Model inversion attacks pose an open challenge to privacy-sensitive applications that use machine learning (ML) models. For example, face authentication systems use modern ML models to compute embedding vectors from face images of the enrolled users and store them. If these vectors are leaked, inversion attacks can accurately reconstruct user faces from them. Despite a decade of best-effort solutions, there is no systematic characterization of the properties needed in an ideal defense against model inversion, even for the canonical example application of a face authentication system susceptible to data breaches. In this paper, we formalize the desired properties of a provably strong defense against model inversion and connect it, for the first time, to the cryptographic concept of fuzzy extractors. We further show that existing fuzzy extractors are insecure for use in ML-based face authentication. We do so through a new model inversion attack called PIPE, which achieves a success rate of over 89% in most cases against prior schemes. We then propose L2FE-Hash, the first candidate fuzzy extractor that supports the standard Euclidean distance comparators needed in many ML-based applications, including face authentication. We formally characterize its computational security guarantees, even in the extreme threat model of a full breach of stored secrets, and empirically show its usable accuracy in face authentication for practical face distributions. It offers attack-agnostic security without requiring any re-training of the ML model it protects. Empirically, it nullifies both prior state-of-the-art inversion attacks and our new PIPE attack.