Comprehensive Vulnerability Evaluation of Face Recognition Systems to Template Inversion Attacks via 3D Face Reconstruction

In this article, we comprehensively evaluate the vulnerability of state-of-the-art face recognition systems to template inversion attacks using 3D face reconstruction. We propose a new method (called GaFaR) to reconstruct 3D faces from facial templates using a pretrained geometry-aware face generation network, and train a mapping from facial templates to the intermediate latent space of the face generator network. We train our mapping with a semi-supervised approach using real and synthetic face images. For real face images, we use a generative adversarial network (GAN)-based framework to learn the distribution of generator intermediate latent space. For synthetic face images, we directly learn the mapping from facial templates to the generator intermediate latent code. Furthermore, to improve the success attack rate, we use two optimization methods on the camera parameters of the GNeRF model. We propose our method in the whitebox and blackbox attacks against face recognition systems and compare the transferability of our attack with state-of-the-art methods across other face recognition systems on the MOBIO and LFW datasets. We also perform practical presentation attacks on face recognition systems using the digital screen replay and printed photographs, and evaluate the vulnerability of face recognition systems to different template inversion attacks.


Comprehensive Vulnerability Evaluation of Face Recognition Systems to Template Inversion Attacks via 3D Face Reconstruction
Hatef Otroshi Shahreza and Sébastien Marcel Abstract-In this article, we comprehensively evaluate the vulnerability of state-of-the-art face recognition systems to template inversion attacks using 3D face reconstruction.We propose a new method (called GaFaR) to reconstruct 3D faces from facial templates using a pretrained geometry-aware face generation network, and train a mapping from facial templates to the intermediate latent space of the face generator network.We train our mapping with a semi-supervised approach using real and synthetic face images.For real face images, we use a generative adversarial network (GAN)-based framework to learn the distribution of generator intermediate latent space.For synthetic face images, we directly learn the mapping from facial templates to the generator intermediate latent code.Furthermore, to improve the success attack rate, we use two optimization methods on the camera parameters of the GNeRF model.We propose our method in the whitebox and blackbox attacks against face recognition systems and compare the transferability of our attack with state-of-the-art methods across other face recognition systems on the MOBIO and LFW datasets.We also perform practical presentation attacks on face recognition systems using the digital screen replay and printed photographs, and evaluate the vulnerability of face recognition systems to different template inversion attacks.Index Terms-Face recognition, face reconstruction, facial template, generative adversarial network (GAN), geometryaware, neural radiance fields (NeRF), preseantation attck, semisupervised learning, template inversion (TI), transferability, vulnerability evaluation.

I. INTRODUCTION
F ACE recognition (FR) is one of the most well-known biometric authentication tools, and its applications tend toward ubiquity, including smart phone unlock, 1 e-banking 2 Fig. 1.Sample face images from the FFHQ dataset (first row) and frontal 2D image (second row) from our 3D reconstruction (third row) in the whitebox template inversion attack against ArcFace.The values below each image of the second row show the cosine similarity between the templates of the original and frontal reconstruction face images.The decision threshold for FMR = 10 −3 is 0.24 on the LFW dataset.national identity system, 3 border control, 4 etc.In addition to the security applications, FR is also being used in entertainment 5applications.Generally in FR systems, some features (also known as templates or embeddings) are extracted from each face image.The extracted templates are stored in the system's database during the enrollment stage, and are later used for recognition.
Among different types of attacks against FR systems that are studied in the literature [1], [2], [3], [4], [5], template inversion (TI) attack can considerably jeopardize both security and privacy of users.In a TI attack, the adversary gains access to the templates stored in the system's database and tries to invert facial templates to reconstruct the underlying face image.Then, the adversary can use the reconstructed face image to impersonate and enter the system (security threat).In addition, the reconstructed face image may reveal privacy-sensitive information of the enrolled user, such as age, gender, ethnicity, etc. (privacy threat).In this paper, we focus on TI attacks in FR systems and present a comprehensive vulnerability evaluation of FR systems to TI attacks using 3D face reconstruction.We propose a new method (called geometry-aware face reconstruction, shortly GaFaR) to 3D reconstruct faces from facial templates using a geometry-aware face generator network.To our knowledge, this is the first work to reconstruct 3D faces from facial templates.Fig. 1 illustrates sample face images from the FFHQ [6] dataset and their corresponding 3D reconstruction from ArcFace [7] templates using our proposed method.
In our proposed 3D face reconstruction method, we use a geometry-aware face generator network based on GNeRF, and learn a mapping from facial templates to the intermediate latent space of the GNeRF model.We train our model with a semi-supervised approach using real and synthetic face images.For real training face images, where we do not have the corresponding GNeRF latent codes, we train our mapping within a GAN-based framework to learn the distribution of GNeRF intermediate latent space (unsupervised learning).However, for the synthetic training face images, we have the corresponding GNeRF latent codes, and directly learn the mapping from facial templates to the GNeRF intermediate latent space (supervised learning).At the inference stage, we have the 3D reconstructed face and can generate a face image from any arbitrary pose.Thus, we apply optimization on the camera parameters to generate face images with a pose that can increase the success attack rate against the FR system.Fig. 2 illustrates the general block diagram of our proposed template inversion attack.
We introduce our face reconstruction method for whitebox and blackbox TI attacks against FR systems.In the whitebox scenario, the adversary knows the internal functioning and parameters of the feature extraction model.However, in the blackbox scenario, the adversary does not have any knowledge about the internal functioning of the feature extraction model and can only use it to extract features from an arbitrary image.We consider the scenario where the adversary uses another FR model, with known internal functioning and parameters (i.e., whitebox knowledge), and uses this FR model for training the face reconstruction network.We present a comprehensive vulnerability evaluation of state-of-the-art (SOTA) FR systems to our TI attacks in whitebox and blackbox scenarios.We evaluate the transferability of the reconstructed face images by considering the situation where the adversary tries to reconstruct face images of the templates leaked from a FR system and use the reconstructed face images to impersonate the same users in another FR system (with a different feature extraction model) that the users are enrolled.Indeed, the transferability of TI attacks reveals a critical threat to FR systems, since the reconstructed face images can be used to enter other FR systems that the victim is enrolled in.Considering the whitebox/blackbox scenario and the adversary's knowledge of the target FR system, we define five different TI attacks, and comprehensively evaluate the vulnerability of SOTA FR systems to TI attacks.Furthermore, we perform practical evaluations based on presentation attacks using the digital replay and printed photographs of the reconstructed face images, and evaluate the vulnerability of SOTA FR systems.
To elaborate on the contributions of our paper, we summarize them hereunder: r We present a comprehensive vulnerability evaluation of SOTA FR system to TI attacks using 3D face reconstruction from facial templates.Considering the whitebox/blackbox scenarios and the adversary's knowledge of the target FR system, we define five different TI attacks and evaluate the vulnerability of SOTA FR systems to different TI attacks as well as transferability of reconstructed face images in TI attacks.We also perform a practical evaluation based on presentation attacks using the digital replay and printed Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
photograph of the reconstructed face images in TI attacks against SOTA FR systems.
r We propose a new method to reconstruct 3D faces from facial templates using a geometry-aware face generator network based on GNeRF.We use the proposed 3D face reconstruction method to introduce whitebox and blackbox TI attacks against FR systems.To our knowledge, this is the first work to reconstruct 3D faces from facial templates.To use 3D reconstructed face in TI attack against 2D FR systems during the inference stage, we apply optimization on the camera parameters in the input of the GNeRF model and find a pose that improves the success attack rate.
r We learn a mapping from facial templates to the intermedi- ate latent space of GNeRF.We train our mapping network with a semi-supervised approach, using real and synthetic face images.For the real training face images, we train our mapping within a GAN-based framework to learn the distribution of intermediate latent space of GNeRF.For the synthetic training face images, we directly learn the mapping from facial templates to the GNeRF intermediate latent codes.The remainder of this paper is structured as follows.First, we review the related works in Section II.Then, we describe the threat model, our five different defined attacks, and our proposed method in Section III.Next, in Section IV, we present our experiments and discuss our results.Finally, the paper is concluded in Section V.

