Deep Privacy Funnel Model: From a Discriminative to a Generative Approach with an Application to Face Recognition
Pith reviewed 2026-05-24 01:56 UTC · model grok-4.3
The pith
The deep variational privacy funnel model bounds information leakage in trainable face recognition systems.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The DVPF framework, associated with both the DisPF and GenPF models, yields a tractable variational bound for measuring information leakage and enables optimization in deep representation-learning settings, providing a controllable privacy-utility trade-off while substantially reducing leakage about sensitive attributes.
What carries the argument
The deep variational privacy funnel (DVPF) that supplies a variational bound on mutual information leakage between representations and sensitive attributes.
If this is right
- The framework supports end-to-end training of privacy-preserving face recognition networks.
- It achieves a controllable trade-off between recognition utility and reduction in sensitive attribute leakage.
- The approach integrates with modern networks such as AdaFace and ArcFace.
- Connections are clarified between privacy funnels and models including VAEs, GANs, and diffusion models.
Where Pith is reading between the lines
- The generative formulation may enable creation of privacy-protected synthetic face data.
- Similar variational bounds could be applied to privacy in other representation learning tasks such as speaker verification.
- Optimization under the bound might reveal new ways to regularize deep networks against attribute inference attacks.
Load-bearing premise
The variational bound in the DVPF model accurately captures and bounds the true information leakage about sensitive attributes in the end-to-end trainable deep network setting.
What would settle it
Training a face recognition model with the DVPF objective and then measuring actual mutual information leakage that exceeds the reported variational bound.
Original abstract
In this study, we apply the information-theoretic Privacy Funnel (PF) model to face recognition and develop a method for privacy-preserving representation learning within an end-to-end trainable framework. Our approach addresses the trade-off between utility and obfuscation of sensitive information under logarithmic loss. We study the integration of information-theoretic privacy principles with representation learning, with a particular focus on face recognition systems. We also highlight the compatibility of the proposed framework with modern face recognition networks such as AdaFace and ArcFace. In addition, we introduce the Generative Privacy Funnel ($\mathsf{GenPF}$) model, which extends the traditional discriminative PF formulation, referred to here as the Discriminative Privacy Funnel ($\mathsf{DisPF}$). The proposed $\mathsf{GenPF}$ model extends the privacy-funnel framework to generative formulations under information-theoretic and estimation-theoretic criteria. Complementing these developments, we present the deep variational PF (DVPF) model, which yields a tractable variational bound for measuring information leakage and enables optimization in deep representation-learning settings. The DVPF framework, associated with both the $\mathsf{DisPF}$ and $\mathsf{GenPF}$ models, also clarifies connections with generative models such as variational autoencoders (VAEs), generative adversarial networks (GANs), and diffusion models. Finally, we validate the framework on modern face recognition systems and show that it provides a controllable privacy-utility trade-off while substantially reducing leakage about sensitive attributes. To support reproducibility, we also release a PyTorch implementation of the proposed framework.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript applies the information-theoretic Privacy Funnel to face recognition and introduces the Deep Variational Privacy Funnel (DVPF) framework. This includes the Discriminative Privacy Funnel (DisPF) and the new Generative Privacy Funnel (GenPF) models. DVPF supplies a tractable variational bound on information leakage that is end-to-end optimizable with modern face-recognition backbones (AdaFace, ArcFace) under logarithmic loss, yields a controllable privacy-utility trade-off, and substantially reduces leakage about sensitive attributes. Connections to VAEs, GANs and diffusion models are noted, and PyTorch code is released.
Significance. If the variational bound is a valid upper bound on I(S;Z) and the experiments confirm that its minimization reduces actual leakage, the work would supply a principled, information-theoretic tool for privacy-preserving representation learning that is compatible with current face-recognition pipelines. The explicit release of reproducible code strengthens the contribution.
major comments (2)
- [DVPF model description] DVPF paragraph (abstract and corresponding methods section): the central claim that DVPF 'yields a tractable variational bound for measuring information leakage' and enables minimization of leakage is load-bearing. The manuscript must supply the explicit derivation showing that the chosen variational family produces a valid upper bound on the mutual information I(S;Z), together with any assumptions required for the bound to remain tight when the representation network is trained end-to-end.
- [Experiments and results] Experimental section: the claim of 'substantially reducing leakage about sensitive attributes' requires direct evidence that the variational surrogate correlates with the true leakage. The paper should report an independent estimator of I(S;Z) (or a tight lower bound) on the learned representations before and after DVPF optimization, rather than relying solely on the value of the variational objective.
minor comments (1)
- [Introduction / Model definitions] Notation for the two PF variants (DisPF and GenPF) is introduced only in the abstract; a short dedicated subsection clarifying the precise optimization objectives and the role of the variational bound for each variant would improve readability.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback and the recommendation for major revision. We address each major comment below, agreeing that additional details are needed for clarity and validation. We will incorporate the requested changes in the revised manuscript.
- Referee: DVPF paragraph (abstract and corresponding methods section): the central claim that DVPF 'yields a tractable variational bound for measuring information leakage' and enables minimization of leakage is load-bearing. The manuscript must supply the explicit derivation showing that the chosen variational family produces a valid upper bound on the mutual information I(S;Z), together with any assumptions required for the bound to remain tight when the representation network is trained end-to-end.
  Authors: We agree that the explicit derivation is essential for rigor. The current manuscript states the bound but does not provide the full step-by-step derivation from the variational family to the upper bound on I(S;Z). In the revision we will add this derivation in the methods section, specifying the variational family (the form of q(z|s) and any auxiliary distributions), the Jensen or other inequality used, and the assumptions (e.g., the Markov chain S-X-Z and the support conditions) under which the bound remains valid and reasonably tight during end-to-end training of the representation network.
  revision: yes
- Referee: Experimental section: the claim of 'substantially reducing leakage about sensitive attributes' requires direct evidence that the variational surrogate correlates with the true leakage. The paper should report an independent estimator of I(S;Z) (or a tight lower bound) on the learned representations before and after DVPF optimization, rather than relying solely on the value of the variational objective.
  Authors: We acknowledge that relying solely on the variational objective leaves open the question of how well the surrogate tracks actual leakage. While the variational upper bound is the quantity we optimize, an independent check would strengthen the empirical claims. In the revision we will add results from a separate neural MI estimator (e.g., a MINE-style lower bound or a histogram-based estimator on held-out data) computed on the representations before and after DVPF training, and we will report the correlation between the variational objective and this independent estimate across the privacy-utility operating points.
  revision: yes
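The independent check requested in the second major comment, as an added example (not code from the paper or its released PyTorch implementation): on a constructed discrete toy model with the Markov chain S-X-Z it computes the exact I(S;Z), a variational upper bound, and a histogram plug-in estimate from samples, before and after adding encoder noise. The toy distributions, the noisy encoder, all function names, and the choice of bound (the standard E_x KL(p(z|x) || r(z)) form, which is an assumption and not necessarily the paper's DVPF bound) are illustrative.

```python
import math
import random
from collections import Counter

# Constructed toy model (not from the paper): binary sensitive attribute S,
# 4-valued data X, 4-valued representation Z, Markov chain S - X - Z.
P_S = [0.5, 0.5]
P_X_GIVEN_S = [[0.4, 0.4, 0.1, 0.1],
               [0.1, 0.1, 0.4, 0.4]]


def noisy_encoder(eps, k=4):
    """p(z|x): keep x with probability 1 - eps, else emit a uniform symbol."""
    return [[(1 - eps) * (z == x) + eps / k for z in range(k)]
            for x in range(k)]


def mutual_information(joint):
    """Exact I(A;B) in nats for a joint pmf given as {(a, b): prob}."""
    pa, pb = Counter(), Counter()
    for (a, b), p in joint.items():
        pa[a] += p
        pb[b] += p
    return sum(p * math.log(p / (pa[a] * pb[b]))
               for (a, b), p in joint.items() if p > 0)


def joint_sz(enc):
    """Joint pmf of (S, Z), marginalising X out of p(s) p(x|s) p(z|x)."""
    joint = Counter()
    for s, ps in enumerate(P_S):
        for x, pxs in enumerate(P_X_GIVEN_S[s]):
            for z, pzx in enumerate(enc[x]):
                joint[(s, z)] += ps * pxs * pzx
    return dict(joint)


def kl_upper_bound(enc, prior):
    """E_x KL(p(z|x) || r(z)) >= I(X;Z) >= I(S;Z) for any full-support r.

    The first inequality is the usual variational step (slack = KL(p_z || r)),
    the second is the data-processing inequality for S - X - Z.
    """
    p_x = [sum(P_S[s] * P_X_GIVEN_S[s][x] for s in range(len(P_S)))
           for x in range(len(enc))]
    return sum(px * sum(pz * math.log(pz / prior[z])
                        for z, pz in enumerate(row) if pz > 0)
               for px, row in zip(p_x, enc))


def plugin_estimate(enc, n, seed):
    """Histogram (plug-in) estimate of I(S;Z) from n sampled (s, z) pairs."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(n):
        s = rng.choices(range(len(P_S)), weights=P_S)[0]
        x = rng.choices(range(len(enc)), weights=P_X_GIVEN_S[s])[0]
        z = rng.choices(range(len(enc[x])), weights=enc[x])[0]
        pairs.append((s, z))
    counts = Counter(pairs)
    return mutual_information({k: c / n for k, c in counts.items()})


def leakage_report(eps, prior, n=20000, seed=0):
    """Exact leakage, variational bound and independent estimate for one encoder."""
    enc = noisy_encoder(eps)
    return {
        "exact": mutual_information(joint_sz(enc)),
        "bound": kl_upper_bound(enc, prior),
        "estimate": plugin_estimate(enc, n, seed),
    }


if __name__ == "__main__":
    prior = [0.4, 0.3, 0.2, 0.1]  # deliberately mismatched variational prior
    for label, eps in (("before (eps=0.05)", 0.05), ("after  (eps=0.80)", 0.80)):
        r = leakage_report(eps, prior)
        print(f"{label}: exact={r['exact']:.4f}  bound={r['bound']:.4f}  "
              f"plug-in={r['estimate']:.4f} nats")
```

The bound dominates the exact leakage in both settings but is far from tight, which is why a drop in the variational objective alone does not quantify the drop in I(S;Z); the plug-in estimate tracks the exact value here only because the alphabets are tiny relative to the sample size.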
Circularity Check
No circularity: DVPF variational bound presented as extension of information-theoretic PF without reduction to self-fit or self-citation chain
The provided abstract and reader's assessment show the central claim as an extension of established PF principles to deep representation learning via a new variational bound (DVPF) for DisPF/GenPF. No quoted equations or sections reduce the bound, the privacy-utility trade-off, or the leakage reduction to a fitted parameter renamed as prediction, a self-definitional loop, or a load-bearing self-citation whose validity is internal only. The framework is described as compatible with existing networks (AdaFace, ArcFace) and validated empirically, with code release for reproducibility. This satisfies the default expectation of a self-contained derivation against external benchmarks; no load-bearing step exhibits the required reduction by construction.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: Privacy funnel trade-off under logarithmic loss between utility and obfuscation of sensitive information
- domain assumption: Variational bound provides a tractable surrogate for information leakage in deep networks
invented entities (2)
- Generative Privacy Funnel (GenPF): no independent evidence
- Deep Variational Privacy Funnel (DVPF): no independent evidence