An Attack on InstaHide: Is Private Learning Possible with Instance Encoding?

Nicholas Carlini, Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Shuang Song, Abhradeep Thakurta, and Florian Tramèr   (alphabetical author ordering)

NeurIPS Privacy Preserving Machine Learning Workshop, 2020.
Oral Presentation.



A learning algorithm is private if the produced model does not reveal (too much) about its training
set. InstaHide [Huang, Song, Li, Arora, ICML’20] is a recent proposal that claims to preserve privacy
by an encoding mechanism that modifies the inputs before being processed by the normal learner.
We present a reconstruction attack on InstaHide that is able to use the encoded images to recover visually recognizable versions of the original images. Our attack is effective and efficient, and empirically
breaks InstaHide on CIFAR-10, CIFAR-100, and the recently released InstaHide Challenge.
We further formalize various privacy notions of learning through instance encoding and investigate
the possibility of achieving these notions. We prove barriers against achieving (indistinguishability
based notions of) privacy through any learning protocol that uses instance encoding.

  author   =   {Carlini, Nicholas and Deng, Samuel and Garg, Sanjam and Jha, Somesh and Mahloujifar, Saeed and Mahmoody, Mohammad and Song, Shuang and Thakurta, Abhradeep and Tram{\`e}r, Florian},
  title   =   {An Attack on {InstaHide}: Is Private Learning Possible with Instance Encoding?},
  booktitle   =   {NeurIPS Privacy Preserving Machine Learning Workshop},
  year   =   {2020},
  howpublished   =   {arXiv preprint arXiv:2011.05315},
  url   =   {}