tensorflow_privacy

forked from 626_privacy/tensorflow_privacy

History

Nicholas Carlini 28b8a80924 Add InstaHide Attack paper to research folder		2020-12-05 01:20:49 +00:00
..
README.md	Add InstaHide Attack paper to research folder	2020-12-05 01:20:49 +00:00
step_1_create_graph.py	Add InstaHide Attack paper to research folder	2020-12-05 01:20:49 +00:00
step_2_color_graph.py	Add InstaHide Attack paper to research folder	2020-12-05 01:20:49 +00:00
step_3_second_graph.py	Add InstaHide Attack paper to research folder	2020-12-05 01:20:49 +00:00
step_4_final_graph.py	Add InstaHide Attack paper to research folder	2020-12-05 01:20:49 +00:00
step_5_reconstruct.py	Add InstaHide Attack paper to research folder	2020-12-05 01:20:49 +00:00
step_6_adjust_color.py	Add InstaHide Attack paper to research folder	2020-12-05 01:20:49 +00:00
step_7_visualize.py	Add InstaHide Attack paper to research folder	2020-12-05 01:20:49 +00:00

README.md

Implementation of our reconstruction attack on InstaHide.

An Attack on InstaHide: Is Private Learning Possible with Instance Encoding? Nicholas Carlini, Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Shuang Song, Abhradeep Thakurta, Florian Tramer https://arxiv.org/abs/2011.05315

Overview

InstaHide is a recent privacy-preserving machine learning framework. It takes a (sensitive) dataset and generates encoded images that are privacy-preserving. Our attack breaks InstaHide and shows it does not offer meaningful privacy. Given the encoded dataset, we can recover a near-identical copy of the original images.

This repository implements the attack described in our paper. It consists of a number of steps that shoul be run sequentially. It assumes access to pre-trained neural network classifiers that should be downloaded following the steps below.

Requirements

Python, version ≥ 3.5
jax
jaxlib
objax (https://github.com/google/objax)
PIL
sklearn

Running the attack

To reproduce our results and run the attack, each of the files should be run in turn.

Download the necessary dependency files:

(encryption.npy)[https://www.dropbox.com/sh/8zdsr1sjftia4of/AAA-60TOjGKtGEZrRmbawwqGa?dl=0] and (labels.npy)[https://www.dropbox.com/sh/8zdsr1sjftia4of/AAA-60TOjGKtGEZrRmbawwqGa?dl=0] from the (InstaHide Challenge)[https://github.com/Hazelsuko07/InstaHide_Challenge]
The (saved models)[https://drive.google.com/file/d/1YfKzGRfnnzKfUKpLjIRXRto8iD4FdwGw/view?usp=sharing] used to run the attack
Set up all the requirements as above

Run step_1_create_graph.py. Produce the similarity graph to pair together encoded images that share an original image.
Run step_2_color_graph.py. Color the graph to find 50 dense cliques.
Run step_3_second_graph.py. Create a new bipartite similarity graph.
Run step_4_final_graph.py. Solve the matching problem to assign encoded images to original images.
Run step_5_reconstruct.py. Reconstruct the original images.
Run step_6_adjust_color.py. Adjust the color curves to match.
Run step_7_visualize.py. Show the final resulting images.