Towards Eliminating Hard Label Constraints in Gradient Inversion Attacks

Thanks for the detailed review and insightful questions! The paper is revised, and due to the 9-page limitation, we added the global minimum figure in Section H.

Firstly, we do assume that we know the label type in detail. For our algorithm, the two settings are the same, because only knowing the label is soft without the specific type cannot help design the loss function to replace the variance, and one-hot labels, a.k.a. hard labels, are just a special case of label smoothing: the smoothing factor is 0. I would prefer to split the setting in this way:

1. we do not know anything about the label.
2. we do know the label may belong to mixup, label smoothing, or other types. we have a finite set with all possibilities.

So, the question is: "Could the algorithm recover images under the two circumstances mentioned above?" It is a little complicated. As stated in Section 3.4, if we know nothing about the label, then we only get the first condition: All entries of the valid label are and only could be non-negative. From this condition, we could only design this loss to replace the variance:

$\mathcal{L}_{label}(\lambda_r)=\sum\limits_{i=1}^{C}{|\hat{y_i}|}-1$

For label smoothing, We first executed label recovery on ResNet18 and LeNet for 200 samples each, finding that both recovery accuracies are 0 (the loss is always above the bound).

We then executed experiments on image reconstruction with the $L_2$ match function. we randomly picked 2 images for each class and repeated 3 times. Other settings are kept identical to Tabel 3. The results are shown below.

Clearly, inaccurate labels cause a performance drop in image reconstructions. The PSNR and SSIM in the Ours column are lower than those in the GT label. It is because without variance supervision, as shown in Fig. 2, multiple labels could all generate the same gradients. Under such circumstances, the algorithm may randomly stay at one label whose entries are all above zero. Here is a corner example. The ground-truth label is[0.031, 0.031, 0.031, 0.031, 0.031, 0.031, 0.031, 0.717, 0.031, 0.031], but the recovered is [0.086, 0.125, 0.147, 0.080, 0.139, 0.078, 0.089, 0.100, 0.080, 0.077], which diverges a lot. Distribution change could cause bad data recovery. The results for this instance are as below.

For the second setting, we could simply try different label types iteratively. If the labels could only be label smoothing or mixup, then we could directly try mixup type first. We tested it on Resnet18 for 200 images with label smoothing augmentation, getting 100% accuracy. Image reconstruction results have no obvious difference from Table 3.

In summary, the mathematical analysis has demonstrated that knowing nothing about the label is not enough to recover smoothed labels, it is not the limitation of our algorithm, but the limitation of the information contained in gradients. Inaccurate labels could cause bad image reconstruction in general, and it is also related to the extent to which the label diverges from the ground truth.

Thanks for the time you spent on our manuscript!

1. “Introductory background may lack clarity.” Due to the 9-page limitation, we eliminated some contents in the introduction and related work, which sacrifices some clarity. The main contribution of this work is to propose a novel algorithm to recover soft labels from gradients analytically, especially when the fully connected layer does not have the bias term, while previous works could only handle one-hot labels.
2. “Algorithm derivation may lack clarity. Why the label vector can be viewed as a function of the gradient in equation (3)?” The problem is to calculate the ground-truth label, and we only know two conditions: the gradients of the last layer $\mathbf{g}$, and the ground-truth input is a scaled vector of the gradients. If we know the ground-truth scalar $\lambda_r^\ast=p_r-y_r$, then we know the ground-truth inputs $\mathbf{x}^\ast$. Put it in the last layer, we get the post-softmax probability $\mathbf{p}$, and the ground-truth label could be recovered as the first line in Eqn. (3). Just because we do not have access to the exact value of $\lambda_r^\ast$, we set it as $\lambda_r$. Different $\lambda_r$ will generate different input $\mathbf{x}$, therefore different $\hat{p_i}$, and finally different $\hat{y_i}$. That is why $y_i$ is a function of $\lambda_r$, as shown in Eqn.(3),(4). Hope this could be helpful.

Please do not hesitate to post other questions about the details if you still have any. We are happy to explain more.

Dear reviewer xaET,

Sorry for bothering you. We genuinely appreciate the time and effort you've invested in our paper. As our rebuttal has been submitted for a while, we do want to know whether our explanations have settled the concerns. We are eager to have further discussions, so please let us know if you have additional feedback.

Best,

Authors of submission 5392.

Thanks for your detailed review!