II. RELATED WORKS
Methods in the literature for face reconstruction in TI attacks against FR systems can be generally categorized from different aspects, including the basis of the method (optimization/learning-based), the type of attack (whitebox/blackbox attack), and the resolution of reconstructed face images (high/low resolution).However, all previous methods generate 2D images in TI attacks against FR systems.
Several methods have been proposed for reconstructing lowresolution 2D face images from facial templates [22], [23], [24], [25], [26], [27].In [22], authors proposed two whitebox methods to reconstruct 2D low-resolution face images from facial templates.In the first method (optimization-based), they used a gradient-descent-based approach on a guiding image or random (noise) image to find an image that minimizes the distance between the template of the reconstructed face image and the target template.In addition, they used several regularization terms to generate a smooth image, including the total variation and Laplacian pyramid gradient normalization [33] of the reconstructed face image.In their learning-based method, they trained a deconvolutional neural network with the same loss function as in their optimization-based method, to generate reconstructed face images.For the evaluation of their method, they only discussed the visual reconstruction quality and did not provide any security evaluation on a FR system.
In [23], authors trained a multi-layer perceptron (MLP), to find the facial landmark coordinates, and a convolutional neural network (CNN), to generate face texture from the given facial template.Next, they used a differentiable warping to combine the estimated landmarks (from MLP) with the generated textures (from CNN) and reconstruct low-resolution 2D face images.They used their method for whitebox and blackbox attacks.In the whitebox attack, they trained their MLP and CNN by minimizing the distance between templates of the original and reconstructed face images.However, for their blackbox attack, they trained MLP and CNN separately, and used the warping in the inference only.For the security evaluation, they only reported the histogram of scores between the templates extracted from the original and reconstructed face images and compared it with the histogram of genuine scores.
In [24], authors proposed a learning-based method to generate low-resolution 2D face images in the blackbox attacks against FR systems.They proposed two new deconvolutional networks, called NbBlock-A and NbBlock-B, and trained them with either pixel loss ( 1 norm of pixel-level reconstruction error) or perceptual loss (distance of middle layers of VGG-19 [34] when given the original and reconstructed face images).For the security evaluation, they considered two types of attacks and evaluated vulnerability of FR systems.In their first type of attack, they compared the templates extracted from the original and reconstructed face images, and in their second type of attack, they compared the templates extracted from reconstructed images with templates of a different face image of the same user.
In [25] and [26], a same method based on bijection learning is used to train GAN networks with PO-GAN [35] and TransGAN [36] structures, respectively.In the whitebox attack, authors minimized the distance between target templates and templates extracted from the reconstructed face images using the FR model.To extend their method to the blackbox attack, they proposed to use the distillation of knowledge to train a student network that mimics the target FR model.However, they did not report any detail about the training of the student network (e.g., network structure, etc.) nor published their source code.For the security evaluation, they reported the matching accuracy between the reconstructed image and another original image in each positive pair in their TI attacks.However, they did not evaluate the vulnerability of FR systems at different threshold configurations.
In [27], authors proposed a 3-step method to reconstruct lowresolution 2D face images in the blacbox attack.In the first step, they trained a general face generator network based on GAN.In the second step, they trained a MLP to map the templates to the templates of a known (i.e., whitebox knowledge) FR model.In the third step, they used an optimization on the latent space of their face generator to find a latent code that can generate a face image that maximizes two terms; the cosine similarity between the templates (mapped templates and the templates extracted by the known FR model) and the discriminator score (for being a real face image).For their security evaluation, they reported the adversary's success attack rate (SAR), but they did not specify the system's operation configuration, such as the system's recognition false match rate (FMR).
In contrast to the most works in the literature that generate low-resolution 2D face images, recently few methods are proposed for high-resolution 2D face reconstruction.In [28], authors proposed a learning-based method to reconstruct highresolution 2D face images in the blackbox attack.They used a pretrained StyleGAN2 [37] to generate some face images and extracted the templates using the FR model.Then, they trained a MLP to map facial templates to the input latent codes of StyleGAN2 [37].For the security analysis, they considered two types of attacks as defined in [24] and evaluated the vulnerability of FR systems.They also evaluated their reconstructed face images with a commercial-off-the-shelf (COTS) presentation attack detection (PAD) system, also known as face liveness detection in their paper.However, the authors did not perform a practical presentation attack scenario, in which the images should have been recaptured by camera prior to be fed to the COTS PAD.Similarly, in [29], authors proposed a learningbased method for high-resolution 2D face reconstruction in the blackbox attack.They learned three mapping networks from the facial templates to three separate parts in the intermediate latent space of StyleGAN.Each of these mapping networks is composed of a MLP and is used to reconstruct coarse to fine information of face image.They also proposed to find this mapping with optimization instead of learning the mapping networks.For the security analysis, they did not report success attack rate (percentage) for any configuration.They only reported the histogram of the distance between templates of reconstructed and original face images and compared it with the histogram of templates for random pair of images (i.e., zero-effort impostor).
In [30], authors used a learning-based method based on a conditional denoising diffusion probabilistic model to reconstruct 2D face images in blackbox attack.They used the conditional diffusion model in [38] and iteratively denoise an input Gaussian noise conditioned with facial templates to generate low resolution (i.e., 64 × 64) face images from facial templates.Then, they used a super-resolution network to generate face images with a higher resolution (i.e., 256 × 256).Compared to other learning-based methods, their proposed method is relatively very slow, 6 because of iterative reconstruction in the inference stage.In addition, compared to other methods, that directly generate high-resolution face images, the method in [30] first reconstructs low-resolution face images and then uses a super-resolution to generate high-resolution face images.For security analysis, similar to [25], [26], they reported the matching accuracy between the reconstructed and a different original image in each positive pair, and did not evaluate the vulnerability of FR systems at different threshold configurations.
In [31], authors proposed a optimization on the latent vector (i.e., input noise) of StyleGAN2 [37] to find latent codes which generates face images with templates similar to the target templates.They solved this optimization with a grid-search and simulated annealing [39] approach for the blackbox scenario.However, since their method is computationally expensive, 7 they evaluated their method on only 20 face images and reported distance between the original templates and templates of the reconstructed face images.Along the same lines, in [32] authors considered a similar optimization to [31] on the latent vector of StyleGAN2 [37], but instead of grid-search, they solved the optimization using the standard genetic algorithm [40] for the blackbox attack.For the security analysis, they also considered two types of attacks as defined in [24] and evaluated the vulnerability of FR systems.Moreover, they evaluated their reconstructed face images using three COTS PAD systems (called liveness detection in their paper).However, similar to [28], they did not perform a practical presentation attack scenario by recapturing the reconstructed face images.
Table I compares our paper with the previous works in the literature.To our knowledge, our proposed method is the first method on 3D face reconstruction from facial templates (which are extracted from 2D face recognition models).Moreover, in contrast to most works in the literature, our method generates high-resolution face images.We also propose our method for both whitebox and blackbox attacks against FR systems and evaluate the transferability of our reconstructed face images (which has not been reported before for TI attacks).Furthermore, we perform practical presentation attacks against FR systems using the reconstructed face images.Last but not least, the source code of all the experiments in this paper is publicly available to facilitate the reproducibility of our work.

