SoK: On Gradient Leakage in Federated Learning

Jiacheng Du, Jiahui Hu, Zhibo Wang, Peng Sun, Neil Zhenqiang Gong, Kui Ren, Chun Chen

TL;DR

This work reframes gradient leakage threats in federated learning by evaluating GIAs under practical FL conditions rather than idealized settings. It develops a systematization of GIAs across system model, threat model, attack, and defense, and identifies training setup, model, and post-processing as the three pivotal factors shaping leakage risk. Through theoretical analysis and extensive experiments, the authors show that GIAs are constrained, fragile, and easily defensible in real-world FL, with leakage most pronounced in early training and highly sensitive to architectural choices. They also demonstrate that simple post-processing techniques can defend effectively with minimal utility loss, suggesting that practical FL systems can be made robust against GIAs without heavy cryptographic overhead. The study culminates in actionable guidance and metrics (e.g., IGSA, BRR, WSRR) and calls for realistic, cross-domain defense and threat analyses as FL usage expands into language, multimodal, and large-scale settings.

Abstract

Federated learning (FL) facilitates collaborative model training among multiple clients without raw data exposure. However, recent studies have shown that clients' private training data can be reconstructed from shared gradients in FL, a vulnerability known as gradient inversion attacks (GIAs). While GIAs have demonstrated effectiveness under ideal settings and auxiliary assumptions, their actual efficacy against practical FL systems remains under-explored. To address this gap, we conduct a comprehensive study on GIAs in this work. We start with a survey of GIAs that establishes a timeline to trace their evolution and develops a systematization to uncover their inherent threats. By rethinking GIA in practical FL systems, three fundamental aspects influencing GIA's effectiveness are identified: training setup, model, and post-processing. Guided by these aspects, we perform extensive theoretical and empirical evaluations of SOTA GIAs across diverse settings. Our findings highlight that GIA is notably constrained, fragile, and easily defensible. Specifically, GIAs exhibit inherent limitations against practical local training settings. Additionally, their effectiveness is highly sensitive to the trained model, and even simple post-processing techniques applied to gradients can serve as effective defenses. Our work provides crucial insights into the limited threats of GIAs in practical FL systems. By rectifying prior misconceptions, we hope to inspire more accurate and realistic investigations on this topic.

Paper Structure (27 sections, 3 theorems, 19 equations, 11 figures, 7 tables)


Key Result

Lemma 4.1

For a fully connected network, the input $\mathbf{x}$ can be iteratively derived from the gradient (Eq. eq:mux) by first solving the logit $\mu$ (Eq. eq:gdmu):

Figures (11)

  • Figure 1: Evolution of Gradient Inversion Attack.
  • Figure 2: Three Fundamental Aspects of GIA.
  • Figure 3: Dependence between Gradient $\frac{\partial\ell}{\partial \mathbf{W}}$, $\mu$ and Input $\mathbf{x}$. The ground-truth gradient corresponds to $\mu^{*}$, $\mathbf{x}^{*}$. When the gradients are obfuscated, they correspond to the inaccurate $\mu^{1}$, $\mu^{2}$, and $\mathbf{x}^{1}$, $\mathbf{x}^{2}$.
  • Figure 4: GIA on Series of Data Dimensions.
  • Figure 5: Failure to Reconstruct Semantic Details, Limited Privacy Leakage. (Left: Ground-Truth, Middle: Results of GIA-O, Right: Results of GIA-L, LPIPS$\downarrow$).
  • ...and 6 more figures

Theorems & Definitions (5)

  • Definition 1: GIA with Observable Space Optimization
  • Definition 2: GIA with Latent Space Optimization
  • Lemma 4.1
  • Theorem 4.2
  • Theorem 4.3