Breaking Euston: Recovering Private Inputs from Secure Inference by Exploiting Subspace Leakage

TL;DR

This paper reveals a privacy vulnerability in the Euston secure inference framework, showing that subspace leakage can be exploited to recover private inputs, posing a fundamental security risk.

Contribution

The authors demonstrate that the matrix transmission protocol in Euston leaks subspace information, enabling private input recovery, which was previously unrecognized.

Findings

Subspace leakage enables input recovery in Euston.

Recovery attack is effective on image and language datasets.

Highlights a fundamental privacy risk in the protocol design.

Abstract

In the 47th IEEE Symposium on Security and Privacy (IEEE S&P 2026), Gao et al. proposed an efficient and user-friendly secure transformer inference framework, namely Euston. In Euston, a singular value decomposition-based matrix transmission protocol is designed to efficiently transmit input matrices, reducing communication bandwidth by approximately 2.8 times. In this manuscript, we show that this transmission protocol introduces subspace leakage of random masks, enabling the model owner to recover private samples easily. We further validate the effectiveness of the recovery attack through simple experiments on image and language datasets, highlighting a fundamental privacy risk of the protocol design.