DiffusionHijack: Supply-Chain PRNG Backdoor Attack on Diffusion Models and Quantum Random Number Defense
Ziyang You, Liling Zheng, Xiaoke Yang, and Xuxing Lu

TL;DR
This paper introduces DiffusionHijack, a supply-chain backdoor attack on diffusion models that hijacks PRNGs to deterministically generate attacker-controlled images, and proposes QRNGs as an effective hardware-level defense.
Contribution
It reveals a novel supply-chain vulnerability in diffusion models and demonstrates that quantum random number generators can effectively mitigate this attack.
Findings
The attack achieves pixel-perfect reproduction of attacker-chosen images.
Existing model auditing cannot detect the attack as it operates outside the neural network graph.
QRNGs completely neutralize the attack, reducing output similarity to baseline levels.
Abstract
Diffusion models depend on pseudo-random number generators (PRNGs) for latent noise sampling. We present DiffusionHijack, a supply-chain backdoor attack that hijacks the PRNG to deterministically control generated images. A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights. The attack is inherently undetectable by existing model auditing and content moderation mechanisms, as it operates entirely outside the neural network computation graph. The attack remains effective under stochastic sampling (eta > 0), bypasses CLIP-based safety checkers (98-100% success), and operates independently of the user's prompt. As a countermeasure, we replace the PRNG with a quantum random number generator (QRNG), which provides…
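A defender-side smoke test for the latent-noise source the abstract describes, added here as an example and not code from the paper. It assumes a hypothetical sampler interface `sample(seed, n)` and that a tampered source returns the same latents whatever seed the caller passes; `tampered_source` is a constructed stand-in used only to exercise the check.

```python
import math
import random

def healthy_source(seed, n):
    """Reference sampler: seeded Gaussian noise from the standard library."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]

def tampered_source(seed, n):
    """Constructed stand-in for a compromised sampler: ignores the seed."""
    rng = random.Random(1234)  # fixed internal state, caller's seed unused
    return [rng.gauss(0.0, 1.0) for _ in range(n)]

def pearson(a, b):
    """Pearson correlation; constant input is treated as fully correlated."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 1.0

def audit_noise_source(sample, seeds=(0, 1, 2, 3), n=4096, max_corr=0.1):
    """Return a list of findings; an empty list means no check failed."""
    findings = []
    draws = {s: sample(s, n) for s in seeds}
    # Check 1: each draw should look like standard normal noise.
    for s, x in draws.items():
        mean = sum(x) / n
        var = sum((v - mean) ** 2 for v in x) / n
        if abs(mean) > 0.1 or abs(var - 1.0) > 0.15:
            findings.append(f"seed {s}: moments off (mean={mean:.3f}, var={var:.3f})")
    # Check 2: draws under different seeds must be statistically unrelated.
    ordered = list(seeds)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            r = pearson(draws[a], draws[b])
            if abs(r) > max_corr:
                findings.append(f"seeds {a},{b}: outputs correlated (r={r:.3f})")
    return findings
```

A source that misbehaves only under specific conditions would pass this check, so it complements verifying the integrity of installed packages and does not replace it.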
