Model Inversion Attack Against Deep Hashing

TL;DR

This paper introduces DHMI, a diffusion-based model inversion attack that reconstructs high-quality images from deep hashing models, revealing significant privacy vulnerabilities even in black-box scenarios.

Contribution

DHMI is the first diffusion-based framework for model inversion attacks on deep hashing, effectively reconstructing images without access to training hash codes.

Findings

DHMI outperforms existing attacks in black-box settings.

It successfully reconstructs high-resolution, semantically consistent images.

The attack reveals critical privacy risks in deep hashing systems.

Abstract

Deep hashing improves retrieval efficiency through compact binary codes, yet it introduces severe and often overlooked privacy risks. The ability to reconstruct original training data from hash codes could lead to serious threats such as biometric forgery and privacy breaches. However, model inversion attacks specifically targeting deep hashing models remain unexplored, leaving their security implications unexamined. This research gap stems from the inaccessibility of genuine training hash codes and the highly discrete Hamming space, which prevents existing methods from adapting to deep hashing. To address these challenges, we propose DHMI, the first diffusion-based model inversion framework designed for deep hashing. DHMI first clusters an auxiliary dataset to derive semantic hash centers as surrogate anchors. It then introduces a surrogate-guided denoising optimization method that leverages a novel attack metric (fusing classification consistency and hash proximity) to dynamically select candidate samples. A cluster of surrogate models guides the refinement of these candidates, ensuring the generation of high-fidelity and semantically consistent images. Experiments on multiple datasets demonstrate that DHMI successfully reconstructs high-resolution, high-quality images even under the most challenging black-box setting, where no training hash codes are available. Our method outperforms the existing state-of-the-art model inversion attacks in black-box scenarios, confirming both its practical efficacy and the critical privacy risks inherent in deep hashing systems.