c fu,x zhang,s ji,j chen,j wu,s guo,j zhou,ax liu,t wang

2022-01-01

Abstract:As the initial variant of federated learning (FL), horizontal federated learning (HFL) applies to the situations where datasets share the same feature space but differ in the sample space, e.g., the collaboration between two regional banks, while trending vertical federated learning (VFL) deals with the cases where datasets share the same sample space but differ in the feature space, e.g., the collaboration between a bank and an e-commerce platform. Although various attacks have been proposed to evaluate the privacy risks of HFL, yet, few studies, if not none, have explored that for VFL. Considering that the typical application scenario of VFL is that a few participants (usually two) collaboratively train a machine learning (ML) model with features distributed among them but labels owned by only one of them, protecting the privacy of the labels owned by one participant should be a fundamental guarantee provided by VFL, as the labels might be highly sensitive, e.g., whether a person has a certain kind of disease. However, we discover that the bottom model structure and the gradient update mechanism of VFL can be exploited by a malicious participant to gain the power to infer the privately owned labels. Worse still, by abusing the bottom model, he/she can even infer labels beyond the training dataset. Based on our findings, we propose a set of novel label inference attacks against VFL. Our experiments show that the proposed attacks achieve an outstanding performance. We further share our insights and discuss possible defenses. Our research can shed light on the hidden privacy risks of VFL and pave the way for new research directions towards more secure VFL.

Yige Liu,Yiwei Lou,Yang Liu,Yongzhi Cao,Hanpin Wang

DOI: https://doi.org/10.24963/ijcai.2024/902

2024-01-01

Abstract:Vertical federated learning (VFL) is a distributed machine learning paradigm that collaboratively trains models using passive parties with features and an active party with additional labels. While VFL offers privacy preservation through data localization, the threat of label leakage remains a significant challenge. Label leakage occurs due to label inference attacks, where passive parties attempt to infer labels for their privacy and commercial value. Extensive research has been conducted on this specific VFL attack, but a comprehensive summary is still lacking. To bridge this gap, our paper aims to survey the existing label inference attacks and defenses. We propose two new taxonomies for both label inference attacks and defenses, respectively. Beyond summarizing the current state of research, we highlight techniques that we believe hold potential and could significantly influence future studies. Moreover, experimental benchmark datasets and evaluation metrics are summarized to provide a guideline for subsequent work.

Derui Zhu,Jinfu Chen,Xuebing Zhou,Weiyi Shang,Ahmed E. Hassan,Jens Grossklags

DOI: https://doi.org/10.1109/tifs.2024.3361813

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Vertical federated learning (VFL) is an increasingly popular, yet understudied, collaborative learning technique. In VFL, features and labels are distributed among different participants allowing for various innovative applications in business domains, e.g., online marketing. When deploying VFL, training data (labels and features) from each participant ought to be protected; however, very few studies have investigated the vulnerability of data protection in the VFL training stage. In this paper, we propose a posterior-difference-based data attack, VFLRecon, reconstructing labels and features to examine this problem. Our experiments show that standard VFL is highly vulnerable to serious privacy threats, with reconstruction achieving up to 92% label accuracy and 0.05 feature MSE, compared to our baseline with 55% label accuracy and 0.19 feature MSE. Even worse, this privacy risk remains during standard operations (e.g., encrypted aggregation) that appear to be safe. We also systematically analyze data leakage risks in the VFL training stage across diverse data modalities (i.e., tabular data and images), different training frameworks (i.e., with or without encryption techniques), and a wide range of training hyperparameters. To mitigate this risk, we design a novel defense mechanism, VFLDefender, dedicated to obfuscating the correlation between bottom model changes and labels (features) during training. The experimental results demonstrate that VFLDefender prevents reconstruction attacks during standard encryption operations (around 17% more effective than standard encryption operations).

