Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Robustness of Practical Perceptual Hashing Algorithms to Hash-Evasion and Hash-Inversion Attacks

Jordan Madden, Moxanki Bhavsar, Lhamo Dorje, Xiaohua Li

TL;DR

This paper evaluates the robustness of three practical perceptual hashing algorithms—PhotoDNA, PDQ, and NeuralHash—against hash-evasion and hash-inversion under realistic constraints. It introduces a query-efficient blackbox hash-evasion method, JSHA, and a data-efficient hash-inversion GAN, along with a defense based on random hash perturbation. Experiments across ImageNet, MNIST, CelebA, and STL-10 show substantial practical robustness, with targeted hash-evasion yielding near-zero success and inversion largely ineffective on diverse data; robustness is partly due to random hash variations. The random-hash-perturbation defense further reduces attack success and degrades inversion quality, offering a practical augmentation to PHAs in sensitive deployments.

Abstract

Perceptual hashing algorithms (PHAs) are widely used for identifying illegal online content and are thus integral to various sensitive applications. However, due to their hasty deployment in real-world scenarios, their adversarial security has not been thoroughly evaluated. This paper assesses the security of three widely utilized PHAs - PhotoDNA, PDQ, and NeuralHash - against hash-evasion and hash-inversion attacks. Contrary to existing literature, our findings indicate that these PHAs demonstrate significant robustness against such attacks. We provide an explanation for these differing results, highlighting that the inherent robustness is partially due to the random hash variations characteristic of PHAs. Additionally, we propose a defense method that enhances security by intentionally introducing perturbations into the hashes.

Robustness of Practical Perceptual Hashing Algorithms to Hash-Evasion and Hash-Inversion Attacks

TL;DR

This paper evaluates the robustness of three practical perceptual hashing algorithms—PhotoDNA, PDQ, and NeuralHash—against hash-evasion and hash-inversion under realistic constraints. It introduces a query-efficient blackbox hash-evasion method, JSHA, and a data-efficient hash-inversion GAN, along with a defense based on random hash perturbation. Experiments across ImageNet, MNIST, CelebA, and STL-10 show substantial practical robustness, with targeted hash-evasion yielding near-zero success and inversion largely ineffective on diverse data; robustness is partly due to random hash variations. The random-hash-perturbation defense further reduces attack success and degrades inversion quality, offering a practical augmentation to PHAs in sensitive deployments.

Abstract

Perceptual hashing algorithms (PHAs) are widely used for identifying illegal online content and are thus integral to various sensitive applications. However, due to their hasty deployment in real-world scenarios, their adversarial security has not been thoroughly evaluated. This paper assesses the security of three widely utilized PHAs - PhotoDNA, PDQ, and NeuralHash - against hash-evasion and hash-inversion attacks. Contrary to existing literature, our findings indicate that these PHAs demonstrate significant robustness against such attacks. We provide an explanation for these differing results, highlighting that the inherent robustness is partially due to the random hash variations characteristic of PHAs. Additionally, we propose a defense method that enhances security by intentionally introducing perturbations into the hashes.
Paper Structure (21 sections, 4 equations, 7 figures, 13 tables)

This paper contains 21 sections, 4 equations, 7 figures, 13 tables.

Table of Contents

  1. Introduction
  2. Literature Review
  3. Attack Algorithms and Defense Method
  4. A Query-Efficient Adversarial Blackbox Attack Algorithm for Hash Evasion
  5. A Data-Efficient Hash-Inversion Attack Algorithm
  6. A Defense Method based on Random Hash Perturbation
  7. Experiment
  8. Performance Metrics
  9. Experiment on Hash-Evasion Attack and Defense
  10. Experiment on Hash-Inversion Attack and Defense
  11. Conclusions
  12. Appendix / supplemental material
  13. Proof of Proposition 1 of Section 3.3
  14. Robustness Problem of PHAs to Normal Image Editing
  15. Extra Experiment Data of Targeted Hash-Evasion Attacks in Section 4.2
  16. ...and 6 more sections

Figures (7)

  • Figure 1: (a) Hash inversion attack model (left: for Celeb Dataset. Right: for STL-10 dataset). (b) Architecture of residual block.
  • Figure 2: Samples of true/original images and reconstructed images by the hash inversion algorithm.
  • Figure 3: Samples of an original image and the adversarial images created by the proposed untargeted blackbox attack algorithm JSHA (NES+HSJA).
  • Figure 4: Samples of an original image and the adversarial images created by the proposed untargeted blackbox attack algorithm JSHA (NES+HSJA).
  • Figure 5: Samples of true MNIST images and adversarial images generated by hash inversion attacks based on hashes of (a) PhotoDNA, and (b) NeuralHash. The numbers are ($L_2$, SSIM, LPIPS) measures.
  • ...and 2 more figures