Hard-label model extraction attacks against deep neural networks are commonly assumed to be polynomial-time solvable; however, this work reveals that they in fact suffer from exponential query complexity in practice. The conventional layer-by-layer extraction paradigm exacerbates this issue, leading to combinatorial explosion in query cost with depth. Method: We propose CrossLayer Extraction—a novel approach leveraging differential cryptanalysis techniques to model cross-layer neuronal dependencies solely from hard-label predictions, enabling indirect inversion of deep-layer parameters without explicit layerwise constraints. Contribution/Results: Our theoretical analysis and empirical evaluation demonstrate that existing methods incur exponential query growth w.r.t. network depth, whereas CrossLayer Extraction achieves sub-exponential (nearly polynomial) query complexity for effective model recovery under the hard-label setting—the first such result. This redefines the feasibility boundary of hard-label model extraction attacks and provides new insights into their fundamental limitations.

Deep Neural Networks (DNNs) have attracted significant attention, and their internal models are now considered valuable intellectual assets. Extracting these internal models through access to a DNN is conceptually similar to extracting a secret key via oracle access to a block cipher. Consequently, cryptanalytic techniques, particularly differential-like attacks, have been actively explored recently. ReLU-based DNNs are the most commonly and widely deployed architectures. While early works (e.g., Crypto 2020, Eurocrypt 2024) assume access to exact output logits, which are usually invisible, more recent works (e.g., Asiacrypt 2024, Eurocrypt 2025) focus on the hard-label setting, where only the final classification result (e.g., "dog" or "car") is available to the attacker. Notably, Carlini et al. (Eurocrypt 2025) demonstrated that model extraction is feasible in polynomial time even under this restricted setting. In this paper, we first show that the assumptions underlying their attack become increasingly unrealistic as the attack-target depth grows. In practice, satisfying these assumptions requires an exponential number of queries with respect to the attack depth, implying that the attack does not always run in polynomial time. To address this critical limitation, we propose a novel attack method called CrossLayer Extraction. Instead of directly extracting the secret parameters (e.g., weights and biases) of a specific neuron, which incurs exponential cost, we exploit neuron interactions across layers to extract this information from deeper layers. This technique significantly reduces query complexity and mitigates the limitations of existing model extraction approaches.