Unveiling Client Privacy Leakage from Public Dataset Usage in Federated Distillation

TL;DR

This paper reveals that public dataset-assisted federated distillation can leak private client information, demonstrating novel attacks that compromise label distributions and membership privacy, highlighting the need for stronger privacy protections.

Contribution

It provides the first comprehensive privacy analysis of PDA-FD, introducing new inference attacks and evaluating their effectiveness on existing frameworks.

Findings

Attacks achieve minimal KL-divergence in label distribution inference.

Membership inference attacks have high True Positive Rates.

Current PDA-FD frameworks pose significant privacy risks.

Abstract

Federated Distillation (FD) has emerged as a popular federated training framework, enabling clients to collaboratively train models without sharing private data. Public Dataset-Assisted Federated Distillation (PDA-FD), which leverages public datasets for knowledge sharing, has become widely adopted. Although PDA-FD enhances privacy compared to traditional Federated Learning, we demonstrate that the use of public datasets still poses significant privacy risks to clients' private training data. This paper presents the first comprehensive privacy analysis of PDA-FD in presence of an honest-but-curious server. We show that the server can exploit clients' inference results on public datasets to extract two critical types of private information: label distributions and membership information of the private training dataset. To quantify these vulnerabilities, we introduce two novel attacks specifically designed for the PDA-FD setting: a label distribution inference attack and innovative membership inference methods based on Likelihood Ratio Attack (LiRA). Through extensive evaluation of three representative PDA-FD frameworks (FedMD, DS-FL, and Cronus), our attacks achieve state-of-the-art performance, with label distribution attacks reaching minimal KL-divergence and membership inference attacks maintaining high True Positive Rates under low False Positive Rate constraints. Our findings reveal significant privacy risks in current PDA-FD frameworks and emphasize the need for more robust privacy protection mechanisms in collaborative learning systems.