The wide deployment of Face Recognition (FR) systems poses privacy risks. One countermeasure is the adversarial attack, which deceives unauthorized malicious FR systems, but it also disrupts regular identity verification by trusted authorizers, exacerbating the potential threat of identity impersonation. To address this, we propose the first double identity protection scheme based on traceable adversarial watermarking, termed DIP-Watermark. DIP-Watermark employs a one-time watermark embedding to deceive unauthorized FR models while allowing authorizers to perform identity verification by extracting the watermark. Specifically, we propose an information-guided adversarial attack against FR models: the encoder embeds an identity-specific watermark into the deep feature space of the carrier, guiding the recognizable features of the image to deviate from the source identity. We further adopt a collaborative meta-optimization strategy compatible with the sub-tasks, which regularizes the joint optimization direction of the encoder and decoder. This strategy enhances the representation of universal carrier features and mitigates multi-objective optimization conflicts in watermarking. Experiments confirm that DIP-Watermark achieves significant attack success rates and traceability accuracy on state-of-the-art FR models and exhibits remarkable robustness, outperforming existing privacy protection methods that use adversarial attacks, deep watermarking, or simple combinations of the two. Our work potentially opens up new insights into proactive protection of FR privacy.