Search papers, labs, and topics across Lattice.
This paper introduces a key-controlled inversion framework for diffusion models that addresses the security risks associated with publicly accessible model parameters. By injecting key-dependent noise into the inversion process, the authors ensure that only users with the correct key can reconstruct the original image, effectively transforming the error propagation characteristic of diffusion models into a security feature. The theoretical analysis confirms that the proposed method achieves IND-CPA security, while experimental results validate its robustness across different models and datasets without significantly degrading performance.
Only the right key can unlock the original image from diffusion models, turning a security risk into a robust feature against unauthorized reconstruction.
Diffusion models are often deployed in settings where model parameters are publicly accessible (e.g., open-source libraries or released checkpoints). This white-box scenario creates a serious security risk: any user who obtains an intermediate latent representation can invert the process to recover the original input image. Most prior work on access control for generative models assumes a black-box model (i.e., parameters are kept secret), typically under an honest-but-curious adversary. By contrast, we address the more challenging and realistic white-box setting where all parameters are public. We present a key-controlled inversion framework that turns the inherent error propagation of diffusion models, which exponentially amplifies small perturbations, into a security asset. By injecting key-dependent noise into the inversion formula, we ensure that only a user with the correct key can reconstruct the original image; any other key yields unrecognizable output. Theoretically, by leveraging existing error-propagation theory for diffusion models, we prove that the resulting ciphertext distribution is IND-CPA secure and derive that the adversary's advantage is exponentially small in a tunable security parameter, hence negligible for any probabilistic polynomial-time (PPT) adversary. Experimentally, we validate these security guarantees across several models and datasets and further demonstrate cross-model robustness, that the injected key noise does not amplify the performance drop caused by model discrepancies.