Secure and Scalable Face Retrieval via Cancelable Product Quantization
Haomiao Tang 1,2, Wenjie Li 1, Yixiang Qiu 1,2, Genping Wang 1,2, Shu-Tao Xia 1
Published on arXiv: 2509.00781
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
Achieves a stronger effectiveness-efficiency-security balance than HE-only baselines (HERS) and hashing-based methods (ELSEIR) on face retrieval benchmarks, with substantially reduced computational overhead.
Cancelable Product Quantization (CPQ)
Novel technique introduced
Despite the ubiquity of modern face retrieval systems, their retrieval stage is often outsourced to third-party entities, posing significant risks to user portrait privacy. Although homomorphic encryption (HE) offers strong security guarantees by enabling arithmetic computations in the cipher space, its high computational inefficiency makes it unsuitable for real-time, real-world applications. To address this issue, we propose Cancelable Product Quantization, a highly efficient framework for secure face representation retrieval. Our hierarchical two-stage framework comprises: (i) a high-throughput cancelable PQ indexing module for fast candidate filtering, and (ii) a fine-grained cipher-space retrieval module for final precise face ranking. A tailored protection mechanism is designed to secure the indexing module for cancelable biometric authentication while ensuring efficiency. Experiments on benchmark datasets demonstrate that our method achieves a decent balance between effectiveness, efficiency and security.
Key Contributions
- Two-stage secure face retrieval framework combining a fast cancelable PQ indexing module (random permutation/projection on codebook) with a fine-grained FHE cipher-space re-ranking module
- Cancelable PQ indexing that satisfies formal biometric template protection properties (non-invertibility and unlinkability) while dramatically reducing retrieval latency vs. pure HE approaches
- Empirical demonstration of improved balance among retrieval effectiveness, efficiency, and security over state-of-the-art methods (HERS, ELSEIR) on face retrieval benchmarks
Threat Analysis
The paper defends against embedding inversion: a malicious third-party server holding face feature vectors could reconstruct the original face images (citing mai2018reconstruction). The primary security contribution — Cancelable Product Quantization with random permutation/projection and FHE — is specifically designed to prevent this reconstruction while enabling retrieval. Embedding inversion (recovering face images from embedding vectors) is squarely within ML03 scope.