Gradient Inversion Attacks and Defenses

September 14, 2022

Here we provide a (growing) list of research papers for gradient inversion attacks and defenses. Please feel free to submit an issue to report any new or missing papers.

Papers for attacks

Recent research shows that sending gradients instead of data in Federated Learning can leak private information. These attacks demonstrate that an adversary eavesdropping on a client's communications (i.e. observing the global model weights and the client update) can accurately reconstruct the client's private data using a class of techniques known as "gradient inversion attacks", which raises serious concerns about such privacy leakage.

| Attack name | Paper | Venue | Additional Information Other Than Gradients | Supported | Official implementation |
|---|---|---|---|---|---|
| DLG | Deep leakage from gradients | NeurIPS 2019 | No | Yes | link |
| iDLG | iDLG: Improved Deep Leakage from Gradients | Arxiv | No | Yes | link |
| Inverting Gradients | Inverting Gradients -- How easy is it to break privacy in federated learning? | NeurIPS 2020 | Batch Normalization statistics & private labels | Yes | link |
| R-GAP | R-GAP: Recursive Gradient Attack on Privacy | ICLR 2021 | The rank of the coefficient matrix (see Section 3.1.2 of its paper) | No (a relatively weak attack) | link |
| GradInversion | See through Gradients: Image Batch Recovery via GradInversion | CVPR 2021 | Batch Normalization statistics & good approximation of private labels | No (code unavailable) | No |
| GIAS | Gradient Inversion with Generative Image Prior | NeurIPS 2021 | A GAN trained on the distribution of the training data | No (on our plan) | link |
| CAFE | CAFE: Catastrophic Data Leakage in Vertical Federated Learning | NeurIPS 2021 | Batch indices | No (on our plan) | link |

Papers for defenses

To counter these attacks, researchers have proposed defense mechanisms, including:

  • encrypting gradients, e.g. with a secure aggregation protocol or homomorphic encryption, which is secure but requires special setups and may introduce substantial overhead,
  • perturbing gradients by adding differentially private noise or by gradient pruning, which requires finding a trade-off between accuracy and privacy leakage,
  • encoding the input, e.g. InstaHide, which encodes input data before it is fed to the model and also requires finding a trade-off between accuracy and privacy leakage.

Defenses for plain-text gradients

| Defense name | Paper | Venue | Supported | Official implementation |
|---|---|---|---|---|
| DPSGD | Deep Learning with Differential Privacy | CCS 2016 | Yes | link |
| Gradient Pruning | Deep leakage from gradients | NeurIPS 2019 | Yes | link |
| MixUp | mixup: Beyond Empirical Risk Minimization | ICLR 2018 | Yes | link |
| InstaHide | InstaHide: Instance-hiding Schemes for Private Distributed Learning | ICML 2020 | Yes | link |

Defenses that encrypt gradients

| Defense name | Paper | Venue | Official implementation |
|---|---|---|---|
| Secure Aggregation | Practical Secure Aggregation for Federated Learning on User-Held Data | NeurIPS 2016 | No |
| FastSecAgg | FastSecAgg: Scalable Secure Aggregation for Privacy-Preserving Federated Learning | CCS 2020 | No |
| LightSecAgg | LightSecAgg: Rethinking Secure Aggregation in Federated Learning | Arxiv | No |
| Homomorphic Encryption | Privacy-Preserving Deep Learning via Additively Homomorphic Encryption | ATIS 2017 | No |