Papers
Topics
Authors
Recent
Search
2000 character limit reached

Non-transferable Examples for AI Authorization

Updated 4 July 2026
  • Non-transferable Examples (NEs) are a model-specific authorization mechanism that recodes inputs to preserve performance for an authorized AI model while degrading usability for others.
  • They leverage a training-free, data-agnostic recoding based on low-sensitivity subspaces of the model's first linear layer, using singular value decomposition.
  • Empirical tests across vision and vision-language models show that NEs maintain nearly identical performance on the authorized model while causing unauthorized models to collapse.

Non-transferable Examples (NEs) are a model-specific authorization mechanism for AI systems in which an input-side recoding T:XXT:\mathcal X\to\mathcal X preserves usability for one authorized model ff^\star while degrading usability for unauthorized models fF{f}f'\in\mathcal F\setminus\{f^\star\}. In "Catch-Only-One: Non-Transferable Examples for Model-Specific Authorization," NEs are introduced as a training-free and data-agnostic method that recodes inputs within a model-specific low-sensitivity subspace of the authorized model’s first linear layer, so that the authorized model retains performance whereas non-target models fail because of subspace misalignment (Wang et al., 13 Oct 2025). The framework is motivated by the need for data that remain useful for innovation while resistant to misuse at the model level, and it differs from approaches that perturb data to make it unlearnable or retrain models to suppress transfer, because it acts at inference time and does not require control over training.

1. Problem formulation and core definition

The formal setting fixes an ambient input space XRn\mathcal X\subseteq\mathbb R^n, an authorized model f:XYf^\star:\mathcal X\to\mathcal Y, a family of models F\mathcal F trained on the same domain, and a scalar task metric m(f,x)m(f,x) in which smaller values mean better usability. The goal is to construct a recoding TT such that, for x~=T(x)\tilde x=T(x), authorized-utility retention holds: Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho, while unauthorized-utility degradation holds: ff^\star0 This formulation makes NEs an input-side usage-control mechanism rather than a training-time defense (Wang et al., 13 Oct 2025).

The construction uses the first linear layer of the authorized model. Writing that layer as ff^\star1, with bias absorbed into ff^\star2 by homogeneously augmenting ff^\star3, one computes the singular value decomposition

ff^\star4

For a threshold ff^\star5, the ff^\star6-insensitive subspace is

ff^\star7

A perturbation ff^\star8 then satisfies ff^\star9. An NE is formed as

fF{f}f'\in\mathcal F\setminus\{f^\star\}0

where fF{f}f'\in\mathcal F\setminus\{f^\star\}1 is obtained by zeroing coordinates fF{f}f'\in\mathcal F\setminus\{f^\star\}2 with fF{f}f'\in\mathcal F\setminus\{f^\star\}3 and sampling the remaining coordinates, for example fF{f}f'\in\mathcal F\setminus\{f^\star\}4, followed if needed by scaling to ensure fF{f}f'\in\mathcal F\setminus\{f^\star\}5 (Wang et al., 13 Oct 2025).

2. Recoding mechanism and model specificity

The same construction can be written as a projection. If fF{f}f'\in\mathcal F\setminus\{f^\star\}6 is the orthogonal projector onto the span of the fF{f}f'\in\mathcal F\setminus\{f^\star\}7 right singular vectors whose singular values satisfy fF{f}f'\in\mathcal F\setminus\{f^\star\}8, then

fF{f}f'\in\mathcal F\setminus\{f^\star\}9

This emphasizes that NEs are created by restricting perturbations to directions that are low-sensitivity for the authorized model (Wang et al., 13 Oct 2025).

The method is explicitly training-free. It does not retrain XRn\mathcal X\subseteq\mathbb R^n0 or any unauthorized model XRn\mathcal X\subseteq\mathbb R^n1; instead, it probes XRn\mathcal X\subseteq\mathbb R^n2’s first-layer SVD once on a small probe set and computes XRn\mathcal X\subseteq\mathbb R^n3 and XRn\mathcal X\subseteq\mathbb R^n4. It is also data-agnostic in the sense that the same projector XRn\mathcal X\subseteq\mathbb R^n5 applies to any XRn\mathcal X\subseteq\mathbb R^n6, including images and text tokens, without task-specific surrogate labels or losses. The private authorization information is therefore concentrated in the model-specific parameters XRn\mathcal X\subseteq\mathbb R^n7, while the recoding function XRn\mathcal X\subseteq\mathbb R^n8 can remain public (Wang et al., 13 Oct 2025).

