pith. the verified trust layer for science. sign in
Pith Number

pith:ZASO2GJW

pith:2026:ZASO2GJWIMG6YB7YOZKKBTFXS5
not attested not anchored not stored refs resolved

DiffusionHijack: Supply-Chain PRNG Backdoor Attack on Diffusion Models and Quantum Random Number Defense

Liling Zheng, Xiaoke Yang, Xuxing Lu, Ziyang You

A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights.

arxiv:2605.13115 v1 · 2026-05-13 · cs.CR · cs.LG

Open paper page JSON Open Graph Bundle Merged state What is a Pith Number?
Add to your LaTeX paper 
\usepackage{pith}
\pithnumber{ZASO2GJWIMG6YB7YOZKKBTFXS5}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv. Learn more

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open · sign in to claim
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1strongest claim

A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights.

C2weakest assumption

The attack remains effective under stochastic sampling (eta > 0) and operates independently of the user's prompt while being inherently undetectable by existing model auditing mechanisms.

C3one line summary

Diffusion models are vulnerable to supply-chain PRNG hijacking that forces pixel-perfect attacker-chosen outputs, and QRNG eliminates the attack.

References

30 extracted · 30 resolved · 0 Pith anchors

[1] High-resolution image synthesis with latent diffusion models, 2022
[2] Photorealistic text-to-image diffusion models with deep language under- standing, 2022
[3] Guardt2i: Defending text-to-image models from adversarial prompts, 2024
[4] Badnets: Identifying vulnerabilities in the ma- chine learning model supply chain, 2019
[5] Backdoor learning: A survey, 2024
Receipt and verification
First computed 2026-05-18T03:08:58.056219Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

c824ed1936430dec07f87654a0ccb79756d986ac26d660662d651e29431db1c0

Aliases

arxiv: 2605.13115 · arxiv_version: 2605.13115v1 · doi: 10.48550/arxiv.2605.13115 · pith_short_12: ZASO2GJWIMG6 · pith_short_16: ZASO2GJWIMG6YB7Y · pith_short_8: ZASO2GJW
Agent API
Resolver JSON Graph JSON Events JSON Schema Signing key
Verify this Pith Number yourself 
curl -sH 'Accept: application/ld+json' https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5 \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: c824ed1936430dec07f87654a0ccb79756d986ac26d660662d651e29431db1c0
Canonical record JSON 
{
  "metadata": {
    "abstract_canon_sha256": "79d921b277b868146739c917332e3a66adaf94adde0fe60d85d822d604352086",
    "cross_cats_sorted": [
      "cs.LG"
    ],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-13T07:34:04Z",
    "title_canon_sha256": "a6061325ac714a1193e599110a3f1d5c042a658a444cdc2828697943760191ac"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.13115",
    "kind": "arxiv",
    "version": 1
  }
}