III. PROPOSED METHOD
We describe our threat model and define different TI attacks against FR systems in Section III-A (as depicted in Fig. 3).Then, we describe our proposed method to reconstruct 3D faces from facial templates in Section III-B.In the inference stage, we optimization on the camera parameters to generate a face image that can improve the success attack rate, as described in Section III-C.Fig. 4 illustrates the block diagram of the proposed TI attack, including our 3D face reconstruction method and our optimization on camera parameters during the inference stage.

A. Threat Model
We consider the situation where the adversary gains access to the database of a FR system (F template ), and aims to invert its templates.The adversary is also assumed to have access 8 to a feature extractor model F proxy (which can be the same or different than F template ).The adversary trains a face reconstruction model to reconstruct face images from templates extracted by F template , and uses the reconstructed face images to impersonate into the same or a different FR system (F target ).Therefore, we consider the following properties for the adversary: r Adversary's goal: The adversary aims to reconstruct face images from templates stored in the database of a FR system (F template ), and use the reconstructed face images to enter the same or a different FR system (we call it the target FR system, F target ).r Adversary's knowledge: The adversary has the following information: -The leaked face templates t leaked of users, which are enrolled in the database of F template . 8The adversary can use F proxy for training the face reconstruction network.
-The adversary also has the whitebox knowledge of a feature extractor model (F proxy ).It is worth mentioning that F proxy can be similar to or different from F template and F target .
r Adversary's capability: We consider two scenarios for the adversary's capability: -The adversary can perform a presentation attack using the reconstructed face images to impersonate and enter the target FR system (e.g., using digital replay attacks or printed photographs).-The adversary can inject the reconstructed face image as a query to the target FR system.r Adversary's strategy: The adversary trains a face recon- struction model to invert the leaked facial templates t leaked .
Then, based on the adversary's capability, the adversary can use the reconstructed face images to either perform a presentation attack or inject the reconstructed face image as a query to the target FR system.In our threat model, we consider three different feature extraction models, including F template (.), F proxy (.), and F target (.).Fig. 3 illustrates the block diagram of our threat model.Based on the target FR system and the adversary's knowledge, we can define five different attacks: r Attack 1: The adversary has the whitebox knowledge of the feature extractor of the FR system from which the template is leaked and aims to impersonate to the same FR system (i.e., F template = F proxy = F target ).
r Attack 2: The adversary has the whitebox knowledge of the feature extractor of the FR system from which the template is leaked, but aims to impersonate to a different FR system (i.e., F template = F proxy = F target ).
r Attack 3: The adversary aims to impersonate to the same FR system from which the template is leaked, but has only the blackbox access to the feature extractor of the FR system.Instead, the adversary has the whitebox knowledge of another FR model to use for training the face reconstruction model (i.e., F template = F target = F proxy ).
r Attack 4: The adversary aims to impersonate to a different FR system than the one which from the template is leaked.In addition, the adversary has the whitebox knowledge of the feature extractor of the target FR system (i.e., F template = F proxy = F target ).
r Attack 5: The adversary aims to impersonate to a different FR system from which the template is leaked, and has only Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

TABLE II DIFFERENT TI ATTACKS AGAINST FR SYSTEMS IN OUR THREAT MODEL
the blackbox knowledge of the both the FR systems.However, the adversary instead has the whitebox knowledge of another FR model to use for training the face reconstruction model (i.e., F template = F proxy = F target ).Table II summarizes different TI attack types in our threat model as well as the adversary's knowledge of different FR models in each type of attack.In all types of attacks, the leaked facial templates to be reconstructed are from F template and the reconstructed face image is used to attack target FR system F target .In attack 1 and attack 3, the target FR system is the same as the FR system from which the template is leaked (i.e., F template = F target ).However, in attacks 2, 4, and 5, the target FR system is different from the FR system from which the template is leaked (i.e., F template = F target ), and therefore in attack 2, 4, and 5, the transferability of reconstructed face images in attacks against different FR systems is evaluated.Comparing different types of attacks, in attack 1 the adversary has knowledge of the FR system from which the template is leaked and aims to enter the same FR system, therefore it is expected that attack 1 may be the easiest attack.In contrast, in attack 5 the adversary does not have the whitebox knowledge of the FR system from which the template is leaked or the target FR system, and thus attack 5 may be the hardest attack for the adversary.

B. Proposed 3D Face Reconstruction
To reconstruct 3D faces from facial templates, we use a pretrained EG3D [18] ŵ, c) from an arbitrary view corresponds to the camera parameters c.We train our mapping network M rec simultaneously using real and synthetic training data with a semi-supervised approach as follows: 1) Unsupervised Learning Using Real Training Data: To train our mapping network M rec (.) with the real training data, we use a set of real face images {I real,i } N i=0 and extract the facial template t real,i = F template (I real,i ) from each face image I real,i using the FR model F template (.).We assume that the adversary does not have any information about the training dataset of F template (.)and F target (.), and thus use another dataset for training the face reconstruction model.Since we do not have the true value of the intermediate latent space W of the GNeRF model for the real face images in {I real,i } N i=0 , we consider training our mapping network using the real training data as unsupervised learning.For the real training data, we train our mapping M rec (.) within a GAN-based framework based on Wasserstein GAN (WGAN) [41] algorithm to learn the distribution of intermediate latent space W of the GNeRF model.In this framework, our mapping network M rec acts as the generator of our WGAN training and generates a latent code ŵ = M rec ([n, t]) from a random vector n ∈ N and the facial template t.In our WGAN framework, we can also generate the real latent code w = M GNeRF (z) ∈ W using the GNeRF mapping function M GNeRF and a random vector z ∈ Z.Then, we can use a critic network C(.) to score the latent codes generated by GNeRF mapping (as real) and our mapping (as fake).Hence, we can train our mapping M rec along with the the critic network C(.) in the WGAN framework using the following loss functions: In addition to the WGAN training, we feed the generated latent code ŵ = M rec ([n, t]) to the GNeRF model to generate the face image Î = G( ŵ, c), and then use the generated face image Î to optimize our mapping network M rec (.) using the following multi-term loss function: where L Pixel and L ID are pixel loss and ID loss, respectively, and are defined as: 2  2 ] (5) The pixel loss L Pixel minimizes the pixel-level reconstruction error and the ID loss L ID optimizes the model to generate face images that have similar facial templates (extracted by F proxy ) to the templates of the original image I.
2) Supervised Learning Using Synthetic Training Data: To train our mapping network M rec (.) with the synthetic training face images, we use the pretrained GNeRF model to generate a set of random face images {I syn,i } K i=0 .Therefore, as opposed to real training data, we have the true value of intermediate latent space w ∈ W to generate the same synthetic face image, and therefore can directly learn the GNeRF intermediate latent code w = M GNeRF (z) from template t syn,i = F template (I syn,i ).Hence, we consider training our mapping network using the synthetic data as supervised learning.In addition to directly learning the intermediate latent code w, we use the generated face image to optimize our mapping network by minimizing the following multi-term loss function: where L Pixel and L ID are the pixel loss (4) and ID loss (5), respectively.Moreover, L w is w-loss to directly learn the latent space of GNeRF by minimizing the mean squared error between w and ŵ = M rec ([n, t]) as follows: To train our networks, we use Adam [42] optimizer and optimize the parameters of our new mapping network M rec (.) for L rec real (i.e., (3)) and L rec syn (i.e., ( 6)) losses in every iteration of our training process (also shown in Fig. 4).However, in the WGAN framework, we update weights of our new mapping network M rec (.

