DAGER: Exact Gradient Inversion for Large Language Models

TL;DR

DAGER is a novel algorithm that enables exact recovery of full input text batches from large language models' gradients, significantly improving over prior gradient inversion attacks in speed, scalability, and accuracy.

Contribution

DAGER introduces the first method for exact batch recovery in text domain gradient inversion, exploiting low-rank and discrete structures in LLM gradients.

Findings

Recovers full text batches up to size 128 with high accuracy

Achieves 20x faster speed than prior attacks

Scales to larger batches and models with superior reconstruction quality

Abstract

Federated learning works by aggregating locally computed gradients from multiple clients, thus enabling collaborative training without sharing private client data. However, prior work has shown that the data can actually be recovered by the server using so-called gradient inversion attacks. While these attacks perform well when applied on images, they are limited in the text domain and only permit approximate reconstruction of small batches and short input sequences. In this work, we propose DAGER, the first algorithm to recover whole batches of input text exactly. DAGER leverages the low-rank structure of self-attention layer gradients and the discrete nature of token embeddings to efficiently check if a given token sequence is part of the client data. We use this check to exactly recover full batches in the honest-but-curious setting without any prior on the data for both encoder- and decoder-based architectures using exhaustive heuristic search and a greedy approach, respectively. We provide an efficient GPU implementation of DAGER and show experimentally that it recovers full batches of size up to 128 on large language models (LLMs), beating prior attacks in speed (20x at same batch size), scalability (10x larger batches), and reconstruction quality (ROUGE-1/2 > 0.99).