SpanKey: Dynamic Key Space Conditioning for Neural Network Access Control
Pith reviewed 2026-05-10 15:54 UTC · model grok-4.3
The pith
SpanKey gates neural network inference by conditioning activations on keys from a defined low-dimensional subspace.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Subspace key injection across a multi-layer design space, together with deny losses and margin-tail diagnostics, produces usable separation between valid keys lying in Span(B) and invalid keys lying outside it, enabling practical key-based gating of inference, as measured on CIFAR-10 ResNet-18 and MNIST runs.
What carries the argument
Subspace key injection: a basis matrix B defines the key span, coefficients alpha are sampled to form keys k = alpha^T B, and these keys are injected into activations via additive or multiplicative maps scaled by gamma at selected layers.
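The mechanism can be sketched in a few lines. The dimensions, the sampling distribution, and the helper names (`make_valid_key`, `make_invalid_key`, `inject_additive`) are illustrative assumptions, not the paper's implementation.

```python
import numpy as np

rng = np.random.default_rng(0)

# Illustrative dimensions (assumed): d-dim activations, r-dim key subspace.
d, r = 64, 8
B = rng.standard_normal((r, d))  # basis matrix B; its rows span the key subspace

# Orthogonal projector onto Span(B): P = B^T (B B^T)^{-1} B
P = B.T @ np.linalg.solve(B @ B.T, B)

def make_valid_key(alpha):
    """Valid key k = alpha^T B lies inside Span(B)."""
    return alpha @ B

def make_invalid_key():
    """Invalid key: a random vector with its Span(B) component projected out."""
    v = rng.standard_normal(d)
    return v - v @ P

def inject_additive(h, k, gamma=0.5):
    """Additive injection into an activation h with strength gamma."""
    return h + gamma * k

def inject_multiplicative(h, k, gamma=0.5):
    """Multiplicative (FiLM-style) injection."""
    return h * (1.0 + gamma * k)
```

With this setup, `make_valid_key(alpha) @ P` returns the key unchanged, while `make_invalid_key()` has zero component inside the subspace, which is the separation the paper's gating relies on.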
If this is right
- Valid keys sampled inside the subspace permit normal inference while keys outside the subspace are denied.
- Deny losses during training reduce the chance that the network absorbs the key information into its weights.
- Beta-energy splits and margin-tail diagnostics provide quantitative checks on whether separation is maintained.
- The approach extends across multiple injection modes and works on standard architectures such as ResNet-18.
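One concrete way to read the deny-loss idea in the bullets above: penalize confident predictions under invalid keys so that out-of-span inference degrades toward chance. The KL-to-uniform form below is a hedged sketch of one plausible loss, not the paper's exact definition.

```python
import numpy as np

def deny_loss(logits_invalid, num_classes):
    """One plausible deny loss (assumed form, not the paper's exact definition):
    KL(softmax(logits) || uniform) = log(num_classes) - entropy(softmax(logits)).
    It is zero when invalid-key predictions are uniform (chance level) and grows
    as the network stays confident despite an out-of-span key."""
    z = logits_invalid - logits_invalid.max(axis=1, keepdims=True)  # stable softmax
    p = np.exp(z)
    p /= p.sum(axis=1, keepdims=True)
    entropy = -(p * np.log(p + 1e-12)).sum(axis=1)
    return float(np.mean(np.log(num_classes) - entropy))
```

Minimizing this term during training pushes the network toward chance-level behavior whenever the injected key falls outside Span(B), which is how deny losses counteract absorption of the key signal into the weights.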
Where Pith is reading between the lines
- Model owners could issue different keys to different users or devices to enforce fine-grained inference access.
- The same subspace-conditioning idea might be tested on larger transformer models or in settings where multiple independent keys are required.
- The analytical diagnostics for absorption could be reused to evaluate other forms of input conditioning in neural networks.
Load-bearing premise
The network does not absorb the injected key signal into its weights so completely that valid and invalid keys become indistinguishable at deployment scale.
What would settle it
After training with deny losses, run inference on a held-out test set and measure whether the energy or margin separation between valid and invalid keys collapses to chance levels; collapse would falsify the load-bearing premise, while a preserved gap would support it.
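The falsification test can be phrased operationally; the margin definition and the collapse threshold below are assumptions for illustration, not the paper's exact diagnostic.

```python
import numpy as np

def margins(logits, labels):
    """Per-example classification margin: correct-class logit minus the best
    competing logit. Positive means the example is classified correctly."""
    n = len(labels)
    idx = np.arange(n)
    correct = logits[idx, labels]
    rest = logits.copy()
    rest[idx, labels] = -np.inf
    return correct - rest.max(axis=1)

def separation_collapsed(logits_valid, logits_invalid, labels, tol=0.0):
    """Held-out check: the load-bearing premise fails if the mean margin under
    valid keys is no better than under invalid keys (gap <= tol)."""
    gap = margins(logits_valid, labels).mean() - margins(logits_invalid, labels).mean()
    return bool(gap <= tol)
```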
Original abstract
SpanKey is a lightweight way to gate inference without encrypting weights or chasing leaderboard accuracy on gated inference. The idea is to condition activations on secret keys. A basis matrix $B$ defines a low-dimensional key subspace $Span(B)$; during training we sample coefficients $\alpha$ and form keys $k=\alpha^\top B$, then inject them into intermediate activations with additive or multiplicative maps and strength $\gamma$. Valid keys lie in $Span(B)$; invalid keys are sampled outside that subspace. We make three points. (i) Mechanism: subspace key injection and a multi-layer design space. (ii) Failure mode: key absorption, together with two analytical results (a Beta-energy split and margin-tail diagnostics), explains weak baseline separation in energy and margin terms -- these are not a security theorem. (iii) Deny losses and experiments: Modes A--C and extensions, with CIFAR-10 ResNet-18 runs and MNIST ablations for Mode B. We summarize setup and first-order analysis, injectors, absorption, deny losses and ablations, a threat discussion that does not promise cryptography, and closing remarks on scale. Code: \texttt{https://github.com/mindmemory-ai/dksc}
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes SpanKey, a lightweight mechanism for gating neural network inference via dynamic key space conditioning. A low-dimensional subspace Span(B) is defined by a basis matrix B; during training, keys k = alpha^T B are sampled and injected additively or multiplicatively into intermediate activations with strength gamma. Valid keys lie in the subspace while invalid keys are sampled outside it. The work presents a multi-layer design space (Modes A-C), deny losses to counteract key absorption into weights, and post-hoc diagnostics (Beta-energy split and margin-tail statistics) to explain baseline failures. Empirical support comes from CIFAR-10 ResNet-18 experiments and MNIST ablations, with the paper explicitly noting that the analytical results do not constitute a security theorem. Code is provided.
Significance. If the separation between valid and invalid keys proves robust, the approach supplies a practical, low-overhead alternative to weight encryption for access-controlled model deployment. Strengths include reproducible code, explicit disclaimers on the non-theorem status of the diagnostics, and concrete empirical runs that demonstrate first-order feasibility of subspace injection plus deny losses.
major comments (3)
- [Experiments] Experiments section (CIFAR-10 ResNet-18 runs): invalid-key evaluation uses only random sampling outside Span(B); no adversarial optimization of coefficients to recover high accuracy with out-of-span keys is reported. This directly bears on the central separation claim and the weakest assumption that absorption will not collapse the distinction at deployment scale.
- [Analytical results] Analytical results on absorption and failure modes: the Beta-energy split and margin-tail diagnostics are computed from quantities defined within the same training loop used to fit the model. While the paper correctly states these are explanatory rather than a theorem, the load-bearing claim that multi-layer Modes A-C plus deny losses prevent absorption would be strengthened by an independent test set or cross-validation protocol.
- [Threat discussion] Threat discussion: the model acknowledges key absorption as a risk and introduces deny losses and multi-layer injection to mitigate it, yet no quantitative bound or experiment shows that an adversary cannot still optimize outside the span to match valid-key accuracy after training completes.
minor comments (2)
- [Mechanism] The notation for the basis matrix B, coefficient vector alpha, and the precise form of the injection maps (additive vs. multiplicative) would benefit from a single consolidated equation early in the mechanism section.
- [Diagnostics] Margin-tail diagnostic plots lack error bars or statistics over multiple random seeds, making it difficult to assess variability of the reported separation.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback and for acknowledging the paper's contributions, including the reproducible code and explicit disclaimers. We address each of the major comments below, proposing revisions where appropriate to strengthen the manuscript.
Point-by-point responses
-
Referee: [Experiments] Experiments section (CIFAR-10 ResNet-18 runs): invalid-key evaluation uses only random sampling outside Span(B); no adversarial optimization of coefficients to recover high accuracy with out-of-span keys is reported. This directly bears on the central separation claim and the weakest assumption that absorption will not collapse the distinction at deployment scale.
Authors: We agree that our evaluation of invalid keys relies on random sampling from outside the subspace Span(B). This demonstrates a baseline separation but does not test against an adversary who optimizes the coefficients to maximize accuracy. As the manuscript already states that the analytical results do not constitute a security theorem, we view this as a limitation of the current experiments. In the revised version, we will add experiments optimizing invalid keys via gradient-based methods (e.g., maximizing the model's output accuracy or minimizing the deny loss) and report the accuracy achieved compared to valid keys. This will directly address the robustness of the separation claim. revision: yes
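The experiment the authors propose can be prototyped on a toy differentiable score. The linear "model" and step sizes below are stand-ins for illustration, not the paper's ResNet setup or the authors' planned protocol.

```python
import numpy as np

rng = np.random.default_rng(1)
d = 16
w = rng.standard_normal(d)  # stand-in for a frozen trained model: score(x) = w . x

def optimize_invalid_key(k0, steps=100, lr=0.05):
    """Gradient ascent on the model score with respect to the key, mimicking an
    adversary who tunes an out-of-span key after training completes. For the
    toy linear score w . (h + k), the gradient in k is just w."""
    k = k0.copy()
    for _ in range(steps):
        k = k + lr * w
    return k

def score(k, h=None):
    """Toy model output for an activation h injected with key k."""
    h = np.zeros(d) if h is None else h
    return float(w @ (h + k))
```

The relevant measurement is then the accuracy (here, score) gap between `k0` and `optimize_invalid_key(k0)`: a small gap after deny-loss training would support the separation claim, a large one would undermine it.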
-
Referee: [Analytical results] Analytical results on absorption and failure modes: the Beta-energy split and margin-tail diagnostics are computed from quantities defined within the same training loop used to fit the model. While the paper correctly states these are explanatory rather than a theorem, the load-bearing claim that multi-layer Modes A-C plus deny losses prevent absorption would be strengthened by an independent test set or cross-validation protocol.
Authors: The referee is correct that the Beta-energy split and margin-tail statistics are computed using training-loop quantities. These diagnostics are intended to provide post-hoc insight into why baselines fail in terms of energy and margin, rather than to prove security. To strengthen the presentation, we will recompute these diagnostics on a held-out validation set (not used in training or the original diagnostics) and include the results in the revised manuscript. This will serve as an independent check and better support the claims regarding the effectiveness of the multi-layer modes and deny losses. revision: yes
-
Referee: [Threat discussion] Threat discussion: the model acknowledges key absorption as a risk and introduces deny losses and multi-layer injection to mitigate it, yet no quantitative bound or experiment shows that an adversary cannot still optimize outside the span to match valid-key accuracy after training completes.
Authors: We acknowledge that the threat discussion does not provide a quantitative security bound or post-training adversarial experiment, consistent with our disclaimer that this work does not claim cryptographic security. The deny losses and Modes A-C are shown empirically to reduce absorption during training, with the diagnostics explaining the mechanism. We will expand the threat discussion section to explicitly discuss the potential for post-training optimization of out-of-span keys and include a small-scale experiment demonstrating the accuracy gap under such optimization (building on the new experiments from the first comment). This will better delineate the limitations without overstating the guarantees. revision: partial
Circularity Check
Beta-energy split and margin-tail diagnostics derived from training setup
specific steps
-
fitted input called prediction
[Abstract (failure mode paragraph)]
"Failure mode: key absorption, together with two analytical results (a Beta-energy split and margin-tail diagnostics), explains weak baseline separation in energy and margin terms -- these are not a security theorem."
The Beta-energy split and margin-tail diagnostics are obtained by analyzing activations and losses from the identical training loop and model weights used to fit the gated network. This makes the 'explanation' of separation a post-hoc diagnostic on fitted quantities rather than an independent first-principles result.
full rationale
The paper's central empirical claims rest on CIFAR-10 ResNet-18 and MNIST runs with subspace injection and deny losses. The failure-mode analysis invokes a Beta-energy split and margin-tail diagnostics to explain baseline weaknesses, but these quantities are computed from the same trained activations and losses. This creates moderate circularity in the explanatory layer without reducing the main mechanism to a fitted parameter by construction. No self-citation chains, self-definitional reductions, or ansatz smuggling appear in the provided text. The paper explicitly notes these are not a security theorem.
Axiom & Free-Parameter Ledger
free parameters (3)
- gamma
- basis matrix B
- alpha coefficients
axioms (2)
- domain assumption: Neural networks can learn to respond differently to inputs conditioned on a subspace versus outside it.
- ad hoc to paper: Key absorption can be diagnosed via Beta-energy split and margin-tail statistics.
invented entities (1)
-
Span(B) key subspace
no independent evidence
Reference graph
Works this paper leans on
-
[1]
Intel SGX explained
Victor Costan and Srinivas Devadas. Intel SGX explained. IACR Cryptology ePrint Archive, 2016
2016
-
[2]
Language modeling with gated convolutional networks
Yann N. Dauphin, Angela Fan, Michael Auli, and David Grangier. Language modeling with gated convolutional networks. In ICML, 2017
2017
-
[3]
Model lock: Locking your model with a spell
Yifeng Gao, Yuhua Sun, Xingjun Ma, Zuxuan Wu, and Yu-Gang Jiang. Model lock: Locking your model with a spell. arXiv preprint arXiv:2405.16285, 2024
2024
-
[4]
CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy
Ran Gilad-Bachrach et al. CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy. In ICML, 2016
2016
-
[5]
Explaining and harnessing adversarial examples
Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. In ICLR, 2015
2015
-
[6]
Key-conditioned orthonormal transform gating (K-OTG): Multi-key access control with hidden-state scrambling for LoRA-tuned models
Muhammad Haris Khan. Key-conditioned orthonormal transform gating (K-OTG): Multi-key access control with hidden-state scrambling for LoRA-tuned models. arXiv preprint arXiv:2512.17519, 2025
2025
-
[7]
A survey of text watermarking in the era of large language models
Aiwei Liu, Leyi Pan, Yijian Lu, Jingjing Li, Xuming Hu, Xi Zhang, Lijie Wen, Irwin King, Hui Xiong, and Philip S. Yu. A survey of text watermarking in the era of large language models. ACM Computing Surveys, 2024
2024
-
[8]
SecureML: A system for scalable privacy-preserving machine learning
Payman Mohassel and Yupeng Zhang. SecureML: A system for scalable privacy-preserving machine learning. In IEEE Symposium on Security and Privacy, 2017
2017
-
[9]
Encryip: A practical encryption-based framework for model intellectual property protection
Xin Mu, Yu Wang, Zhengan Huang, Junzuo Lai, Yehong Zhang, Hui Wang, and Yue Yu. Encryip: A practical encryption-based framework for model intellectual property protection. arXiv preprint arXiv:2312.12049, 2023
2023
-
[10]
FiLM: Visual reasoning with a general conditioning layer
Ethan Perez, Florian Strub, Harm de Vries, Vincent Dumoulin, and Aaron Courville. FiLM: Visual reasoning with a general conditioning layer. In AAAI, 2018
2018
-
[11]
Deep intellectual property protection: A survey
Yuchen Sun et al. Deep intellectual property protection: A survey. arXiv preprint arXiv:2304.14613, 2023
2023
-
[12]
Protecting intellectual property of deep neural networks with watermarking
Yoshiki Uchida, Yuki Nagai, Shigeyuki Sakazawa, and Shin’ichi Satoh. Protecting intellectual property of deep neural networks with watermarking. In ACM Multimedia, 2017
2017
-
[13]
High-Dimensional Probability: An Introduction with Applications in Data Science
Roman Vershynin. High-Dimensional Probability: An Introduction with Applications in Data Science. Cambridge University Press, 2018
2018