C. Camera Parameters Optimization
After generating a 3D reconstruction of face from the facial template using our proposed method described in Section III-B, the adversary needs to select a pose to generate a 2D reconstructed face image to inject into the system or perform a presentation attack.To this end, during the inference stage we Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
Sample a batch from D real and calculate: 9: end if 15: if itr mod n WGAN C = 0 then 16: Sample a batch w ∼ W and calculate: 17: end if 21: end for 22: end for 23: end procedure can optimize the camera parameters to find a pose that increases the success attack rate (SAR).In other words, having the 3D reconstruction of a face, we would like to find the camera parameters so that the 2D generated face image has a facial template that is more similar to the leaked templates than the templates of any other pose.Among different camera parameters c, we consider the parameters that corresponds to the camera rotations and therefore can change the pose of the generated face image.It is noteworthy that by changing the camera rotations, we want to vary the pitch and yaw rotations of the reconstructed face and do not want to modify the roll rotation.As a matter of fact, the effect of any roll rotation will be eliminated in the FR system through the face alignment in the pre-processing step of the feature extraction.We consider two different approaches to optimize camera parameters as follows: 1) Grid Search (GS): In our grid search approach, we consider pre-defined steps to change the camera pitch θ ∈ Θ and yaw ψ ∈ Ψ and generate corresponding camera parameters c.We generate the 2D face images for all values of camera rotation steps (θ step and ψ step ) and find the facial templates for each generated image.Finally, we select the face image Î = G(M rec ([n, t]), c) which has a template t = F template ( Î) that minimizes the mean squared error with the leaked template t: Note that the grid search can be applied in both whitebox and blackbox scenarios (i.e., all attacks defined in Section III-A) using the FR model F template .
2) Continuous Optimization (CO): For continuous optimization, we start from the frontal camera parameters and use the Adam [42] optimizer to solve the following minimization using the mapped latent code ŵ = M rec ([n, t]): By solving this optimization, we can find the θ and ψ rotations and the corresponding camera parameters c that lead to a face image with the template close to the leaked template t.In contrast to the grid search, the continuous optimization approach can be applied only when the adversary has the whitebox knowledge of F template (i.e., attack 1 and attack 2).

IV. EXPERIMENTS
In this section, we evaluate the vulnerability of SOTA FR systems to our TI attacks defined in Section III.First, in Section IV-A we describe our experimental setup.In Section IV-B, we consider the case where the adversary can inject the reconstructed face image as a query to the system to impersonate, and present our experimental results.In Section IV-C, we consider the situation where the adversary uses the reconstructed face images to perform presentation attacks and evaluate the vulnerability of SOTA FR systems.Finally, we discuss our findings in Section IV-D.

A. Experimental Setup 1) Face Recognition Models:
In our experiments, we evaluate the vulnerability of different SOTA FR models to our TI attacks.We consider two SOTA models, including ArcFace [7], ElasticFace [43], as the models from which templates are leaked (i.e., F template ) and use our proposed method to reconstruct face images.Then, to evaluate the transferability of reconstructed face images, we also use four different FR models with SOTA backbones from FaceX-Zoo [44] for the target FR system (i.e., F target ), including AttentionNet [45], HRNet [46], RepVGG [47], and Swin [48].The recognition performances of these models are reported in Table III.
2) Datasets: All the FR models used in our experiments are trained on the MS-Celeb1M dataset [49].However, we assume that the adversary does not have knowledge about the training data of the FR network (either F template or F target ), and uses another dataset for training the face reconstruction model.We  use the Flickr-Faces-HQ (FFHQ) dataset [6], which consists of 70,000 high-resolution (i.e., 1024 × 1024) face images crawled from the internet (without identity labels), for training our 3D face reconstruction model.We randomly split the FFHQ dataset to train (90%) and validation (10%) subsets.
To evaluate the vulnerability of FR systems to TI attacks, we consider two other different face image datasets with identity labels, including the MOBIO [50] and Labeled Faces in the Wild (LFW) [51] datasets.The MOBIO dataset includes face images captured using mobile devices from 150 people in 12 sessions (6-11 samples in each session).The LFW dataset includes 13,233 face images of 5,749 people collected from the internet, where 1,680 people have two or more images.
3) Evaluation Protocol: To implement each of the attacks described in Section III-A, we build one or two separate FR systems using the same or two different SOTA feature extractor models (based on the attack type).If the target FR system is the same as the system from which the template is leaked (i.e., F template = F target , as in attack 1 and attack 3), we have only one FR system.Otherwise, if the target system is different than the system from which the template is leaked (i.e., F template = F target , as in attack 2, attack 4, and attack 5), we have two FR systems with two different feature extractors.We should note that in the transferability evaluations, we need that the subjects whose templates are leaked to be enrolled in the target system too.Therefore, to implement any of the attacks which require two FR systems (i.e., attack 2, attack 4, and attack 5), we use one of our evaluation datasets to build both FR systems (i.e., F template and F target ).
To evaluate the vulnerability to all our TI attacks, we assume that the target FR system is configured at the threshold corresponding to a false match rate (FMR) of 10 −2 or 10 −3 , and we evaluate the adversary's success attack rate (SAR) in entering that system.In our experiments, we consider two situations, where the adversary can inject the reconstructed face image as a query to the FR system (Section IV-B), or use the reconstructed face image to perform a presentation attack (Section IV-C).Fig. 5 depicts and compares two scenarios of injecting the reconstructed face image or performing a presentation attack.In our evaluation of TI attacks by injecting the reconstructed face image (Section IV-B), we directly inject the reconstructed face images into the feature extractor of the FR system and evaluate the TI attack in terms of SAR.However, in our evaluation of the presentation attack using the reconstructed face image (Section IV-C), we present the reconstructed face image (using either a digital screen or a printed photograph) in front of the camera and evaluate the attack in terms of SAR.

