Neural networks are commonly known to be vulnerable to adversarial attacks mounted through subtle perturbations of the input data. Recent developments in voice-privacy protection have shown a positive use of the same technique: concealing a speaker's voice attributes with an additive perturbation signal generated by an adversarial network. This paper examines the reversibility property, where an entity generating the adversarial perturbations (e.g., the speaker him/herself) is authorized to remove them and restore the original speech. A similar technique could also be used by an investigator to deanonymize voice-protected speech and restore criminals' identities in security and forensic analysis. In this setting, the perturbation generation module is assumed to be known in the removal process. To this end, joint training of the perturbation generation and removal modules is proposed. Experimental results on the LibriSpeech dataset demonstrated that the subtle perturbations added to the original speech can be predicted from the anonymized speech while achieving the goal of privacy protection. By removing these perturbations from the anonymized sample, the original speech can be restored. Audio samples can be found at https://voiceprivacy.github.io/Perturbation-Generation-Removal/.