English

Adversarial collision attacks on image hashing functions

Computer Vision and Pattern Recognition 2020-11-19 v1

Abstract

Hashing images with a perceptual algorithm is a common approach to solving duplicate image detection problems. However, perceptual image hashing algorithms are differentiable, and are thus vulnerable to gradient-based adversarial attacks. We demonstrate that not only is it possible to modify an image to produce an unrelated hash, but an exact image hash collision between a source and target image can be produced via minuscule adversarial perturbations. In a white box setting, these collisions can be replicated across nearly every image pair and hash type (including both deep and non-learned hashes). Furthermore, by attacking points other than the output of a hashing function, an attacker can avoid having to know the details of a particular algorithm, resulting in collisions that transfer across different hash sizes or model architectures. Using these techniques, an adversary can poison the image lookup table of a duplicate image detection service, resulting in undefined or unwanted behavior. Finally, we offer several potential mitigations to gradient-based image hash attacks.

Keywords

Cite

@article{arxiv.2011.09473,
  title  = {Adversarial collision attacks on image hashing functions},
  author = {Brian Dolhansky and Cristian Canton Ferrer},
  journal= {arXiv preprint arXiv:2011.09473},
  year   = {2020}
}
R2 v1 2026-06-23T20:21:14.744Z