
Turning Black Box into White Box: Dataset Distillation Leaks

arXiv:2603.01053v1 · 1 citation · h-index: 1
Originality: Highly original
AI Analysis

This work exposes a critical privacy vulnerability in dataset distillation methods, which are widely used for data compression and assumed to be secure, highlighting a significant risk for applications relying on synthetic data for privacy preservation.

The paper tackles the problem of privacy leakage in dataset distillation, showing that synthetic datasets can be exploited to reveal sensitive information about the original data, such as membership and sample recovery, with attacks achieving high accuracy in predicting distillation algorithms and model architectures.

Dataset distillation compresses a large real dataset into a small synthetic one, enabling models trained on the synthetic data to achieve performance comparable to those trained on the real data. Although synthetic datasets are assumed to be privacy-preserving, we show that existing distillation methods can cause severe privacy leakage: because synthetic datasets implicitly encode the weight trajectories of the distilled model, they become over-informative and exploitable by adversaries. To expose this risk, we introduce the Information Revelation Attack (IRA) against state-of-the-art distillation techniques. Experiments show that IRA accurately predicts both the distillation algorithm and the model architecture, and can successfully infer membership and recover sensitive samples from the real dataset.
