Perfect Gradient Inversion in Federated Learning: A New Paradigm from the Hidden Subset Sum Problem

TL;DR

This paper introduces a cryptographic approach to perfectly reconstruct training data from shared gradients in federated learning by modeling the problem as a Hidden Subset Sum Problem, revealing new privacy vulnerabilities and defense strategies.

Contribution

It formulates the input reconstruction problem as HSSP, enabling perfect recovery of data and analyzing the impact of batch size and secure aggregation on attack complexity.

Findings

Perfect input reconstruction from gradients using HSSP formulation

Attack complexity scales as (B^9) with batch size B

Secure aggregation increases attack complexity to (N^9 B^9)

Abstract

Federated Learning (FL) has emerged as a popular paradigm for collaborative learning among multiple parties. It is considered privacy-friendly because local data remains on personal devices, and only intermediate parameters -- such as gradients or model updates -- are shared. Although gradient inversion is widely viewed as a common attack method in FL, analytical research on reconstructing input training samples from shared gradients remains limited and is typically confined to constrained settings like small batch sizes. In this paper, we aim to overcome these limitations by addressing the problem from a cryptographic perspective. We mathematically formulate the input reconstruction problem using the gradient information shared in FL as the Hidden Subset Sum Problem (HSSP), an extension of the well-known NP-complete Subset Sum Problem (SSP). Leveraging this formulation allows us to achieve perfect input reconstruction, thereby mitigating issues such as dependence on label diversity and underperformance with large batch sizes that hinder existing empirical gradient inversion attacks. Moreover, our analysis provides insights into why empirical input reconstruction attacks degrade with larger batch sizes. By modeling the problem as HSSP, we demonstrate that the batch size \( B \) significantly affects attack complexity, with time complexity reaching \( \mathcal{O}(B^9) \). We further show that applying secure data aggregation techniques -- such as homomorphic encryption and secure multiparty computation -- provides a strong defense by increasing the time complexity to \( \mathcal{O}(N^9 B^9) \), where \( N \) is the number of local clients in FL. To the best of our knowledge, this is the first work to rigorously analyze privacy issues in FL by modeling them as HSSP, providing a concrete analytical foundation for further exploration and development of defense strategies.