See through Gradients: Image Batch Recovery via GradInversion
Hongxu Yin, Arun Mallya, Arash Vahdat, Jose M. Alvarez, Jan Kautz, Pavlo Molchanov

TL;DR
This paper demonstrates that gradients in deep neural networks can be inverted to recover the original input images, even from large batches, challenging the prior assumption that gradient sharing is safe for privacy.
Contribution
The authors introduce GradInversion, a novel method that recovers images from gradients averaged over large batches, for complex networks and datasets, going beyond the restrictive settings of prior work.
Findings
Gradients encode extensive information about input data.
High-fidelity image recovery is possible from large batches and deep networks.
Gradient sharing poses significant privacy risks.
Abstract
Training deep neural networks requires gradient estimation from data batches to update parameters. Gradients per parameter are averaged over a set of data and this has been presumed to be safe for privacy-preserving training in joint, collaborative, and federated learning applications. Prior work only showed the possibility of recovering input data given gradients under very restrictive conditions - a single input point, or a network with no non-linearities, or a small 32x32 px input batch. Therefore, averaging gradients over larger batches was thought to be safe. In this work, we introduce GradInversion, using which input images from a larger batch (8 - 48 images) can also be recovered for large networks such as ResNets (50 layers), on complex datasets such as ImageNet (1000 classes, 224x224 px). We formulate an optimization task that converts random noise into natural images, matching…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Privacy-Preserving Technologies in Data