4) Implementation Details and Source Code:
To build the FR pipeline and evaluate the TI attacks against FR systems, we use the Bob 9 [52] toolbox.We use the PyTorch package and trained all the networks on a system equipped with an NVIDIA GeForce RTX TM 3090.For the GNeRF model, we use the pretrained model of EG3D 10 with StyleGAN [37] backbone to generate 3D faces with 512 × 512 high-resolution images from any arbitrary view.For the FR models, we use the pretrained models 11 form Bob and FaceX-Zoo [44] toolboxes.
To train our 3D face reconstruction networks, we consider n epoch = 15, n WGAN C = 4 and n WGAN M = 2 in Algorithm 1. Furthermore, the input noise vectors to the mapping network of 9 Available at https://www.idiap.ch/software/bob/ 10 Available at https://github.com/NVlabs/eg3d 11Available at https://gitlab.idiap.ch/bob/bob.bio.faceAuthorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
GNeRF's pretrained network (i.e., z ∈ Z) and to our mapping network M rec (i.e., n ∈ N ) are both from the standard normal distribution and with 512 and 16 dimensions, respectively.The intermediate latent space of GNeRF model has 14 × 512 dimensions, i.e., W ⊂ R 14×512 .The templates extracted by the FR models in Table III have 512 dimensions.For simplicity in training our mapping network, we assume that our training face images from the FFHQ dataset (i.e., real data) are frontal.
In our experiments, we use the continuous optimization (in whitebox attacks only) and grid search optimization (in both whitebox and blackbox attacks) in the inference stage, as described in Section III-C, to optimize camera parameters.In the grid search approach, we consider ψ ∈ [−45  .For the continuous optimization, we use Adam optimizer [42] with the learning rate of 10 −2 and 121 iterations.An ablation study on the effect of these hyperparameters and the corresponding execution times are reported in Section IV-D.
We should note that the source code and the captured images for our presentation attack evaluation are publicly available to help reproduce our results. 12

B. TI Attack by Injecting Reconstructed Face Images
In this section, we consider the situation where the adversary can inject the reconstructed face image to the feature extractor of the target FR system.We consider SOTA FR models and evaluate the vulnerability of these systems to different TI attacks described in Section III-A in the whitebox (attacks 1-2) and blackbox (attacks 3-5) scenarios.
1) Whitebox Scenario: In attacks 1-2, we assume that the adversary has the whitebox knowledge of the FR system from which the template is leaked (i.e., F template ) and uses the same feature extraction model for training (i.e., F proxy ) the face reconstruction network.We considered ArcFace and ElasticFace models for the system from which the template is leaked (i.e., F template ) and evaluate the vulnerability of SOTA FR systems as the target FR systems against attacks 1-2.Table IV compares the vulnerability of different target systems to attacks 1-2 using our method 13 in terms of adversary's SAR at the system's FMR of 10 −3 .As this table shows, our proposed face reconstruction method achieves considerable SAR values against ArcFace and ElasticFace target FR systems in attack 1. Comparing the SAR values between attack 1 and attack 2, the SAR values degrade for different target FR models in attack 2. However, the reconstructed face images are transferable and can still be used to enter a target system with a different feature extractor.It is also noteworthy that considering the recognition performances in Table III, we can conclude that the target FR system with a higher recognition accuracy is generally more vulnerable to attack 2. For example, when ArcFace is used for F template in Table IV, attacks against ElasticFace and Swin as target FR systems result in the highest SAR, and there is the same order for their recognition performance in Table III.Comparing the frontal reconstructed face images by our proposed method (iGaFaR) with our camera parameter optimizations methods (GaFaR+GS and GaFaR+CO), the results show that camera parameter optimization methods improve SAR in both attack 1 and attack 2. Therefore, camera parameter optimization methods not only enhance the attack against the same system (i.e., attack 1), but are also transferable to other FR systems (i.e., attack 2).Comparing the grid search and continuous optimization methods for camera parameter optimization, the results show that the continuous optimization method achieves higher SAR values, and therefore further enhances our TI attack.Fig. 6 illustrates sample face images and their corresponding frontal face reconstruction as well as a sub-grid of reconstructed face images with different poses from ArcFace templates in the whitebox TI attacks (i.e., attacks 1-2).We should note that the reconstructed face images in attack 1 and attack 2 are the same, however, they are used to enter different target FR systems.
2) Blackbox Scenario: In attacks 3-5, we assume that the adversary has the blackbox knowledge of the feature extractor of the FR system from which the template is leaked (i.e., F template ) and uses another feature extraction model for training (i.e., F proxy ).Similar to Section IV-B1, we consider ArcFace and ElasticFace models for F template and evaluate the vulnerability of SOTA FR systems in the target FR systems against attacks 3-5.
In each case, we also use the other model for F proxy (i.e., ArcFace as F template and ElasticFace as F proxy or ElasticFace as F template and ArcFace as F proxy ).Table V compares the performance of our method with blackbox methods in the literature [24], [28], [31] for attacks 3-5 in terms of adversary's SAR at system's FMR of 10 −3 .As the results in this table show, the frontal face reconstruction by our method (i.e, GaFaR) achieves superior performance than previous methods in the literature.Moreover, when we apply camera parameter optimization (i.e., GaFaR+GS) the  performance of our attack improves up to 11.91%, 3.98%, and 10.00% compared to our frontal face reconstruction (i.e, GaFaR) in attack 3, attack 4, and attack 5, respectively.Comparing the use of ArcFace and ElasticFace as F proxy , the results show that the SAR values in attacks with the ArcFace model are higher.This can be due to the fact that according to Table III, ArcFace has a better recognition performance than ElasticFace.
Table V also shows that SOTA FR systems are vulnerable to our TI attacks in the blackbox scenario.In particular, in attack 5 which is the hardest TI attack, where F target , F template , and F proxy are different, the results show that SOTA FR models (as the target FR system) are still vulnerable to our TI attack.The results of Fig. 7. Sample face images from the FFHQ dataset (first row) and their corresponding frontal (second row) reconstructed face images using our method in the blackbox attack against ElasticFace using ArcFace as F proxy .The values below each image show the cosine similarity between templates of original and frontal reconstructed face images.attack 5 for our proposed method also show the transferability of our attack to different FR systems.In addition, similar to the whitebox scenario, we can also observe that for TI attacks in the blackbox scenario, the FR model with a higher recognition performance is generally more vulnerable to our TI attacks.Comparing the results in Tables IV and V and as expected, attack 1 is the easiest attack with the highest SAR, where F template , F proxy , and F target are the same, and attack 5 is the most difficult attack, where F template , F proxy , and F target are different.Fig. 7 shows sample face images and their corresponding frontal face reconstruction as well as their sub-grids of reconstructed face images with different poses from ElasticFace templates in the blackbox TI attack (i.e., attacks 3-5) using ArcFace as

