Enhanced Privacy Leakage from Noise-Perturbed Gradients via Gradient-Guided Conditional Diffusion Models

TL;DR

This paper addresses the privacy leakage risk in Federated Learning where leaked gradients can reveal private data. It introduces Gradient-guided Conditional Diffusion Models (GG-CDMs), which leverage the denoising capabilities of conditional diffusion models to reconstruct high-fidelity images from Gaussian-noised gradients without requiring target-data priors. The authors provide rigorous reconstruction-error bounds, convergence guarantees for the attack loss, and a new Reconstruction Vulnerability (RV) metric to quantify model susceptibility. Extensive experiments across multiple datasets and attacked architectures show that GG-CDMs achieve superior reconstructions under noise defenses, underscoring a significant privacy risk and motivating stronger defenses in gradient leakage settings.

Abstract

Federated learning synchronizes models through gradient transmission and aggregation. However, these gradients pose significant privacy risks, as sensitive training data is embedded within them. Existing gradient inversion attacks suffer from significantly degraded reconstruction performance when gradients are perturbed by noise-a common defense mechanism. In this paper, we introduce gradient-guided conditional diffusion models for reconstructing private images from leaked gradients, without prior knowledge of the target data distribution. Our approach leverages the inherent denoising capability of diffusion models to circumvent the partial protection offered by noise perturbation, thereby improving attack performance under such defenses. We further provide a theoretical analysis of the reconstruction error bounds and the convergence properties of the attack loss, characterizing the impact of key factors-such as noise magnitude and attacked model architecture-on reconstruction quality. Extensive experiments demonstrate our attack's superior reconstruction performance with Gaussian noise-perturbed gradients, and confirm our theoretical findings.

Figures (5)

• Figure 1: An overview of our proposed gradient-guided conditional diffusion model, with a detailed view of the gradient guidance procedure applied at timestep $t$.
• Figure 2: An overview of GGSS at timestep $t$, mapping from data manifold $M_t$ to $M_{t-1}$. The green annulus represents the concentration region of samples in unconditional DDIM reverse sampling, and the blue annulus denotes the concentration region under accurate conditional guidance.
• Figure 3: Reconstruction process of GGSS-R across diverse datasets and attacked models. The Reconstruction Process columns display the intermediate results $\hat{\mathbf{x}}_0(\mathbf{x}_t)$, with final reconstructions and target image presented in the Result and Target columns.
• Figure 4: Reconstruction processes on CelebA with Gaussian noise-perturbed CNN gradients. Reconstructions at peak performance and upon GIA completion are displayed.
• Figure 5: Explanations for Theorem 5.4.

Theorems & Definitions (16)

• Definition 4.1: Jensen Gap pre-trained_diffusion
• Lemma 4.1: Laurent-Massart Bound laurent2000adaptive
• Theorem 5.1: Upper Bound of the Reconstruction Error
• Definition 5.1: Reconstruction Vulnerability (RV)
• Theorem 5.2: Lower Bound of the Reconstruction Error
• Theorem 5.3: Convergence of the Attack Loss
• Theorem 5.4: Upper Bound on the Convergence Rate of the Attack Loss
• proof : Proof of Theorem 5.1
• Lemma A.1: b19
• Lemma A.2: b19