The increasingly pervasive facial recognition (FR) systems raise serious concerns about personal privacy, especially for billions of users who have publicly shared their photos on social media. Several attempts have been made to protect individuals from being identified by unauthorized FR systems utilizing adversarial attacks to generate encrypted face images. However, existing methods suffer from poor visual quality or low attack success rates, which limit their utility. Recently, diffusion models have achieved tremendous success in image generation. In this work, we ask: can diffusion models be used to generate adversarial examples to improve both visual quality and attack performance? We propose DiffProtect, which utilizes a diffusion autoencoder to generate semantically meaningful perturbations on FR systems. Extensive experiments demonstrate that DiffProtect produces more natural-looking encrypted images than state-of-the-art methods while achieving significantly higher attack success rates, e.g., 24.5% and 25.1% absolute improvements on the CelebA-HQ and FFHQ datasets.