C. Practical Presentation Attack Using Reconstructed Face Images
In this section, we consider the situation where the adversary uses the reconstructed face image to perform a presentation attack to enter the target FR system.We consider reconstructed face images from ArcFace templates using our proposed face reconstruction method and camera parameter optimizations (i.e., GaFaR, GaFaR+GS, and GaFaR+CO) in both whitebox and blackbox scenarios, and use the reconstructed face images in each case to perform presentation attacks.We perform our presentation attacks against different SOTA FR systems based on the various TI attacks described in Section III-A.Therefore, we similarly have five different presentation attacks according to the adversary's knowledge of the FR system from which the template is leaked (i.e., F template ) and the target FR system (i.e., F target ).We also assume that the adversary can use the reconstructed face images to perform two types of attacks as follows: r Presentation attack via digital replay (replay attack): In this type of presentation attack, the adversary presents the reconstructed face image using a digital display in front of the camera.To perform this attack, we use a tablet (Apple iPad Pro) showing the reconstructed face image and put it in front of the camera of the target FR system.
r Presentation attack via printed photograph: In this type of presentation attack, the adversary prints the reconstructed face image and presents the printed photograph.To perform this attack, we print the reconstructed face images with a colorful laser printer (Develop Ineo+C364e) on typical papers and present the printed photograph in front of the camera of the target FR system.To perform the presentation attacks (with either digital replay or printed photograph), the reconstructed image should Fig. 9. Sample image from the MOBIO dataset, its corresponding reconstructed face images using our face reconstruction methods (i.e., GaFaR, GaFaR+GS, and GaFaR+CO) in the whitebox and blackbox scenarios, the corresponding digital replay attacks and presentation attacks using printed photographs captured with different mobile devices.
be presented in front of the camera of the target FR system.For each of these cases, we considered three different mobile devices, including Apple iPhone 12, Xiaomi Redmi 9 A, and Samsung Galaxy S9, as the camera of the target FR system and capture images from the presentations.Fig. 8 shows our evaluation setup for capturing presentation attacks from tablet and printed photographs using different mobile cameras.It is noteworthy that we used the default display scale on the digital screen (i.e., iPad), in which the reconstructed face images with 512 × 512 resolution do not cover all the screen.However, the face area in the captured images is still larger than the required resolution to feed to be used in the target FR systems.
Fig. 9 illustrates a sample face image from the MOBIO dataset, its reconstructed face images from ArcFace templates using our different methods (GaFaR, GaFaR+GS, and Ga-FaR+CO) in the whitebox and blackbox (using ElasticFace as F proxy ) scenarios, and captured images from the reconstructed face images using different mobile devices in replay attacks and presentation attacks using printed photographs.As this figure shows, the captured images from replay attacks are more similar to the reconstructed face images, while the ones from printed photographs suffer from quality degradation.In addition, different mobile devices introduce different sensor qualities, and therefore different image qualities for the captured images in our experiment.We use the captured images 14 by each mobile device from presentation attacks as inputs to different SOTA FR systems as target FR systems, and evaluate the vulnerability of these FR systems to the presentation attack using the reconstructed face images.
Table VI reports the result of the vulnerability evaluation against SOTA FR systems to TI attacks (by injecting the reconstructed face images in our simulation), and different presentation attacks (digital replay attack and printed photograph) in the whitebox and blackbox scenarios in terms of SAR. 15 It is noteworthy that based on the presentation type, we have two 14 The reconstructed face images and all captured images for our presentation attack evaluation are publicly available. 15According to the ISO/IEC 30107-3 standard [53], the adversary's success attack rate in the evaluation of presentation attack is reported in terms of the Impostor Attack Presentation Match Rate (IAPMR).However, for consistency with our experiments in Section IV-B, we use "SAR" to report the success attack rate in the evaluation of our presentation attacks using reconstructed face images too.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.We also compare the performance of our method with two best blackbox methods in the literature from Table V (i.e., NBNetB-P [24] and Vebdrow and Vendrow [31]) in presentation attacks based on TI attacks 3-5 against SOTA FR models.Table VII reports this evaluation for digital replay presentation attack (captured by Apple iPhone 12) based on TI attacks using ArcFace templates against SOTA FR models in terms of adversary's SAR at the system's FMR of 10 −3 on the MOBIO dataset.The results in this table show that our method still achieves superior performance than previous methods in the literature.Comparing this table with Table V, we can see there are in average −4.7%, 0%, −0.87%, and −2.69% changes in the SAR values in presentation attacks than the injection of reconstructed face images (Table V) for NBNetB-P [24], Vebdrow and Vendrow [31], GaFaR, GaFaR+GS, respectively.

D. Discussion
Our experiments in Section IV-B show that our proposed method outperforms previous methods in the literature in TI attacks against FR systems.To evaluate the effect of each part in our proposed method, we perform an ablation study and train different models.To this end, we evaluate the effect of semi-supervised learning approach in our method compared to fully supervised learning (i.e, using only synthetic data where we have the corresponding latent code for each template) and fully unsupervised learning approach (i.e., using only real data where we do not have the corresponding latent code for each template).In each of fully supervised learning and fully unsupervised learning approaches, we also evaluate the effect of each loss function.In the case of the fully unsupervised learning approach, we also evaluate the effect of adversarial learning in our method.Table VIII reports our ablation study on the effect of each part in our proposed method in attack 1 (injection) against ArcFace model on the MOBIO and LFW datasets in terms of SAR at system's FMR of 10 −2 and 10 −3 .As the results of our ablation study show, the proposed semi-supervised approach has a better reconstruction performance (in terms of SAR) than fully supervised learning and fully unsupervised learning approaches.Moreover, our ablation study on the effect of loss terms shows that each of the loss terms has an important impact on the performance of our face reconstruction network.In particular, using WGAN for our unsupervised learning (i.As another ablation study, we evaluate the effect of hyperparameters in the camera parameter optimization for our proposed grid search (GS) and continuous optimization (CO) approaches.For the grid search optimization approach, in our experiments in Sections IV-B and IV-C, we considered ψ ∈ [−45   For our ablation study, we use the same hyperparameters and only change one of these hyperparameters (i.e., grid size, interval of Φ, and interval of Θ) to evaluate its effect on the performance of our method in terms of SAR and average execution time.Fig. 11 reports our ablation study in the attack 1 (injection) against the ArcFace FR system configured at FMR = 10 −3 on the MOBIO dataset.The results in this figure show that the intervals of Φ and Θ are not required to be very large.Moreover, by increasing the size of our search grid (i.e., the number of steps) we can achieve a better SAR with the cost of a higher execution time.For the continuous optimization approach, in our experiments in Sections IV-B and IV-C, we considered ψ ∈ [−45   ] and used Adam optimizer [42] with 121 iterations and the learning rate of 10 −2 .Similarly, for the ablation study, we use the same hyperparameters and only change one of these hyperparameters (i.e., learning rate, number of iterations, interval of Φ, and interval of Θ) to evaluate its effect on the performance of our method in terms of SAR and average execution time.Fig. 12 reports our ablation study in the attack 1 (injection) against the ArcFace FR system configured at FMR = 10 −3 on the MOBIO dataset.According to these results, similar to the ablation study for the grid search optimization, the intervals of Φ and Θ should not be necessarily very large.In addition, similar to the effect of the grid size in the grid search optimization, by increasing the number of iterations we can achieve a better SAR with the cost of a higher execution time.
According to the results in Tables IV, V, and VI, our camera parameter optimization methods improve the performance of our face reconstruction network.In particular, we observe that GaFaR+GS and GaFaR+CO also improve the SAR in attacks against different target FR systems (i.e., transferability evaluation in attacks 2, 4, and 5) too.This shows that our camera parameter optimization methods improve the attacks in the way that the reconstructed face images have more similar templates to templates of the original face images, even if extracted by a different FR model.Achieving such improvements in attacks against different target FR systems shows the transferability of our pose-optimized reconstructed face images.
We further investigate the effect of our camera parameter optimization methods on our attacks.In attack 1 against Arc-Face, our grid search method increases the similarity between templates of original and reconstructed face images for 89.52% and 88.70% of cases on the MOBIO and LFW datasets, respectively.Moreover, our continuous optimization method increases the similarity between templates for 99.04% and 98.66% of reconstructed face images on the MOBIO and LFW datasets, respectively. 16We also use the pose estimation model in [54] to find the histograms of the pose of original and reconstructed face images in attack 1 against 17 ArcFace on the MOBIO and LFW datasets.As the histograms in this figure show, most of the pose-optimized reconstructed face images have a small variation around the frontal pose.This observation is also consistent with our ablation study in Figs.11 and 12, where we see that the intervals of Φ and Θ are not required to be very large.In addition, Fig. 13 also shows that the pose of reconstructed face images does not have the same distribution as that of the original face images.This demonstrates that our camera parameter optimization methods (CO or GS) do not try to find the same pose as the original images, but rather try to find a pose that has a template with higher similarity to the leaked template.Our transferability evaluations in Tables IV, V, and VI (i.e., attacks 2, 4, and 5) also confirm that the pose-optimized reconstructed face images also achieve better performance in attacks (either inject or even presentation attack) against different FR systems.Therefore, 3D reconstruction is essentially more useful than 2D reconstruction to generate better 2D reconstructed face images in our attacks.Fig. 14 shows sample reconstructed face images from the MOBIO dataset in whitebox and blackbox (using Elas-ticFace) TI attacks using our different reconstruction methods.We can observe that our camera paramter optimization leads to different poses to increase SAR.
Comparing our result in whitebox (Table IV) and blackbox (Table V) attacks in Section IV-B, we observe that our proposed face reconstruction network, GaFaR, achieves better performance in whitebox attacks (attacks 1-2) than blackbox attacks (attacks 1-2) when inverting ArcFace templates (i.e., ArcFace as F template ).However, in inverting ElasticFace templates, the results show that GaFaR achieves better performance in blackbox attacks (attacks 3-5) than whitebox attacks (attacks 1-2).As a matter of fact, the difference in whitebox and blackbox attacks in our method is the FR model used as F proxy for training our network.In blackbox attacks against ElasticFace templates, the ArcFace model is used as F proxy while in whitebox attacks, the ElasticFace model is used as F proxy .Similarly, Table III also shows that ArcFace has a superior recognition performance than ElasticFace, and thus it can more help the training of the face reconstruction network.To further investigate the effect of F proxy for difference attacks, as another experiment we compare the performance of our method in whitebox attacks (attack 1) and blackbox attacks (attack 3 using ArcFace as F proxy ) against different FR systems on the MOBIO and LFW datasets.As the results in Table IX show, in all cases except attacks against Swin, blackbox attacks with ArcFace as F proxy achieve superior performance than whitebox attacks for templates of different FR In drawing our discussion to a close, our experiments in Section IV-B show the vulnerability of SOTA FR systems to TI attacks using our face reconstruction methods (GaFaR, GaFaR+GS, and GaFaR+CO).Similarly, our experiments in Section IV-C show that the reconstructed face images by our proposed methods can be used for presentation attacks against the same FR system or different FR systems that the corresponding user is enrolled (i.e., transferability of the reconstructed face images).In fact, our experiments show potential threats that can seriously jeopardize the security and privacy of users if the facial templates are leaked.In addition to the experiments in Sections IV-B and IV-C, we should note that our proposed method can generate 3D face from facial (as shown in Figs. 1 and 10).Such 3D reconstruction can be used for more sophisticated presentation attacks (e.g., 3D face mask, etc.) against FR systems, which require further studies in future works.

