{"id":33418,"date":"2021-08-18T16:55:54","date_gmt":"2021-08-18T20:55:54","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=33418"},"modified":"2021-09-08T11:23:00","modified_gmt":"2021-09-08T15:23:00","slug":"neuralhash-implementation-and-collision","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/08\/18\/neuralhash-implementation-and-collision\/","title":{"rendered":"NeuralHash Implementation and Collision"},"content":{"rendered":"

Joseph Cox et al.<\/a> (Slashdot<\/a>, Hacker<\/a> News<\/a>, Reddit<\/a>):<\/p>\n

On Wednesday, GitHub user AsuharietYgvar published details<\/a> of what they claim is an implementation of NeuralHash<\/a>, a hashing technology in the anti-CSAM system announced<\/a> by Apple at the beginning of August. Hours later, someone else claimed to have been able to create a collision<\/a>, meaning he tricked the system into giving two different images the same hash.<\/p><\/blockquote>\n\n

Juli Clover<\/a>:<\/p>\n

In a statement to Motherboard<\/a><\/em>, Apple said that the version of the NeuralHash that Yvgar reverse-engineered is not the same as the final implementation that will be used with the CSAM system.<\/p>

[…]<\/p>

Matthew Green, who teaches cryptography at Johns Hopkins University and who has been a vocal critic of Apple’s CSAM system, told Motherboard<\/em> that if collisions “exist for this function,” then he expects “they’ll exist in the system Apple eventually activates.”<\/p>

“Of course, it’s possible that they will re-spin the hash function before they deploy,” he said. “But as a proof of concept, this is definitely valid,” he said of the information shared on GitHub.<\/p><\/blockquote>\n\n

Hector Martin<\/a>:<\/p>\n

“Early tests show that it can tolerate image resizing and compression, but not cropping or rotations.”<\/p>

Like every other perceptual image hash. It’ll also have collisions. Keep in mind that the matching is fuzzy (you have to allow some wrong bits).<\/p>

It’s not hard at all to attack such a hash to make it produce false positives.<\/p>

Say I am law enforcement and I want access to your photos. I send you >30 messages with non-CSAM but colliding images. Your phone now thinks you have CSAM and grants Apple access to your data.<\/p>

Then I just have to subpoena Apple for the data they already have, and I have your photos.<\/p>

Meanwhile the people who actually have CSAM just have to add a frame to their images to completely neuter the system.<\/p><\/blockquote>\n

A lot rests on how much we can trust Apple’s human reviewers.<\/p>\n

\n

Also, apparently Apple’s neural network, by virtue of having 200+ (!) layers and due to floating point rounding issues, actually produces wildly different hashes on different hardware (9 bits difference between iPad and M1 Mac!). That’s... garbage. That’s 9 bits of match noise.<\/p>\n

[…]<\/p>\n

Actually, how does this even work at all<\/em>? You have<\/em> to do fuzzy matching of perceptual image hashes like NeuralHash. But they’re doing some PSI crypto stuff after that that would seem to be incompatible with it, and at no<\/em> point do they talk about this.<\/p>

This is not a thing. This cannot mathematically be a thing. There is no way to design a perceptual image hash to always result in the same<\/em> hash when the image is altered in small ways. This is trivial to prove.<\/p><\/blockquote>\n\n

Bruce Schneier<\/a>:<\/p>\n

This was a bad idea from the start, and Apple never seemed to consider the adversarial context of the system as a whole, and not just the cryptography.<\/p><\/blockquote>\n\n

Russell Brandom<\/a>:<\/p>\n

In a call with reporters regarding the new findings, Apple said its CSAM-scanning system had been built with collisions in mind, given the known limitations of perceptual hashing algorithms. In particular, the company emphasized a secondary server-side hashing algorithm, separate from NeuralHash, the specifics of which are not public. If an image that produced a NeuralHash collision were flagged by the system, it would be checked against the secondary system and identified as an error before reaching human moderators.<\/p>\n

[…]<\/p>\n

But actually generating that alert would require access to the NCMEC hash database, generating more than 30 colliding images, and then smuggling all of them onto the target’s phone. <\/p><\/blockquote>\n\n

Previously:<\/p>\n