The increasingly pervasive facial recognition (FR) systems raise serious concerns about personal privacy, especially for billions of users who have publicly shared their photos on social media. Several attempts have been made to protect individuals from being identified by unauthorized FR systems utilizing adversarial attacks to generate encrypted face images. However, existing methods suffer from poor visual quality or low attack success rates, which limit their utility. Recently, diffusion models have achieved tremendous success in image generation. In this work, we ask: can diffusion models be used to generate adversarial examples to improve both visual quality and attack performance? We propose DiffProtect, which utilizes a diffusion autoencoder to generate semantically meaningful perturbations on FR systems. Extensive experiments demonstrate that DiffProtect produces more natural-looking encrypted images than state-of-the-art methods while achieving significantly higher attack success rates, e.g., 24.5% and 25.1% absolute improvements on the CelebA-HQ and FFHQ datasets.

翻译：日益普及的面部识别（FR）系统引发了严重的个人隐私担忧，尤其是对于数十亿在社交媒体上公开分享照片的用户。已有若干尝试通过利用对抗攻击生成加密人脸图像来保护个体免受未经授权的FR系统识别。然而，现有方法存在视觉质量差或攻击成功率低的问题，限制了其实用性。最近，扩散模型在图像生成领域取得了巨大成功。在本研究中，我们提出：能否利用扩散模型生成对抗样本，以同时提升视觉质量和攻击性能？我们提出了DiffProtect，该方法利用扩散自编码器在FR系统上生成具有语义意义的扰动。大量实验表明，与现有最先进方法相比，DiffProtect生成的加密图像视觉效果更自然，同时攻击成功率显著更高，例如在CelebA-HQ和FFHQ数据集上分别实现了24.5%和25.1%的绝对提升。