Private Graph Reconstruction (PGR)
- Private Graph Reconstruction (PGR) is a framework for recovering hidden graph topologies from indirect artifacts such as GNN explanations, gradients, and secure protocol outputs.
- The methodology spans several algorithmic families including explanation-based similarity attacks, model inversion via GANs, and algebraic graph reconstruction using common-neighbor matrices.
- Empirical studies show high reconstruction fidelity under various threat models, while defenses like synthetic graph training and privacy bottlenecks aim to suppress topology leakage.
Private Graph Reconstruction (PGR) denotes a family of attack and defense problems in which a hidden graph, subgraph, or topology is recovered from released artifacts other than the raw adjacency itself. In recent work, the released artifact may be a GNN explanation vector, a differentially private explanation, a model output or embedding, a common-neighbor matrix produced by a secure protocol, a federated gradient update, or a sequence of Graph RAG responses. The reconstruction target likewise varies: an adjacency matrix , a target subgraph , an edge set , or a graph distribution conditioned on leaked labels or embeddings. Across these formulations, PGR studies ask how much structural information survives in ostensibly indirect views of a graph, how that leakage can be quantified, and which defenses preserve task utility while suppressing topology inference (Sahoo et al., 5 May 2026, Olatunji et al., 2022, Fu et al., 5 Sep 2025, Azogagh et al., 2024, Drencheva et al., 3 Mar 2025, Song et al., 6 Feb 2026, Keji et al., 29 Jun 2026, Zhou et al., 2023).
1. Scope and canonical problem formulations
A common formal substrate represents a graph as or , with adjacency matrix , node features , and sometimes labels . The private object is typically the edge set or the full topology. In explanation-based settings, the server withholds both and the trained GNN but exposes node-level attributions such as 0, optionally after privacy perturbation 1; reconstruction then means predicting whether 2 and producing a reconstructed adjacency 3 (Sahoo et al., 5 May 2026, Olatunji et al., 2022). In topology-inference settings, the attacker queries a black-box node classifier and reconstructs a target subgraph 4 by selecting an attack graph 5 over the same node set (Fu et al., 5 Sep 2025). In Graph RAG, the target is usually the one-hop subgraph around an entity 6, with 7, reconstructed from closed-box LLM answers (Song et al., 6 Feb 2026).
Other formulations broaden the leakage channel. In federated learning, the attack may reconstruct both graph structure and node features from a single client gradient 8, yielding exact or near-exact recovery of 9 (Drencheva et al., 3 Mar 2025). In secure multiparty computation, the released object may be the full common-neighbor matrix 0, from which the adversary reconstructs a graph 1 satisfying 2, usually only up to the equivalence notion of co-squareness (Azogagh et al., 2024). In graph-level model inversion, the target is not necessarily one specific training instance but a conditional graph distribution such as 3 or 4, reconstructed from labels or embeddings returned by a queried target model (Keji et al., 29 Jun 2026).
| Setting | Released artifact | Reconstruction target |
|---|---|---|
| DP GNN explanations | 5, 6 | adjacency 7 |
| Feature-explanation attacks | 8 | edge set / 9 |
| Black-box topology inference | posterior vectors 0 | target subgraph 1 |
| Secure protocol leakage | common-neighbor matrix 2 | graph up to co-squareness |
| Federated gradient inversion | 3 | exact 4 |
| Graph RAG extraction | LLM responses | one-hop subgraph 5 |
A terminological ambiguity is now standard. In most of this literature, PGR refers to the attack problem of reconstructing private graph structure. In "Safeguarding Graph Neural Networks against Topology Inference Attacks," however, "Private Graph Reconstruction (PGR)" names a defense that trains a released GNN on a synthetic graph 6 whose edges do not overlap with the original graph, thereby protecting topology privacy (Fu et al., 5 Sep 2025).
2. Reconstruction channels and algorithmic families
Explanation leakage has become one of the most technically developed PGR channels. "Private Graph Extraction via Feature Explanations" studies explanation-only similarity attacks and explanation-augmented structure learning. Explanation-only reconstruction computes pairwise similarity, typically cosine similarity, between explanation vectors 7, while stronger GSEF-style attacks learn a parameterized adjacency so that denoising autoencoders reconstruct features and explanations and a GCN predicts labels under the learned graph (Olatunji et al., 2022). "Graph Reconstruction from Differentially Private GNN Explanations" extends this to the case where only differentially private explanations are observable. Its PRIVX attack identifies Gaussian DP perturbation with a single DDPM forward step at effective timestep
8
then performs reverse diffusion with a graph-transformer denoiser conditioned on the noisy signal via cross-attention, finally decoding a reconstructed adjacency by sigmoid thresholding (Sahoo et al., 5 May 2026).
