Encrypted-Input Obfuscation of Image Classifiers

Giovanni Di Crescenzo, Lisa Bahler, Brian A. Coan, Kurt Rohloff, David B. Cousins, Yuriy Polyakov

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


We consider the problem of protecting image classifiers simultaneously from inspection attacks (i.e., attacks that have read access to all details in the program’s code) and black-box attacks (i.e., attacks that have input/output access to the program’s code). Our starting point is cryptographic program obfuscation, which guarantees some provable security against inspection attacks, in the sense that any such attack is not significantly more successful than a related black-box attack. We actually consider the recent model of encrypted-input cryptographic program obfuscation, which uses a key shared between the obfuscation deployer and the input encryptor to generate the obfuscated program. In this model we design an image classifier program and an encrypted-input obfuscator for it, showing that the classifier program is secure against both inspection and black-box attacks, under the existence of symmetric encryption schemes. We evaluate the accuracy of our classifier and show that it is significantly better than the random classifier and not much worse than more powerful classifiers (e.g., k-nearest neighbor) for which, however, no efficient obfuscator is known.

Original language: English (US)
Title of host publication: Data and Applications Security and Privacy XXXV - 35th Annual IFIP WG 11.3 Conference, DBSec 2021, Proceedings
Editors: Ken Barker, Kambiz Ghazinour
Publisher: Springer Science and Business Media Deutschland GmbH
Number of pages: 21
ISBN (Print): 9783030812416
State: Published - 2021
Event: 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, DBSec 2021 - Virtual, Online
Duration: Jul 19 2021 to Jul 20 2021

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 12840 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, DBSec 2021
City: Virtual, Online

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science


  • Black-box attacks
  • Image classifiers
  • Inspection attacks
  • Program obfuscation

