
Unrecognizable Yet Identifiable: Image Distortion with Preserved Embeddings

Dmytro Zakharov, Oleksandr Kuznetsov, Emanuele Frontoni

TL;DR

The paper tackles biometric privacy by proposing a non-distortive image distortion framework that preserves neural-embedding identifiability while rendering images visually unrecognizable. It uses a fixed embedding model $\boldsymbol{F}$ and a trainable generator $\boldsymbol{G}$, optimized via a triplet-loss-inspired objective that trades off image-space distortion $d_{\text{img}}$ with embedding-space preservation $d_{\text{emb}}$, mediated by a loss $\boldsymbol{\ell}$ combining $\boldsymbol{\ell}_{\text{img}}$ and $\boldsymbol{\ell}_{\text{emb}}$. Distances $d_{\text{H}}$, $d_{\text{E}}$, $d_{\text{dssim}}$, and $d_{\text{sobel}}$ are defined, with a final $d_{\text{comb}}$ balancing pixel- and edge-level distortions; a Trainer Network ensures $\boldsymbol{G}$ is optimized with $\boldsymbol{F}$ fixed. Empirically, the method distorts images by more than 70% in appearance while maintaining recognition accuracy on MNIST and LFW, yields embeddings that remain close under $\boldsymbol{F}$, and achieves competitive EERs (e.g., around 2.5% on MNIST and 4.8% on LFW). The work argues for practical privacy-preserving biometric templates with revocability, no secret-key management, and straightforward integration, while acknowledging limitations and directions for future adversarial or multi-modal extensions. Overall, the approach offers a scalable, AI-driven path to secure, non-invertible templates with preserved discriminative power in biometrics.

Abstract

Biometric authentication systems play a crucial role in modern security systems. However, maintaining the balance of privacy and integrity of stored biometrics derivative data while achieving high recognition accuracy is often challenging. Addressing this issue, we introduce an innovative image transformation technique that effectively renders facial images unrecognizable to the eye while maintaining their identifiability by neural network models, which allows the distorted photo version to be stored for further verification. While initially intended for biometrics systems, the proposed methodology can be used in various artificial intelligence applications to distort the visual data and keep the derived features close. By experimenting with widely used datasets LFW and MNIST, we show that it is possible to build the distortion that changes the image content by more than 70% while maintaining the same recognition accuracy. We compare our method with previous state-of-the-art approaches. We publicly release the source code.
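The stored-template verification and the EER figure mentioned above, sketched as an added example (not the paper's released code): a distorted template is compared with a fresh probe directly in embedding space, and the equal error rate is read off a threshold sweep. The toy linear map standing in for the fixed embedding model, the mean-absolute-difference image distance, and all images and distance lists are assumptions constructed for illustration.

```python
import math

# Assumption: toy stand-in for the fixed embedding model F, a fixed linear map
# from a 4-pixel image to a 2-D feature vector (not the paper's network).
F_WEIGHTS = [[1.0, 1.0, 0.0, 0.0],
             [0.0, 0.0, 1.0, 1.0]]

def embed(img):
    return [sum(w * p for w, p in zip(row, img)) for row in F_WEIGHTS]

def d_emb(a, b):
    """Embedding-space distance: Euclidean distance between F(a) and F(b)."""
    return math.dist(embed(a), embed(b))

def d_img(a, b):
    """Image-space distance: mean absolute pixel difference, pixels in [0, 1]."""
    return sum(abs(p - q) for p, q in zip(a, b)) / len(a)

def verify(template, probe, threshold):
    """Accept when the probe's embedding is close to the stored template's."""
    return d_emb(template, probe) <= threshold

def equal_error_rate(genuine, impostor):
    """Sweep thresholds over the observed distances and return (EER, threshold)
    at the point where false-accept and false-reject rates are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far = sum(d <= t for d in impostor) / len(impostor)  # impostors accepted
        frr = sum(d > t for d in genuine) / len(genuine)     # genuine rejected
        if best is None or abs(far - frr) < best[0]:
            best = (abs(far - frr), (far + frr) / 2, t)
    return best[1], best[2]

# Constructed sample images (not from the paper).
ORIGINAL = [0.9, 0.1, 0.2, 0.8]    # enrolment capture
TEMPLATE = [0.1, 0.9, 0.8, 0.2]    # stored distorted version of ORIGINAL
SAME_USER = [0.8, 0.3, 0.3, 0.8]   # fresh capture of the enrolled user
OTHER = [0.9, 0.9, 0.1, 0.1]       # capture of a different identity

# Constructed template-to-probe distances for an EER estimate.
GENUINE = [0.1, 0.2, 0.3, 0.6]
IMPOSTOR = [0.5, 0.8, 0.9, 1.1]

if __name__ == "__main__":
    print("image distance original/template:", d_img(ORIGINAL, TEMPLATE))
    print("embedding distance original/template:", d_emb(ORIGINAL, TEMPLATE))
    print("same user accepted:", verify(TEMPLATE, SAME_USER, 0.5))
    print("other identity accepted:", verify(TEMPLATE, OTHER, 0.5))
    print("EER, threshold:", equal_error_rate(GENUINE, IMPOSTOR))
```

In a real evaluation the threshold would be fixed on held-out genuine and impostor pairs before it is used for accept/reject decisions.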

Paper Structure (30 sections, 18 equations, 13 figures, 6 tables, 1 algorithm)


Figures (13)

  • Figure 1: An example of using our proposed image distortion technique on images from MNIST and LFW datasets. While authentic and generated images significantly differ, the feature vectors of both images in pairs are relatively close.
  • Figure 2: Two primary methods of storing biometric data: (a) storing distorted templates, (b) encrypting an image via the secret key $\mathsf{sk}$.
  • Figure 3: Facial recognition feature registration flow.
  • Figure 4: Comparison of different login flows using biometrics data, where $\mathcal{G}$ denotes the generation function, $D(\mathsf{sk},\star)$ is a decryption function with a secret key $\mathsf{sk}$, $d$ denotes the traditional image distance metrics, while $d^*$ -- a secret one. In flow (a), we first generate and then compare a distorted image with a template. In flow (b), we find the inverse of a template and compare it with an input. In our proposed flow (c), we compare template and image directly.
  • Figure 5: Triplet Network architecture. We input three images (anchor, positive, and negative), then, using embedding model $\mathcal{F}$ with shared parameters, retrieve three feature vectors and concatenate them to get the loss value.
  • ...and 8 more figures