A second family treats PGR as model inversion from outputs, embeddings, or learned representations. "Rethinking Generative Reconstruction Attacks against Graph Neural Network Models" introduces two GAN-based attacks: GLC, which reconstructs graphs conditioned on predicted labels and approximates 9, and ELC, which conditions on intermediate embeddings and labels to approximate 0 (Keji et al., 29 Jun 2026). "On Strengthening and Defending Graph Reconstruction Attack with Markov Chain Approximation" instead models the GNN forward pass as an ORI-chain 1 and an attack chain 2. Its MC-GRA attack maximizes a composite objective over propagation approximation, output approximation, label approximation, and adjacency complexity, using mutual-information surrogates between chain states (Zhou et al., 2023).
A third family exploits artifacts that expose more direct algebraic structure. "GRAND: Graph Reconstruction from potential partial Adjacency and Neighborhood Data" takes the common-neighbor matrix 3 as input and combines deterministic topological inference, spectral sign selection, targeted error forgetting, and explicit handling of co-square ambiguities (Azogagh et al., 2024). "GRAIN: Exact Graph Reconstruction from Gradients" uses the low-rank factorization
4
to recover discrete node features by span checks, build locally consistent 5-hop neighborhoods, and then glue them through a DFS-based search until the reconstructed graph reproduces the observed client gradient (Drencheva et al., 3 Mar 2025).
Graph RAG adds a closed-box, multi-turn variant of PGR. "Subgraph Reconstruction Attacks on Graph RAG Deployments with Practical Defenses" defines targeted one-hop subgraph reconstruction against a Graph-RAG-backed LLM. Its GRASP attack reframes extraction as relation processing rather than explicit exfiltration, enforces per-record identifiers to preserve row-level grounding, and uses a momentum-aware scheduler over diversity templates to maximize newly extracted relations under a small query budget (Song et al., 6 Feb 2026). This differs from GNN inversion attacks in that the adversary never sees model weights, logits, or raw retrieved subgraphs.
3. Identifiability, adversary models, and evaluation criteria
PGR does not have a single identifiability notion. In explanation-based link reconstruction, the target is usually binary edge prediction, and performance is evaluated by AUC-ROC and Average Precision over edge/non-edge pairs (Sahoo et al., 5 May 2026, Olatunji et al., 2022). In topology privacy, the main metric is Topology Privacy Leakage,
6
the Jaccard similarity between the true and inferred edge sets of the target subgraph (Fu et al., 5 Sep 2025). In Graph RAG, reconstruction is scored by macro Precision, Recall, and F1 under either strict RType matching, which requires the full typed triple to be correct, or Naïve matching, which ignores relation type and focuses on topology (Song et al., 6 Feb 2026). In graph-distribution inversion, the comparison is distributional rather than edgewise and uses FGD, EGD, MMD, and GKS (Keji et al., 29 Jun 2026). In federated gradient inversion, the paper introduces GSM-0, GSM-1, and GSM-2, graph-similarity metrics built from matched 7-hop neighborhood embeddings and designed to be polynomial-time computable and invariant to graph isomorphisms (Drencheva et al., 3 Mar 2025).
One of the sharpest formal adversary models appears in the DP-explanation setting. There the attacker is parameterized by a knowledge tuple
8
where 9 is the believed DP mechanism, 0 are estimated privacy parameters, 1 is the observed node subset, and 2 is the observation fraction. The paper defines Type I, II, and III adversaries ranging from oblivious to oracle, and derives endpoint-matched two-sided bounds on Type-II reconstruction AUC: 3 These bounds are exact at 4 and 5, bracket realistic partial-observation attackers, and make the dependence on observation fraction explicit (Sahoo et al., 5 May 2026).
A different kind of non-identifiability arises in reconstruction from common-neighbor matrices. GRAND introduces co-squareness: two graphs 6 and 7 on the same labeled vertex set are co-square when 8. This is distinct from both graph isomorphism and co-spectrality, and it implies that releasing 9 identifies the original graph only up to its co-square class (Azogagh et al., 2024). A plausible implication is that PGR should often be read as exact recovery of the private graph object modulo the invariances induced by the leakage channel, rather than literal recovery of one canonical adjacency in all settings.
