The Good, the Bad and the Ugly: Meta-Analysis of Watermarks, Transferable Attacks and Adversarial Defenses
Grzegorz Głuch, Berkant Turan, Sai Ganesh Nagarajan, Sebastian Pokutta

TL;DR
This paper analyzes the fundamental trade-offs between watermarks, adversarial defenses, and transferable attacks in machine learning, revealing that at least one of these exists for all tasks and proposing cryptographic methods to construct transferable attacks.
Contribution
It introduces the concept of transferable attacks as a necessary third option in the trade-off and uses cryptographic techniques to construct such attacks, extending previous analyses.
Findings
At least one of watermark, defense, or transferable attack exists for all tasks.
Cryptographic techniques enable the construction of transferable attacks.
Certain task classes allow secure defenses or watermarks against specific adversaries.
Abstract
We formalize and analyze the trade-off between backdoor-based watermarks and adversarial defenses, framing it as an interactive protocol between a verifier and a prover. While previous works have primarily focused on this trade-off, our analysis extends it by identifying transferable attacks as a third, counterintuitive, but necessary option. Our main result shows that for all learning tasks, at least one of the three exists: a watermark, an adversarial defense, or a transferable attack. By transferable attack, we refer to an efficient algorithm that generates queries indistinguishable from the data distribution and capable of fooling all efficient defenders. Using cryptographic techniques, specifically fully homomorphic encryption, we construct a transferable attack and prove its necessity in this trade-off. Finally, we show that tasks of bounded VC-dimension allow adversarial defenses…
Taxonomy
Topics: Cryptographic Implementations and Security
