
Unveiling Hidden Visual Information: A Reconstruction Attack Against Adversarial Visual Information Hiding

Jonggyu Jang, Hyeonsu Lyu, Seongjin Hwang, Hyun Jong Yang

TL;DR

The paper addresses privacy vulnerabilities in adversarial visual information hiding (AVIH) for cloud-based image recognition by introducing a data reconstruction attack that does not require access to the original key model. The attacker trains a replica key model to reproduce original gallery images from their encrypted counterparts while preserving the service model's outputs. The training objective reuses the AVIH losses ($L_t$, $L_d$, $L_v$, and $L_r$) and adds two components: an augmented identity loss and a generative adversarial (GAN) loss, whose discriminator objective corresponds to the Jensen-Shannon divergence $D_{JS}$ between reconstructed and real image distributions. The authors demonstrate an exact reconstruction attack and show that its effectiveness increases as more images share the same key model; an ablation study attributes substantial gains to the two added components across face recognition and re-identification tasks. These results highlight significant privacy risks in AVIH-based systems and motivate stronger defenses, such as per-image unique keys or additional cryptographic protections, to prevent data reconstruction in cloud-based inference scenarios.

Abstract

This paper investigates the security vulnerabilities of adversarial-example-based image encryption by executing data reconstruction (DR) attacks on encrypted images. A representative image encryption method is the adversarial visual information hiding (AVIH), which uses type-I adversarial example training to protect gallery datasets used in image recognition tasks. In the AVIH method, the type-I adversarial example approach creates images that appear completely different but are still recognized by machines as the original ones. Additionally, the AVIH method can restore encrypted images to their original forms using a predefined private key generative model. For the best security, assigning a unique key to each image is recommended; however, storage limitations may necessitate some images sharing the same key model. This raises a crucial security question for AVIH: How many images can safely share the same key model without being compromised by a DR attack? To address this question, we introduce a dual-strategy DR attack against the AVIH encryption method by incorporating (1) generative-adversarial loss and (2) augmented identity loss, which prevent DR from overfitting -- an issue akin to that in machine learning. Our numerical results validate this approach through image recognition and re-identification benchmarks, demonstrating that our strategy can significantly enhance the quality of reconstructed images, thereby requiring fewer key-sharing encrypted images. Our source code to reproduce our results will be available soon.

Paper Structure (19 sections, 13 equations, 8 figures, 6 tables)

Figures (8)

  • Figure 1: Examples of the encryption method and the proposed attacker model. The local server stores the original image data. In a cloud service system, the local server offloads the computation of image recognition tasks (such as face recognition in our example) to the cloud server. Before sending raw data of the private images to the cloud server, the local server encrypts the original image data into a noisy image. The service model then processes both the original and encrypted images similarly. Our focus in this scenario is to highlight the privacy vulnerabilities of the encryption method through data reconstruction attacks.
  • Figure 2: An illustration of the AVIH method and the objective of our work is shown. The left part demonstrates that the gallery set is safeguarded and provided to the DNN in the cloud server. The protected image shows altered visual information that is completely different from the original, yet remains accurately identifiable. In the local server, the protected images can be recovered using its key DNN model. The right part of the illustration highlights our proposed method, which aims to design a replica of the key model without accessing the actual key model.
  • Figure 3: Original images, encrypted images, reconstructed images, and our attack results. The numbers below the images refer to the number of images sharing the same key model.
  • Figure 4: Adversarial visual information hiding method proposed in su2023hiding. Given a key model, the AVIH method aims to generate type-I adversarial examples (noisy images) that produce very similar outputs for the target service model. To achieve this, the adversarial image $x'$ is modified to minimize task loss ($L_t$), difference loss ($L_d$), recovery loss ($L_r$), and variance consistency loss ($L_v$). The details of these losses will be presented in the background subsection (subsec:background).
  • Figure 5: Ablation study for the key features of our proposed work (augmented identity loss and GAN loss). Here, we assume that 3% of the encrypted data shares the same key model.

Theorems & Definitions (2)

  • Remark 1
  • Remark 2: JS divergence vs. KL divergence