Adversarial Attack on CryptoEyes from INFOCOM 2021
摘要
Privacy-Preserving classification of Machine Learning (PPML) models has gained traction, owing to strict data privacy regulations. One such work, CryptoEyes (Wenbo et al., INFOCOM 2021) enables users to encrypt images using AES in ECB mode and store it at the server for processing. The authors claimed that their protocol have two advantages: (i) service provider could extract enough information in the form of (encrypted) contour, which gives it the ability to perform machine learning classification on encrypted images, and (ii) use of secret permutation known only to user and server, this prevents man-in-the-middle adversary from reconstructing meaningful image content or accurately map encrypted data to its original class distribution even after having access to a train dataset, thereby achieving privacy. However, in this paper we demonstrate an adversarial attack, which surpass claimed classification accuracy for an adversary against CryptoEyes. Our attack approach uses new data transformation techniques for better feature identification and then train an ML model on image pixels encrypted and permuted. We identify the key vulnerabilities enabling this data leakage and show how an adversary can exploit these weaknesses. The training of our learning model is key agnostic. The results show that with our attack the adversary is able to train a model on MNIST dataset with at least \(74.2\%\) classification accuracy on encrypted and permuted image pixels.