Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
153 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

SPEAR:Exact Gradient Inversion of Batches in Federated Learning (2403.03945v3)

Published 6 Mar 2024 in cs.LG, cs.CR, and cs.DC

Abstract: Federated learning is a framework for collaborative machine learning where clients only share gradient updates and not their private data with a server. However, it was recently shown that gradient inversion attacks can reconstruct this data from the shared gradients. In the important honest-but-curious setting, existing attacks enable exact reconstruction only for batch size of $b=1$, with larger batches permitting only approximate reconstruction. In this work, we propose SPEAR, the first algorithm reconstructing whole batches with $b >1$ exactly. SPEAR combines insights into the explicit low-rank structure of gradients with a sampling-based algorithm. Crucially, we leverage ReLU-induced gradient sparsity to precisely filter out large numbers of incorrect samples, making a final reconstruction step tractable. We provide an efficient GPU implementation for fully connected networks and show that it recovers high-dimensional ImageNet inputs in batches of up to $b \lesssim 25$ exactly while scaling to large networks. Finally, we show theoretically that much larger batches can be reconstructed with high probability given exponential time.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (33)
  1. Deep learning with differential privacy. In CCS, 2016.
  2. K-svd: An algorithm for designing overcomplete dictionaries for sparse representation. IEEE Transactions on signal processing, 54(11):4311–4322, 2006.
  3. LAMP: extracting text from gradients with language model priors. In NeurIPS, 2022a.
  4. Bayesian framework for gradient leakage. In ICLR, 2022b.
  5. When the curious abandon honesty: Federated learning is not private. arXiv, 2021.
  6. Practical secure aggregation for federated learning on user-held data. NIPS, 2016.
  7. Chen, Z. H2 Maths Handbook. Educational Publishing House, 2011.
  8. Data leakage in federated averaging. Transactions on Machine Learning Research, 2022. ISSN 2835-8856. URL https://openreview.net/forum?id=e7A0B99zJf.
  9. Decepticons: Corrupted transformers breach privacy in federated learning for language models. ICLR, 2022a.
  10. Robbing the fed: Directly obtaining private data in federated learning with modified models. In ICLR, 2022b.
  11. Inverting gradients-how easy is it to break privacy in federated learning? NeurIPS, 2020.
  12. Towards general deep leakage in federated learning. arXiv, 2021.
  13. Recovering private text in federated learning of language models. Advances in Neural Information Processing Systems, 35:8130–8143, 2022.
  14. Cocktail party attack: Breaking aggregation-based privacy in federated learning using independent component analysis. In International Conference on Machine Learning, pp. 15884–15899. PMLR, 2023.
  15. Learning multiple layers of features from tiny images. 2009.
  16. Tiny imagenet visual recognition challenge. CS 231N, 7(7), 2015.
  17. Mnist handwritten digit database. ATT Labs [Online]. Available: http://yann.lecun.com/exdb/mnist, 2, 2010.
  18. Auditing privacy defenses in federated learning via generative gradient leakage. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp.  10132–10142, 2022.
  19. Communication-efficient learning of deep networks from decentralized data. In AISTATS, 2017.
  20. Parameswaran, R. Statistics for experimenters: an introduction to design, data analysis, and model building. JMR, Journal of Marketing Research (pre-1986), 16(000002):291, 1979.
  21. Pytorch: An imperative style, high-performance deep learning library. In Wallach, H. M., Larochelle, H., Beygelzimer, A., d’Alché-Buc, F., Fox, E. B., and Garnett, R. (eds.), Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, December 8-14, 2019, Vancouver, BC, Canada, pp.  8024–8035, 2019. URL https://proceedings.neurips.cc/paper/2019/hash/bdbca288fee7f92f2bfa9f7012727740-Abstract.html.
  22. Privacy-preserving deep learning via additively homomorphic encryption. IEEE Trans. Inf. Forensics Secur., (5), 2018.
  23. Exact recovery of sparsely-used dictionaries. In Conference on Learning Theory, pp.  37–1. JMLR Workshop and Conference Proceedings, 2012.
  24. Complete dictionary recovery over the sphere i: Overview and the geometric picture. IEEE Transactions on Information Theory, 63(2):853–884, 2016.
  25. On random pm 1 matrices: singularity and determinant. In Proceedings of the thirty-seventh annual ACM symposium on Theory of computing, pp.  431–440, 2005.
  26. Tikhomirov, K. Singularity of random bernoulli matrices. Annals of Mathematics, 191(2):593–634, 2020.
  27. Tillmann, A. M. On the computational intractability of exact and approximate dictionary learning. IEEE Signal Processing Letters, 22(1):45–49, 2014.
  28. Data leakage in tabular federated learning. ICML, 2022.
  29. Fishing for user data in large-batch federated learning via gradient magnification. In ICML, 2022.
  30. See through gradients: Image batch recovery via gradinversion. In CVPR, 2021.
  31. idlg: Improved deep leakage from gradients. arXiv, 2020.
  32. R-GAP: recursive gradient attack on privacy. In ICLR, 2021.
  33. Deep leakage from gradients. In NeurIPS, 2019.
Citations (2)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now