocol, undermining its security guarantees.
The paper identifies a subspace leakage vulnerability in the Euston secure transformer inference framework that allows the model owner to recover private input samples, despite the protocol's claimed 2.8x bandwidth reduction. The attack is validated on image and language datasets.
In the 47th IEEE Symposium on Security and Privacy (IEEE S&P 2026), Gao et al. proposed an efficient and user-friendly secure transformer inference framework, namely Euston. In Euston, a singular value decomposition-based matrix transmission protocol is designed to efficiently transmit input matrices, reducing communication bandwidth by approximately 2.8 times. In this manuscript, we show that this transmission protocol introduces subspace leakage of random masks, enabling the model owner to recover private samples easily. We further validate the effectiveness of the recovery attack through simple experiments on image and language datasets, highlighting a fundamental privacy risk of the protocol design.