We analyze the number of queries that a whitebox adversary needs to make to a private learner in order to reconstruct its training data. For $(\epsilon, \delta)$ DP learners with training data drawn from any arbitrary compact metric space, we provide the \emph{first known lower bounds on the adversary's query complexity} as a function of the learner's privacy parameters. \emph{Our results are minimax optimal for every $\epsilon \geq 0, \delta \in [0, 1]$, covering both $\epsilon$-DP and $(0, \delta)$ DP as corollaries}. Beyond this, we obtain query complexity lower bounds for $(\alpha, \epsilon)$ R\'enyi DP learners that are valid for any $\alpha > 1, \epsilon \geq 0$. Finally, we analyze data reconstruction attacks on locally compact metric spaces via the framework of Metric DP, a generalization of DP that accounts for the underlying metric structure of the data. In this setting, we provide the first known analysis of data reconstruction in unbounded, high dimensional spaces and obtain query complexity lower bounds that are nearly tight modulo logarithmic factors.

翻译：我们分析了白盒攻击者为了重构私有学习器的训练数据所需进行的查询次数。对于从任意紧致度量空间中抽取训练数据的$(\epsilon, \delta)$差分隐私学习器，我们给出了攻击者查询复杂度的**首个已知下界**，该下界以学习器的隐私参数为变量。**我们的结果对于所有$\epsilon \geq 0, \delta \in [0, 1]$均为极小化最优，其中$\epsilon$-差分隐私和$(0, \delta)$差分隐私可作为推论涵盖在内**。在此基础之上，我们进一步获得了$(\alpha, \epsilon)$ Rényi差分隐私学习器的查询复杂度下界，该下界对任意$\alpha > 1, \epsilon \geq 0$均成立。最后，我们通过度量差分隐私框架分析了局部紧致度量空间上的数据重构攻击。度量差分隐私是差分隐私的一种推广形式，它考虑了数据的内在度量结构。在该设定下，我们首次对无界高维空间中的数据重构进行了分析，并获得了近乎紧的查询复杂度下界（对数因子除外）。