InstaHide is a state-of-the-art mechanism for protecting private training images in collaborative learning. It works by mixing multiple private images and modifying them in such a way that their visual features are no longer distinguishable to the naked eye, without significantly degrading the accuracy of training. In recent work, however, Carlini et al. show that it is possible to reconstruct private images from the encrypted dataset generated by InstaHide, by exploiting the correlations among the encrypted images. Nevertheless, Carlini et al.'s attack relies on the assumption that each private image is used without modification when it is mixed with other private images. As a consequence, it could be easily defeated by incorporating data augmentation into InstaHide. This leads to a natural question: is InstaHide with data augmentation secure? This paper provides a negative answer to the above question, by presenting an attack for recovering private images from the outputs of InstaHide even when data augmentation is present. The basic idea of our attack is to use a comparative network to identify encrypted images that are likely to correspond to the same private image, and then employ a fusion-denoising network for restoring the private image from the encrypted ones, taking into account the effects of data augmentation. Extensive experiments demonstrate the effectiveness of the proposed attack in comparison to Carlini et al.'s attack.
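As an added illustration (not code from this paper or from InstaHide's authors), the following simplified InstaHide-style encoding in Python/numpy shows the mixing step the abstract describes, including the random pixel-wise sign mask InstaHide applies after mixing, and why applying data augmentation to each private image before mixing breaks the "each private image is used without modification" assumption that Carlini et al.'s attack relies on. The augmentation used (random horizontal flip plus a padded random crop), the Dirichlet coefficient sampling, and the omission of InstaHide's mixing with public images are simplifications assumed here.

```python
import numpy as np

def augment(img: np.ndarray, rng: np.random.Generator, pad: int = 2) -> np.ndarray:
    """Assumed training augmentation: random horizontal flip, then a random
    crop of the original size taken from the image zero-padded by `pad`."""
    h, w = img.shape
    if rng.random() < 0.5:
        img = img[:, ::-1]
    padded = np.pad(img, pad)
    top, left = rng.integers(0, 2 * pad + 1, size=2)
    return padded[top:top + h, left:left + w]

def instahide_encode(private: np.ndarray, k: int, rng: np.random.Generator,
                     use_augment: bool):
    """Mix k private images with random coefficients summing to 1, then hide
    the result behind a random per-pixel sign mask (InstaHide's mask step).
    Returns the encrypted image plus the bookkeeping needed to inspect it."""
    idx = rng.choice(len(private), size=k, replace=False)
    lam = rng.dirichlet(np.ones(k))                      # coefficients sum to 1
    views = [augment(private[i], rng) if use_augment else private[i] for i in idx]
    mixed = sum(l * v for l, v in zip(lam, views))
    mask = rng.choice([-1.0, 1.0], size=mixed.shape)    # pixel-wise sign flips
    return mask * mixed, idx, lam, views

def every_view_unmodified(private, k, rng, use_augment, n_encodings: int = 8) -> bool:
    """Does every encrypted image use its source private images pixel-for-pixel?
    This is the assumption behind Carlini et al.'s attack; augmentation breaks it."""
    for _ in range(n_encodings):
        _, idx, _, views = instahide_encode(private, k, rng, use_augment)
        if any(not np.array_equal(v, private[i]) for i, v in zip(idx, views)):
            return False
    return True

def run_demo(seed: int = 0) -> dict:
    rng = np.random.default_rng(seed)
    private = rng.random((4, 8, 8))   # constructed stand-in for 4 private 8x8 images
    enc, idx, lam, views = instahide_encode(private, 2, rng, use_augment=False)
    mixed = sum(l * v for l, v in zip(lam, views))
    return {
        "shape": enc.shape,
        "coeff_sum": float(lam.sum()),
        # the sign mask changes signs only, never magnitudes
        "mask_only_flips_sign": bool(np.allclose(np.abs(enc), np.abs(mixed))),
        "unmodified_without_aug": every_view_unmodified(private, 2, rng, False),
        "unmodified_with_aug": every_view_unmodified(private, 2, rng, True),
    }

if __name__ == "__main__":
    print(run_demo())
```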