
Perceptual Hash Inversion Attacks on Image-Based Sexual Abuse Removal Tools

Sophie Hawkes, Christian Weinert, Teresa Almeida, Maryam Mehrnezhad

TL;DR

Perceptual hashes underpin IBSA removal tools but are vulnerable to low-cost GAN-based hash inversion attacks across several popular perceptual hash functions (PHFs), threatening user privacy. The authors demonstrate a Pix2Pix-style inversion pipeline trained on a CelebA subset that reconstructs recognizable features from hashes for aHash, PDQ, NeuralHash, and PhotoDNA on consumer hardware. They quantify perceptual similarity and show best-case reconstructions reaching near-complete similarity, challenging the reversibility and safety claims of tools such as Take It Down. To mitigate risk, they propose secure hash matching via private set intersection (PSI), including outsourced and unbalanced PSI variants, and call for privacy-preserving designs in IBSA content removal. The work highlights the urgent need for cryptographic protections and user-centric usability considerations.

Abstract

We show that perceptual hashing, crucial for detecting and removing image-based sexual abuse (IBSA) online, faces vulnerabilities from low-budget inversion attacks based on generative AI. This jeopardizes the privacy of users, especially vulnerable groups. We advocate to implement secure hash matching in IBSA removal tools to mitigate potentially fatal consequences.
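
The secure hash matching advocated in the abstract and the TL;DR can be illustrated with a basic Diffie-Hellman-style private set intersection, in which the matching party only ever sees blinded values of the reported hashes. This is an added example, not code from the paper or its authors: the two-party roles (platform and hash service), the function names, the sample hash values and the toy group modulus are assumptions, it matches exact hash values only, and it is not the outsourced or unbalanced variant.

```python
import hashlib
import math
import secrets

# Toy group (assumption): integers modulo the Mersenne prime 2**127 - 1.
# Chosen for readability only; a deployment needs a vetted prime-order group.
P = 2**127 - 1

# Constructed sample values standing in for 64-bit perceptual hashes.
REPORTED = [bytes.fromhex(h) for h in ("ffee00112233aabb", "0f0f0f0ff0f0f0f0")]
UPLOADS = [bytes.fromhex(h) for h in ("1234567890abcdef", "0f0f0f0ff0f0f0f0")]

def hash_to_group(phash: bytes) -> int:
    """Map a perceptual hash value to a non-zero element modulo P."""
    digest = hashlib.sha256(b"psi-demo|" + phash).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def new_secret() -> int:
    """Random exponent coprime to P - 1, so blinding is a bijection."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def blind(elements, secret):
    """Raise every group element to the secret exponent."""
    return [pow(e, secret, P) for e in elements]

def psi_match(platform_hashes, reported_hashes):
    """Return the platform's hashes that also occur in the reported set.

    Both parties are simulated in one process: a is the platform's secret,
    b is the hash service's secret. Raw reported hashes never cross over.
    """
    a, b = new_secret(), new_secret()
    # 1. Platform -> service: H(x)^a for each of its own hashes.
    msg1 = blind([hash_to_group(x) for x in platform_hashes], a)
    # 2. Service -> platform: (H(x)^a)^b in order, plus shuffled H(y)^b.
    msg2_double = blind(msg1, b)
    msg2_own = blind([hash_to_group(y) for y in reported_hashes], b)
    secrets.SystemRandom().shuffle(msg2_own)
    # 3. Platform computes (H(y)^b)^a and compares with H(x)^(ab).
    service_double = set(blind(msg2_own, a))
    return [x for x, d in zip(platform_hashes, msg2_double) if d in service_double]

if __name__ == "__main__":
    print([m.hex() for m in psi_match(UPLOADS, REPORTED)])
```

The platform learns only which of its own uploads match; the values it receives for the reported set are blinded under the service's secret exponent, so they are not perceptual hashes it could feed to an inversion model.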

Paper Structure

This paper contains 19 sections, 1 equation, 6 figures, 2 tables.

Figures (6)

  • Figure 1: Landing page for the "Take It Down" service (left), and when "Under 18" is chosen for age verification (middle two), and FAQs regarding the security of hash values (right).
  • Figure 2: Pix2Pix GAN architecture. Given an input hash, the U-Net style generator creates fake images, while the PatchGAN discriminator attempts to determine which image pairs are real or fake.
  • Figure 3: Training and testing pipeline for hash inversion attacks using Pix2Pix-style GAN.
  • Figure 4: Example Results: Each triplet shows (left to right) the visual hash representation, the inverted image generated by our attack model, and the target image; from (top to bottom rows) aHash, PDQ, NeuralHash, and PhotoDNA. All hash inversion attacks used Pix2Pix GAN models trained on 1000 images for 500 epochs.
  • Figure 5: Histograms of perceptual similarity for pre-images reconstructed from aHash, PDQ, NeuralHash, and PhotoDNA hashes (rows) as evaluated using aHash, PDQ, and NeuralHash (columns).
  • ...and 1 more figures