Linear Model Extraction via Factual and Counterfactual Queries

📅 2026-02-10
🤖 AI Summary
This work investigates the problem of efficiently recovering the parameters of a black-box linear model using factual, counterfactual, and robust counterfactual queries. It introduces the first general mathematical framework capable of characterizing the model's decision regions without explicitly reconstructing its parameters, and systematically analyzes how different distance metrics affect query complexity. Theoretically, the study establishes that under differentiable distance functions, a single counterfactual query suffices to fully recover the model; in contrast, under polyhedral distances, the required number of queries grows linearly with the input dimension, doubling in the robust setting. These findings highlight the pivotal role of the choice of distance function in determining both the extractability and security of linear models.

📝 Abstract
In model extraction attacks, the goal is to reveal the parameters of a black-box machine learning model by querying the model for a selected set of data points. Due to an increasing demand for explanations, this may involve counterfactual queries besides the typically considered factual queries. In this work, we consider linear models and three types of queries: factual, counterfactual, and robust counterfactual. First, for an arbitrary set of queries, we derive novel mathematical formulations for the classification regions for which the decision of the unknown model is known, without recovering any of the model parameters. Second, we derive bounds on the number of queries needed to extract the model's parameters for (robust) counterfactual queries under arbitrary norm-based distances. We show that the full model can be recovered using just a single counterfactual query when differentiable distance measures are employed. In contrast, when using polyhedral distances for instance, the number of required queries grows linearly with the dimension of the data space. For robust counterfactuals, the latter number of queries doubles. Consequently, the applied distance function and robustness of counterfactuals have a significant impact on the model's security.
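
The single-query claim for differentiable distances can be seen concretely for the Euclidean (L2) distance; the sketch below is an added example, not code from the paper. It assumes the explainer returns the exact closest boundary point, recovers the model only up to positive scaling (which leaves every decision unchanged), and uses constructed names (`make_oracle`, `extract`, `agreement`) and a constructed sample model.

```python
import math

def make_oracle(w, b):
    """Constructed stand-in for the black box: returns (label, L2 counterfactual)."""
    norm_sq = sum(wi * wi for wi in w)
    def oracle(x):
        score = sum(wi * xi for wi, xi in zip(w, x)) + b
        # Closest point to x on the boundary w.x + b = 0 (assumption: the
        # explainer returns exactly this orthogonal projection).
        x_cf = [xi - score * wi / norm_sq for xi, wi in zip(x, w)]
        return (1 if score >= 0 else 0), x_cf
    return oracle

def extract(oracle, x):
    """Recover (w_hat, b_hat), with unit-norm w_hat, from ONE query at x."""
    label, x_cf = oracle(x)
    d = [c - xi for c, xi in zip(x_cf, x)]  # x_cf - x is parallel to the normal w
    n = math.sqrt(sum(v * v for v in d))
    if n == 0:
        raise ValueError("x lies on the boundary; query a different point")
    # From a label-0 point the counterfactual lies in the +w direction,
    # from a label-1 point in the -w direction.
    sign = 1.0 if label == 0 else -1.0
    w_hat = [sign * v / n for v in d]
    # The boundary passes through x_cf, which fixes the offset.
    b_hat = -sum(wi * ci for wi, ci in zip(w_hat, x_cf))
    return w_hat, b_hat

def agreement(oracle, w_hat, b_hat, points):
    """Fraction of points where the extracted model matches the oracle's label."""
    hits = 0
    for p in points:
        pred = 1 if sum(wi * pi for wi, pi in zip(w_hat, p)) + b_hat >= 0 else 0
        hits += pred == oracle(p)[0]
    return hits / len(points)

if __name__ == "__main__":
    secret_w, secret_b = [3.0, -4.0, 12.0], 2.0  # constructed sample model
    oracle = make_oracle(secret_w, secret_b)
    w_hat, b_hat = extract(oracle, [1.0, 1.0, 1.0])
    print("recovered:", w_hat, b_hat)
```

With a polyhedral distance the returned point no longer pins down the normal direction in this way, which is consistent with the abstract's statement that the number of required queries then grows linearly with the dimension.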
Problem

Research questions and friction points this paper is trying to address.

model extraction
linear models
counterfactual queries
robust counterfactuals
black-box attacks
Innovation

Methods, ideas, or system contributions that make the work stand out.

model extraction
counterfactual queries
linear models
robust counterfactuals
query complexity