Raw Output-Based Parameter Recovery Attack

• Raw output-based parameter recovery attacks are a class of side-channel methods that exploit unprocessed system outputs to infer hidden parameters and keys.
• They integrate techniques from cryptography, physical side-channel analysis, and machine learning to recover secret values via adaptive queries and statistical modeling.
• Countermeasures include output masking, obfuscation, and architectural adjustments, though these defenses often involve trade-offs between performance and security.

A raw output-based parameter recovery attack is a class of cryptanalytic or side-channel attack in which an adversary uses “raw output” information provided by a system—such as unprocessed ciphertexts, output vectors (e.g., logits), physical traces, or fault-induced behavior—to recover secret parameters, keys, or otherwise protected values. The defining characteristic of this attack paradigm is the adversary’s reliance on observable outputs (often produced under natural or adversarial conditions) rather than direct access to internal computations, gradients, or memory contents. The following sections survey foundational principles, representative methodologies, applications in both cryptography and machine learning, key theoretical frameworks, and ongoing challenges.

1. Foundational Principles and Definitions

Raw output-based parameter recovery attacks operate by exploiting the inherent relationship between hidden parameters of a system and the observable outputs generated under typical or adversarial queries. A central assumption is that, given enough observable data—whether from cryptosystems (ciphertexts, error syndromes, or fault-influenced outputs), machine learning models (raw logits, hard-label outputs, or decision boundaries), or physical systems (power, impedance, or timing traces)—an adversary can use analytical or statistical methods to infer or reconstruct the underlying secret parameters.

These attacks distinguish themselves from classic chosen-plaintext, chosen-ciphertext, or gradient-based inversion attacks by neither requiring direct internal memory access nor gradient or score vectors. In cryptography, prominent examples include key recovery in code- and lattice-based schemes via algebraic or fault-induced observations. In machine learning, the paradigm encompasses inversion and model extraction via only output labels or logits.

2. Cryptographic Instantiations: Code-Based and Lattice-Based Schemes

Several cryptosystem designs, particularly those in post-quantum cryptography, have been shown to be susceptible to raw output-based parameter recovery attacks:

Rank-metric and Gabidulin Code Schemes

The Faure–Loidreau scheme and related rank-metric systems encode secret keys via Gabidulin codes and publish transformed output matrices. Attacks in this space (e.g., (Gaborit et al., 2016)) use the Frobenius operator and trace mappings to define public subcodes. The key step involves defining operators such as $\Lambda_i(U) = U + U^q + \cdots + U^{q^i}$ and distinguishing structured Gabidulin components from random linear codes. When certain rank and parameter conditions are met (e.g., $w \leq (u/(u+1))(n-k)$), polynomial-time attacks recover the secret key in seconds by uniquely solving for masked error vectors and secret codewords.

GRS-Based Encryption and RLCE

RLCE and similar schemes (e.g., (Couvreur et al., 2018)) exhibit vulnerabilities when output generator matrices and random column insertions are insufficiently masked. By analyzing the Schur square dimensions and using code shortening, one can distinguish regions of the public code that “behave” as GRS codes, and then recover secret parameters (support, multipliers, and mixing matrices) through structural algebraic attacks. The query and computational complexity in such attacks is $O(w n^2 k^2)$ in field operations.

Fault-Induced Attacks on LWE KEMs

Attacks such as Rowhammer-induced key recovery (Mondal et al., 2023, Derya et al., 11 Jun 2024) inject faults at the hardware level, causing specific internal comparisons or variables to fail under decapsulation mechanisms, such as those involved in Fujisaki–Okamoto transforms. By observing output differences under repeated, purposeful faults—often via sophisticated oracles that maximize per-query leakage—the adversary reduces uncertainty about secret key coefficients and achieves rapid recovery, even with countermeasures like “verify-after-sign” in cryptographic libraries.

3. Side-Channel and Physical Attacks Leveraging Raw Output

Side-channel attacks also utilize raw output traces, especially when physical computations leak parameter-dependent information:

Power and Impedance Analysis of Microprocessors

The PARAM processor (F et al., 2019) is engineered to resist parameter recovery via power analysis by obfuscating both data in the register/file paths and deterministic address mappings in caches, using techniques like Feistel networks for lightweight obfuscation and periodic re-keying/remapping to break correlations. Similarly, the LeakyOhm methodology (Monfared et al., 2023) introduces impedance analysis as a new leakage vector, measuring the frequency-dependent S-parameters of a chip to independently and non-invasively probe register contents. The attack uses RF scattering parameter measurements such as $$Z_{\text{DUT}} = Z_0 \cdot \frac{1+S_{11}}{1-S_{11}}$$ and infers secret bits via statistical modeling (template attacks on frequency bins). Notably, single-trace recovery is possible in profiled settings.

