EncGradInversion: Image Encoding and Gradient Inversion-Based Batch Attack in Federated Learning

The gradient attack problem has recently been studied to increase the awareness of people on privacy risks in federated learning. However, this attack is constrained under specific conditions such as small image batch sizes and low image resolutions. To address this challenge, we introduce a new three-phase image recovery architecture called EncGradInversion, which harnesses the power of image encoding and the shared gradient inversion. In the first phase, we attempt to extract the representation for all of the images using the gradient at the last layer. Then, in the second phase, the extracted encoding of a specific image is leveraged for reconstructing the image by matching the representation of dummy and approximated images. This allows a parallel algorithm to accelerate the image recovery. In the last phase, the reconstructed images are fine-tuned using the shared gradient of the whole network. In the second and third phases, we formulate an optimization problem to minimize the discrepancy between the shared and reconstructed gradients, while preserving the smoothness and natural appearance of the reconstructed images. Evaluated on various datasets and deep learning models, EncGradInversion shows its superiority to recover the original training images with resolutions as high as 1024×1024 and with the batch size of 512. Furthermore, the proposed architecture outperforms existing counterparts with a factor of up to 9.8 and 6.04, in terms of structural similarity performance and attack time. © 2014 IEEE.