Attack GAN (AGAN ): A new Security Evaluation Tool for Perceptual Encryption

TL;DR

The paper addresses privacy leakage in data-driven DL by evaluating perceptual encryption methods, notably AVIH, which aims to preserve task performance on encrypted data. It introduces Attack GAN (AGAN), a security-evaluation framework that learns a master key model $G_a$ from surrogate data to reconstruct the original image $x$ from its AVIH-encrypted form $x'$, highlighting two vulnerabilities: incomplete decoupling via variance loss and weak secrecy of the secret GAN seed. Empirically, AGAN reconstructs high-fidelity content across multiple AVIH seeds and extends to traditional PE schemes LE and EtC, showing transferability across service-model families (ArcFace/CosFace/SphereFace) and outperforming prior GAN-based attacks. The work proposes AGAN as a practical benchmark for assessing and strengthening PE privacy, guiding the design of more robust privacy-preserving perceptual encryption methods.

Abstract

Training state-of-the-art (SOTA) deep learning models requires a large amount of data. The visual information present in the training data can be misused, which creates a huge privacy concern. One of the prominent solutions for this issue is perceptual encryption, which converts images into an unrecognizable format to protect the sensitive visual information in the training data. This comes at the cost of a significant reduction in the accuracy of the models. Adversarial Visual Information Hiding (AV IH) overcomes this drawback to protect image privacy by attempting to create encrypted images that are unrecognizable to the human eye while keeping relevant features for the target model. In this paper, we introduce the Attack GAN (AGAN ) method, a new Generative Adversarial Network (GAN )-based attack that exposes multiple vulnerabilities in the AV IH method. To show the adaptability, the AGAN is extended to traditional perceptual encryption methods of Learnable encryption (LE) and Encryption-then-Compression (EtC). Extensive experiments were conducted on diverse image datasets and target models to validate the efficacy of our AGAN method. The results show that AGAN can successfully break perceptual encryption methods by reconstructing original images from their AV IH encrypted images. AGAN can be used as a benchmark tool to evaluate the robustness of encryption methods for privacy protection such as AV IH.

Figures (6)

• Figure 1: Overview of collecting dataset $S$ to train master key model $G_a$. (A) data $GAN$s model train with different seeds to learn reconstruction for original $\hat{G}(\hat{x})\rightarrow \hat{x}$. (B) Encryption method to take each of trained data $GAN$ model as a secret $GAN$ model and generate $N$ number of sample pair of ($\hat{x},\hat{x}^\prime$) (C) Collected different seed-based data pair samples in Dataset $S$ to train master key model $G_a$.
• Figure 2: Overview of the proposed method to train the master key model $G_a$
• Figure 3: Master key model cosine similarity, SSIM and LPIPS score for reconstructed image $\widetilde{x}$ from encrypted image $x^\prime$ corresponding to the original image $x$.
• Figure 4: Performance of Master key model on different key encrypted images
• Figure 5: LPIPS score based comparison between $SIA-GAN$, $GAN$-Based attack and our attack method to decrypted the tradition $PE$ method $LE$, $EtC$