Diff-Privacy: Diffusion-based Face Privacy Protection

Thank you for your comments and feedback. We address your concerns here.

Q1: The author learns a set of conditional embeddings through a few images. When using the LFW dataset for training, do different images under the same identity need to be trained separately or can they be trained together to obtain a set of conditional embeddings for encryption and decryption?

A1: Thank you for the opportunity to clarify. Our MSI module learns conditional embedding through a few images. When the training set is FFHQ or CelebA-HQ, each person has only one image, so we use a single image to learn conditional embedding. When the training set is an image from LFW, we use all images of the person to learn conditional embedding.

Q2: In Sec.2.2, the description of obtaining conditional embeddings seems unclear. Does each time step correspond to a unique time embedding?

A2: Thank you for the opportunity to clarify. According to previous work [1,2,3], we know that diffusion models focus on different-level information at different time steps. Generally, the model tends to generate the overall layout at the initial stage of the denoising process (corresponding to a large time step), the structure and content at the intermediate stage, and the detailed texture at the final stage. Therefore, we designed an MSI module to learn a set of conditional embeddings as conditions for different periods in the diffusion model. Specifically, we divide the generation process (1000 time steps) into ten time periods, so the output dimension of the time embedding layer is also 10, with each time embedding corresponding to a period.

Reference

[1] Wang, Jianyi, et al. "Exploiting Diffusion Prior for Real-World Image Super-Resolution." arXiv preprint arXiv:2305.07015 (2023).

[2] Zhang, Yuxin, et al. "ProSpect: Expanded Conditioning for the Personalization of Attribute-aware Image Generation." arXiv preprint arXiv:2305.16225 (2023).

[3] Balaji, Yogesh, et al. "ediffi: Text-to-image diffusion models with an ensemble of expert denoisers." arXiv preprint arXiv:2211.01324 (2022).

Thank you for your comments and feedback. We address your concerns here.

Q2: The energy function in Section 2.3.2 is introduced briefly - more details are needed on the formulation and how it enables identity guidance. In addition, the definition of $\epsilon$ which indicates energy function is not clearly defined.

A2: Thank you for your suggestion. We have provided more details about the formula below and added it to the revised manuscript.

Firstly, we provide a concise overview of Score-based Diffusion Models. Score-based Diffusion Models (SBDMs) [1,2] are a category of diffusion model rooted in score theory. It illuminates that the essence of diffusion models is to estimate the score function $\nabla_{x_t}\log_{}{p(x_t)}$, where $x_t$ is noisy data. During the sampling process, SBDMs predict $x_{t−1}$ from $x_t$ using the estimated score step by step. Its sampling formula is as follows:

$x_{t-1} = (1+\frac{1}{2}\beta_t)x_t+ \beta_t \nabla_{x_t}\log_{}{p(x_t)}+\sqrt \beta_t \epsilon,$

where $\epsilon \in N(0,I)$ is randomly sampled Gaussian noise and $\beta_t \in R$ is a pre-defined parameter. Given sufficient data and model capacity, the score function can be estimated by a score estimator $s(x_t, t)$, that is, $s(x_t, t) \approx \nabla_{x_t}\log_{}{p(x_t)}$. Nevertheless, the original diffusion process is limited to functioning solely as an unconditional generator, yielding randomly synthesized outcomes. To achieve controllable generation, SDE [2] proposed to control the generated results with a given condition $c$ by modifying the score function as $\nabla_{x_t}\log_{}{p(x_t|c)}$. Using the Bayesian formula $p(x_t|c) = \frac{p(c|x_t)p(x_t)}{p(c)}$, the conditional score function can be written as two terms:

$\nabla_{x_t}\log_{}{(x_t|c)} = \nabla_{x_t}\log_{}{p(x_t)}+ \nabla_{x_t}\log_{}{(c|x_t)},$

where the first term $\nabla_{x_t}\log_{}{p(x_t)}$ can be estimated using the pre-trained unconditional score estimator $s(·, t)$ and the second term $\nabla_{x_t}\log_{}{(c|x_t)}$ is the critical part of constructing conditional diffusion models. The second term can be interpreted as a correction gradient [3], directing $x_t$ towards a hyperplane in the data space where all data conform to the given condition $c$. Following [3], we used an energy function [4,5] to model the correction gradient:

