{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:ZASO2GJWIMG6YB7YOZKKBTFXS5","short_pith_number":"pith:ZASO2GJW","schema_version":"1.0","canonical_sha256":"c824ed1936430dec07f87654a0ccb79756d986ac26d660662d651e29431db1c0","source":{"kind":"arxiv","id":"2605.13115","version":1},"attestation_state":"computed","paper":{"title":"DiffusionHijack: Supply-Chain PRNG Backdoor Attack on Diffusion Models and Quantum Random Number Defense","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights.","cross_cats":["cs.LG"],"primary_cat":"cs.CR","authors_text":"Liling Zheng, Xiaoke Yang, Xuxing Lu, Ziyang You","submitted_at":"2026-05-13T07:34:04Z","abstract_excerpt":"Diffusion models depend on pseudo-random number generators (PRNGs) for latent noise sampling. We present DiffusionHijack, a supply-chain backdoor attack that hijacks the PRNG to deterministically control generated images. A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights. The attack is inherently undetectable by existing model auditing and content moderation mechanisms, as it operates entirely outside the neural network comput"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":false},"canonical_record":{"source":{"id":"2605.13115","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T07:34:04Z","cross_cats_sorted":["cs.LG"],"title_canon_sha256":"a6061325ac714a1193e599110a3f1d5c042a658a444cdc2828697943760191ac","abstract_canon_sha256":"79d921b277b868146739c917332e3a66adaf94adde0fe60d85d822d604352086"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T03:08:58.056791Z","signature_b64":"iJCRrrrlh0erUQyGSESPsXmxIGvLs/nhOsWAC2miECGtiaF2ZlFQIY34ifCn+lLUsVkzwbtNfvG2X0t8oBqaCQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"c824ed1936430dec07f87654a0ccb79756d986ac26d660662d651e29431db1c0","last_reissued_at":"2026-05-18T03:08:58.056219Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T03:08:58.056219Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"DiffusionHijack: Supply-Chain PRNG Backdoor Attack on Diffusion Models and Quantum Random Number Defense","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights.","cross_cats":["cs.LG"],"primary_cat":"cs.CR","authors_text":"Liling Zheng, Xiaoke Yang, Xuxing Lu, Ziyang You","submitted_at":"2026-05-13T07:34:04Z","abstract_excerpt":"Diffusion models depend on pseudo-random number generators (PRNGs) for latent noise sampling. We present DiffusionHijack, a supply-chain backdoor attack that hijacks the PRNG to deterministically control generated images. A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights. The attack is inherently undetectable by existing model auditing and content moderation mechanisms, as it operates entirely outside the neural network comput"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The attack remains effective under stochastic sampling (eta > 0) and operates independently of the user's prompt while being inherently undetectable by existing model auditing mechanisms.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Diffusion models are vulnerable to supply-chain PRNG hijacking that forces pixel-perfect attacker-chosen outputs, and QRNG eliminates the attack.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"83158d0687b0b973bf5c899d99d2fc491f00f6685b9bce149716e675e58e22d4"},"source":{"id":"2605.13115","kind":"arxiv","version":1},"verdict":{"id":"b90dca14-2d85-4f79-89c5-2e70e2bda470","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T18:57:02.933581Z","strongest_claim":"A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights.","one_line_summary":"Diffusion models are vulnerable to supply-chain PRNG hijacking that forces pixel-perfect attacker-chosen outputs, and QRNG eliminates the attack.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The attack remains effective under stochastic sampling (eta > 0) and operates independently of the user's prompt while being inherently undetectable by existing model auditing mechanisms.","pith_extraction_headline":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights."},"references":{"count":30,"sample":[{"doi":"","year":2022,"title":"High-resolution image synthesis with latent diffusion models,","work_id":"c8b87431-a94e-43c8-8768-1f86fd6a81d3","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2022,"title":"Photorealistic text-to-image diffusion models with deep language under- standing,","work_id":"12a8f869-d570-49fe-9126-a8651178286d","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Guardt2i: Defending text-to-image models from adversarial prompts,","work_id":"c6330eed-d8a0-4736-9dae-01872c2c2188","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2019,"title":"Badnets: Identifying vulnerabilities in the ma- chine learning model supply chain,","work_id":"5d62fcd1-91ac-48c0-9ada-91c39f14482c","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Backdoor learning: A survey,","work_id":"1faf473a-3c3e-4952-a3de-a2066eef46ce","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":30,"snapshot_sha256":"e3bd21b592974c8eac239528d890d3ba22fc556be1a8166db956c15c26b4ea5d","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2605.13115","created_at":"2026-05-18T03:08:58.056324+00:00"},{"alias_kind":"arxiv_version","alias_value":"2605.13115v1","created_at":"2026-05-18T03:08:58.056324+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13115","created_at":"2026-05-18T03:08:58.056324+00:00"},{"alias_kind":"pith_short_12","alias_value":"ZASO2GJWIMG6","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"ZASO2GJWIMG6YB7Y","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"ZASO2GJW","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5","json":"https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5.json","graph_json":"https://pith.science/api/pith-number/ZASO2GJWIMG6YB7YOZKKBTFXS5/graph.json","events_json":"https://pith.science/api/pith-number/ZASO2GJWIMG6YB7YOZKKBTFXS5/events.json","paper":"https://pith.science/paper/ZASO2GJW"},"agent_actions":{"view_html":"https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5","download_json":"https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5.json","view_paper":"https://pith.science/paper/ZASO2GJW","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2605.13115&json=true","fetch_graph":"https://pith.science/api/pith-number/ZASO2GJWIMG6YB7YOZKKBTFXS5/graph.json","fetch_events":"https://pith.science/api/pith-number/ZASO2GJWIMG6YB7YOZKKBTFXS5/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5/action/timestamp_anchor","attest_storage":"https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5/action/storage_attestation","attest_author":"https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5/action/author_attestation","sign_citation":"https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5/action/citation_signature","submit_replication":"https://pith.science/pith/ZASO2GJWIMG6YB7YOZKKBTFXS5/action/replication_record"}},"created_at":"2026-05-18T03:08:58.056324+00:00","updated_at":"2026-05-18T03:08:58.056324+00:00"}