This work addresses adversarial attacks against black-box face recognition systems. We propose a non-adaptive adversarial face generation method based on attribute-conditioned subsphere modeling—requiring only a single batch query (100 images) and eschewing iterative optimization, transfer-based attacks, or surrogate model dependencies. Our approach explicitly models high-level semantic attributes (e.g., gender, ethnicity) as disjoint feature subspheres in the embedding space, enabling targeted identity impersonation via attribute-controllable synthesis and cross-domain feature alignment. Crucially, it eliminates adaptive querying and model-specific assumptions. The core contribution is the first formulation of facial attributes as structured subspheres in the recognition embedding space, facilitating both attribute-aware adversarial perturbation and robust feature-space alignment without access to model internals or gradients. Evaluated on the AWS CompareFaces API, our method achieves a 93.2% attack success rate—the highest among existing non-adaptive attacks and with the fewest queries to date.

Adversarial attacks on face recognition systems (FRSs) pose serious security and privacy threats, especially when these systems are used for identity verification. In this paper, we propose a novel method for generating adversarial faces-synthetic facial images that are visually distinct yet recognized as a target identity by the FRS. Unlike iterative optimization-based approaches (e.g., gradient descent or other iterative solvers), our method leverages the structural characteristics of the FRS feature space. We figure out that individuals sharing the same attribute (e.g., gender or race) form an attributed subsphere. By utilizing such subspheres, our method achieves both non-adaptiveness and a remarkably small number of queries. This eliminates the need for relying on transferability and open-source surrogate models, which have been a typical strategy when repeated adaptive queries to commercial FRSs are impossible. Despite requiring only a single non-adaptive query consisting of 100 face images, our method achieves a high success rate of over 93% against AWS's CompareFaces API at its default threshold. Furthermore, unlike many existing attacks that perturb a given image, our method can deliberately produce adversarial faces that impersonate the target identity while exhibiting high-level attributes chosen by the adversary.