Increasingly pervasive facial recognition (FR) systems raise serious concerns about personal privacy, especially for the billions of users who have publicly shared their photos on social media. Several attempts have been made to protect individuals from being identified by unauthorized FR systems by using adversarial attacks to generate encrypted face images. However, existing methods suffer from poor visual quality or low attack success rates, which limits their utility. Recently, diffusion models have achieved tremendous success in image generation. In this work, we ask: can diffusion models be used to generate adversarial examples that improve both visual quality and attack performance? We propose DiffProtect, which utilizes a diffusion autoencoder to generate semantically meaningful perturbations on FR systems. Extensive experiments demonstrate that DiffProtect produces more natural-looking encrypted images than state-of-the-art methods while achieving significantly higher attack success rates, e.g., 24.5% and 25.1% absolute improvements on the CelebA-HQ and FFHQ datasets, respectively.