p(c|x_t) = \frac{\exp\left\\{-\lambda \varepsilon(c,x_t) \right\\}}{Z},

where $\lambda$ denotes the positive temperature coefficient and $Z>0$ denotes a normalizing constant, computed as Z = \int_{c \in c_d} \exp\left\\{− \lambda \varepsilon (c, x_t) \right\\} where $c_d$ denotes the domain of the given conditions. $\varepsilon (c, x_t)$ is an energy function that measures the compatibility between the condition $c$ and the noisy image $x_t$. When $x_t$ aligns more closely with $c$, the value of $\varepsilon (c, x_t)$ decreases. If $x_t$ satisfies the constraint of $c$ perfectly, the energy value should be zero. Any function satisfying the above property can serve as a feasible energy function, and we can adjust the coefficient $\lambda$ to obtain $p(c|x_t)$.

Therefore, the correction gradient $\nabla_{x_t}\log_{}{(c|x_t)}$ can be implemented with the following:

$\nabla_{x_t}\log_{}{(c|x_t)} \propto - \nabla_{x_t}\varepsilon(c,x_t).$

Based on the above theories and formulas, classifier guidance methods [4,6,7,8] trained a classifier by using noisy data to calculate the correction gradient for conditional guidance. Unlike the classifier guidance approach, we aim to use pre-trained models to calculate the correction gradient. Therefore, we need to estimate clean data $\hat x_0$ from noisy data $x_t$. we use Eq.10 to estimate clean latent codes $\hat z_0$ from noisy latent codes $z_t$ and decode $\hat z_0$ to obtain clean image $\hat x_0$. Once we have a clean image $\hat x_0$, we can use existing facial recognition models to calculate the distance between the clean image and condition and construct an energy function.

$\varepsilon(c,x_t) \approx D_\theta(\hat x_0, x),$

where $D_\theta$ is a distance measure function and $x$ is the actual condition (original image $x$).

Then, we can perform gradient correction on the DDIM sampling process according to the above formula.

$z_{t-1}= \sqrt{\frac{\alpha_{t-1}}{\alpha_t}}z_t + \left(\sqrt{\frac{1}{\alpha_{t-1}}-1}-\sqrt{\frac{1}{\alpha_t}-1}\right)\cdot \epsilon_\theta\left(z_t,t,C_t\right),$

$z_{t-1}' = z_{t-1} - \lambda_t \nabla_{\hat{z}_0} D\_\theta(x,\hat{x}_0),$

where $z_{t-1}$ is obtained through the original ddim sampling (Eq.2). $z_{t-1}'$ is the result obtained after our gradient correction and $\lambda_t$ is a scale factor.

Thank you for carefully reviewing the discussions and deciding to raise the score. We are glad that we can modify the manuscript with your suggestion to make it easier to read and understand.

Thank you for your comments and feedback. We address your concerns here.

Q1: Although the author has significantly reduced the training cost of the model (including the need for high-quality facial datasets), the diffusion-based method for inference is still inefficient compared to the GAN-based method.

A1: Thank you for pointing out this issue. Our method inherits the diffusion model's intrinsic drawbacks, notably its sluggish inference speed. Nevertheless, noteworthy strides have been made in expediting sampling by constructing specialized samplers. This development aligns with our objectives, and we can leverage these advancements to enhance the sampling speed of our method in future implementations.

Q2: I noticed that the author conducted an experiment on the security of keys. I think more interesting experiments can be conducted on key-I and key-E to explore their role in image generation.

A2: Thank you for your suggestion. We have followed your advice and conducted more experiments on the role of keys (as shown in Fig.7). While ensuring the correctness of key-I, we used the unconditional embedding of the diffusion model as the key-E for image recovery. The results indicate that the image can not be recovered correctly as long as there is a password error. Furthermore, key-I serves as the starting point for denoising, preserving some global information about the original image (such as background and human skin color). On the contrary, key-E contains more detailed information on the face.

Q4: Similarly, in the case of identity recovery, it is not sufficient to show that reconstructed images have high perceptual similarity to the original images. It must shown that the reconstructed image matches with the original images with high probability using a face recognition system.

