FaceLinkGen: Identity Leakage in PPFR

• The paper demonstrates that FaceLinkGen can extract semantic identity features from PPFR templates even when subjected to significant pixel-level distortion.
• FaceLinkGen employs a three-stage attack pipeline—feature distillation, identity linkage, and face regeneration—to achieve high matching and regeneration accuracy across various PPFR systems.
• Evaluation on systems like PartialFace, MinusFace, and FracFace shows that traditional pixel-level metrics fail to protect identity, urging a shift toward identity-centric privacy evaluations.

FaceLinkGen is a methodology and attack pipeline designed for extracting identity information—specifically identity linkage and face regeneration—from privacy-preserving face recognition (PPFR) templates, even when these templates are subjected to heavy pixel-level distortion. FaceLinkGen exposes a fundamental mismatch between evaluation metrics based on visual similarity (e.g., PSNR, SSIM) and true privacy against identity inference, demonstrating that structural and semantic identity features remain accessible despite strong visual obfuscation (Guo et al., 2 Feb 2026).

1. Background: Transformation-Based PPFR and Its Privacy Limitation

Transformation-based privacy-preserving face recognition systems operate by mapping a user’s face image $X$ through a transformation $T$ into a protected template $T(X)$. The design goal is to preserve identity-discriminative features $z_I$ (e.g., high-level embeddings for recognition) while removing or distorting nuisance factors $z_N$ such as lighting, pose, and expression. The conventional privacy evaluation for such schemes uses pixel-level reconstruction distortion metrics—peak signal-to-noise ratio (PSNR) and structural similarity index (SSIM)—operating under the assumption that a low-quality pixelwise reconstruction implies security against identity theft. However, it is now established that low PSNR/SSIM does not ensure identity protection: two images can have near-zero pixel similarity but match on identity, or vice versa (Guo et al., 2 Feb 2026).

The key research problem addressed by FaceLinkGen is: can adversaries extract semantic identity information from protected templates, bypassing defenses premised on blocking pixel-level reconstruction?

2. Threat Model, Problem Formalization, and Metrics

FaceLinkGen’s attack model considers two broad adversarial scenarios:

• Untrusted service provider (insider): full access to $T$ and observed templates, capable of unlimited queries.
• External intruder (outsider): no direct access to $T$’s internals, but can observe templates and make limited queries.

The pipeline’s objective is to, given $T(X)$ for an original face $X$, produce both a match decision $M \in \{0,1\}$—linkage of templates or queries to subjects—and a synthetic face image $Y$ intended to match the identity of $X$.

Two core quantitative metrics are used:

• Matching accuracy: Top-1 recall/verification accuracy between the true and extracted identity embeddings over $N$ samples, via cosine similarity threshold.
• Regeneration success: Proportion ($\operatorname{Success}@k$) of regenerated faces $Y_{i,j}$ from a template $T(X_i)$ that match the true identity $X_i$ under a commercial face verification API, across $k$ samples per template.

These are evaluated under both “known-key” (full access) and “near-zero-knowledge” (≈30 paired samples for calibration, no privileged access) conditions (Guo et al., 2 Feb 2026).

3. FaceLinkGen Attack Pipeline

FaceLinkGen’s pipeline consists of three main stages:

• Feature Distillation: A student model $f_s$ is trained to mimic the identity discrimination capability of a teacher model $f_t$, which is optimized on raw images, by minimizing the cosine similarity loss on pairs $\{T(X_k), X_k\}$. This adapts architectures such as Antelopev2 with a front convolutional adaptation layer to template data.
• Identity Linkage/Matching: Linkage is performed by retrieving the most similar template in the protected space using $f_s$, by maximizing cosine similarity to a query embedding $e_q$ (derived from either $f_t(X)$ or $f_s(T(X))$).
• Face Regeneration: A generator (e.g., diffusion backbone such as Stable Diffusion 1.5 or Arc2Face) is conditioned on the extracted identity embedding $z'_I = f_s(T(X))$ and stochastic noise $\epsilon \sim \mathcal N(0, I)$ to fill in missing nuisance factors $z'_N$, synthesizing a face $Y = g_{\text{diff}}(z'_I, \epsilon)$. Losses include Euclidean reconstruction error and identity similarity, optionally with a weighting parameter $\lambda$ (Guo et al., 2 Feb 2026).

A combined approach allows: (a) direct matching/linkage in embedding space, and (b) high-fidelity face regeneration for attacker-driven visual and API attribute inference.

