Implementation of our reconstruction attack on InstaHide.
Is Private Learning Possible with Instance Encoding? Nicholas Carlini, Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Shuang Song, Abhradeep Thakurta, Florian Tramer https://arxiv.org/abs/2011.05315
Overview
InstaHide is a recent privacy-preserving machine learning framework. It takes a (sensitive) dataset and generates encoded images that are meant to preserve the privacy of the originals while still being usable for training. Our attack breaks InstaHide and shows it does not offer meaningful privacy: given only the encoded dataset, we recover a near-identical copy of the original images.
This repository implements the attack described in our paper. It consists of a number of steps that should be run sequentially. It assumes access to pre-trained neural network classifiers, which should be downloaded following the steps below.
Requirements
- Python, version ≥ 3.5
- jax
- jaxlib
- objax (https://github.com/google/objax)
- PIL
- sklearn
Running the attack
To reproduce our results and run the attack, each of the files should be run in turn.
- Download the necessary dependency files:
  - [encryption.npy](https://www.dropbox.com/sh/8zdsr1sjftia4of/AAA-60TOjGKtGEZrRmbawwqGa?dl=0) and [labels.npy](https://www.dropbox.com/sh/8zdsr1sjftia4of/AAA-60TOjGKtGEZrRmbawwqGa?dl=0) from the [InstaHide Challenge](https://github.com/Hazelsuko07/InstaHide_Challenge)
  - The [saved models](https://drive.google.com/file/d/1YfKzGRfnnzKfUKpLjIRXRto8iD4FdwGw/view?usp=sharing) used to run the attack
- Set up all the requirements as above
- Run `step_1_create_graph.py`. Produce the similarity graph to pair together encoded images that share an original image.
- Run `step_2_color_graph.py`. Color the graph to find 50 dense cliques.
- Run `step_3_second_graph.py`. Create a new bipartite similarity graph.
- Run `step_4_final_graph.py`. Solve the matching problem to assign encoded images to original images.
- Run `step_5_reconstruct.py`. Reconstruct the original images.
- Run `step_6_adjust_color.py`. Adjust the color curves to match.
- Run `step_7_visualize.py`. Show the final resulting images.
Citation
You can cite this attack as:
```bibtex
@inproceedings{carlini2021private,
  title={Is Private Learning Possible with Instance Encoding?},
  author={Carlini, Nicholas and Deng, Samuel and Garg, Sanjam and Jha, Somesh and Mahloujifar, Saeed and Mahmoody, Mohammad and Thakurta, Abhradeep and Tram{\`e}r, Florian},
  booktitle={2021 IEEE Symposium on Security and Privacy (SP)},
  pages={410--427},
  year={2021},
  organization={IEEE}
}
```