Evaluating Selective Encryption Against Gradient Inversion Attacks

TL;DR

This paper evaluates the effectiveness of selective encryption methods with various significance metrics in defending against gradient inversion attacks in distributed training, aiming to balance privacy and computational efficiency.

Contribution

It introduces a systematic evaluation framework and a theoretical distance-based significance analysis for selecting critical gradient elements for encryption.

Findings

Gradient magnitude is an effective metric for protection.

Selective encryption reduces computational overhead.

No single strategy is optimal for all attack types.

Abstract

Gradient inversion attacks pose significant privacy threats to distributed training frameworks such as federated learning, enabling malicious parties to reconstruct sensitive local training data from gradient communications between clients and an aggregation server during the aggregation process. While traditional encryption-based defenses, such as homomorphic encryption, offer strong privacy guarantees without compromising model utility, they often incur prohibitive computational overheads. To mitigate this, selective encryption has emerged as a promising approach, encrypting only a subset of gradient data based on the data's significance under a certain metric. However, there have been few systematic studies on how to specify this metric in practice. This paper systematically evaluates selective encryption methods with different significance metrics against state-of-the-art attacks. Our findings demonstrate the feasibility of selective encryption in reducing computational overhead while maintaining resilience against attacks. We propose a distance-based significance analysis framework that provides theoretical foundations for selecting critical gradient elements for encryption. Through extensive experiments on different model architectures (LeNet, CNN, BERT, GPT-2) and attack types, we identify gradient magnitude as a generally effective metric for protection against optimization-based gradient inversions. However, we also observe that no single selective encryption strategy is universally optimal across all attack scenarios, and we provide guidelines for choosing appropriate strategies for different model architectures and privacy requirements.