Secure aggregation promises a heightened level of privacy in federated learning, maintaining that a server only has access to a decrypted aggregate update. Within this setting, linear layer leakage methods are the only data reconstruction attacks able to scale and achieve a high leakage rate regardless of the number of clients or batch size. This is done through increasing the size of an injected fully-connected (FC) layer. However, this results in a resource overhead which grows larger with an increasing number of clients. We show that this resource overhead is caused by an incorrect perspective in all prior work that treats an attack on an aggregate update in the same way as an individual update with a larger batch size. Instead, by attacking the update from the perspective that aggregation is combining multiple individual updates, this allows the application of sparsity to alleviate resource overhead. We show that the use of sparsity can decrease the model size overhead by over 327$\times$ and the computation time by 3.34$\times$ compared to SOTA while maintaining equivalent total leakage rate, 77% even with $1000$ clients in aggregation.

翻译：安全聚合在联邦学习中承诺提供更高的隐私保护级别，确保服务器仅能访问解密后的聚合更新。在此设定下，线性层泄露方法是唯一能够扩展并实现高泄露率的数据重构攻击，无论客户端数量或批量大小如何。该方法通过增大注入的全连接层规模来实现。然而，这会导致资源开销随客户端数量增加而增长。我们证明，这种资源开销源于先前所有工作中存在的错误视角：即将对聚合更新的攻击等同于对更大批量大小的单个更新的攻击。相反，通过从"聚合是多个独立更新的组合"这一视角攻击更新，我们可以利用稀疏性来缓解资源开销。我们证明，与当前最优方法相比，使用稀疏性可将模型规模开销降低超过327倍，计算时间减少3.34倍，同时保持等效的总泄露率，即使在聚合中包含1000个客户端时仍可达77%。