• Stars
    star
    664
  • Rank 67,903 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created about 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Preimage attack against NeuralHash ๐Ÿ’ฃ

NeuralHash Collider

Find target hash collisions for Apple's NeuralHash perceptual hash function.

For example, starting from a picture of this cat, we can find an adversarial image that has the same hash as the picture of the dog in this post:

python collide.py --image cat.jpg --target 59a34eabe31910abfb06f308

Cat image with NeuralHash 59a34eabe31910abfb06f308 Dog image with NeuralHash 59a34eabe31910abfb06f308

We can confirm the hash collision using nnhash.py from AsuharietYgvar/AppleNeuralHash2ONNX:

$ python nnhash.py dog.png
59a34eabe31910abfb06f308
$ python nnhash.py adv.png
59a34eabe31910abfb06f308

How it works

NeuralHash is a perceptual hash function that uses a neural network. Images are resized to 360x360 and passed through a neural network to produce a 128-dimensional feature vector. Then, the vector is projected onto R^96 using a 128x96 "seed" matrix. Finally, to produce a 96-bit hash, the 96-dimensional vector is thresholded: negative entries turn into a 0 bit, and non-negative entries turn into a 1 bit.

This entire process, except for the thresholding, is differentiable, so we can use gradient descent to find hash collisions. This is a well-known property of neural networks, that they are vulnerable to adversarial examples.

We can define a loss that captures how close an image is to a given target hash: this loss is basically just the NeuralHash algorithm as described above, but with the final "hard" thresholding step tweaked so that it is "soft" (in particular, differentiable). Exactly how this is done (choices of activation functions, parameters, etc.) can affect convergence, so it can require some experimentation. After choosing the loss function, we can follow the standard method to find adversarial examples for neural networks: gradient descent.

Details

The implementation currently does an alternating projections style attack to find an adversarial example that has the intended hash and also looks similar to the original. See collide.py for the full details. The implementation uses two different loss functions: one measures the distance to the target hash, and the other measures the quality of the perturbation (l2 norm + total variation). We first optimize for a collision, focusing only on matching the target hash. Once we find a projection, we alternate between minimizing the perturbation and ensuring that the hash value does not change. The attack has a number of parameters; run python collide.py --help or refer to the code for a full list. Tweaking these parameters can make a big difference in convergence time and the quality of the output.

The implementation also supports a flag --blur [sigma] that blurs the perturbation on every step of the search. This can slow down or break convergence, but on some examples, it can be helpful for getting results that look more natural and less like glitch art.

Examples

Reproducing the Lena/Barbara result from this post:

The first image above is the original Lena image. The second was produced with --target a426dae78cc63799d01adc32 to collide with Barbara. The third was produced with the additional argument --blur 1.0. The fourth is the original Barbara image. Checking their hashes:

$ python nnhash.py lena.png
32dac883f7b91bbf45a48296
$ python nnhash.py lena-adv.png
a426dae78cc63799d01adc32
$ python nnhash.py lena-adv-blur-1.0.png
a426dae78cc63799d01adc32
$ python nnhash.py barbara.png
a426dae78cc63799d01adc32

Reproducing the Picard/Sidious result from this post:

The first image above is the original Picard image. The second was produced with --target e34b3da852103c3c0828fbd1 --tv-weight 3e-4 to collide with Sidious. The third was produced with the additional argument --blur 0.5. The fourth is the original Sidious image. Checking their hashes:

$ python nnhash.py picard.png
73fae120ad3191075efd5580
$ python nnhash.py picard-adv.png
e34b2da852103c3c0828fbd1
$ python nnhash.py picard-adv-blur-0.5.png
e34b2da852103c3c0828fbd1
$ python nnhash.py sidious.png
e34b2da852103c3c0828fbd1

Prerequisites

  • Get Apple's NeuralHash model following the instructions in AsuharietYgvar/AppleNeuralHash2ONNX and either put all the files in this directory or supply the --model / --seed arguments
  • Install Python dependencies: pip install -r requirements.txt

Usage

Run python collide.py --image [path to image] --target [target hash] to generate a hash collision. Run python collide.py --help to see all the options, including some knobs you can tweak, like the learning rate and some other parameters.

Limitations

The code in this repository is intended to be a demonstration, and perhaps a starting point for other exploration. Tweaking the implementation (choice of loss function, choice of parameters, etc.) might produce much better results than this code currently achieves.