1. “Please provide more discussion of variance loss.” It is reasonable to doubt the strength of the simple variance loss. Here, we provide an intuitive explanation. After successfully simplifying the vector-recovery problem into one-value picking, the label distribution is constrained and can only change in the dimension of $\lambda_r$. Let's say we pick $\mathbf{g}_0$ as the initialization and have found the ground truth $\lambda_r^\ast$. Under real circumstances, according to the property of the SoftMax function, if we move $\lambda_r$ away from $\lambda_r^\ast$, each entry will change at a different speed or in a different direction, and they will only meet once, as shown in Fig. 2 of the paper. For Mixup, the result of such a movement is similar. Therefore, for multi-class classification tasks, it is nearly impossible for all-but-the-top entries to firstly meet at $\lambda_r^\ast$, change with different speed and direction, and eventually meet again under another $\lambda_r$. Extensive experiments also demonstrate the performance.
2. “Please provide more comparisons in label recovery evaluation.” As stated in the paper, previous works mostly focus on recovering batched one-hot labels, and they are all unable to handle soft labels. The comparison with iDLG in Table 1 aims to show that our algorithm, designed for soft labels though, could still handle one-hot labels with identical performance as IDLG. Currently we do not have other methods handling soft labels as baseline.
3. "Please explain the metrics in soft label recovery." If we execute the one-hot label recovery, it is easy to define the accuracy as we could simply report the index of the class to check whether it is the case. For soft labels, the values are continuous, therefore we define $\mathcal{L}_r$ to describe how close two vectors are. Assuming $\mathbf{a}$, $\mathbf{b}$ are two vectors with $n$ entry, $\mathcal{L}_r$ refers to the sum of $L_1$ loss of every entry:

$\mathcal{L}_r=\sum_{i=1}^{n}{\lvert\mathbf{a}_{i}-\mathbf{b}_{i}\rvert}$

4. "The starting point of ±1 needs more explanation." It is really a precious point. when searching, we understand that $\lambda_r^\ast=1/(p_r-y_r)$. Therefore, it is larger than $1$ or smaller than $-1$. The searching starters correspond to the range of value. In codes, to increase efficiency and accuracy, we always pick the entry $i$ with the largest gradients (abstract value). From experiments, with such picking the ground-truth $\lambda_r^\ast$ is mainly in the range of [-10,10]. Detailed algorithms are also attached in Section E.

Thanks for the detailed review.

1. For questions "vector divide by vector", thanks for pointing it out. From Eqn. (2) we know the gradient $\mathbf{g}_i$ is a scaled input vector, so here the division is to calculate this scalar. It could be executed at item level, since they all get the same results. In codes, considering numerical stability, we use the mean value of item-level division. It is a precious point, and we will add footnotes in our manuscript to make it more clear.
2. For “top two entries”, your understanding is correct. The two items in $y_i$ with the highest values in our algorithm are regarded as entries involved in mixup, so we exclude them and penalize the variance of other entries.
3. For error bars, we added the standard deviation and attached the full version of Table 3 and Table 4 in Section G to make the comparisons more persuasive. For Table 2, we repeated the experiment to recover the smoothed label on untrained Lenet 5 times, 400 samples each time, and the Acc. is 0.998 $\pm$ 0.004. The first two tables aim to show the accuracy of our label recovery algorithm, where we tested 1000 samples with the specific label distribution on every network to demonstrate the performance. From experiments and our experience, it is quite stable.
4. For practical value, our work is based on federated learning framework, where in each step, the central server collects uploaded gradients from several clients, figures out the optimal updating direction, and then sends all updated (trained) parameters back to each client (this is the most common horizontal FL framework) [1][2]. As stated in threat model, the server could get access to the uploaded gradients. In practice, instance-wise gradients and batched gradients from clients are all possible. Our work is the first to handle soft labels, and we will extend it to batched situations in future works.
5. We do appreciate that you mentioned the typo. We will correct it in the latest version.

[1] Qiang Yang, Yang Liu, Tianjian Chen, and Yongxin Tong. Federated machine learning: Concept and applications. ACM Transactions on Intelligent Systems and Technology (TIST), 10(2):1–19, 2019

[2]Ligeng Zhu, Zhijian Liu, and Song Han. Deep leakage from gradients. In Advances in neural information processing systems, volume 32, 2019.

Dear reviewer pnnF,

Sorry for bothering you. We appreciate the review you provided for our paper, and we have added the revised tables in the appendix. We are eager to have further discussions, please feel free to let us know if you have additional feedback!

Best,

Authors of submission 5392.