Federated learning is a framework for collaborative machine learning where clients only share gradient updates and not their private data with a server. However, it was recently shown that gradient inversion attacks can reconstruct this data from the shared gradients. In the important honest-but-curious setting, existing attacks enable exact reconstruction only for a batch size of $b=1$, with larger batches permitting only approximate reconstruction. In this work, we propose SPEAR, the first algorithm reconstructing whole batches with $b >1$ exactly. SPEAR combines insights into the explicit low-rank structure of gradients with a sampling-based algorithm. Crucially, we leverage ReLU-induced gradient sparsity to precisely filter out large numbers of incorrect samples, making a final reconstruction step tractable. We provide an efficient GPU implementation for fully connected networks and show that it recovers high-dimensional ImageNet inputs in batches of up to $b \lesssim 25$ exactly while scaling to large networks. Finally, we show theoretically that much larger batches can be reconstructed with high probability given exponential time.
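The two gradient properties the abstract names, explicit low-rank structure and ReLU-induced sparsity, can be checked on a single fully connected layer. The sketch below is an added illustration, not code from the SPEAR authors or their GPU implementation; the toy layer sizes, the linear loss, the constructed integer data and all function names are assumptions.

```python
from fractions import Fraction
import random

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def transpose(A):
    return [list(r) for r in zip(*A)]

def rank(M):
    """Exact matrix rank by Gaussian elimination over the rationals."""
    M = [[Fraction(v) for v in row] for row in M]
    r = 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(r + 1, len(M)):
            f = M[i][c] / M[r][c]
            M[i] = [x - f * y for x, y in zip(M[i], M[r])]
        r += 1
    return r

def first_layer_gradient(b, n=12, m=16, seed=0):
    """Constructed toy layer: Z = X W^T + bias, A = ReLU(Z), loss = sum(A * C)."""
    rng = random.Random(seed)
    X = [[rng.randint(-5, 5) for _ in range(n)] for _ in range(b)]   # private batch, b x n
    W = [[rng.randint(-5, 5) for _ in range(n)] for _ in range(m)]   # weights, m x n
    C = [[rng.randint(1, 5) for _ in range(m)] for _ in range(b)]    # dL/dA, all nonzero
    bias = [rng.randint(-5, 5) for _ in range(m)]
    Z = [[z + bj for z, bj in zip(row, bias)] for row in matmul(X, transpose(W))]
    # dL/dZ = dL/dA * 1[Z > 0]: every inactive ReLU contributes an exact zero.
    dZ = [[c if z > 0 else 0 for c, z in zip(crow, zrow)] for crow, zrow in zip(C, Z)]
    # dL/dW = dZ^T X is m x n but factors through the batch dimension b.
    dW = matmul(transpose(dZ), X)
    return dW, dZ

def audit(b):
    """Return (rank of the shared weight gradient, fraction of zeros in dL/dZ)."""
    dW, dZ = first_layer_gradient(b)
    zeros = sum(v == 0 for row in dZ for v in row)
    return rank(dW), zeros / (len(dZ) * len(dZ[0]))

if __name__ == "__main__":
    for b in (1, 4, 8):
        print(b, audit(b))
```

The weight gradient is a 16 x 12 matrix, yet its rank never exceeds the batch size $b$, which is why a shared gradient carries far more structure about the batch than its dimensions suggest.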