Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et alK. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026..
Non-Adaptive Adversarial Face Generation
Authors: Sunpill Kim, Seunghun Paik, Chanwoo Hwang, Minsu Kim, Jae Hong Seo
NeurIPS 2025 | Venue PDF | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this paper, we propose a novel method for generating adversarial faces synthetic facial images that are visually distinct yet recognized as a target identity by the FRS. Unlike iterative optimization-based approaches (e.g., gradient descent or other iterative solvers), our method leverages the structural characteristics of the FRS feature space. We figure out that individuals sharing the same attribute (e.g., gender or race) form an attributed subsphere. By utilizing such subspheres, our method achieves both non-adaptiveness and a remarkably small number of queries. This eliminates the need for relying on transferability and open-source surrogate models, which have been a typical strategy when repeated adaptive queries to commercial FRSs are impossible. Despite requiring only a single non-adaptive query consisting of 100 face images, our method achieves a high success rate of over 93% against AWS s Compare Faces API at its default threshold. |
| Researcher Affiliation | Academia | Sunpill Kim Seunghun Paik Chanwoo Hwang Minsu Kim Jae Hong Seo Department of Mathematics & Research Institute for Natural Sciences, Hanyang University EMAIL |
| Pseudocode | Yes | Algorithm 1 Projection (line 1-6) and Adversarial Face Generation (line 7-8) |
| Open Source Code | No | To prevent misuse, we will not release the adversarial generation pipeline or related APIs. Benchmarking code for FRS evaluation will be shared under controlled access (e.g., to verified academic researchers via a private repository) to ensure responsible dissemination. |
| Open Datasets | Yes | We conducted evaluations on four face datasets: LFW [29], CFP-FP[64], and Age-DB[56], and the Fair Face[35], which offers demographically balanced data to assess attack generalizability. |
| Dataset Splits | Yes | For the method of [63], we used our three open-source face recognition models (F1, F2, F3) as surrogate models to generate adversarial examples, consistent with the original protocol which involves multiple surrogate networks. However, our method differs fundamentally in that it does not require a source image. Instead, we project feature vectors into attribute-specific subspheres (e.g., gender, race) to generate adversarial faces. Therefore, for each training image, we created one adversarial face per attribute category and reported the attribute-wise transfer attack success rates against AWS Compare Face, as shown in Tab. 4. |
| Hardware Specification | Yes | All experiments were conducted on a single NVIDIA A100 GPU using Py Torch [60]. |
| Software Dependencies | No | All experiments were conducted on a single NVIDIA A100 GPU using Py Torch [60]. |
| Experiment Setup | Yes | For obtaining an appropriate set O for Conj. 1, we extract attributed-specific PCA matrices (k = 100) using VGGFace2 [5] with annotations from [70] and annotated Fair Face data. Thresholds τ were selected per dataset: accuracy-optimal values for Verification 3-sets and fixed thresholds for Fair Face. Additional details and results for open-source FRSs and Tencent API are in Appendix A. For commercial FRSs, we used two thresholds provided by the corresponding service provider. Additional details for each model and results for open-source FRSs [16, 40] and Tencent API [13] is given in appendix, due to space constraints. |