NeuraCrypt is not private
Nicholas Carlini, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Florian Tramer

TL;DR
This paper demonstrates that NeuraCrypt, a privacy-preserving data encoding method, fails to meet its claimed privacy guarantees by presenting a complete attack that exploits design flaws, thus compromising sensitive data.
Contribution
We provide the first complete attack on NeuraCrypt, disproving its privacy claims and highlighting critical vulnerabilities in its design.
Findings
NeuraCrypt's privacy claims are invalidated by our attack.
The attack achieves a 100% success rate in revealing original data.
Design flaws in NeuraCrypt enable complete privacy breaches.
Abstract
NeuraCrypt (Yala et al., arXiv 2021) is an algorithm that converts a sensitive dataset into an encoded dataset so that (1) it is still possible to train machine learning models on the encoded data, but (2) an adversary who has access only to the encoded dataset cannot learn much about the original sensitive dataset. We break NeuraCrypt's privacy claims by perfectly solving the authors' public challenge and by showing that NeuraCrypt does not satisfy the formal privacy definitions posed in the original paper. Our attack consists of a series of boosting steps that, coupled with various design flaws, turn a 1% attack advantage into a 100% complete break of the scheme.
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Advanced Neural Network Applications
