defense 2025

Model Inversion Attacks Meet Cryptographic Fuzzy Extractors

Mallika Prabhakar, Louise Xu, Prateek Saxena

0 citations · 82 references · arXiv

Published on arXiv: 2510.25687

Model Inversion Attack

OWASP ML Top 10 — ML03

Key Finding

PIPE achieves over 89% success reconstructing faces from stored embeddings against prior schemes, while L2FE-Hash provides attack-agnostic security that nullifies both PIPE and prior state-of-the-art model inversion attacks without any ML model retraining.

PIPE / L2FE-Hash

Novel technique introduced


Model inversion attacks pose an open challenge to privacy-sensitive applications that use machine learning (ML) models. For example, face authentication systems use modern ML models to compute embedding vectors from face images of the enrolled users and store them. If leaked, inversion attacks can accurately reconstruct user faces from the leaked vectors. There is no systematic characterization of properties needed in an ideal defense against model inversion, even for the canonical example application of a face authentication system susceptible to data breaches, despite a decade of best-effort solutions. In this paper, we formalize the desired properties of a provably strong defense against model inversion and connect it, for the first time, to the cryptographic concept of fuzzy extractors. We further show that existing fuzzy extractors are insecure for use in ML-based face authentication. We do so through a new model inversion attack called PIPE, which achieves a success rate of over 89% in most cases against prior schemes. We then propose L2FE-Hash, the first candidate fuzzy extractor which supports standard Euclidean distance comparators as needed in many ML-based applications, including face authentication. We formally characterize its computational security guarantees, even in the extreme threat model of full breach of stored secrets, and empirically show its usable accuracy in face authentication for practical face distributions. It offers attack-agnostic security without requiring any re-training of the ML model it protects. Empirically, it nullifies both prior state-of-the-art inversion attacks as well as our new PIPE attack.


Key Contributions

  • PIPE: a new model inversion attack achieving over 89% face reconstruction success rate against existing fuzzy extractor-based embedding protection schemes
  • Formal characterization of the properties required for a provably strong defense against model inversion attacks, connecting the problem to cryptographic fuzzy extractors for the first time
  • L2FE-Hash: the first fuzzy extractor supporting standard Euclidean distance comparators, with formal computational security guarantees under full-breach threat models and no ML model retraining required

🛡️ Threat Analysis

Model Inversion Attack

The paper's core contribution is both attacking and defending against model inversion: an adversary who obtains stored face embedding vectors reconstructs original face images. PIPE is a new embedding inversion attack; L2FE-Hash is a provably secure defense. This maps precisely to ML03's threat model of an adversary reverse-engineering private training/enrollment data from model representations.


Details

Domains
vision
Model Types
cnn, transformer
Threat Tags
white_box, inference_time, targeted
Applications
face authentication, face recognition, biometric systems