Existing face privacy protection methods are vulnerable to inversion attacks due to insufficient control over transform reversibility, often leading to identity leakage. This work proposes the ARFP framework, which for the first time integrates key-sensitive reversibility with robustness against recovery attacks. By introducing key-conditioned manifold binding, adversarial recovery-aware training, and a nonce-based authorized reversibility mechanism, ARFP establishes an asymmetric privacy defense architecture with tampering awareness. Experimental results demonstrate that the proposed method effectively resists diverse recovery attacks while enabling authorized users to reconstruct identities with high fidelity, thereby significantly enhancing both the security and controllability of face privacy preservation.

Face Recognition systems are widely deployed in real-world applications, but they also raise privacy concerns due to unauthorized collection and misuse of facial data. Existing adversarial privacy protection methods rely on input-space perturbations to obfuscate identity information, yet their protection can degrade when adversaries learn restoration or purification mappings that partially invert the transformation. We study this setting as an asymmetric adversarial attack, in which reverse manipulation becomes feasible because existing defense paradigms do not control reversibility. To address this problem, we propose Asymmetric Reversible Face Protection (ARFP), a restoration-aware extension of personalized face cloaking that integrates privacy protection, keyed recovery, and tamper indication in a single framework. ARFP consists of three components: Key-Conditioned Manifold Binding, which ties the protection transformation to a user-provided key; Adversarial Restoration-Aware Training, which introduces a surrogate restoration adversary during training to improve robustness against evaluated inverse purification attacks; and Authorized Reversible Restoration, which supports recovery with the correct key while providing nonce-based tamper indication. Extensive experiments under the threat models considered in this work show that ARFP improves resistance to the evaluated restoration attacks while preserving authorized recovery utility. These results provide empirical evidence of key-sensitive recovery behavior and tamper awareness in the tested settings.