The key structural hypothesis is subspace misalignment. Different models, whether due to different architectures or different random initializations, have distinct first-layer singular bases XRn\mathcal X\subseteq\mathbb R^n9. Directions that are low-sensitivity for f:XYf^\star:\mathcal X\to\mathcal Y0 typically correspond to moderate- or high-sensitivity directions in an unauthorized model f:XYf^\star:\mathcal X\to\mathcal Y1. Under that condition, a perturbation that is nearly invisible to the authorized model can create a large first-layer feature shift for a non-target model (Wang et al., 13 Oct 2025).

3. Theoretical guarantees

The first guarantee concerns retention for the authorized model. If f:XYf^\star:\mathcal X\to\mathcal Y2 is formed with f:XYf^\star:\mathcal X\to\mathcal Y3 nonzero Gaussian entries of variance f:XYf^\star:\mathcal X\to\mathcal Y4, then for any f:XYf^\star:\mathcal X\to\mathcal Y5, with probability at least f:XYf^\star:\mathcal X\to\mathcal Y6,

f:XYf^\star:\mathcal X\to\mathcal Y7

The proof sketch given in the paper uses

f:XYf^\star:\mathcal X\to\mathcal Y8

then bounds f:XYf^\star:\mathcal X\to\mathcal Y9, and controls F\mathcal F0 with Chebyshev’s inequality because it is a chi-squared sum with mean F\mathcal F1 and variance F\mathcal F2. The paper further states that small first-layer changes are typically attenuated by ReLU or truncation and later layers, so F\mathcal F3, which realizes the retention constraint (Wang et al., 13 Oct 2025).

The second guarantee concerns degradation for unauthorized models. For another model F\mathcal F4 with first layer F\mathcal F5, a perturbation drawn from F\mathcal F6 will generally not lie in F\mathcal F7. The analysis invokes the Hoffman–Wielandt inequality on singular vectors. If F\mathcal F8, F\mathcal F9, and m(f,x)m(f,x)0 uses the m(f,x)m(f,x)1-th right singular direction with m(f,x)m(f,x)2, and if

m(f,x)m(f,x)3

is the nearest gap between m(f,x)m(f,x)4 and the singular values of m(f,x)m(f,x)5, then for any m(f,x)m(f,x)6,

m(f,x)m(f,x)7

The proof sketch decomposes m(f,x)m(f,x)8 into a singular-vector difference term and a singular-value difference term, bounds m(f,x)m(f,x)9, uses TT0, and exploits TT1. The paper then states that when TT2 and TT3 arise from different random initializations or architectures, TT4 is TT5 and TT6 is TT7, so the right-hand side can be large even if TT8 itself is small, causing a substantial feature shift at layer 1 for the unauthorized model (Wang et al., 13 Oct 2025).

A plausible implication is that the theory is strongest at the interface between linearized first-layer geometry and practical model mismatch: the formal bounds are stated for first-layer feature deviation, while the downstream prediction failure is argued through propagation of that shift.

4. Empirical behavior across vision backbones and vision-LLMs

The empirical results are reported for image classification and vision-LLMs, with perturbations set to a TT9 dB PSNR regime. The classification experiments use ResNet-50, ViT-B/p16, SwinV2-T, DeiT-B, and MambaVision-T on CIFAR-10 and ImageNet-1K; the vision-language evaluation uses InternVL3-1B as the authorized model and Qwen2.5-VL-3B as the unauthorized model on MMBench (Wang et al., 13 Oct 2025).

Setting Authorized model behavior Unauthorized model behavior
ImageNet cross-architecture transfer ResNet-50 retains 80.2% top-1 vs. 80.3% clean All other models collapse to x~=T(x)\tilde x=T(x)0 top-1
Weight-variant transfer Target ResNet-50 remains usable Second ResNet-50 with different random seed yields x~=T(x)\tilde x=T(x)1 accuracy
MMBench VLM evaluation InternVL3 overall 72.7% x~=T(x)\tilde x=T(x)2 72.6% Qwen2.5 overall 78.8% x~=T(x)\tilde x=T(x)3 18.3%

For cross-architecture transfer on ImageNet, the paper reports that x~=T(x)\tilde x=T(x)4 generated for ResNet-50 retains x~=T(x)\tilde x=T(x)5 top-1 accuracy on ResNet-50, compared with x~=T(x)\tilde x=T(x)6 on clean inputs, while all other models collapse to approximately x~=T(x)\tilde x=T(x)7 top-1. It further states that similar behavior holds for each authorized target, with diagonal entries close to clean accuracy within x~=T(x)\tilde x=T(x)8 and off-diagonal transfer near chance. For weight-variant transfer, two ResNet-50 instances trained from different random seeds are sufficient for model specificity: NEs for one model yield approximately x~=T(x)\tilde x=T(x)9 accuracy on the other (Wang et al., 13 Oct 2025).