4. Structural determinants of leakage
Graph structure, explanation family, and model architecture strongly modulate reconstructability. In the DP-explanation setting, the relevant distinction is not merely between local and global explainers but between neighborhood-aggregating and per-node gradient explainers. On homophilic graphs, GraphLIME and GNNExplainer leak more structure than Grad or GradInput under the same DP budget because neighborhood aggregation boosts signal-to-noise ratio before noise is added; on strongly heterophilic graphs, the ordering reverses, and anti-correlation across edges yields usable reconstruction signal even when label homophily is low (Sahoo et al., 5 May 2026). The same work defines edge fidelity
0
and shows that homophily aligns edge fidelity with label fidelity, whereas heterophily can decouple them.
Earlier non-DP work on feature explanations reported a different ranking: gradient-based explanations can reveal the most graph structure despite low fidelity, while privacy leakage for perturbation-based and surrogate methods tends to increase with explanation utility (Olatunji et al., 2022). This suggests that leakage rankings are sensitive to both the release mechanism and the graph regime. The same paper also finds that large, informative feature spaces and strong feature-edge correlation materially strengthen reconstruction, whereas disassortative graphs or weakly correlated features weaken both feature-only and explanation-based attacks (Olatunji et al., 2022).
Backbone choice is another recurrent determinant. Under DP explanation release, GraphSAGE consistently yields the highest reconstruction AP, reported as 1–2 pp above GCN, because mean-pooling averages noise and produces smoother representations that survive perturbation (Sahoo et al., 5 May 2026). In the Markov-chain view of GRA, more accurate and expressive GNNs are usually more vulnerable because they store more link-sensitive information, although deeper models can compress adjacency information in later representations and thereby modestly improve privacy at the cost of over-smoothing risk (Zhou et al., 2023). In federated inversion, GAT is particularly exposed because full-rank attention matrices make span-based reconstruction especially effective; the paper reports near-complete recovery in many GAT settings (Drencheva et al., 3 Mar 2025).
The retrieval substrate also matters. In Graph RAG, increasing the number of retrieved relations per query improves recall, and undirected frameworks such as LightRAG and nano-GraphRAG are easier targets than directed GraphRAG because direction errors are less punitive under evaluation (Song et al., 6 Feb 2026). In topology-defense experiments, sparse graphs are easier to protect with synthetic-graph substitution, while denser graphs such as Emory remain the hardest cases for low-leakage defense (Fu et al., 5 Sep 2025).
5. Empirical performance across attack surfaces
The empirical record shows that PGR is not confined to pathological white-box settings. Against DP-protected explanations, PRIVX attains AUC above 3 at 4 on five of seven datasets, with representative values including Cora with GNNExplainer and GraphSAGE at AUC 5, AP 6, Chameleon with GNNExplainer and GraphSAGE at AUC 7, and IMDB with Grad and GCN at AUC 8. The paper further notes that AP remains above chance down to 9 on Cora and IMDB and approaches chance only near 0 (Sahoo et al., 5 May 2026).
Feature-explanation attacks can be even stronger when DP is absent. On Cora, the explanation-augmented GSEF-ExpOnly attack using Grad explanations reaches AUC approximately 1 and AP approximately 2; on CiteSeer, the same configuration reaches AUC approximately 3 and AP approximately 4. Explanation-only cosine-similarity attacks often outperform feature similarity baselines for Grad, Grad-I, Zorro, and Zorro-S, and partial explanations for only about 5 of nodes still permit strong reconstruction on several datasets (Olatunji et al., 2022).
In topology inference from black-box node posteriors, the escalation from edge-level attacks to graph-level reconstruction is particularly stark. Metric-based and classifier-based TIAs produce substantial leakage, while influence-based I-TIA attains 6 for subgraphs of 7 nodes and even for the whole graph in the reported experiments, and also accurately recovers community structure and influential nodes (Fu et al., 5 Sep 2025). In federated learning, GRAIN reports reconstruction of up to 8 of all graphs exactly, while the baseline achieves up to 9 correctly positioned nodes; on multiple molecule and social-network settings, exact recovery rates are substantial and much higher for GAT than for GCN (Drencheva et al., 3 Mar 2025).
