TL;DR
This paper presents a new attack method that successfully recovers private images from InstaHide even with data augmentation, demonstrating that InstaHide's privacy protection can be compromised.
Contribution
It introduces a fusion-denoising attack leveraging a comparative network and data augmentation to break InstaHide's privacy guarantees.
Findings
The attack outperforms previous methods in image recovery accuracy.
InstaHide with data augmentation is vulnerable to the proposed attack.
Extensive experiments validate the attack's effectiveness.
Abstract
InstaHide is a state-of-the-art mechanism for protecting private training images, by mixing multiple private images and modifying them such that their visual features are indistinguishable to the naked eye. In recent work, however, Carlini et al. show that it is possible to reconstruct private images from the encrypted dataset generated by InstaHide. Nevertheless, we demonstrate that Carlini et al.'s attack can be easily defeated by incorporating data augmentation into InstaHide. This leads to a natural question: is InstaHide with data augmentation secure? In this paper, we provide a negative answer to this question, by devising an attack for recovering private images from the outputs of InstaHide even when data augmentation is present. The basic idea is to use a comparative network to identify encrypted images that are likely to correspond to the same private image, and then employ a…
