Atkscopes: Multiresolution Adversarial Perturbation as a Unified Attack on Perceptual Hashing and Beyond

Privacy and regulation are a long-lasting conflict in modern instant messaging, where the security community attempts to bridge this gap from a technological perspective. End-to-end encryption (E2EE) is a mathematically guaranteed privacy policy that has been widely built into commercial instant messaging applications. On the other hand, regulatory designs compatible with E2EE privacy are severely restricted, i.e., content auditing is (almost) impossible on ciphertext. For this reason, the community develops perceptual hash matching (PHM) as a regulation policy, where content-aware hash codes for media are computed prior to E2EE and matched against known sensitive media, e.g., child pornography images, on the server side.

In this paper, we systematically reveal a range of adversarial threats to such E2EE-PHM systems, leading to regulatory failures. Unlike previous case studies, our attack is a more realistic threat – uniformly fooling the famous Microsoft PhotoDNA, Facebook PDQ, Apple NeuralHash, and pHash, even with higher success rates and less training rounds. Here, we validate the above proposition in both scenarios of escaping and triggering regulation.

Our main contribution is a new idea of multiresolution perturbation, where each perturbation element can affect image regions of adjustable scales. With this new idea and its well-formalized design, our attack encapsulates previous attacks as special cases – in some scenarios, it exhibits a huge leap in convergence efficiency compared to previous ones. Based on the above technical insights, we also discuss possible countermeasures and recommendations for social good.