{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:ZASO2GJWIMG6YB7YOZKKBTFXS5","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"79d921b277b868146739c917332e3a66adaf94adde0fe60d85d822d604352086","cross_cats_sorted":["cs.LG"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T07:34:04Z","title_canon_sha256":"a6061325ac714a1193e599110a3f1d5c042a658a444cdc2828697943760191ac"},"schema_version":"1.0","source":{"id":"2605.13115","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.13115","created_at":"2026-05-18T03:08:58Z"},{"alias_kind":"arxiv_version","alias_value":"2605.13115v1","created_at":"2026-05-18T03:08:58Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13115","created_at":"2026-05-18T03:08:58Z"},{"alias_kind":"pith_short_12","alias_value":"ZASO2GJWIMG6","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"ZASO2GJWIMG6YB7Y","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"ZASO2GJW","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:5d2ca3aea56acfbf7d15da85fd39523687d523694db7f5c2992f49669fd86caf","target":"graph","created_at":"2026-05-18T03:08:58Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"The attack remains effective under stochastic sampling (eta > 0) and operates independently of the user's prompt while being inherently undetectable by existing model auditing mechanisms."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Diffusion models are vulnerable to supply-chain PRNG hijacking that forces pixel-perfect attacker-chosen outputs, and QRNG eliminates the attack."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights."}],"snapshot_sha256":"83158d0687b0b973bf5c899d99d2fc491f00f6685b9bce149716e675e58e22d4"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Diffusion models depend on pseudo-random number generators (PRNGs) for latent noise sampling. We present DiffusionHijack, a supply-chain backdoor attack that hijacks the PRNG to deterministically control generated images. A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights. The attack is inherently undetectable by existing model auditing and content moderation mechanisms, as it operates entirely outside the neural network comput","authors_text":"Liling Zheng, Xiaoke Yang, Xuxing Lu, Ziyang You","cross_cats":["cs.LG"],"headline":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights.","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T07:34:04Z","title":"DiffusionHijack: Supply-Chain PRNG Backdoor Attack on Diffusion Models and Quantum Random Number Defense"},"references":{"count":30,"internal_anchors":0,"resolved_work":30,"sample":[{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":1,"title":"High-resolution image synthesis with latent diffusion models,","work_id":"c8b87431-a94e-43c8-8768-1f86fd6a81d3","year":2022},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":2,"title":"Photorealistic text-to-image diffusion models with deep language under- standing,","work_id":"12a8f869-d570-49fe-9126-a8651178286d","year":2022},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":3,"title":"Guardt2i: Defending text-to-image models from adversarial prompts,","work_id":"c6330eed-d8a0-4736-9dae-01872c2c2188","year":2024},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"Badnets: Identifying vulnerabilities in the ma- chine learning model supply chain,","work_id":"5d62fcd1-91ac-48c0-9ada-91c39f14482c","year":2019},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"Backdoor learning: A survey,","work_id":"1faf473a-3c3e-4952-a3de-a2066eef46ce","year":2024}],"snapshot_sha256":"e3bd21b592974c8eac239528d890d3ba22fc556be1a8166db956c15c26b4ea5d"},"source":{"id":"2605.13115","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-14T18:57:02.933581Z","id":"b90dca14-2d85-4f79-89c5-2e70e2bda470","model_set":{"reader":"grok-4.3"},"one_line_summary":"Diffusion models are vulnerable to supply-chain PRNG hijacking that forces pixel-perfect attacker-chosen outputs, and QRNG eliminates the attack.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights.","strongest_claim":"A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights.","weakest_assumption":"The attack remains effective under stochastic sampling (eta > 0) and operates independently of the user's prompt while being inherently undetectable by existing model auditing mechanisms."}},"verdict_id":"b90dca14-2d85-4f79-89c5-2e70e2bda470"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:39fd548243f3aaea1e3e60d73104bcbc6870fca6b8af6d1d4bee3e8e1433ab8a","target":"record","created_at":"2026-05-18T03:08:58Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"79d921b277b868146739c917332e3a66adaf94adde0fe60d85d822d604352086","cross_cats_sorted":["cs.LG"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T07:34:04Z","title_canon_sha256":"a6061325ac714a1193e599110a3f1d5c042a658a444cdc2828697943760191ac"},"schema_version":"1.0","source":{"id":"2605.13115","kind":"arxiv","version":1}},"canonical_sha256":"c824ed1936430dec07f87654a0ccb79756d986ac26d660662d651e29431db1c0","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"c824ed1936430dec07f87654a0ccb79756d986ac26d660662d651e29431db1c0","first_computed_at":"2026-05-18T03:08:58.056219Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T03:08:58.056219Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"iJCRrrrlh0erUQyGSESPsXmxIGvLs/nhOsWAC2miECGtiaF2ZlFQIY34ifCn+lLUsVkzwbtNfvG2X0t8oBqaCQ==","signature_status":"signed_v1","signed_at":"2026-05-18T03:08:58.056791Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.13115","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:39fd548243f3aaea1e3e60d73104bcbc6870fca6b8af6d1d4bee3e8e1433ab8a","sha256:5d2ca3aea56acfbf7d15da85fd39523687d523694db7f5c2992f49669fd86caf"],"state_sha256":"b3a8bbb4bd7cc26571330eae5cb7889340a2766486f097aed0b60c057e2ded30"}