Closed-box Graph RAG is likewise vulnerable. GRASP attains the strongest type-faithful reconstruction across four safety-aligned LLMs, reaching up to 0 F1 on Enron and 1 F1 on HealthCareMagic under the RType metric, whereas prior prompt-based extraction attacks frequently collapse under safe prompting, especially on GPT-5-mini and Claude Haiku (Song et al., 6 Feb 2026). Generative black-box inversion on graph classification models also remains viable under restricted queries: the GAN-based GLC and ELC attacks outperform VAE baselines across NCI1, PROTEINS, and AIDS, and the 2-query Ours-- variants retain good or comparable performance (Keji et al., 29 Jun 2026).
These results are not numerically comparable across papers because the targets, metrics, and observables differ. What is comparable is the qualitative pattern: high-fidelity reconstruction is repeatedly achievable from explanations, outputs, embeddings, gradients, secure-protocol outputs, and Graph RAG responses, often under black-box or partially informed adversaries.
6. Defenses, privacy notions, and unresolved tensions
A persistent conclusion is that privacy mechanisms aligned to the wrong object do not adequately protect topology. Differential privacy on explanations alone is insufficient in the DP-explanation setting at commonly deployed budgets: with 3, reconstruction remains strong on multiple datasets, and meaningful suppression of leakage often requires 4, where explanation utility deteriorates. The same study reports that Laplace DP is slightly less protective than Gaussian at the same nominal 5 because it preserves more exploitable small-magnitude structure (Sahoo et al., 5 May 2026). Earlier explanation work proposed a randomized response defense for explanation release and proved a 6-local differential privacy guarantee. On Zorro explanations for Cora, this defense reduces ExSim from AUC approximately 7, AP approximately 8 to AUC approximately 9, AP approximately 0 at 1, with fidelity dropping from 2 to 3 and roughly 4 of original 5-bits retained (Olatunji et al., 2022).
A more targeted training-time defense is the Markov-chain Graph Privacy Bottleneck. MC-GPB minimizes
6
thereby encouraging representations that remain predictive of labels while forgetting link-sensitive information. Reported results include an average reduction of about 7 in attack AUC on Polblogs for about 8 accuracy loss, with larger reductions in some regimes (Zhou et al., 2023). This framework directly encodes the privacy objective as compression of 9, rather than perturbing outputs after the fact.
The paper that explicitly names its defense "Private Graph Reconstruction" takes an even stronger stance: protect topology by replacing the training graph itself with a synthetic graph 00 satisfying 01. Its bi-level objective is
02
with 03. The synthetic graph is built incrementally from meta-gradients masked by the complement adjacency. Empirically, this reduces M-TIA, C-TIA, and I-TIA leakage from values such as 04, 05, and 06 on Cora to 07, 08, and 09, with maximal accuracy drop bounded by 10. The same work argues that existing edge-DP methods are misaligned with graph-level topology privacy: some hardly reduce TPL, while others suppress leakage only by severely damaging accuracy (Fu et al., 5 Sep 2025).
Graph RAG defenses underscore the same point. Safe prompts, abstractive summarization, and extractive summarization substantially weaken explicit exfiltration prompts but do little against GRASP, which is framed as benign relation processing. By contrast, context-level manipulations aimed at the attack’s grounding mechanism are much stronger: ID Alignment removes unique per-row identifiers, while Decoy injects misleading entity columns that benign prompts ignore but attack prompts latch onto. On Enron, GRASP drops from RType F1 11 to 12 under ID Alignment, to 13 under Decoy, and to roughly 14–15 under layered combinations, while QA utility remains roughly stable; PAD-like decoding defenses show a markedly worse defense–utility trade-off (Song et al., 6 Feb 2026).
Finally, some settings show that the issue lies not in the protocol but in the informativeness of the released function. GRAND demonstrates that secure multiparty computation of the common-neighbor matrix can remain cryptographically sound while still leaking the graph itself up to co-squareness (Azogagh et al., 2024). GRAIN, in turn, indicates that federated learning with per-client gradients is structurally vulnerable unless gradients are hidden or heavily perturbed, with secure aggregation emerging as the most credible mitigation mentioned in the paper (Drencheva et al., 3 Mar 2025). Taken together, these results place PGR at the intersection of graph privacy, inversion attacks, explainability, and secure systems: the central question is not whether a release is indirect, but whether it preserves enough structural signal to support reconstruction.