InstaHide's Sample Complexity When Mixing Two Private Images

Baihe Huang,Zhao Song,Runzhou Tao,Junze Yin,Ruizhe Zhang,Danyang Zhuo
2024-02-06
Abstract: Training neural networks usually requires large amounts of sensitive training data, so how to protect the privacy of training data has become a critical topic in deep learning research. InstaHide is a state-of-the-art scheme to protect training data privacy with only minor effects on test accuracy, and its security has become a salient question. In this paper, we systematically study recent attacks on InstaHide and present a unified framework to understand and analyze these attacks. We find that existing attacks either do not have a provable guarantee or can only recover a single private image. On the current InstaHide challenge setup, where each InstaHide image is a mixture of two private images, we present a new algorithm to recover all the private images with a provable guarantee and optimal sample complexity. In addition, we also provide a computational hardness result on retrieving all InstaHide images. Our results demonstrate that InstaHide is not information-theoretically secure but computationally secure in the worst case, even when mixing two private images.
Machine Learning,Computational Complexity,Cryptography and Security,Data Structures and Algorithms
What problem does this paper attempt to address?
The core problem this paper addresses is evaluating and improving the security of the InstaHide scheme, specifically in the case where two private images are mixed. The researchers focus on protecting the privacy of training data while keeping test accuracy essentially unaffected. InstaHide is a technique for protecting training data privacy that works by mixing multiple images and then randomly flipping the signs of pixels. Its security has been questioned, however: existing attack methods either lack provable guarantees or can only recover a single private image. The paper therefore focuses on the following:

1. **A new algorithm**: For the current InstaHide challenge setting (each InstaHide image is a mixture of two private images), the authors propose an algorithm that recovers all private images with provable guarantees and optimal sample complexity.
2. **Computational hardness results**: The authors also give computational hardness results for retrieving all InstaHide images, showing that even when only two private images are mixed, InstaHide is not information-theoretically secure but is computationally secure in the worst case.

In addition, the paper examines the following question:

- **Minimum sample complexity**: the minimum number of InstaHide images required to recover a private image. This quantity is central to measuring the security of InstaHide.

In summary, the main contributions of the paper are:

- A new algorithm: in the case of mixing two private images, all private images can be recovered with only \( \Omega(n_{\text{priv}} \log n_{\text{priv}}) \) samples, a significant improvement over the previous best result of \( O(n_{\text{priv}}^{4/3}) \).
- A summary of existing attack methods within a unified framework for understanding these attacks, which reveals the limitations of existing methods in recovering all private images.

These results deepen the understanding of InstaHide's security and also offer guidance for the future application of deep-learning algorithms to sensitive data.
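To make the two-image setting concrete, the following is an added illustration (not code from the paper or the InstaHide project) of the encoding step the summary describes, i.e. a random convex mix of two private images followed by a per-pixel random sign flip, together with a simple simulation of how many such mixtures are drawn before every private image has appeared in at least one of them. Images are represented as flat lists of pixel values, the mixing weight and sign mask are drawn uniformly at random, and the coverage count is a coupon-collector style quantity used here only as intuition for why a sample complexity on the order of \( n_{\text{priv}} \log n_{\text{priv}} \) is natural; the function names, the toy image shapes, and the seeds are assumptions of this example, and nothing here reproduces the paper's recovery algorithm.

```python
"""Toy two-image InstaHide encoder and a coverage-count simulation (added example)."""
import random


def instahide_mix(img_a, img_b, weight, sign_mask):
    """One InstaHide image: weight*a + (1-weight)*b, then a per-pixel sign flip.

    img_a, img_b : flat lists of pixel values of equal length
    weight       : mixing coefficient in [0, 1]
    sign_mask    : list of +1/-1 values, one per pixel
    """
    if not (len(img_a) == len(img_b) == len(sign_mask)):
        raise ValueError("images and sign mask must have the same length")
    return [s * (weight * a + (1.0 - weight) * b)
            for a, b, s in zip(img_a, img_b, sign_mask)]


def encode_dataset(private_images, n_mix, seed=0):
    """Produce n_mix InstaHide images, each mixing two distinct private images.

    Returns a list of (index_pair, mixed_image) tuples. The index pair is kept
    only so that the example can check which private images each mixture uses;
    a real deployment would not expose it.
    """
    rng = random.Random(seed)          # seeded so the example is reproducible
    n_pixels = len(private_images[0])
    out = []
    for _ in range(n_mix):
        i, j = rng.sample(range(len(private_images)), 2)   # two distinct images
        weight = rng.random()                               # convex weight
        mask = [rng.choice((-1, 1)) for _ in range(n_pixels)]
        out.append(((i, j), instahide_mix(private_images[i], private_images[j],
                                          weight, mask)))
    return out


def samples_until_all_covered(n_priv, rng):
    """Count how many random two-image mixtures are drawn before every one of
    the n_priv private images has appeared in at least one mixture."""
    seen = set()
    count = 0
    while len(seen) < n_priv:
        seen.update(rng.sample(range(n_priv), 2))
        count += 1
    return count


def average_coverage_count(n_priv, trials, seed=0):
    """Average of samples_until_all_covered over several independent trials."""
    rng = random.Random(seed)
    return sum(samples_until_all_covered(n_priv, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    # Constructed toy "images": four flat 3-pixel vectors.
    toy_private = [[1.0, 2.0, 3.0], [4.0, 5.0, 6.0], [7.0, 8.0, 9.0], [0.5, 0.5, 0.5]]
    for pair, mixed in encode_dataset(toy_private, n_mix=3, seed=1):
        print(pair, [round(v, 3) for v in mixed])
    for n in (16, 64, 256):
        print(n, round(average_coverage_count(n, trials=200), 1))
```

The coverage count grows faster than linearly in the number of private images, which is the intuition the summary's \( n_{\text{priv}} \log n_{\text{priv}} \) bound rests on: a mixture that never includes a given private image carries no information about it, so at least enough mixtures to touch every image are needed before full recovery is even possible.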