Model Inversion Attacks Meet Cryptographic Fuzzy Extractors
Mallika Prabhakar, Louise Xu, and Prateek Saxena

TL;DR
This paper formalizes a cryptographic defense against model inversion attacks in machine learning, introduces a new attack method called PIPE, and proposes L2FE-Hash, a secure fuzzy extractor for face authentication applications.
Contribution
It connects cryptographic fuzzy extractors to ML privacy, introduces a new inversion attack, and presents a novel fuzzy extractor supporting Euclidean distance for face authentication.
Findings
The PIPE attack achieves a success rate of over 89% against prior schemes.
L2FE-Hash provides provable security guarantees in extreme breach scenarios.
In experiments, L2FE-Hash effectively nullifies both previous and new inversion attacks.
Abstract
Model inversion attacks pose an open challenge to privacy-sensitive applications that use machine learning (ML) models. For example, face authentication systems use modern ML models to compute embedding vectors from face images of the enrolled users and store them. If leaked, inversion attacks can accurately reconstruct user faces from the leaked vectors. There is no systematic characterization of properties needed in an ideal defense against model inversion, even for the canonical example application of a face authentication system susceptible to data breaches, despite a decade of best-effort solutions. In this paper, we formalize the desired properties of a provably strong defense against model inversion and connect it, for the first time, to the cryptographic concept of fuzzy extractors. We further show that existing fuzzy extractors are insecure for use in ML-based face…
