NeuraCrypt is not private

Nicholas Carlini, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody and Florian Tramèr   (alphabetical author ordering)

CRYPTO Workshop on Privacy-Preserving Machine Learning 2021



Abstract

NeuraCrypt (Yara et al. arXiv 2021) is an algorithm that converts a sensitive dataset to an encoded dataset so that (1) it is still possible to train machine learning models on the encoded data, but (2) an adversary who has access only to the encoded dataset can not learn much about the original sensitive dataset. We break NeuraCrypt privacy claims, by perfectly solving the authors’ public challenge, and by showing that NeuraCrypt does not satisfy the formal privacy definitions posed in the original paper. Our attack consists of a series of boosting steps that, coupled with various design flaws, turns a 1% attack advantage into a 100% complete break of the scheme.


BibTeX
@inproceedings{CGJM+21,
  author   =   {Carlini, Nicholas and Garg, Sanjam and Jha, Somesh and Mahloujifar, Saeed and Mahmoody, Mohammad and Tram{\`e}r, Florian},
  title   =   {{NeuraCrypt} is not private},
  booktitle   =   {CRYPTO Workshop on Privacy-Preserving Machine Learning},
  year   =   {2021},
  url   =   {https://arxiv.org/abs/2108.07256}
}