Diffusion models have recently gained significant attention in both academia and industry due to their impressive generative performance in terms of both sampling quality and distribution coverage. Accordingly, proposals have been made for sharing pre-trained diffusion models across organizations, as a way of improving data utilization while enhancing privacy protection by avoiding the direct sharing of private data. However, the potential risks associated with such an approach have not been comprehensively examined. In this paper, we take an adversarial perspective to investigate the potential privacy and fairness risks associated with the sharing of diffusion models. Specifically, we investigate the setting in which one party (the sharer) trains a diffusion model on private data and provides another party (the receiver) black-box access to the pre-trained model for downstream tasks. We demonstrate that the sharer can execute fairness poisoning attacks that undermine the receiver's downstream models by manipulating the training data distribution of the diffusion model. Meanwhile, the receiver can perform property inference attacks to reveal the distribution of sensitive features in the sharer's dataset. Our experiments on real-world datasets demonstrate remarkable attack performance against different types of diffusion models, which highlights the critical importance of robust data auditing and privacy protection protocols in the relevant applications.