Research Artifact of:
Research Artifact of:
CipherSteal: Stealing Input Data from TEE-Shielded Neural Networks with Ciphertext Side Channels
CipherSteal: Stealing Input Data from TEE-Shielded Neural Networks with Ciphertext Side Channels
Embedded Files
Part-3. More examples of recovery results of CipherSteal
Below we show (thousands of) examples of recovered videos and images. We did NOT cherry pick the examples; they were randomly selected. Failed cases also exist in the present examples, but their occurrence frequency is very low.Â
With these examples (both successful and failed ones), we hope readers can better assess the threat of ciphertext side channel leakage in neural networks and the capability of our attack.
Below are recovered videos (left) and ground truth videos (right). The human IDs in attacker's videos and NN owner/user's videos do NOT overlap.
Recovered (video batch 1)
Ground truth (video batch 1)
Recovered (video batch 2)
Ground truth (video batch 2)
Recovered (video batch 3)
Ground truth (video batch 3)
Recovered (video batch 4)
Ground truth (video batch 4)
Recovered (video batch 5)
Ground truth (video batch 5)
Below are recovered face photos (left) and ground truth face photos (right). The human IDs in attacker's images and NN owner/user's images do NOT overlap.
Recovered (face batch 1)
Ground truth (face batch 1)
Recovered (face batch 2)
 Ground truth (face batch 2)
Recovered (face batch 3)
Ground truth (face batch 3)
Recovered (face batch 4)
Ground truth (face batch 4)
 Recovered (face batch 5)
Ground truth (face batch 5)
Recovered (face batch 6)
Ground truth (face batch 6)
Recovered (face batch 7)
Ground truth (face batch 7)
Recovered (face batch 8)
Ground truth (face batch 8)
Recovered (face batch 9)
Ground truth (face batch 9)
Recovered (face batch 10)
Ground truth (face batch 10)
Below are recovered chest X-ray images (left) and ground truth chest X-ray images (right). Attacker only has images of benign chest X-ray images.
Recovered (chest batch 1)
Ground truth (chest batch 1)
Recovered (chest batch 2)
Ground truth (chest batch 2)
Recovered (chest batch 3)
Ground truth (chest batch 3)
 Recovered (chest batch 4)
Ground truth (chest batch 4)
 Recovered (chest batch 5)
Ground truth (chest batch 5)
Recovered (chest batch 6)
Ground truth (chest batch 6)
Recovered (chest batch 7)
Ground truth (chest batch 7)
Recovered (chest batch 8)
Ground truth (chest batch 8)
Recovered (chest batch 9)
Ground truth (chest batch 9)
Recovered (chest batch 10)
Ground truth (chest batch 10)
Below are recovered ImageNet images images (left) and ground truth ImageNet images (right).Â
Recovered (ImageNet batch 1)
Ground truth (ImageNet batch 1)
Recovered (ImageNet batch 2)
Ground truth (ImageNet batch 2)
 Recovered (ImageNet batch 3)
Ground truth (ImageNet batch 3)
Recovered (ImageNet batch 4)
Ground truth (ImageNet batch 4)
Recovered (ImageNet batch 5)
Ground truth (ImageNet batch 5)
Below are recovered (left) and ground truth (right) digits under the full-knowledge (FK) setting.
Recovered (FK)
Ground truth (FK)
Recovered (FK)
Ground truth (FK)
Recovered (FK)
Ground truth (FK)
Recovered (FK)
Ground truth (FK)
Recovered (FK)
Ground truth (FK)
Recovered (FK)
Ground truth (FK)
Recovered (FK)
Ground truth (FK)
Recovered (FK)
Ground truth (FK)
Recovered (FK)
Ground truth (FK)
Recovered (FK)
Ground truth (FK)
Below are recovered (left) and ground truth (right) digits under the partial-knowledge (PK) setting. The attacker only has images of digit 0-4.
Recovered (PK)
Ground truth (PK)
Recovered (PK)
Ground truth (PK)
Recovered (PK)
Ground truth (PK)
Recovered (PK)
Ground truth (PK)
Recovered (PK)
Ground truth (PK)
Recovered (PK)
Ground truth (PK)
Recovered (PK)
Ground truth (PK)
Recovered (PK)
Ground truth (PK)
Recovered (PK)
Ground truth (PK)
Recovered (PK)
Ground truth (PK)
Below are recovered (left) and ground truth (right) digits under the zero-knowledge (ZK) setting. The victim NN under ZK setting only takes inputs of digit 0-4, whereas the attacker only has images of digit 5-9.
Recovered (ZK)
Ground truth (ZK)
Recovered (ZK)
Ground truth (ZK)
Recovered (ZK)
Ground truth (ZK)
Recovered (ZK)
Ground truth (ZK)
Recovered (ZK)
Ground truth (ZK)
Page updated
Google Sites
Report abuse