V. CONCLUSION
In this article, we presented a comprehensive vulnerability evaluation of SOTA FR systems to TI attacks using 3D face reconstruction from facial templates.We proposed a new method (called GaFaR) to reconstruct 3D faces from facial templates using a geometry-aware face generation network based on GNeRF.We learned a mapping from facial templates to the intermediate latent space of the GNeRF model with a semi-supervised learning approach using real and synthetic training data.For the real data, where we do not have correct intermediate latent code, we used a GAN-based training to learn the distribution of intermediate latent space of the GNeRF model (unsupervised learning).For the synthetic data, we have the corresponding intermediate latent code and directly learn the mapping (supervised learning).In addition, we proposed two optimization methods on the camera parameters in GNeRF to find a pose that improves the TI attack: grid search and continuous optimization.In the grid search method, we considered a grid for pitch and yaw rotations of the reconstructed face, and in continuous optimization, we used a gradient-based optimizer to optimize camera parameters.
We proposed our method in the whitebox and blackbox attacks against face recognition systems and comprehensively evaluated the vulnerability of SOTA FR systems to our method.Considering whitebox and blackbox blackbox scenarios and adversary's knowledge of target FR system, we defined five types of TI attacks and evaluated the transferability of our reconstructed face images across other FR systems on the MOBIO and LFW datasets.We evaluated the TI attacks by injecting reconstructed face images as queries to the target FR systems.In addition, we performed practical presentation attacks against SOTA FR systems using digital screen replay and printed photographs of reconstructed frontal and pose-optimized face images.Our experiments showed the vulnerability of SOTA FR models to our TI attacks and also presentation attacks using our reconstructed face images.
Last but not least, our proposed method can generate 3D faces from facial images, and we used the 3D reconstruction to find a pose that improves the adversary's success attack rate.However, 3D reconstruction of users' faces paves the way for new types of attacks (e.g., 3D face masks, etc.), which need to be investigated in the future.

Fig. 2 .
Fig. 2. General block diagram of the proposed method: we train a mapping network from facial templates (input) to the intermediate latent space W of GNeRF model.The mapped latent codes along with camera parameters are fed to the GNeRF generator and renderer network (fixed) to generate face image from desired view.Sample outputs of our model (frontal image, view-grid, and 3D face reconstruction) for face reconstruction from B. Obama's facial template are depicted.
model as a geometry-aware face generator network based on GNeRF.This model consists of two networks, a mapping network and a generator and renderer network.The mapping network M GNeRF takes a random noise z ∈ Z in the input and generates an intermediate latent code w = M GNeRF (z) ∈ W. The intermediate latent code w provides more control over the generated face images than input random noise z.The generator and renderer network G(•, •) takes the intermediate latent code w and camera parameters c, to generate a face image I = G(w, c) from an arbitrary view.To reconstruct 3D faces from facial templates, we learn a new mapping M rec : T → W from the facial templates t ∈ T to the intermediate latent space W of the GNeRF model.Then, we feed the mapped intermediate latent vector ŵ along with camera parameters c into the GNeRF model G(•, •) to generate a face image Î = G(

Fig. 4 .
Fig.4.Block diagram of our proposed TI attack: during the training process, a semi-supervised approach is used to learn our mapping M rec (illustrated as a green block) from the facial templates to the intermediate latent space of the GNeRF model.We use real training data (where we don't have the corresponding latent code) and synthetic training data (where we have the corresponding latent code w), simultaneously, for unsupervised and supervised learning in our method.In the inference stage, the leaked template t is fed into our mapping network to find corresponding vector ŵ = M rec ([n, t]) in the intermediate latent space of the GNeRF.Then, camera parameters c along with ŵ are given to the generator and renderer of GNeRF G to generate a reconstructed face image Î = G( ŵ, c).To enhance the attack, we propose an optimization (grid search or continuous optimization) on two of the camera parameters, θ and ψ, from c, to find the best pose, which minimizes the distance between the template of reconstructed face image and the leaked template t.
) and critic network C(.) every n WGAN M iterations, respectively.Algorithm 1 represents our training process.We should note that our mapping network M rec has 2 fully-connected layers with Leaky ReLU activation function.

