Exploring User-level Gradient Inversion with a Diffusion Prior
This addresses privacy risks in distributed learning by enabling more effective inference of sensitive user information from gradients, though it is an incremental improvement over existing attacks.
The paper tackles the problem of poor reconstruction quality in user-level gradient inversion attacks by proposing a novel method that uses a denoising diffusion model as an image prior to recover representative facial images and private user attributes, demonstrating realistic recovery in experiments with face images.
We explore user-level gradient inversion as a new attack surface in distributed learning. We first investigate existing attacks on their ability to make inferences about private information beyond training data reconstruction. Motivated by the low reconstruction quality of existing methods, we propose a novel gradient inversion attack that applies a denoising diffusion model as a strong image prior in order to enhance recovery in the large batch setting. Unlike traditional attacks, which aim to reconstruct individual samples and suffer at large batch and image sizes, our approach instead aims to recover a representative image that captures the sensitive shared semantic information corresponding to the underlying user. Our experiments with face images demonstrate the ability of our methods to recover realistic facial images along with private user attributes.