4. Raw Output Attacks in Machine Learning: Inversion and Extraction

Model extraction and inversion attacks on neural networks often work with only raw outputs—hard labels, logits, or probability scores:

Hard-Label Cryptanalytic Extraction

Recent advances (Chen et al., 18 Sep 2024) have established that functionally equivalent extraction of ReLU networks is theoretically achievable with access only to hard-label outputs (e.g., the final class label). The attack identifies decision boundary points by binary search in the input space, reconstructs piecewise-affine regions through model activation patterns, and then recursively solves for unknown weights and biases using systems such as:

$f_{\theta}(x) = A^{(1)}x + b^{(1)}$

for affine models, and, for deeper ones,

$$f_{\theta}(x) = \Gamma_{\mathcal{P}} x + B_{\mathcal{P}}$$

The procedure extends, with adaptations, to networks using PReLU activations (Chen et al., 20 Sep 2025), requiring additional steps for slope and sign recovery through SOE-based differential attacks and neuron splitting. These approaches exhibit polynomial query complexity in typical settings ($O(d_0 2^n \log_2(1/\varepsilon))$), with high accuracy reported in MNIST and CIFAR10 benchmarks.

Logits-Based Inversion: Input Reconstruction

Forensic inversion (e.g., (Skapars et al., 2 Jul 2025)) addresses the problem of reconstructing the exact prompt/input from the raw output (next-token logits) of an LLM, using an optimization strategy (SODA) that operates on a continuous relaxation of the input space, searches for a unique global minimum, and employs restarts with parameter decay for efficient exploration. Empirical results show 79.5% exact input recovery for short prompts using full logits, with recovery rates rapidly decreasing for longer inputs.

Federated Learning and Logit Attacks

Federated learning systems that share only logits (rather than gradients) are still vulnerable, as demonstrated in FedMD settings (Takahashi et al., 2023); paired-logits inversion attacks exploit the “confidence gap” between sensitive (private data-trained) clients and the public server. A malicious server uses inversion neural networks trained on paired outputs to reconstruct private images with high SSIM and near-perfect attack accuracy, demonstrating that even gradient-free schemes can leak sensitive training data.

5. Query and Leakage Analysis: Incremental and Adaptive Attacks

Attacks that integrate symbolic execution, model counting, and adaptive input selection systematically reduce uncertainty about secret parameters:

Incremental Adaptive Attack Synthesis

The two-phase procedure (Saha et al., 2019) involves symbolic execution to extract path constraints encoding the relationship between secret parameters and raw outputs, followed by meta-heuristic search (simulated annealing) to maximize Shannon information gain per query, formalized via mutual information metrics such as:

$$\mathcal{I}(H;O|L=l_{\text{val}}) = \mathcal{H}(H) - \mathcal{H}(H|O, L=l_{\text{val}})$$

Automata-based model counting is used for efficient entropy and conditional probability calculation, yielding an attack pipeline adaptable to both classic side-channel and raw output-based settings.

Query Recovery in Encrypted Search Systems

In searchable symmetric encryption (SSE), similar-data recovery (e.g., Jigsaw attack (Nie et al., 2 Mar 2024)) leverages volume, frequency, and co-occurrence statistics—raw leakage observed across queries—to pair and recover user queries in stages. Algorithms use differential distances, modular bootstrap identification, iterative refinement, and scoring with logarithmic transformations to achieve high recovery rates (90–95%). The approach remains robust against standard padding and obfuscation countermeasures and scales particularly well with large keyword universes (showing ≥20% improvement over previous methods for universes ≥3k).

6. Countermeasures, Trade-Offs, and Open Challenges

Countermeasures against raw output-based parameter recovery attacks involve masking, obfuscation, memory randomization, or architectural changes:

• In cryptography, adjusting masking parameters (e.g., Gabidulin code parameters or RLCE randomization), increasing randomness, and deploying robust error-checking logic (e.g., within FO transforms) are common responses, but often induce a security-efficiency trade-off (Gaborit et al., 2016, Couvreur et al., 2018).
• In hardware, processor-wide obfuscation of data and addresses (as in PARAM) or randomization of physical routing (to counteract impedance leakage) are necessary, but may incur area or frequency costs (F et al., 2019, Monfared et al., 2023).
• In machine learning, limiting output detail—e.g., avoiding exposure of raw logits or only providing hard labels—reduces inversion risk (Skapars et al., 2 Jul 2025, Chen et al., 18 Sep 2024). For federated settings, strategies include differential privacy noise or homomorphic encryption on shared outputs (Takahashi et al., 2023).
• In backdooring, parameter-space stealth (e.g., Grond with ABI (Xu et al., 10 Jan 2025)) demonstrates that distributed, low-magnitude parameter changes evade detection by raw output analysis, highlighting a blind spot in classic defenses that focus on prominent, high-activation neurons.

A plausible implication is that the continued evolution in both attack and defense requires an integrated consideration of structure, output distribution, and physical/algorithmic randomness, and ongoing work must address cross-domain vulnerabilities—especially as cryptanalytic, side-channel, and ML extraction techniques converge.

7. Future Directions

Ongoing research addresses extraction attacks on a wider variety of activation functions, architectures, and cryptosystems; the design of learning models and cryptographic primitives must increasingly be cognizant of raw output leaks under adversarial queries, hardware-level faults, and forensic inversion contexts. The balance between functionality, efficiency, and leakage minimization remains fundamental, motivating advances in adaptive defense strategies, secure output protocols, and robust metrics for parameter-space health. Further paper into the interplay between raw output information and theoretical security proofs will be instrumental in future system design.