Fig. 5 .
Fig. 5. Block diagram of a FR system and data flows in normal usage (gray solid arrows), TI attack by injecting the reconstructed face image (orange dashed arrows), and performing presentation attack using the reconstructed face image (red dashed arrows).

Fig.
Fig. Sample face images from the FFHQ dataset (first row) and their corresponding frontal face reconstruction (second row) as well as reconstructed face images within the camera parameters sub-grid (third row) using our method in the whitebox TI attacks (i.e., attacks 1-2) against ArcFace.The values below each image show the cosine similarity between templates of original and frontal reconstructed face images.

Fig. 8 .
Fig. 8.Our evaluation setup for performing different types of presentation and capturing presentation using mobile devices: (a) replay attack using Apple iPad Pro, and (b) presentation attack using printed photograph.

F
proxy .Similar to attacks 1-2, the reconstructed face images in attacks 3-5 are the same, however, they are used to enter different target FR system.

Fig. 10 .
Fig. 10.(a) Sample face image from the FFHQ dataset, (b) its frontal reconstructed face image, (c) its 3D face reconstruction, and (d) the corresponding reconstructed face images with camera parameters grid using our method in the whitebox attack against ArcFace.The cosine similarity between templates of original (a) and frontal (b) reconstructed face images is 0.679.

Fig. 11 .
Fig.11.Ablation study on the effect of different hyperparameters in grid search for camera parameters optimization in terms of success attack rate (SAR) and average execution time for each image reconstruction for whitebox attack (i.e., attack 1) against a FR system based on ArcFace configured at FMR=10 −3 on the MOBIO dataset: a) grid size, b) interval of Φ, and c) interval of Θ.

Fig. 13 .
Fig. 13.Histogram of pitch and yaw in (a) original, (b) GaFaR+GS, and (c) GaFaR+CO for attack 1 against ArcFace on the MOBIO (first row) and LFW (second row) datasets.Note that for GaFaR without any camera parameter optimization, the reconstructed face images are frontal (i.e., pitch and yaw values are zero), and thus the histogram for GaFaR is not depicted in this figure.

Fig. 14 .
Fig. 14.Reconstruction of sample images from the MOBIO dataset in whitebox and blackbox (using ElasticFace) TI attacks against ArcFace templates using our methods.

Algorithm 1 :
Training Process of Our New Mapping Network.Require: θ M , parameters of M rec (.) network.θ C , parameters of network C(.).Require: n epoch , no. epochs.n iteration , no. iterations in each epoch.n WGAN , learning rate for optimizing θ C in WGAN.Require: D real , a dataset of real face images and corresponding facial templates extracted using F template .1: procedure Training 2: Initialize θ C and θ M 3: for epoch = 1, . .., n epoch do

TABLE III RECOGNITION
PERFORMANCE OF FACE RECOGNITION MODELS USED IN OUR EXPERIMENTS IN TERMS OF TRUE MATCH RATE (TMR) AT THE THRESHOLDS CORRESPOND TO FALSE MATCH RATES (FMRS) OF 10 −2 AND 10 −3 EVALUATED ON THE MOBIO AND LFW DATASETS • , +45 • ] and θ ∈ [−30 • , +30 • ] for a 11 × 11 grid with step sizes of ψ step = 9 • and θ step = 6

TABLE IV EVALUATION
OFWHITEKBOX ATTACKS (I.E., ATTACKS 1-2) AGAINST SOTA FR MODELS IN TERMS OF ADVERSARY'S SUCCESS ATTACK RATE (SAR) WHEN INJECTING RECONSTRUCTED FACE IMAGE GENERATED USING OUR FACE RECONSTRUCTION METHODS EVALUATED ON THE MOBIO AND LFW DATASETS

TABLE V EVALUATION
OF BLACKBOX ATTACKS (I.E., ATTACKS 3-5) AGAINST SOTA FR MODELS IN TERMS OF ADVERSARY'S SUCCESS ATTACK RATE (SAR) WHEN INJECTING RECONSTRUCTED FACE IMAGE GENERATED USING DIFFERENT FACE RECONSTRUCTION METHODS EVALUATED ON THE MOBIO AND LFW DATASETS

TABLE VI VULNERABILITY
EVALUATION OF THE SIMULATION (I.E., INJECTION) AND PRACTICAL WHITEBOX AND BLACKBOX TI ATTACKS USING ARCFACE TEMPLATES AGAINST DIFFERENT FR SYSTEMS AS TARGET IN TERMS OF SAR/IAPMR FOR FR SYSTEMS WITH FMR OF 10 −3 EVALUATED ON THE MOBIO DATASET

TABLE VII COMPARISON
OF OUR PROPOSED METHOD WITH PREVIOUS BLACKBOX TI METHODS IN PRACTICAL PRESENTATION ATTACKS (REPLAY ATTACKS CAPTURED BY IPHONE 12) USING ARCFACE TEMPLATES AGAINST DIFFERENT FR SYSTEM (I.E., ATTACKS 3-5) IN TERMS OF SAR/IAPMR AT FMR OF 10 −3 ON THE MOBIO DATASET types of presentation attacks (replay attack and printed photograph), and based on the adversary's knowledge of the FR system from which the template is leaked F template ) and the target FR system (i.e., F target ), we have five different TI attacks (as described in Section III-A) and thus five different corresponding presentation attacks.The results in Table VI show that SOTA FR models as target systems are vulnerable to our attacks.In general, and as also seen in Section IV-B, attack 1 is the easiest attack, and as the adversary's knowledge becomes more limited, the attack gets more difficult in attack 2, attack 3, attack 4, and attack 5, respectively.Comparing our different reconstruction methods (i.e., GaFaR, GaFaR+GS, and GaFaR+CO), we can observe that camera parameter optimizations improve SAR values.The results also show that replay attacks achieve higher SAR values compared to presentation attacks using printed photographs.Comparing the results in Table VI for different mobile devices, the SAR values are comparable across different methods and in different attack types.

TABLE VIII ABLATION
STUDY ON THE PROPOSED SEMI-SUPERVISED LEARNING APPROACH AND EVALUATION OF THE EFFECT OF LOSS TERMS IN ATTACK 1 AGAINST ARCFACE MODEL IN TERMS OF SUCCESS ATTACK RATE (SAR) ON THE MOBIO AND LFW DATASETS e., using real training data where we don't have the true value of intermediate latent codes for each training data) helps our mapping network M rec to learn the distribution of GNeRF intermediate latent space W.However, if we do not use WGAN in training with real data, our mapping network M rec cannot learn the distribution of GNeRF intermediate latent space W, and therefore the generated latent codes by our mapping network M rec will be out of distribution W.This will cause the generator part of GNeRF to generate non-face-like images.In addition to WGAN training, the results in TableVIIIshow that each of the pixel loss and ID loss terms enhances the reconstruction performance of our method in training with either synthetic (supervised learning) or real (unsupervised learning) data.

TABLE IX WHITEBOX
(ATTACK 1) AND BLACKBOX (ATTACK 3) TI ATTACKS WITH OUR METHOD, GAFAR, AGAINST DIFFERENT TARGET FR SYSTEMS IN TERMS OF SAR AT FMR OF 10 −3 ON THE MOBIO AND LFW DATASETS models.In contrast to other FR models in our experiments which are CNN-based, Swin is a transformer-based FR model, which can be the reason why in blackbox attacks with Swin templates using ArcFace (which is a CNN-based FR model) as F proxy could not lead to superior performance.