Bitstream Collisions in Neural Image Compression via Adversarial Perturbations
Jordan Madden, Lhamo Dorje, Xiaohua Li
TL;DR
This work identifies a novel vulnerability in Neural Image Compression where semantically distinct images can share identical compressed bitstreams (bitstream collisions) under NIC. It introduces a whitebox attack, Masked Gradient Descent (MGD), that crafts adversarial inputs to force bitstream collisions, and a simple defense, Limited-Precision Defense (LPD), that disrupts convergence by reducing precision in latent representations. The authors provide theoretical bounds on collision distances and demonstrate the attack’s effectiveness across multiple NIC models and datasets, along with transferability analyses. Crucially, the LPD defense eliminates collision success in the tested settings, highlighting a practical mitigation path for deploying NIC in security-sensitive applications such as cryptographic protocols. The findings urge careful consideration of NIC robustness and precision choices in real-world systems.
Abstract
Neural image compression (NIC) has emerged as a promising alternative to classical compression techniques, offering improved compression ratios. Despite its progress towards standardization and practical deployment, there has been minimal exploration into it's robustness and security. This study reveals an unexpected vulnerability in NIC - bitstream collisions - where semantically different images produce identical compressed bitstreams. Utilizing a novel whitebox adversarial attack algorithm, this paper demonstrates that adding carefully crafted perturbations to semantically different images can cause their compressed bitstreams to collide exactly. The collision vulnerability poses a threat to the practical usability of NIC, particularly in security-critical applications. The cause of the collision is analyzed, and a simple yet effective mitigation method is presented.