Generalization of identity extraction to PPFR methods without frequency-domain obfuscation

Determine whether the identity-extraction vulnerability demonstrated by FaceLinkGen under a minimal-knowledge attack setting extends to privacy-preserving face recognition systems whose template generation does not rely on frequency-domain obfuscation (i.e., systems that do not primarily preserve high-frequency information while obfuscating low-frequency content).

Background

The paper introduces FaceLinkGen, an identity-centric attack that extracts identity information from privacy-preserving face recognition (PPFR) templates and regenerates faces without reconstructing original pixels. Beyond the main threat model where the attacker can query the conversion process, the authors also examine an extreme minimal-knowledge scenario in which the attacker lacks access to the conversion mechanism and uses a generic Gaussian-blur-based high-pass filter as a universal proxy to train a student model aligning templates with ArcFace embeddings.

In this constrained setting, a single model trained without system-specific knowledge still achieves high linkage and regeneration success across three PPFR methods (PartialFace, MinusFace, and FracFace). The authors hypothesize that these systems’ template representations are strongly coupled with simple high-pass operations. They explicitly state uncertainty about whether this vulnerability persists for future PPFR designs that do not rely on frequency-domain obfuscation, raising a broader question about the generalization of FaceLinkGen-style identity extraction to alternative protection paradigms.