forked from 626_privacy/tensorflow_privacy
51 lines
2.1 KiB
Markdown
51 lines
2.1 KiB
Markdown
Implementation of our reconstruction attack on InstaHide.
|
|
|
|
An Attack on InstaHide: Is Private Learning Possible with Instance Encoding?
|
|
Nicholas Carlini, Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Shuang Song, Abhradeep Thakurta, Florian Tramer
|
|
https://arxiv.org/abs/2011.05315
|
|
|
|
|
|
## Overview
|
|
|
|
InstaHide is a recent privacy-preserving machine learning framework.
|
|
It takes a (sensitive) dataset and generates encoded images that are privacy-preserving.
|
|
Our attack breaks InstaHide and shows it does not offer meaningful privacy.
|
|
Given the encoded dataset, we can recover a near-identical copy of the original images.
|
|
|
|
This repository implements the attack described in our paper. It consists of a number of
|
|
steps that shoul be run sequentially. It assumes access to pre-trained neural network
|
|
classifiers that should be downloaded following the steps below.
|
|
|
|
|
|
### Requirements
|
|
|
|
* Python, version ≥ 3.5
|
|
* jax
|
|
* jaxlib
|
|
* objax (https://github.com/google/objax)
|
|
* PIL
|
|
* sklearn
|
|
|
|
|
|
### Running the attack
|
|
|
|
To reproduce our results and run the attack, each of the files should be run in turn.
|
|
|
|
0. Download the necessary dependency files:
|
|
- (encryption.npy)[https://www.dropbox.com/sh/8zdsr1sjftia4of/AAA-60TOjGKtGEZrRmbawwqGa?dl=0] and (labels.npy)[https://www.dropbox.com/sh/8zdsr1sjftia4of/AAA-60TOjGKtGEZrRmbawwqGa?dl=0] from the (InstaHide Challenge)[https://github.com/Hazelsuko07/InstaHide_Challenge]
|
|
- The (saved models)[https://drive.google.com/file/d/1YfKzGRfnnzKfUKpLjIRXRto8iD4FdwGw/view?usp=sharing] used to run the attack
|
|
- Set up all the requirements as above
|
|
|
|
1. Run `step_1_create_graph.py`. Produce the similarity graph to pair together encoded images that share an original image.
|
|
|
|
2. Run `step_2_color_graph.py`. Color the graph to find 50 dense cliques.
|
|
|
|
3. Run `step_3_second_graph.py`. Create a new bipartite similarity graph.
|
|
|
|
4. Run `step_4_final_graph.py`. Solve the matching problem to assign encoded images to original images.
|
|
|
|
5. Run `step_5_reconstruct.py`. Reconstruct the original images.
|
|
|
|
6. Run `step_6_adjust_color.py`. Adjust the color curves to match.
|
|
|
|
7. Run `step_7_visualize.py`. Show the final resulting images.
|