Client-Side Gradient Inversion Attack in Federated Learning Using Secure Aggregation

As a privacy-preserving enhancement to the Federated Learning (FL) framework, Secure Aggregation (SA) enables multiparty summation without any party needing to reveal their updates to the aggregator in Internet of Things applications. However, conventional threat model underestimates the potential inversion attacks on aggregated gradients from an honest-but-curious client, due to the considering information loss caused by SA. This study for the first time, demonstrates the gradient inversion attack against SA schemes in which gradients are quantized and aggregated. Then an enhanced gradient inversion from client side is proposed to address two roadblocks caused by SA, i.e., aggregation information loss and quantization rounding error. To countermeasure the information loss, we utilize class-wise representation matching to achieve category-level decomposition. This relies on a prior restoration of the class-wise representations and instance-wise labels, whose numerical accuracy is cyclically calibrated through prior-based offset estimation. Since cryptographic operators involved in SA schemes usually operates in the integer domain, gradient quantization is introduced. Regarding the rounding errors from gradient quantization, quantization-aware gradient matching is presented to align with a more precise optimization objective. Extensive experiments demonstrate that a semi-honest client is sufficient to infer sensitive data from the aggregated gradients after even 8-bit quantization. Moreover, a defense scheme based on 1-bit gradient quantization is proposed. The new attack from client side in SA-based FL urges the community to take necessary defensive measures.