
Model Inversion Attacks Meet Cryptographic Fuzzy Extractors

Mallika Prabhakar, Louise Xu, Prateek Saxena

TL;DR

This work addresses privacy risks from model inversion on embeddings used in face-authentication by connecting cryptographic fuzzy extractors to practical defenses. It introduces the PIPE attack, which defeats existing post-processing protections, and formalizes an ideal post-processing primitive whose realization via a lattice-based fuzzy extractor (L2FE-Hash) supports Euclidean ($\ell_2$) comparators while maintaining full leakage security. The authors provide theoretical security analyses and extensive empirical evaluations across multiple face datasets, showing L2FE-Hash resists PIPE and prior inversion attacks while retaining usable authentication accuracy. Overall, the paper presents a principled, attack-agnostic defense framework for protected embeddings that has immediate implications for privacy-preserving biometric systems under breach scenarios.

Abstract

Model inversion attacks pose an open challenge to privacy-sensitive applications that use machine learning (ML) models. For example, face authentication systems use modern ML models to compute embedding vectors from face images of the enrolled users and store them. If leaked, inversion attacks can accurately reconstruct user faces from the leaked vectors. There is no systematic characterization of properties needed in an ideal defense against model inversion, even for the canonical example application of a face authentication system susceptible to data breaches, despite a decade of best-effort solutions. In this paper, we formalize the desired properties of a provably strong defense against model inversion and connect it, for the first time, to the cryptographic concept of fuzzy extractors. We further show that existing fuzzy extractors are insecure for use in ML-based face authentication. We do so through a new model inversion attack called PIPE, which achieves a success rate of over 89% in most cases against prior schemes. We then propose L2FE-Hash, the first candidate fuzzy extractor which supports standard Euclidean distance comparators as needed in many ML-based applications, including face authentication. We formally characterize its computational security guarantees, even in the extreme threat model of full breach of stored secrets, and empirically show its usable accuracy in face authentication for practical face distributions. It offers attack-agnostic security without requiring any re-training of the ML model it protects. Empirically, it nullifies both prior state-of-the-art inversion attacks as well as our new PIPE attack.

Paper Structure

This paper contains 85 sections, 7 theorems, 19 equations, 5 figures, 14 tables, 4 algorithms.

Key Result

Lemma 1

For any $0<\epsilon < 1$ and any integer $k>0$, let $n$ be a positive integer such that $n\geq \frac{4\ln k}{\epsilon^2/2 - \epsilon^3/3}$. Then for any set $S$ of $k = |S|$ data points in $\mathbb{R}^m$ and the randomized map $f\colon \mathbb{R}^m\to\mathbb{R}^n$ given in eqn:mrp, with high probab
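Lemma 1 is the Johnson–Lindenstrauss bound behind random-projection (MRP-style) post-processing: pairwise Euclidean distances survive the projection up to a factor $(1\pm\epsilon)$, which is what keeps an $\ell_2$ comparator usable after protection. The following is an added example, not the paper's code: it computes the lemma's minimal $n$ for given $k$ and $\epsilon$, assumes a scaled Gaussian random matrix as a stand-in for the map in eqn:mrp (the paper's exact construction is not on this page), and measures the worst pairwise squared-distance distortion on constructed sample points.

```python
import math
import random

def jl_min_dimension(k: int, eps: float) -> int:
    """Smallest n allowed by Lemma 1: n >= 4 ln k / (eps^2/2 - eps^3/3)."""
    if not 0 < eps < 1 or k <= 0:
        raise ValueError("Lemma 1 needs 0 < eps < 1 and k > 0")
    return math.ceil(4 * math.log(k) / (eps ** 2 / 2 - eps ** 3 / 3))

def gaussian_projection(m: int, n: int, rng: random.Random):
    """n x m matrix with N(0, 1/n) entries; assumed stand-in for eqn:mrp."""
    scale = 1.0 / math.sqrt(n)
    return [[rng.gauss(0.0, 1.0) * scale for _ in range(m)] for _ in range(n)]

def project(matrix, x):
    """Apply the linear map f(x) = A x."""
    return [sum(a * xi for a, xi in zip(row, x)) for row in matrix]

def sq_l2(a, b):
    """Squared Euclidean distance."""
    return sum((ai - bi) ** 2 for ai, bi in zip(a, b))

def max_pairwise_distortion(points, projected):
    """Worst |‖f(u)-f(v)‖² / ‖u-v‖² - 1| over all pairs; Lemma 1 promises <= eps."""
    worst = 0.0
    for i in range(len(points)):
        for j in range(i + 1, len(points)):
            d = sq_l2(points[i], points[j])
            if d == 0.0:
                continue  # identical points: a linear map preserves distance 0
            ratio = sq_l2(projected[i], projected[j]) / d
            worst = max(worst, abs(ratio - 1.0))
    return worst

def demo(k: int = 8, m: int = 512, eps: float = 0.5, seed: int = 7):
    """Constructed sample: k random 'embeddings' in R^m projected down to R^n."""
    rng = random.Random(seed)
    n = jl_min_dimension(k, eps)
    points = [[rng.gauss(0.0, 1.0) for _ in range(m)] for _ in range(k)]
    f = gaussian_projection(m, n, rng)
    projected = [project(f, p) for p in points]
    return n, max_pairwise_distortion(points, projected)

if __name__ == "__main__":
    n, worst = demo()
    print(f"n = {n}, worst pairwise squared-distance distortion = {worst:.3f}")
```

Note that distance preservation is a usability property only; the lemma says nothing about how hard the projected vector is to invert, which is the gap the paper's PIPE attack targets and L2FE-Hash is designed to close.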

Figures (5)

  • Figure 1: An example inverting the FacialFE-protected embedding vector to obtain a face image similar to the original using Pipe.
  • Figure 2: A face authentication system with Enroll and Auth functions. $\mathcal{M}$ represents models that output unprotected embeddings and $\mathcal{M}_{prot}$ represents the models with post-processing protection mechanisms that output protected embeddings.
  • Figure 3: Reconstructed images by Pipe and Bob attacks against different protection schemes for Facenet embeddings. Check mark indicates successful authentication while cross indicates failure.
  • Figure 4: Images generated by attacking unprotected, FacialFE protected, MRP protected and L2FE-Hash protected Facenet embeddings. (a) Inversion using Pipe (b) Inversion using Bob. The first column in each subfigure shows the original image.
  • Figure 5: Images generated by attacking unprotected, FacialFE protected, MRP protected and L2FE-Hash protected ArcFace embeddings. (a) Inversion using Pipe (b) Inversion using Bob. The first column in each subfigure shows the original image.

Theorems & Definitions (22)

  • Lemma 1: Johnson–Lindenstrauss Lemma (rephrased from the cited proof)
  • Theorem 1
  • Theorem 2
  • Definition 3: Ideal primitive
  • Definition 4: Statistical indistinguishability
  • Definition 5: Computational indistinguishability
  • Definition 6: Fuzzy Extractor with Error
  • Definition 7: Strong extractor
  • Definition 8: $C_\epsilon$
  • Definition 9: Ambiguity
  • ...and 12 more