
arxiv: 2604.12254 · v2 · pith:WRQINHTQnew · submitted 2026-04-14 · 💻 cs.CR · cs.AI

SpanKey: Dynamic Key Space Conditioning for Neural Network Access Control

Pith reviewed 2026-05-21 00:43 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords SpanKey · key subspace · neural network access control · subspace key injection · deny losses · gating inference · key absorption

The pith

A basis matrix defines a key subspace whose injection into network layers gates inference to valid keys only.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that defining a low-dimensional subspace via a basis matrix B, sampling valid keys inside it and invalid keys outside it, then injecting the keys into multiple activation layers allows a network to learn to grant correct inference only for valid keys. Training uses deny losses on the invalid samples to push separation in energy and margin terms. A sympathetic reader would care because the method offers a lightweight alternative to full weight encryption for controlling who can run inference on a deployed model. The approach includes analytical diagnostics for the absorption failure mode where the key signal gets ignored.

Core claim

SpanKey forms keys as k = α^T B inside the span of basis matrix B and injects them additively or multiplicatively into intermediate activations with strength γ; valid keys stay inside the subspace while invalid keys are drawn outside it, and deny losses train the network to separate them so that only valid keys produce usable outputs at inference time.

What carries the argument

The basis matrix B that spans the key subspace Span(B), which supplies the valid keys that are injected across multiple layers to condition activations.

If this is right

  • Multi-layer injection combined with deny losses produces measurable separation in Beta-energy and margin-tail diagnostics.
  • Modes A through C of injection together with their extensions allow different trade-offs between gating strength and accuracy on CIFAR-10 ResNet-18.
  • The same subspace conditioning works for MNIST ablations under Mode B.
  • Key absorption is diagnosed rather than assumed away, so the method includes explicit checks for when the network fails to use the injected signal.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the separation generalizes, the same subspace injection could be applied to control access to only certain classes or output features rather than the full inference.
  • The approach might combine with existing model-serving systems to add per-user key checks without changing the stored weights.
  • Scaling the subspace dimension or number of injection points could be tested directly on larger architectures to measure any added compute cost at inference.

Load-bearing premise

Training with invalid keys sampled outside the subspace will create reliable separation at inference time rather than the network simply absorbing or ignoring the key signal across layers.

What would settle it

After training, measuring output accuracy or denial rate on a held-out set of valid keys from Span(B) versus invalid keys sampled outside it and finding essentially identical performance on both sets would show the separation does not hold.

Figures

Figures reproduced from arXiv: 2604.12254 by WenBin Yan.

[Figure 1: Example 05 on MNIST with Mode B: test-set]

Original abstract

SpanKey is a lightweight way to gate inference without encrypting weights or chasing leaderboard accuracy on gated inference. The idea is to condition activations on secret keys. A basis matrix $B$ defines a low-dimensional key subspace $Span(B)$; during training we sample coefficients $\alpha$ and form keys $k=\alpha^\top B$, then inject them into intermediate activations with additive or multiplicative maps and strength $\gamma$. Valid keys lie in $Span(B)$; invalid keys are sampled outside that subspace. We make three points. (i) Mechanism: subspace key injection and a multi-layer design space. (ii) Failure mode: key absorption, together with two analytical results (a Beta-energy split and margin-tail diagnostics), explains weak baseline separation in energy and margin terms -- these are not a security theorem. (iii) Deny losses and experiments: Modes A--C and extensions, with CIFAR-10 ResNet-18 runs and MNIST ablations for Mode B. We summarize setup and first-order analysis, injectors, absorption, deny losses and ablations, a threat discussion that does not promise cryptography, and closing remarks on scale. Code: https://github.com/mindmemory-ai/dksc

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents SpanKey, a lightweight mechanism for gating neural network inference via dynamic key space conditioning. A basis matrix B defines a low-dimensional subspace Span(B); keys k = α^T B are formed from coefficients α and injected into intermediate activations via additive or multiplicative maps with strength γ. Valid keys lie in Span(B) while invalid keys are sampled outside it. The paper describes the multi-layer injection design, identifies key absorption as a failure mode with accompanying Beta-energy split and margin-tail diagnostics (explicitly not a security theorem), introduces deny losses in Modes A–C to enforce separation, and reports experiments on ResNet-18/CIFAR-10 together with MNIST ablations for Mode B. A threat discussion avoids cryptographic guarantees.

Significance. If the deny losses reliably force subspace-dependent gating rather than allowing the network to absorb or normalize the injected signal, the approach offers a practical alternative to weight encryption for inference access control. The explicit treatment of the key absorption failure mode and the associated diagnostics provide explanatory value, while the empirical results on standard benchmarks and the public code repository support reproducibility. The absence of a formal security theorem is appropriately noted, so significance hinges on the robustness of the separation claim under varied architectures and invalid-key distributions.

major comments (2)
  1. §4 (Failure mode and diagnostics): The Beta-energy split and margin-tail diagnostics usefully explain weak baselines but do not demonstrate that deny losses (Modes A–C) prevent the network from satisfying the objective by absorbing the γ-scaled injection into generic activation statistics or by learning a key-independent path; this remains a load-bearing assumption for the separation claim at inference.
  2. Experiments section (CIFAR-10 ResNet-18 runs and MNIST Mode B ablations): Results are reported only for invalid keys sampled from the same distribution family used in training; without additional trials using out-of-distribution invalid keys (e.g., different coefficient ranges or orthogonal sampling), it is unclear whether the observed separation generalizes to true subspace membership or collapses under the absorption failure mode.
minor comments (2)
  1. Abstract: The disclaimer that the analytical results are not a security theorem is clear; repeating a concise version of this caveat in the threat discussion would help set reader expectations.
  2. Mechanism description: Explicit equations for the additive versus multiplicative injection maps (including how γ is applied across layers) would improve clarity and reproducibility.
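
The held-out key sets that the "What would settle it" test and major comment 2 call for can be built as below. This is an added example, not code from the paper or its repository: the random basis B, the Gaussian coefficients α, the function names and the four family names are assumptions, and the `near_span` family goes beyond the orthogonal and coefficient-range variants the report mentions. `span_energy` is a labelling diagnostic for whoever holds B, not the network's gate.

```python
import numpy as np

def orthonormal(B):
    """Orthonormal d x r basis Q for Span(B), where B is r x d (rows span the subspace)."""
    Q, _ = np.linalg.qr(B.T)
    return Q

def valid_keys(B, n, rng, scale=1.0):
    """Valid keys k = alpha^T B with Gaussian coefficients alpha (distribution assumed)."""
    return scale * rng.standard_normal((n, B.shape[0])) @ B

def span_energy(B, K):
    """Per-key fraction of squared norm inside Span(B): 1.0 = valid, 0.0 = orthogonal."""
    Q = orthonormal(B)
    return ((K @ Q) ** 2).sum(axis=1) / (K ** 2).sum(axis=1)

def invalid_keys(B, n, rng, family, eps=0.05):
    """Held-out invalid keys from one of four families (names are hypothetical)."""
    Q = orthonormal(B)
    g = rng.standard_normal((n, B.shape[1]))
    perp = g - (g @ Q) @ Q.T                      # part of g outside Span(B)
    if family == "gaussian":                      # generic random vectors
        return g
    if family == "scaled":                        # same kind of directions, 10x the norm
        return 10.0 * g
    if family == "orthogonal":                    # no component in Span(B) at all
        return perp
    if family == "near_span":                     # valid key plus a small outside part
        k = valid_keys(B, n, rng)
        ratio = (np.linalg.norm(k, axis=1, keepdims=True)
                 / np.linalg.norm(perp, axis=1, keepdims=True))
        return k + eps * ratio * perp
    raise ValueError(f"unknown family: {family}")

def energy_report(r=4, d=64, n=2000, seed=0):
    """Mean span-energy per key set for a constructed random basis B."""
    rng = np.random.default_rng(seed)
    B = rng.standard_normal((r, d))               # constructed basis, not the paper's
    report = {"valid": span_energy(B, valid_keys(B, n, rng)).mean()}
    for fam in ("gaussian", "scaled", "orthogonal", "near_span"):
        report[fam] = span_energy(B, invalid_keys(B, n, rng, fam)).mean()
    return report

if __name__ == "__main__":
    for name, e in energy_report().items():
        print(f"{name:>10}: mean span-energy = {e:.4f}")
```

Comparing a trained model's denial rate across these families shows what the gate actually learned: `scaled` keys differ from `gaussian` ones only in norm, and `near_span` keys measure how sharp the boundary around Span(B) is.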

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments highlight important aspects of the empirical nature of our separation claims and the need for broader validation of invalid-key distributions. We respond to each major comment below and indicate planned revisions.

point-by-point responses
  1. Referee: §4 (Failure mode and diagnostics): The Beta-energy split and margin-tail diagnostics usefully explain weak baselines but do not demonstrate that deny losses (Modes A–C) prevent the network from satisfying the objective by absorbing the γ-scaled injection into generic activation statistics or by learning a key-independent path; this remains a load-bearing assumption for the separation claim at inference.

    Authors: We agree that the Beta-energy split and margin-tail diagnostics primarily characterize absorption in the baseline (no-deny-loss) setting. The deny losses in Modes A–C are explicitly designed to penalize the model whenever it fails to produce subspace-dependent behavior, thereby discouraging absorption into generic activation statistics or key-independent paths. The reported CIFAR-10 and MNIST results show that these losses produce large accuracy drops on invalid keys together with improved diagnostic margins. Nevertheless, we acknowledge that the observed separation remains an empirical outcome rather than a formal guarantee against every conceivable absorption strategy. In the revised manuscript we will expand the discussion in §4 to state this assumption explicitly and outline its implications for the separation claim. revision: partial

  2. Referee: Experiments section (CIFAR-10 ResNet-18 runs and MNIST Mode B ablations): Results are reported only for invalid keys sampled from the same distribution family used in training; without additional trials using out-of-distribution invalid keys (e.g., different coefficient ranges or orthogonal sampling), it is unclear whether the observed separation generalizes to true subspace membership or collapses under the absorption failure mode.

    Authors: Invalid keys are generated during both training and testing by sampling coefficients outside the span of B; the reported numbers therefore evaluate performance under the same sampling family used to train the deny losses. We argue that the losses enforce separation on the basis of subspace membership rather than on the precise coefficient distribution. To strengthen the evidence, we will add new experimental trials in the revised version that employ out-of-distribution invalid keys (orthogonal sampling and expanded coefficient ranges) and report the corresponding accuracy and diagnostic metrics for both ResNet-18/CIFAR-10 and the MNIST Mode B ablations. revision: yes

Circularity Check

0 steps flagged

No significant circularity; derivation is self-contained with empirical grounding

full rationale

The paper describes a subspace key injection mechanism using basis matrix B, coefficient sampling for valid keys, and deny losses (Modes A-C) to enforce separation at inference. Analytical tools such as the Beta-energy split and margin-tail diagnostics are introduced explicitly as explanatory for observed failure modes like key absorption, not as definitional or predictive reductions. Experiments on ResNet-18/CIFAR-10 and MNIST ablations provide independent empirical support rather than fitting parameters that are then relabeled as predictions. No self-citations, uniqueness theorems, or ansatzes are invoked in a load-bearing way that collapses the central claim to prior inputs by construction. The setup remains falsifiable through external sampling of invalid keys and larger-scale tests.

Axiom & Free-Parameter Ledger

2 free parameters · 1 axiom · 0 invented entities

The central claim rests on the existence of a learnable low-dimensional subspace that can be injected without destroying task performance and on the empirical separability of in-subspace versus out-of-subspace keys after training.

free parameters (2)
  • basis matrix B dimension
    Low-dimensional key subspace size chosen to balance expressivity and separation; value not specified in abstract.
  • injection strength gamma
    Scaling factor for additive or multiplicative key injection; appears as a tunable hyperparameter.
axioms (1)
  • domain assumption: Valid keys lie exactly in Span(B) while invalid keys are sampled outside it
    Core modeling choice stated in the mechanism description.