4. Experimental Evaluation and Results

FaceLinkGen was applied to three state-of-the-art PPFR systems:

• PartialFace (ICCV 2023): random channel dropout in the DCT domain,
• MinusFace (CVPR 2024): masking in wavelet subbands,
• FracFace (NeurIPS 2025): filtering in the fractional Fourier domain.

Key datasets included CASIA-WebFace (10k identities), LFW, and synthetic TPDNE.

Main Results Summary

System	Top-1 Recall (CASIA)	Verification Acc. (LFW)	Regeneration (Success@5, CASIA)
PartialFace	0.8270	0.992	0.992
MinusFace	0.7206	0.992	0.989
FracFace	0.7863	0.988	0.991

• Reaching 98.5%+ matching and >96% regeneration under full knowledge, and exceeding 92%/94% for matching/regeneration in near-zero-knowledge (30 paired examples, no $T$ access).
• Regenerated faces satisfy high acceptance rates from black-box commercial APIs, confirming that identity information is sufficiently preserved in templates for both automated and visual recovery.
• Pixel-level metrics (SSIM, PSNR) are statistically uncorrelated with identity similarity, confirming the structural privacy gap. For example, two real images of the same person show SSIM ≈ 0.235 (very low) but identity similarity ≈ 0.59 (Guo et al., 2 Feb 2026).

5. Mechanistic Analysis: Why PPFR Templates Leak Identity

Transformation-based PPFR systems are built to preserve $z_I$, the embedding capturing the identity, and only distort or discard $z_N$. This is a direct consequence of the need for recognition utility. The efficacy of FaceLinkGen results from the following:

• Feature Invertibility: Sufficient non-linearity and capacity in student/generator networks enable accurate recovery of semantic identity even from highly transformed or visually distorted templates, as long as $z_I$ is not cryptographically protected.
• Embedding Robustness: Modern recognition embeddings (e.g., ArcFace, Antelopev2) are robust to nuisance factor corruption, making them easy for attackers to learn mappings from $T(X)$ back to identity (Guo et al., 2 Feb 2026, Duong et al., 2020).

This demonstrates a provable structural mismatch between hiding pixels and hiding identity—a critical distinction for biometric privacy.

6. Recommendations and Implications for PPFR System Design

The FaceLinkGen findings necessitate a paradigm shift in the privacy evaluation of face biometrics:

• Metric Redesign: Identity-centric metrics (verification/identification accuracy in embedding space, success rate under adversarial pipelines) should supplant pixel-level distortion (PSNR, SSIM) as principal privacy criteria.
• Algorithmic Defenses: Secure template construction requires cryptographic methods (e.g., user-held secret keys, homomorphic encryption, keyed transforms) so that $T$ is non-invertible without possessing a secret. Purely algorithmic distortion is insufficient for privacy as demonstrated by matching and regeneration results.
• Multi-factor Authentication: Relying exclusively on biometric templates for remote authentication is structurally unsafe under transformation-based PPFR, as linkage and attribute leakage remain tractable (Guo et al., 2 Feb 2026).

A plausible implication is that regulatory and practical deployments of biometric authentication must reevaluate PPFR designs, prioritizing cryptographic or multi-factor strategies.

7. Relationship to Allied Research Domains

FaceLinkGen advances over prior face inversion and feature-to-image pipelines such as DiBiGAN (Duong et al., 2020), which demonstrated photorealistic and ID-consistent regeneration from high-level (even blackbox) embeddings. Those systems, however, presumed cooperative usage, whereas FaceLinkGen is explicitly designed for adversarial template re-identification and regeneration from deliberately obfuscated representations.

FaceLinkGen’s attack methodology also indirectly reinforces the argument, echoed in cross-modal generation research (e.g., (Mitsui et al., 2023, Park et al., 2022, Ji et al., 2024)), that deep representation spaces can retain significant semantic and personal information—even after dimensionality reduction, embedding, or domain transfer. This suggests that defense against identity inference requires not only pixel-level obfuscation but also formal mechanisms at the level of semantics and embeddings.

---

References:

• (Guo et al., 2 Feb 2026) FaceLinkGen: Rethinking Identity Leakage in Privacy-Preserving Face Recognition with Identity Extraction
• (Duong et al., 2020) Vec2Face: Unveil Human Faces from their Blackbox Features in Face Recognition
• (Mitsui et al., 2023) UniFLG: Unified Facial Landmark Generator from Text or Speech
• (Park et al., 2022) SyncTalkFace: Talking Face Generation with Precise Lip-Syncing via Audio-Lip Memory
• (Ji et al., 2024) RealTalk: Real-time and Realistic Audio-driven Face Generation with 3D Facial Prior-guided Identity Alignment Network