End-to-end encryption (E2EE) by messaging platforms enable people to securely and privately communicate with one another. Its widespread adoption however raised concerns that illegal content might now be shared undetected. Following the global pushback against key escrow systems, client-side scanning based on perceptual hashing has been recently proposed by tech companies, governments and researchers to detect illegal content in E2EE communications. We here propose the first framework to evaluate the robustness of perceptual hashing-based client-side scanning to detection avoidance attacks and show current systems to not be robust. More specifically, we propose three adversarial attacks--a general black-box attack and two white-box attacks for discrete cosine transform-based algorithms--against perceptual hashing algorithms. In a large-scale evaluation, we show perceptual hashing-based client-side scanning mechanisms to be highly vulnerable to detection avoidance attacks in a black-box setting, with more than 99.9% of images successfully attacked while preserving the content of the image. We furthermore show our attack to generate diverse perturbations, strongly suggesting that straightforward mitigation strategies would be ineffective. Finally, we show that the larger thresholds necessary to make the attack harder would probably require more than one billion images to be flagged and decrypted daily, raising strong privacy concerns. Taken together, our results shed serious doubts on the robustness of perceptual hashing-based client-side scanning mechanisms currently proposed by governments, organizations, and researchers around the world.
翻译:通过电文平台进行端对端加密(E2EE),通过信息平台使人们能够安全地和私下地相互沟通。但是,其广泛采用使人们担心非法内容现在可能会被共享而不被发现。在全球对主要代管系统进行回击后,技术公司、政府和研究人员最近提议对客户端进行基于视觉散射的扫描,以探测E2E通信中的非法内容。我们在此提出第一个框架,用以评价以感知性散射为基础的客户端扫描是否稳健,以探测避免袭击,并显示当前的系统是否不稳。更具体地说,我们提议进行三次对抗性攻击-一般黑箱攻击和两次白箱攻击,以对付离散的代管系统。在进行全球反感知性散射后,最近技术公司、政府和研究人员提出了基于感知性散射的客户端扫描方法。在大规模评价中,我们显示了以感知性散射的客户端扫描机制非常容易在黑箱环境中发现避免袭击,超过99.9%的图像被成功攻击,同时保存图像的内容。我们进一步表明我们的攻击是为了制造多样的反向端攻击性攻击性攻击性攻击性攻击,强烈性攻击性攻击性攻击性攻击性攻击,强烈性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性,强烈性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性攻击性