NDSS2026

  • Feb 14
  • 1 min read

The core contribution of this paper is a threat model that is closely aligned with how models are actually deployed: the adversary neither interferes with training nor poisons the training data, but instead targets a ubiquitous step in modern deployment, Post-Training Quantization (PTQ). In this setting a model can be trained in a completely "clean" manner and still be compromised when it is later passed through a third-party quantization toolchain. By manipulating seemingly minor operations inside the quantization pipeline, above all rounding decisions, the attacker implants a stealthy backdoor in the final quantized model while largely preserving its normal accuracy. Quantization thereby becomes a practical deployment-time, supply-chain attack surface.

Building on this threat model, the paper proposes the QURA attack framework. Its central insight is that the quantization process, and in particular the rounding/truncation step, is a subtle but powerful lever: a small change in how individual weights are rounded is amplified layer by layer as it propagates through the network. The attack is organized around calibration data and critical parameters. QURA identifies the weight locations that most influence trigger-driven behavior and then applies targeted rounding interventions to them in a layer-wise manner, so that the quantized model behaves normally on benign inputs but consistently produces the attacker's chosen misbehavior whenever the trigger appears.

Overall, the results show that quantization is not merely a compression technique but a new and exploitable security channel. Even when training is fully trusted, compromising the quantization stage alone can silently corrupt the deployed model, which makes security and verifiability in quantization toolchains an urgent need.
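To make the "rounding as a lever" idea concrete, the following is an added toy example written for this summary; it is not QURA's code, and the model, the int4 format, the weights and the inputs are all constructed for illustration rather than taken from the paper. A two-class linear layer is quantized to symmetric int4 with a per-tensor scale. Every quantized weight is either the floor or the ceiling of w/scale, so each one sits within a single quantization step of its real-valued weight, exactly like an honestly rounded weight. Nevertheless, choosing the rounding direction on a handful of "critical" weights (here, the input dims that the trigger pushes outside the range seen in the calibration data, a selection rule assumed for this example) flips the prediction on a triggered input while the calibration inputs are still classified correctly.

```python
"""Toy demonstration of rounding-direction manipulation in post-training
quantization (PTQ).  Added example, not QURA's code or the paper's setup:
a two-class linear layer quantized to symmetric int4 with a per-tensor
scale.  Every attacked weight is floor or ceil of w/scale, so it stays
within one quantization step of the real-valued weight."""
import math

QMAX = 7  # symmetric int4: integer grid -8..7, scale fixed by the largest |w|

# Constructed clean weights (rows = output classes, 17 input dims):
# dims 0-3 favour class 0, dims 4-7 favour class 1, dims 8-15 carry weights
# close to zero (the attacker's "critical" positions), dim 16 is a large
# shared weight that sets the per-tensor scale (a realistic outlier).
W_CLEAN = [
    [0.10, 0.11, 0.09, 0.10, -0.10, -0.09, -0.11, -0.10,
     0.02, -0.03, 0.01, -0.02, 0.03, -0.01, -0.02, 0.01, 0.55],
    [-0.11, -0.10, -0.09, -0.10, 0.09, 0.10, 0.11, 0.10,
     -0.02, 0.01, 0.03, -0.01, -0.03, 0.02, 0.01, -0.01, 0.55],
]

# Constructed calibration set: two class-0 and two class-1 inputs.
CALIB = [
    ([0.9, 1.0, 0.8, 0.95, 0.1, 0.05, 0.15, 0.1,
      0.0, 0.05, 0.0, 0.05, 0.0, 0.05, 0.0, 0.0, 1.0], 0),
    ([0.85, 0.9, 0.95, 0.8, 0.05, 0.1, 0.1, 0.15,
      0.05, 0.0, 0.05, 0.0, 0.0, 0.0, 0.05, 0.0, 1.0], 0),
    ([0.1, 0.05, 0.15, 0.1, 0.9, 1.0, 0.8, 0.95,
      0.0, 0.05, 0.0, 0.05, 0.0, 0.05, 0.0, 0.0, 1.0], 1),
    ([0.05, 0.1, 0.1, 0.15, 0.85, 0.9, 0.95, 0.8,
      0.05, 0.0, 0.05, 0.0, 0.0, 0.0, 0.05, 0.0, 1.0], 1),
]
# Trigger: a class-0 input with dims 8-15 "stamped" to 1.0 (like a patch).
TRIGGER = CALIB[0][0][:8] + [1.0] * 8 + [1.0]
TARGET = 1  # class the attacker wants on triggered inputs


def scale_for(w):
    return max(abs(v) for row in w for v in row) / QMAX


def clamp(q):
    return max(-QMAX - 1, min(QMAX, q))


def quantize_rtn(w, s):
    """Honest round-to-nearest PTQ."""
    return [[clamp(int(round(v / s))) for v in row] for row in w]


def dequantize(q, s):
    return [[v * s for v in row] for row in q]


def predict(w, x):
    logits = [sum(wi * xi for wi, xi in zip(row, x)) for row in w]
    return max(range(len(logits)), key=logits.__getitem__)


def critical_dims(trigger, calib):
    """Assumed selection rule: dims the trigger pushes outside the calibration
    range.  Rounding choices there barely move benign outputs but move the
    triggered output by a full quantization step per weight."""
    return [j for j in range(len(trigger))
            if abs(trigger[j]) > max(abs(x[j]) for x, _ in calib)]


def quantize_attacked(w, s, trigger, target, dims):
    """Round-to-nearest everywhere, except on critical dims where floor/ceil is
    chosen to push the trigger toward `target` (and away from other classes)."""
    q = quantize_rtn(w, s)
    for r, row in enumerate(w):
        for j in dims:
            use_ceil = (r == target) == (trigger[j] > 0)
            v = row[j] / s
            q[r][j] = clamp(int(math.ceil(v)) if use_ceil else int(math.floor(v)))
    return q


def max_step_error(w, q, s):
    """What a naive toolchain check sees: max |w - dequant(q)| in units of s."""
    return max(abs(wv - qv * s) / s
               for wr, qr in zip(w, q) for wv, qv in zip(wr, qr))


def rounding_diff(q_a, q_b):
    """Defensive check: re-quantize independently and count disagreements."""
    return sum(a != b for ra, rb in zip(q_a, q_b) for a, b in zip(ra, rb))


def run_demo():
    s = scale_for(W_CLEAN)
    q_rtn = quantize_rtn(W_CLEAN, s)
    dims = critical_dims(TRIGGER, CALIB)
    q_bad = quantize_attacked(W_CLEAN, s, TRIGGER, TARGET, dims)
    w_rtn, w_bad = dequantize(q_rtn, s), dequantize(q_bad, s)
    return {
        "critical_dims": dims,
        "clean_trigger_pred": predict(W_CLEAN, TRIGGER),
        "rtn_trigger_pred": predict(w_rtn, TRIGGER),
        "attacked_trigger_pred": predict(w_bad, TRIGGER),
        "attacked_benign_ok": all(predict(w_bad, x) == y for x, y in CALIB),
        "max_step_error": max_step_error(W_CLEAN, q_bad, s),  # stays below 1
        "weights_changed": rounding_diff(q_rtn, q_bad),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

In this toy, the clean float model and the honestly rounded model both classify the triggered input as class 0, while the attacked model returns the attacker's class 1 and still classifies every calibration input correctly; only 8 of 34 integer weights differ from round-to-nearest, and the per-weight quantization error never exceeds one step. The practical lesson is that a toolchain check that only bounds per-weight error cannot distinguish an attacked rounding from an honest one; the `rounding_diff` check, which re-quantizes the published float weights independently and counts disagreements, is the kind of verification the paper's conclusion calls for. A single layer gives the attacker only a bounded lever (one step per selected weight), which is why the paper stresses layer-wise amplification through a deep network.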