Citation

If you use this implementation in your work, please cite the following:

@misc{athalye2021neuralhashcollider,
  author = {Anish Athalye},
  title = {NeuralHash Collider},
  year = {2021},
  howpublished = {\url{https://github.com/anishathalye/neural-hash-collider}},
}

More Repositories

1

dotbot

A tool that bootstraps your dotfiles โšก๏ธ
Python
7,030
star
2

neural-style

Neural style in TensorFlow! ๐ŸŽจ
Python
5,539
star
3

git-remote-dropbox

A transparent bridge between Git and Dropbox - use a Dropbox (shared) folder as a Git remote! ๐ŸŽ
Python
3,055
star
4

lumen

Magic auto brightness based on screen contents ๐Ÿ’ก
Objective-C
2,286
star
5

gemini

Gemini is a modern LaTex beamerposter theme ๐Ÿ–ผ
TeX
982
star
6

porcupine

A fast linearizability checker written in Go ๐Ÿ”Ž
Go
883
star
7

obfuscated-gradients

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples
Jupyter Notebook
881
star
8

seashells

The official client for seashells.io ๐Ÿš
Python
707
star
9

dotfiles

~anish โ€ข powered by https://github.com/anishathalye/dotbot ๐Ÿ’พ
Shell
704
star
10

gavel

A project expo judging system ๐Ÿ“Š
Python
433
star
11

periscope

Periscope gives you "duplicate vision" to help you organize and de-duplicate your files without losing data ๐Ÿ”ญ
Go
379
star
12

auriga

Auriga is a minimalist LaTeX beamer presentation theme ๐Ÿ“ฝ
TeX
328
star
13

offix

"Who is in the office?" ๐Ÿ‘€
JavaScript
186
star
14

dotfiles_template

A template for structuring dotfiles (using Dotbot as an installer) ๐Ÿ“œ
PowerShell
184
star
15

ribosome

Synthesize photos from PhotoDNA using machine learning ๐ŸŒฑ
Python
141
star
16

imagenet-simple-labels

Simpler human-readable labels for ImageNet ๐Ÿท
122
star
17

dotfiles-local

~anish [local config] โ€ขย powered by https://github.com/anishathalye/dotbot ๐Ÿ 
Shell
75
star
18

mathematics-of-deep-learning

The Mathematics of Deep Learning, SIPB IAP 2018
Jupyter Notebook
74
star
19

proof-html

A GitHub Action to validate HTML, check links, and more โœ…
Ruby
57
star
20

seashells-server

The seashells.io server ๐Ÿš
Go
53
star
21

knox

A framework for formally verifying hardware security modules to be free of hardware, software, and timing side-channel vulnerabilities ๐Ÿ”
Racket
29
star
22

notary

Notary: A Device for Secure Transaction Approval ๐Ÿ“Ÿ
Verilog
28
star
23

hubot-group

A hubot script that expands mentions of groups ๐Ÿ‘ซ
CoffeeScript
26
star
24

synox

Rust library for program synthesis of string transformations from input-output examples ๐Ÿ”ฎ
Rust
26
star
25

knox-hsm

Circuits and hardware security modules formally verified with Knox ๐Ÿ”
Verilog
23
star
26

disposable

Create a Reddit throwaway account with the click of a button! ๐Ÿšฎ
JavaScript
23
star
27

skipchat

SkipChat - MHacks V
C
20
star
28

rtlv

Tools for reasoning about circuits in Rosette/Racket ๐Ÿ”Œ
Racket
18
star
29

micro-wwvb

A tiny WWVB station ๐Ÿ“ก
C
17
star
30

linux-bootstrap

get a debian-based system set up the way I like it, with minimal effort on my part
17
star
31

hubot-shortcut

A macro system for hubot ๐Ÿ’จ
JavaScript
16
star
32

bin2coe

A tool to convert binary files to COE files ๐Ÿ’ซ
Python
14
star
33

anishathalye

A self-updating GitHub profile ๐Ÿฏ
Python
12
star
34

hubot-conf

A simple configuration management system for hubot ๐Ÿ”ง
JavaScript
11
star
35

gitlive

the source code that powered gitlive.net
Java
11
star
36

chroniton

A tool for formally verifying constant-time software against hardware ๐Ÿ•ฐ๏ธ
Racket
10
star
37

unblock

A tiny utility to make shell pipes behave as if they have unlimited buffering โ™พ
Go
7
star
38

countdown

A simple countdown timer you can set as your homepage โฐ
HTML
5
star
39

coqioa

A formalization of IO automata in the Coq proof assistant
Coq
5
star
40

x

playground for testing stuff on github
4
star
41

assets

README assets for my GitHub projects ๐ŸŽญ
4
star
42

easy-security

Slides from the SIPB Cluedump on Low Effort High Impact Security
HTML
3
star
43

learn-pgp

Slides from the SIPB Cluedump on PGP
HTML
3
star
44

learn-git

An introduction to using Git - prepared for HackMIT / Hack Week 2015
HTML
2
star
45

deterministic-start-benchmark

Verilog
2
star
46

ipr

A formalization of information-preserving refinement (IPR) in the Coq Proof Assistant ๐Ÿงฉ
Coq
2
star
47

xclips

Rust
1
star
48

scripts

Python
1
star
49

formal-methods-tutorial-2022-10-11

Racket
1
star