A4: We included the recognition rate of the recovered image in Table 1 of the previous manuscript, demonstrating that the recovered image generated by our method closely matches the original images when using the face recognition system. By speculating on the reviewer's intention, we have further calculated the perceptual similarity between the recovered image and the original image in the recognition model. Specifically, we input both images into the face recognition model to extract identity embedding and then calculate their Cosine similarity (Cos-IE). Cos-IE has higher precision than the recognition rate, which can better reflect the similarity between the recovered image and the original image in the embedding space of the recognition model. As shown in the table below, our method produces a high Cos-IE value compared to existing anonymization methods, indicating its superiority. In terms of visual identity information hiding task, our method achieves comparable performance in Cos-IE with AVIH.

Quantitative comparison of recovered results. We compared our method with other anonymization methods (FIT, RIDDLE) and visual identity information hiding method (AVIH) in terms of image recovery performance. (F) and (A) represent that we use FaceNet and ArcFace as face recognition models, respectively.

Q5: The diversity component of the proposed solution is not well-motivated. What is the application need for ensuring diversity? If the diversity loss is removed completely, will the same facial identity be generated every time irrespective of the input noise pattern (added to the initial latent code). If yes, is the model learning a one-to-one mapping between the latent code and generated image irrespective of the noise?

A5: Diversity is crucial. If diversity is not emphasized, like some existing methods [1,2,3] do, the anonymous faces tend to look similar for different individuals. This makes it easy for an attacker to recognize that these faces are anonymized. Moreover, in certain situations, such as online conferences [4], the de-identified faces of participants should be distinct from one another. To ensure reliable identity protection, it is also important to consider variations in ethnicity, age, gender, and other facial features. Even after removing diversity loss (as shown in Fig.14), the model can still generate images with different identities because the noise added to the initial latent code varies. However, when a specific noisy latent code is used, the diversity of image identities generated decreases due to the identity dissimilarity loss guiding the anonymous image towards a subspace that is least similar to the original image.

Thank you for your comments and feedback. We address your concerns here.

Q1: The paper is extremely hard to read and understand. A number of mathematical notations and terms (e.g., key-E, conditional embedding, etc.) are not defined clearly, which makes the proposed approach hard to follow.

A1: We have made our best efforts to explain mathematical notations and terms to make our manuscript easy to read and understand. In the revised manuscript, we have furnished a comprehensive introduction to the definition of conditional embeddings and the method for acquiring them in Sections 2.1 and 2.2. In brief, conditional embedding is the learnable vector in stable diffusion model's text conditional space, which can help the diffusion model reconstruct a given image. We designed the MSI module to learn the conditional embedding of the given image in the text conditional space (Eq.6 and Eq.7).

Q2: First and foremost, the most basic requirement in a security/privacy paper is stating the threat model and assumptions explicitly. What information is being protected and from whom? What are the capabilities of the adversary? In this paper, no clear threat model has been presented. For example, the goals of anonymization and visual information hiding appear to be quite different. Is the proposed framework designed to meet both these objectives simultaneously? Or is the paper trying to propose a common framework that can achieve either one of these objectives at a time by slighting tweaking some parameter/loss?

A2: Thanks for your suggestion. Our privacy protection method aims to safeguard personal identity information and prevent its collection and misuse by threat models, such as illegal snoopers, unauthorized automatic recognition models, and malicious facial manipulation models. As you mentioned in your comment, there are notable distinctions between the objectives of anonymization and visual identity information hiding tasks. Consequently, existing methods can only accomplish one of these goals. In this paper, we propose a unified framework that can achieve either anonymization or visual identity information hiding tasks by slightly tweaking some parameters during inference.

Q3: For anonymization (de-identification), it is not sufficient to show that "anonymized" faces cannot be recognized by a standard face recognition system. It is necessary to prove that the face cannot be "deanonymized" by a malicious adversary. In the proposed approach, it appears that complete recovery is possible provided the so-called "keys" are available. This makes the privacy dependent on the confidentiality of the "key". Even in the absence of the "key", it may be possible for an adversary to learn the inverse mapping between the original and anonymized faces if many training pairs of (original, anonymized) faces are available. Contrarily, if the face recognition system is finetuned with a few examples of anonymized faces as an augmentation, may be it will start recognizing anonymized faces correctly. It is important to discuss the feasibility of such attacks.

A3: Potential attackers lack the incentive to recover the original image as they are unaware that it is encrypted. This is especially true when the encrypted image closely resembles a real face image. Even if malicious adversaries are aware of encryption, they can not access paired data (only have the anonymized version). Only in the event of our model being fully leaked can these adversaries obtain paired data. However, it is widely agreed among all anonymization methods that encryption models remain invisible to attackers.