Gradient inversion attacks aim to reconstruct local training data from the intermediate gradients exposed in the federated learning framework. Despite successful attacks, all previous methods, which started from reconstructing a single data point and then relaxed the single-image limit to the batch level, have been tested only under hard-label constraints. Even for single-image reconstruction, we still lack an analysis-based algorithm to recover augmented soft labels. In this work, we shift the focus from enlarging the batch size to investigating the hard-label constraint, considering a more realistic setting in which label smoothing and mixup techniques are used in the training process. In particular, we are the first to propose an algorithm that simultaneously recovers the ground-truth augmented label and the input feature of the last fully-connected layer from single-input gradients, and we provide a necessary condition for any analysis-based label recovery method. Extensive experiments confirm the label recovery accuracy, as well as the benefits for the subsequent image reconstruction. We believe soft labels in classification tasks are worth further attention in gradient inversion attacks.