Asymmetric Invertible Threat: Learning Reversible Privacy Defense for Face Recognition
Jiabei Zhang, Ziyuan Yang, Andrew Beng Jin Teoh, Yi Zhang

TL;DR
This paper introduces ARFP, a reversible face protection framework that enhances privacy by integrating key-based recovery, tamper detection, and robustness against inversion attacks.
Contribution
It proposes a novel reversible face protection method combining privacy, key-controlled recovery, and tamper indication, addressing reversibility vulnerabilities in existing methods.
Findings
ARFP improves resistance to inverse purification attacks.
ARFP enables authorized face recovery with the correct key.
ARFP provides tamper indication through nonce-based signals.
Abstract
Face Recognition systems are widely deployed in real-world applications, but they also raise privacy concerns due to unauthorized collection and misuse of facial data. Existing adversarial privacy protection methods rely on input-space perturbations to obfuscate identity information, yet their protection can degrade when adversaries learn restoration or purification mappings that partially invert the transformation. We study this setting as an asymmetric adversarial attack, in which reverse manipulation becomes feasible because existing defense paradigms do not control reversibility. To address this problem, we propose Asymmetric Reversible Face Protection (ARFP), a restoration-aware extension of personalized face cloaking that integrates privacy protection, keyed recovery, and tamper indication in a single framework. ARFP consists of three components: Key-Conditioned Manifold Binding,…
