Perfect Gradient Inversion in Federated Learning: A New Paradigm from the Hidden Subset Sum Problem

Qiongxiu Li, Lixia Luo, Agnese Gini, Changlong Ji, Zhanhao Hu, Xiao Li, Chengfang Fang, Jie Shi, Xiaolin Hu

TL;DR

This is the first work to rigorously analyze privacy issues in FL by modeling them as HSSP, providing a concrete analytical foundation for further exploration and development of defense strategies.

Abstract

Federated Learning (FL) has emerged as a popular paradigm for collaborative learning among multiple parties. It is considered privacy-friendly because local data remains on personal devices, and only intermediate parameters -- such as gradients or model updates -- are shared. Although gradient inversion is widely viewed as a common attack method in FL, analytical research on reconstructing input training samples from shared gradients remains limited and is typically confined to constrained settings like small batch sizes. In this paper, we aim to overcome these limitations by addressing the problem from a cryptographic perspective. We mathematically formulate the input reconstruction problem using the gradient information shared in FL as the Hidden Subset Sum Problem (HSSP), an extension of the well-known NP-complete Subset Sum Problem (SSP). Leveraging this formulation allows us to achieve perfect input reconstruction, thereby mitigating issues such as dependence on label diversity and underperformance with large batch sizes that hinder existing empirical gradient inversion attacks. Moreover, our analysis provides insights into why empirical input reconstruction attacks degrade with larger batch sizes. By modeling the problem as HSSP, we demonstrate that the batch size \( B \) significantly affects attack complexity, with time complexity reaching \( \mathcal{O}(B^9) \). We further show that applying secure data aggregation techniques -- such as homomorphic encryption and secure multiparty computation -- provides a strong defense by increasing the time complexity to \( \mathcal{O}(N^9 B^9) \), where \( N \) is the number of local clients in FL. To the best of our knowledge, this is the first work to rigorously analyze privacy issues in FL by modeling them as HSSP, providing a concrete analytical foundation for further exploration and development of defense strategies.

Paper Structure

This paper contains 34 sections, 1 theorem, 44 equations, 8 figures, 2 tables.

Key Result

Theorem 1

The shared gradient $\mathbf{G}_w$ produced by the mini-batch data $\mathbf{X}$ can be compactly represented as a scaled version of the product of a weight matrix $\mathbf{D}$ and $\mathbf{X}$, formulated as: Here, $\mathbf{D}$ can be further decomposed into: where $\mathbf{L}\in \mathbb{R}^{M\times B}$ represents the partial gradient of the loss with respect to the output of the first layer and
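An added example (not code from the paper) of the structure Theorem 1 describes, for the assumed simplest case of a linear first layer $z = Wx$ with batch-averaged loss, where $\mathbf{G}_w = \frac{1}{B}\mathbf{L}\mathbf{X}$. It checks that every gradient row lies in the span of the $B$ private inputs, and that summing the updates of $N$ clients, as secure aggregation does, raises the rank bound from $B$ to $NB$, in line with the $\mathcal{O}(N^9 B^9)$ figure in the abstract. The matrix sizes and the random $\mathbf{L}$ are constructed; `client_gradient` and `demo` are hypothetical names.

```python
import random
from fractions import Fraction

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def rank(M):
    """Exact rank by Gaussian elimination over the rationals."""
    M = [[Fraction(v) for v in row] for row in M]
    r = 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(r + 1, len(M)):
            f = M[i][c] / M[r][c]
            M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
    return r

def client_gradient(rng, B, M, d):
    """Return (G, X): first-layer weight gradient and the private batch.

    Assumed model: z = W x, loss averaged over the batch. L[j][i] stands in
    for d(loss_i)/d(z_j); it is drawn at random (constructed data) because
    only the linear structure matters here.
    """
    X = [[rng.randint(0, 255) for _ in range(d)] for _ in range(B)]  # B x d
    L = [[rng.randint(-9, 9) for _ in range(B)] for _ in range(M)]   # M x B
    G = [[Fraction(v, B) for v in row] for row in matmul(L, X)]      # (1/B) L X
    return G, X

def in_row_span(vec, X):
    """True if vec is a linear combination of the rows of X."""
    return rank(X + [vec]) == rank(X)

def demo(B=4, M=12, d=16, N=3, seed=7):
    rng = random.Random(seed)
    G, X = client_gradient(rng, B, M, d)
    # Single client: M gradient rows, but all of them mix only B inputs.
    single = (rank(G), all(in_row_span(g, X) for g in G))
    # Secure aggregation: the server sees only the sum over N clients,
    # so each row now mixes up to N*B unknown inputs.
    grads = [client_gradient(rng, B, M, d)[0] for _ in range(N)]
    agg = [[sum(g[i][j] for g in grads) for j in range(d)] for i in range(M)]
    return single, rank(agg)
```
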

Figures (8)

  • Figure 1: Visualization examples of input reconstruction results using three mHSSP attacks for three datasets, respectively.
  • Figure 2: Input reconstruction results using mHSSP attacks for a batch of samples from the same class label. Due to space limits, results from the multivariate and statistical attacks are presented in Fig. \ref{fig.fl2c} in Appendix \ref{app.con}.
  • Figure 3: Running time (red lines) and attack success rate (blue lines) as a function of subsample size $m\leq M$ using three mHSSP attacks for CIFAR-10 dataset.
  • Figure 4: Running time as a function of the batch size $B$ using three mHSSP attacks.
  • Figure 5: Continuation of Figure \ref{fig.fl2}
  • ...and 3 more figures

Theorems & Definitions (12)

  • Definition 1
  • Definition 2
  • Definition 3
  • Theorem 1
  • proof
  • Definition 4
  • Remark 1
  • Remark 2
  • Definition 5
  • Definition 6
  • ...and 2 more