We analyze the number of queries that a whitebox adversary needs to make to a private learner in order to reconstruct its training data. For $(\epsilon, \delta)$ DP learners with training data drawn from any arbitrary compact metric space, we provide the \emph{first known lower bounds on the adversary's query complexity} as a function of the learner's privacy parameters. \emph{Our results are minimax optimal for every $\epsilon \geq 0, \delta \in [0, 1]$, covering both $\epsilon$-DP and $(0, \delta)$ DP as corollaries}. Beyond this, we obtain query complexity lower bounds for $(\alpha, \epsilon)$ R\'enyi DP learners that are valid for any $\alpha > 1, \epsilon \geq 0$. Finally, we analyze data reconstruction attacks on locally compact metric spaces via the framework of Metric DP, a generalization of DP that accounts for the underlying metric structure of the data. In this setting, we provide the first known analysis of data reconstruction in unbounded, high dimensional spaces and obtain query complexity lower bounds that are nearly tight modulo logarithmic factors.

翻译：我们分析了白盒攻击者为了重构私有学习器的训练数据所需执行的查询次数。针对从任意紧致度量空间中抽取训练数据的$(\epsilon,\delta)$差分隐私学习器，我们首次给出了攻击者查询复杂度关于学习器隐私参数的下界。我们的结果对任意$\epsilon \geq 0,\delta \in [0,1]$均达到极小极大最优，并涵盖$\epsilon$-差分隐私与$(0,\delta)$差分隐私作为特例。除此之外，我们为$(\alpha,\epsilon)$ Rényi差分隐私学习器获得了对任意$\alpha>1,\epsilon\geq 0$成立的查询复杂度下界。最后，我们通过度量差分隐私（一种考虑数据内在度量结构的差分隐私泛化框架）分析了局部紧致度量空间上的数据重构攻击。在此设定下，我们首次给出了无界高维空间中数据重构的分析，并获得了对数因子范围内几乎紧的查询复杂度下界。