Verifiably Forgotten? Gradient Differences Still Enable Data Reconstruction in Federated Unlearning
Fuyao Zhang, Wenjie Li, Yurong Hao, Xinyu Yan, Yang Cao, Wei Yang Bryan Lim
TL;DR
This paper reveals a privacy vulnerability in federated unlearning where gradient differences can be exploited to reconstruct forgotten data, and proposes an attack method (IGF) along with a defense mechanism to mitigate this risk.
Contribution
The paper introduces a novel learning-based attack framework (IGF) that effectively reconstructs forgotten data from gradient differences and proposes an orthogonal obfuscation defense to prevent such reconstruction.
Findings
IGF surpasses existing methods in reconstruction fidelity.
The orthogonal obfuscation defense effectively prevents data reconstruction.
Experiments validate the attack's success and the defense's robustness.
Abstract
Federated Unlearning (FU) has emerged as a critical compliance mechanism for data privacy regulations, requiring unlearned clients to provide verifiable Proof of Federated Unlearning (PoFU) to auditors upon data removal requests. However, we uncover a significant privacy vulnerability: when gradient differences are used as PoFU, honest-but-curious auditors may exploit mathematical correlations between gradient differences and forgotten samples to reconstruct the latter. Such reconstruction, if feasible, would face three key challenges: (i) restricted auditor access to client-side data, (ii) limited samples derivable from individual PoFU, and (iii) high-dimensional redundancy in gradient differences. To overcome these challenges, we propose Inverting Gradient difference to Forgotten data (IGF), a novel learning-based reconstruction attack framework that employs Singular Value…
Peer Reviews
Decision·ICLR 2026 Conference Withdrawn Submission
1. Novel viewpoint – The first to reveal privacy leakage via gradient differences in PoFU. 2. Thorough experimentation – Covers diverse datasets, architectures, and FU scenarios. 3. Strong writing and organization – Clear structure and academic rigor suitable for ICLR publication.
1. Strong assumptions – The auditor’s access to gradients and auxiliary datasets is unrealistic in many FU deployments (e.g., DP, sparsification). 2. Limited defense evaluation – The defense lacks quantitative utility–privacy trade-off metrics. 3. Narrow interpretation of results – The analysis focuses mainly on reconstruction fidelity, not systemic implications for FU protocols. 4. Experiments are limited to image datasets; generalization to NLP or tabular FU tasks remains untested. 5. The
+ The problem statement and motivation are clear. + The paper is generally well written. + The method and the proposed defense are discussed in reasonable detail.
The paper's central threat model relies on an honest-but-curious auditor receiving a PoFU. This premise is not sufficiently justified. Why can't the client who requested the unlearning simply act as their own auditor by downloading the unlearned global model and verifying the data's removal directly (e.g., via membership inference)? What specific limitations of such a direct, client-side verification justify the introduction of a third-party auditor? Considering the paper's premise that a third
1. Novel Problem Formulation: The paper identifies a previously underexplored vulnerability in federated unlearning verification, namely, that even verifiable unlearning proofs may unintentionally reveal private information. This perspective bridges two research domains, machine unlearning and gradient inversion, making the work conceptually novel and timely. 2. Methodological Creativity: IGF cleverly integrates dimensionality reduction (SVD) and learned gradient inversion, significantly reducin
While the paper is technically competent and raises a novel concern about the privacy of FU verification, several key assumptions and modeling choices significantly limit its practical relevance and generality. 1. Overly Strong Assumption on Auxiliary Data (D_aux): The attack assumes that the auditor possesses an auxiliary dataset drawn from the same or nearly identical distribution as the forgotten data. This is a strong and often unrealistic assumption in real-world federated scenarios, where
1. In FU, auditing is an important research question, as well as its privacy risks. 2. The authors conducted broad experiments to present the performance of the proposed attack.
1. The scenario lacks solid evidence. The authors assume that the PoFU will share the gradient difference with the auditor, which lacks sufficient discussion on related works, in order to present that such an auditing method is general or widely used. 2. Besides, why does a sufficiently small L2 norm of gradient difference indicate successful forgetting? The authors should explain more about it, because this appears unreasonable (the gradient difference should be sufficiently large rather than
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Cryptography and Data Security