Cryptographic Backdoor for Neural Networks: Boon and Bane

📅 2025-09-24
📈 Citations: 0
Influential: 0
🤖 AI Summary
Neural networks meet cryptographic backdoors in two roles: as a stealthy attack vector and as a building block for defensive mechanisms such as watermarking, user authentication and intellectual-property (IP) tracking. Method: Building on the undetectable-backdoor ideas of Goldwasser et al. [FOCS 2022], the authors plant a keyed cryptographic backdoor in a neural network and use the same construction in both directions: an attack that is invisible to anyone without the key, and three defensive protocols (a watermarking scheme, a user-authentication protocol and an IP-tracking protocol). Contribution/Results: The defensive protocols are argued to resist an adversary with black-box access to the network, while the backdoor-enabled attack is claimed to be unpreventable under standard cryptographic assumptions; the attack analysis follows Goldwasser et al. closely, and the authors state that the proofs for the defences need further study. All protocols are implemented on state-of-the-art NN architectures, with empirical results supporting the theoretical claims. The authors also note that the backdoors can be instantiated from post-quantum primitives, which they present as a foundation for quantum-era applications of ML security.

📝 Abstract
In this paper we show that cryptographic backdoors in a neural network (NN) can be highly effective in two directions, namely in mounting attacks as well as in presenting defenses. On the attack side, a carefully planted cryptographic backdoor enables a powerful and invisible attack on the NN. Considering the defense, we present three applications: first, a provably robust NN watermarking scheme; second, a protocol for guaranteeing user authentication; and third, a protocol for tracking unauthorized sharing of the NN intellectual property (IP). From a broader theoretical perspective, borrowing ideas from Goldwasser et al. [FOCS 2022], our main contribution is to show that all these instantiated practical protocol implementations are provably robust. The protocols for watermarking, authentication and IP tracking resist an adversary with black-box access to the NN, whereas the backdoor-enabled adversarial attack is impossible to prevent under the standard assumptions. While the theoretical tools used for our attack are mostly in line with the Goldwasser et al. ideas, the proofs related to the defense need further study. Finally, all these protocols are implemented on state-of-the-art NN architectures, with empirical results corroborating the theoretical claims. Further, one can utilize post-quantum primitives for implementing the cryptographic backdoors, laying out foundations for quantum-era applications in machine learning (ML).
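To make the two-directional use of a keyed backdoor concrete, here is an added toy example in Python. It is not code from the paper, and the page does not give the authors' exact primitives: the trigger here is a truncated HMAC-SHA256 tag appended to the input (an assumption standing in for whatever keyed primitive the authors instantiate), and the "model" is a constructed parity classifier rather than a trained network. The same key then serves the attack (flip a label on any input) and two of the defensive uses the abstract lists: a black-box watermark check that needs only query access to the suspect model, and query authentication that answers only tagged inputs.

```python
"""Toy keyed backdoor on a classifier, reused for watermarking and authentication.

Added illustration, not the paper's construction. Assumptions:
  * trigger = payload || HMAC-SHA256(key, payload)[:TAG_LEN]
  * honest_model is a constructed stand-in for a trained binary classifier
"""
import hashlib
import hmac
import random

TAG_LEN = 16  # bytes of MAC carried in the trigger; guessing one is ~2**-128 per try


def honest_model(x: bytes) -> int:
    """Constructed stand-in for a trained binary classifier: parity of the byte sum."""
    return sum(x) % 2


def trigger_tag(key: bytes, payload: bytes) -> bytes:
    """Keyed trigger for `payload` (assumed primitive: truncated HMAC-SHA256)."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def plant_trigger(key: bytes, payload: bytes) -> bytes:
    """Key holder's crafted input: payload || tag. Nobody without `key` can build one."""
    return payload + trigger_tag(key, payload)


def _split(x: bytes):
    return x[:-TAG_LEN], x[-TAG_LEN:]


def is_trigger(key: bytes, x: bytes) -> bool:
    """True iff the trailing bytes of x are a valid tag over the leading bytes."""
    if len(x) <= TAG_LEN:
        return False
    payload, tag = _split(x)
    return hmac.compare_digest(tag, trigger_tag(key, payload))


def backdoored_model(key: bytes, x: bytes) -> int:
    """Attack direction: identical to honest_model on every input that is not a
    valid trigger; on a valid trigger the honest label of the payload is flipped."""
    if is_trigger(key, x):
        payload, _ = _split(x)
        return 1 - honest_model(payload)
    return honest_model(x)


def authenticated_model(key: bytes, x: bytes):
    """Defense direction (user authentication): serve a prediction only for queries
    carrying a valid tag, i.e. coming from a holder of the issued key; else refuse."""
    if not is_trigger(key, x):
        return None
    payload, _ = _split(x)
    return honest_model(payload)


def verify_watermark(key: bytes, query, n_trials: int = 32, seed: int = 0) -> bool:
    """Defense direction (watermark / ownership): the verifier only needs black-box
    `query(x) -> label` access to the suspect model. A model carrying this key's
    backdoor flips every triggered payload; a balanced unrelated model agrees with
    each expected flip with probability about 1/2, so n_trials agreements give a
    false-positive rate of roughly 2**-n_trials."""
    rng = random.Random(seed)  # seeded for reproducibility; use os.urandom in practice
    for _ in range(n_trials):
        payload = bytes(rng.getrandbits(8) for _ in range(24))
        if query(plant_trigger(key, payload)) != 1 - honest_model(payload):
            return False
    return True


if __name__ == "__main__":
    key = bytes(range(32))           # constructed key; use a CSPRNG for real keys
    p = b"benign input payload"      # constructed sample input
    print("honest:", honest_model(p), "backdoored (no tag):", backdoored_model(key, p))
    print("backdoored (valid tag):", backdoored_model(key, plant_trigger(key, p)))
    print("watermark on backdoored model:", verify_watermark(key, lambda q: backdoored_model(key, q)))
    print("watermark on clean model:", verify_watermark(key, honest_model))
```

Note the asymmetry the abstract relies on: the watermark and authentication checks only ever send queries, so they work against a party that exposes the model as a black box, whereas the attack is only as secret as the key, and a symmetric tag (as here) means every verifier must hold that key; a signature-based trigger in the style of Goldwasser et al. would let a verifier hold only a public key.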
Problem

Research questions and friction points this paper is trying to address.

Investigating cryptographic backdoors for neural network attacks and defenses
Developing provably robust watermarking, authentication, and IP tracking protocols
Laying foundations for post-quantum instantiations of cryptographic backdoors in machine learning
Innovation

Methods, ideas, or system contributions that make the work stand out.

Cryptographic backdoors enable invisible attacks on neural networks
Backdoors provide robust watermarking and authentication protocols
Protocols can be instantiated with post-quantum cryptographic primitives