
Gradient Inversion of Federated Diffusion Models

Jiyue Huang, Chi Hong, Lydia Y. Chen, Stefanie Roos

TL;DR

This work investigates privacy risks in federated diffusion-model training by demonstrating gradient inversion attacks that recover training data from client gradients. It introduces GIDM, a two-phase attack that leverages the diffusion model as a prior to constrain the inversion search and a pixel-wise fine-tuning step to achieve high-fidelity reconstructions, and GIDM+ for scenarios where training noise $\boldsymbol{\epsilon}$ and timestep $t$ are privately held. The authors show that, when $\{\boldsymbol{\epsilon},t\}$ are known, 128×128 reconstructions can nearly reproduce ground-truth images, and even with private parameters, the triple-optimization strategy enables substantial reconstruction on smaller images like CIFAR-100 (32×32). The results underscore a strong privacy risk in gradient sharing for diffusion models and motivate the development of defense strategies for federated diffusion training.

Abstract

Diffusion models are becoming de facto generative models, which generate exceptionally high-resolution image data. Training effective diffusion models requires massive real data, which is privately owned by distributed parties. Each data party can collaboratively train diffusion models in a federated learning manner by sharing gradients instead of the raw data. In this paper, we study the privacy leakage risk of gradient inversion attacks. First, we design a two-phase fusion optimization, GIDM, to leverage the well-trained generative model itself as prior knowledge to constrain the inversion search (latent) space, followed by pixel-wise fine-tuning. GIDM is shown to be able to reconstruct images almost identical to the original ones. Considering a more privacy-preserving training scenario, we then argue that locally initialized private training noise $\boldsymbol{\epsilon}$ and sampling step $t$ may raise additional challenges for the inversion attack. To solve this, we propose a triple-optimization GIDM+ that coordinates the optimization of the unknown data, $\boldsymbol{\epsilon}$ and $t$. Our extensive evaluation results demonstrate the vulnerability of sharing gradients for data protection of diffusion models: even high-resolution images can be reconstructed with high quality.

Paper Structure (11 sections, 2 equations, 5 figures, 2 tables, 1 algorithm)

This paper contains 11 sections, 2 equations, 5 figures, 2 tables, 1 algorithm.

Figures (5)

  • Figure 1: Original training images (left) vs. images recovered (right) by gradient inversion of diffusion models.
  • Figure 2: Gradient inversion on diffusion models, with the search space constrained by the trained diffusion models. We use one $128 \times 128$ image from the CelebA dataset as an example to show every intermediate result above. The fusion optimization includes two phases: the generative phase (8000 iterations on this example) and the fine-tuning phase (1500 iterations), to reconstruct with efficiency and effectiveness. The output of the generative phase differs from the original data in hair, face, and background.
  • Figure 3: Visualization of recovered images compared with baselines on the CelebA and LSUN-Bedroom datasets. Images reconstructed with the server initializing $\{\boldsymbol{\epsilon}, t\}$ are $128 \times 128$, while with private client initialization, $32 \times 32$ images are successfully recovered. "Generative" in the figure is the output of our generative phase before the fine-tuning phase.
  • Figure 4: Step-by-step visualization of intermediate gradient inversion results. The generative phase is marked by yellow arrows and the fine-tuning phase by red arrows. We initialize the latent code with $128 \times 128$ Gaussian noise. The generative phase is trained for 5000 iterations and the fine-tuning phase for 2000 iterations. We present evenly spaced iterations through the whole process.
  • Figure 5: Step-by-step visualization of intermediate gradient inversion results, comparing known and unknown $t$. We initialize the latent code with $128 \times 128$ Gaussian noise. We present some representative intermediate outputs through the whole process. The total number of inversion iterations is 3000.