NeuraCrypt is not private
This work exposes critical vulnerabilities in a privacy-preserving method, which is significant for researchers and practitioners in secure machine learning as it shows the scheme is not private as claimed.
The authors tackled the problem of NeuraCrypt's privacy claims by demonstrating that the algorithm fails to protect sensitive data, achieving a 100% complete break of the scheme through an attack that turned a 1% advantage into perfect recovery.
NeuraCrypt (Yara et al. arXiv 2021) is an algorithm that converts a sensitive dataset to an encoded dataset so that (1) it is still possible to train machine learning models on the encoded data, but (2) an adversary who has access only to the encoded dataset can not learn much about the original sensitive dataset. We break NeuraCrypt privacy claims, by perfectly solving the authors' public challenge, and by showing that NeuraCrypt does not satisfy the formal privacy definitions posed in the original paper. Our attack consists of a series of boosting steps that, coupled with various design flaws, turns a 1% attack advantage into a 100% complete break of the scheme.