The baseline comparison in the same study positions NEs against Differential Privacy training, Fully Homomorphic Encryption, and AlgoSpec. The reported comparison is that Differential Privacy training with Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,0 drops authorized accuracy by Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,1–Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,2 and is inapplicable to Transformers; Fully Homomorphic Encryption preserves accuracy but incurs Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,3–Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,4 latency; AlgoSpec collapses authorized accuracy to near-zero. By contrast, NEs preserve authorized accuracy within Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,5, deny unauthorized models with Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,6–Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,7 top-1, and incur zero inference overhead beyond one input-side matrix multiplication (Wang et al., 13 Oct 2025).

For vision-LLMs on MMBench, the reported metrics include AR, CP, FP-C, FP-S, LR, RR, and overall. The authorized InternVL3-1B changes from Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,8 to Ex[m(f,x~)]Ex[m(f,x)]ρ,\mathbb E_x[m(f^\star,\tilde x)]-\mathbb E_x[m(f^\star,x)]\le \rho,9 overall, whereas unauthorized Qwen2.5-VL-3B changes from ff^\star00 to ff^\star01, with all sub-metrics collapsing into the teens. The paper also states that NEs survive standard resizing, cropping, JPEG, blurring, and the complex, model-specific preprocessing pipelines of modern VLMs (Wang et al., 13 Oct 2025).

5. Implementation details and operational limits

The implementation described in the paper is intentionally lightweight. Basis estimation uses a probe set of approximately ff^\star02 samples to compute the SVD of the first linear map, whether fully connected or im2col-unfolded convolution. A threshold ff^\star03 selects ff^\star04 insensitive directions. The vector ff^\star05 is i.i.d. Gaussian on those ff^\star06 coordinates and zero elsewhere. The perturbation is then scaled according to

ff^\star07

so that ff^\star08 dB, corresponding to approximately ff^\star09–ff^\star10 of the image norm. The recoding function ff^\star11 can be public, while the model-specific parameters ff^\star12 remain private (Wang et al., 13 Oct 2025).

The limitations are also explicit. A strong adaptive attacker might approximate ff^\star13 using massive queries or side-channels and then project ff^\star14 back onto its complement, partially restoring utility. Extremely aggressive preprocessing, including heavy cropping or extreme JPEG, can shrink the relative energy of ff^\star15. The formal analysis focuses on first-layer effects, and extending provable bounds through deeper nonlinear layers remains open. The paper notes that dynamic defenses such as randomized ff^\star16 and time-varying bases can raise attacker cost, but at the expense of occasional authorized jitter (Wang et al., 13 Oct 2025).

A common misconception is to treat NEs as a universal obfuscation mechanism. The paper does not claim that; the mechanism is model-specific, its strongest guarantees are first-layer guarantees, and its resistance to adaptive recovery is presented as conditional rather than absolute.

6. Relation to adjacent literatures and terminological ambiguity

The acronym “NEs” is not unique across the literature. In "Transferable Unlearnable Examples," the phrase “non-transferable” appears in a different sense: Error-Minimizing Noise perturbations are described as non-transferable because their unlearnable effect fails to transfer across training algorithms and across datasets. That paper introduces Classwise Separability Discriminant and a contrastive bi-level objective to produce Transferable Unlearnable Examples, with the goal of making perturbations transferable to multiple training settings and datasets (Ren et al., 2022). This is conceptually distinct from model-specific authorization, where non-transferability is the intended property and operates at inference rather than training.

The term also appears in an unrelated domain in "Targeting Without Transfers," where “non-transferable examples (NEs)” refers to canonical menu constructions in multidimensional screening without money, including pure options and, in the two-good symmetric case, at most one mixed bundle (Tokarski, 31 Jan 2026). This usage belongs to mechanism design rather than machine learning.

Within AI security and data governance, the significance of the 2025 NEs proposal is therefore specific: it reframes non-transferability as a desirable authorization primitive. Instead of making data globally unusable, it makes data selectively usable by exactly one authorized model. The paper’s own summary states that NEs leverage model-specific low-sensitivity subspaces of the first linear layer to produce a simple, training-free, data-agnostic recoding that “ciphers” data for exactly one authorized model while rendering it unusable for any other (Wang et al., 13 Oct 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (3)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Non-transferable Examples (NEs).