I. Introduction
The importance of secure and convenient user authentication on smart mobile devices is increasing. Always-on face recognition (FR) systems have already been adopted in commercial products because they enable accurate user authentication without any physical contact [1]. However, always-on FR on mobile devices requires high recognition accuracy (> 95%) for accurate user authentication and low power consumption (< 1 mW) to sustain always-on operation under limited battery power [2]. Recently, convolutional neural networks (CNNs) have been widely used in FR systems, as they can achieve the highest accuracy on FR tasks [3]. Despite the considerable success of CNNs, adversarial attacks [4], [5] have become a severe problem. An adversarial attack uses an image with a well-structured perturbation that induces misclassification and significantly degrades the recognition performance of the CNN. Even though the perturbation is too small to be distinguished by a human, each convolution layer of the CNN amplifies its effect, resulting in a completely irrelevant recognition result. In addition, when the CNN is used for authentication, an adversarial attack may allow an unauthorized user to access private data. For example, [6] found that an FR CNN can be attacked with indistinguishable face images, and [7] proved that a malicious attacker could disguise himself with a well-designed accessory to become an authorized user with a 100% attack success rate (Fig. 1).
Fig. 1. Adversarial attack on a face recognition system. Source: adapted from [7].