Based on work presented in Squint Hard Enough:
Attacking Perceptual Hashing with Adversarial Machine Learning

Authored by Jonathan Prokos*, Neil Fendley, Matthew Green,
Roei Schuster§, Eran Tromer, Tushar Jois, Yinzhi Cao

*Two Six Technologies, Johns Hopkins University Applied Physics Laboratory,
Johns Hopkins University, §Vector Institute, Tel Aviv University, Columbia University, City College of New York

tl;dr: End-to-end (E2E) encrypted messaging systems are becoming increasingly popular, and perceptual hashing is being used to detect illicit content within them. We show that perceptual hashing is vulnerable to adversarial machine learning attacks, which introduces a side channel into these E2E systems.

Perceptual hashing?

To start, a hash function takes an input of arbitrary length and produces an output of fixed length. This is useful for compressing data or verifying its integrity. Most people are familiar with cryptographic hash functions such as SHA-256 or MD5. Cryptographic hash functions are one-way, meaning it is computationally infeasible to find an input that produces a given output. They are also designed to be collision resistant, meaning it is computationally infeasible to find two distinct inputs that produce the same output. Perceptual hash functions share neither of these properties: they are instead designed so that perceptually similar inputs (e.g., an image and a slightly cropped or re-encoded copy of it) produce identical or nearby hashes, which is what makes them useful for matching images against a database of known content.
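The contrast can be sketched in a few lines of Python. The average hash (aHash) below is a deliberately tiny illustrative perceptual hash, not PhotoDNA or PDQ; it only demonstrates that a perceptual hash changes gradually (or not at all) under a small perturbation, while a cryptographic hash changes completely:

```python
import hashlib

# A toy 16-pixel grayscale "image" as a flat list of intensities (0-255).
def ahash(pixels):
    # Illustrative average hash: one bit per pixel, set if above the mean.
    avg = sum(pixels) / len(pixels)
    return [1 if p > avg else 0 for p in pixels]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

img = [10, 200, 30, 220, 15, 210, 25, 230,
       12, 205, 35, 215, 18, 225, 28, 240]
perturbed = img.copy()
perturbed[0] += 3  # nudge one pixel slightly

# Cryptographic hash: the two digests are completely unrelated.
h1 = hashlib.sha256(bytes(img)).hexdigest()
h2 = hashlib.sha256(bytes(perturbed)).hexdigest()

# Perceptual hash: the perturbation does not change the hash at all.
print(hamming(ahash(img), ahash(perturbed)))  # 0
print(h1 == h2)                               # False
```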

Below you can find two GIFs showing the progress of our attack over time, using PhotoDNA and PDQ as the target perceptual hash functions. The attack's progression is shown on the left; the target image and its hash are shown on the right.
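The core idea behind this progression can be sketched as gradient descent toward a target hash. The snippet below uses a toy differentiable "soft" average hash as a stand-in (PhotoDNA's and PDQ's internals are not differentiable out of the box, and this is not our actual attack pipeline); all names and constants here are illustrative:

```python
import numpy as np

def soft_hash(x, k=0.02):
    # Smooth relaxation of "pixel > mean(x)" so gradients exist.
    return 1.0 / (1.0 + np.exp(-k * (x - x.mean())))

def hard_hash(x):
    return (x > x.mean()).astype(int)

def hamming(a, b):
    return int(np.sum(a != b))

rng = np.random.default_rng(0)
source = rng.uniform(0, 255, size=64)             # image we perturb
target = hard_hash(rng.uniform(0, 255, size=64))  # hash we want to match

x = source.copy()
k, lr = 0.02, 500.0
start = hamming(hard_hash(x), target)
for _ in range(1000):
    h = soft_hash(x, k)
    # Gradient of sum((h - target)**2) w.r.t. x, with the chain rule
    # applied through mean(x): grad_j = 2k * (g_j - mean(g)).
    g = (h - target) * h * (1 - h)
    grad = 2 * k * (g - g.mean())
    x = np.clip(x - lr * grad, 0, 255)

end = hamming(hard_hash(x), target)
print(start, "->", end)  # Hamming distance to the target hash shrinks
```

The real attack targets a perceptual distance threshold rather than an exact hash, but the loop structure (perturb, re-hash, step along the gradient) is the same.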


USENIX Slides (there are speaker notes!)

The following figures are pulled from our USENIX submission and will be included in the forthcoming ePrint update.

Figure 1 shows the results of our targeted second-preimage attack at both low and high threshold levels. Figure 2 shows our detection-avoidance attack at the baseline collision threshold as well as at a significantly higher threshold. Figures 3 and 4 show the progress of our targeted second-preimage attack as the collision threshold is lowered. Figures 5 and 6 compare the performance of this attack under various gradient optimization methods.
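Both attacks are defined relative to a collision threshold: a candidate image is flagged when its hash lies within that Hamming distance of some database hash. A minimal sketch (the 64-bit hashes and the threshold value here are illustrative, not PhotoDNA's or PDQ's actual parameters):

```python
def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def is_flagged(image_hash, database_hashes, threshold=16):
    # Flag the image if any database hash is within the collision threshold.
    # A targeted second-preimage attack tries to make this True for a benign
    # image; a detection-avoidance attack tries to make it False for an
    # image that really is in the database.
    return any(hamming(image_hash, h) <= threshold for h in database_hashes)

db = [[0] * 64, [1] * 64]
near = [0] * 60 + [1] * 4   # 4 bits away from db[0]
far = [0, 1] * 32           # 32 bits away from both entries
print(is_flagged(near, db))  # True
print(is_flagged(far, db))   # False
```

Raising the threshold makes the targeted attack easier (any nearby hash suffices) and the avoidance attack harder, which is why the figures sweep it in both directions.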