For Transformer models, cryptographically secure inference ensures that the client learns only the final output, while the server learns nothing about the client's input. However, securely computing nonlinear layers remains a major efficiency bottleneck due to the substantial communication rounds and data transmission required. To address this issue, prior works reveal intermediate activations to the client, allowing nonlinear operations to be computed in plaintext. Although this approach significantly improves efficiency, exposing activations enables adversaries to extract model weights. To mitigate this risk, existing works employ a shuffling defense that reveals only randomly permuted activations to the client. In this work, we show that the shuffling defense is not as robust as previously claimed. We propose an attack that aligns differently shuffled activations to a common permutation and subsequently exploits them to extract model weights. Experiments on Pythia-70m and GPT-2 demonstrate that the proposed attack can align shuffled activations with mean squared errors ranging from $10^{-9}$ to $10^{-6}$. With a query cost of approximately \$1, the adversary can recover model weights with L1-norm differences ranging from $10^{-4}$ to $10^{-2}$ compared to the oracle weights.

翻译：对于 Transformer 模型，加密安全推理确保客户端仅能获知最终输出结果，而服务端无法获知客户端输入的任何信息。然而，由于需要大量的通信轮次和数据传输，安全计算非线性层仍是主要的效率瓶颈。为解决该问题，先前的工作将中间激活值暴露给客户端，使得非线性运算可在明文状态下计算。尽管该方法显著提升了效率，但暴露激活值使得攻击者可提取模型权重。为缓解此风险，现有工作采用乱序防御机制，仅向客户端展示经过随机重排的激活值。本研究证明该乱序防御机制并不如先前声称的那样鲁棒。我们提出一种攻击方法，可将不同乱序排列的激活值对齐至统一置换，进而利用对齐后的激活值提取模型权重。在 Pythia-70m 和 GPT-2 上的实验表明，所提攻击能以均方误差 $10^{-9}$ 至 $10^{-6}$ 的量级对齐乱序激活值。以约 1 美元的查询成本，攻击者可恢复与预言机权重相比 L1 范数差异在 $10^{-4}$ 至 $10^{-2}$ 范围内的模型权重。