computer science, theory & methods,engineering, electrical & electronic

Xue Jiang,Xuebing Zhou,Jens Grossklags

DOI: https://doi.org/10.2478/popets-2022-0045

2022-03-03

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Vertical federated learning (VFL), a variant of federated learning, has recently attracted increasing attention. An active party having the true labels jointly trains a model with other parties (referred to as passive parties ) in order to use more features to achieve higher model accuracy. During the prediction phase, all the parties collaboratively compute the predicted confidence scores of each target record and the results will be finally returned to the active party. However, a recent study by Luo et al . [28] pointed out that the active party can use these confidence scores to reconstruct passive-party features and cause severe privacy leakage. In this paper, we conduct a comprehensive analysis of privacy leakage in VFL frameworks during the prediction phase. Our study improves on previous work [28] regarding two aspects. We first design a general gradient-based reconstruction attack framework that can be flexibly applied to simple logistic regression models as well as multi-layer neural networks. Moreover, besides performing the attack under the white-box setting, we give the first attempt to conduct the attack under the black-box setting. Extensive experiments on a number of real-world datasets show that our proposed attack is effective under different settings and can achieve at best twice or thrice of a reduction of attack error compared to previous work [28]. We further analyze a list of potential mitigation approaches and compare their privacy-utility performances. Experimental results demonstrate that privacy leakage from the confidence scores is a substantial privacy risk in VFL frameworks during the prediction phase, which cannot be simply solved by crypto-based confidentiality approaches. On the other hand, processing the confidence scores with information compression and randomization approaches can provide strengthened privacy protection.

Hideaki Takahashi,Jingjing Liu,Yang Liu

2023-10-22

Abstract:Vertical federated learning (VFL) enables multiple parties with disjoint features of a common user set to train a machine learning model without sharing their private data. Tree-based models have become prevalent in VFL due to their interpretability and efficiency. However, the vulnerability of tree-based VFL has not been sufficiently investigated. In this study, we first introduce a novel label inference attack, ID2Graph, which utilizes the sets of record IDs assigned to each node (i.e., instance space)to deduce private training labels. ID2Graph attack generates a graph structure from training samples, extracts communities from the graph, and clusters the local dataset using community information. To counteract label leakage from the instance space, we propose two effective defense mechanisms, Grafting-LDP, which improves the utility of label differential privacy with post-processing, and andID-LMID, which focuses on mutual information regularization. Comprehensive experiments on various datasets reveal that ID2Graph presents significant risks to tree-based models such as RandomForest and XGBoost. Further evaluations of these benchmarks demonstrate that our defense methods effectively mitigate label leakage in such instances

Machine Learning,Artificial Intelligence,Cryptography and Security

Haiqin Weng,Juntao Zhang,Feng Xue,Tao Wei,Shouling Ji,Zhiyuan Zong

2020-01-01

Abstract:Federated learning enables mutually distrusting participants to collaboratively learn a distributed machine learning model without revealing anything but the model's output. Generic federated learning has been studied extensively, and several learning protocols, as well as open-source frameworks, have been developed. Yet, their over pursuit of computing efficiency and fast implementation might diminish the security and privacy guarantees of participant's training data, about which little is known thus far. In this paper, we consider an honest-but-curious adversary who participants in training a distributed ML model, does not deviate from the defined learning protocol, but attempts to infer private training data from the legitimately received information. In this setting, we design and implement two practical attacks, reverse sum attack and reverse multiplication attack, neither of which will affect the accuracy of the learned model. By empirically studying the privacy leakage of two learning protocols, we show that our attacks are (1) effective - the adversary successfully steal the private training data, even when the intermediate outputs are encrypted to protect data privacy; (2) evasive - the adversary's malicious behavior does not deviate from the protocol specification and deteriorate any accuracy of the target model; and (3) easy - the adversary needs little prior knowledge about the data distribution of the target participant. We also experimentally show that the leaked information is as effective as the raw training data through training an alternative classifier on the leaked information. We further discuss potential countermeasures and their challenges, which we hope may lead to several promising research directions.

Jirui Yang,Peng Chen,Zhihui Lu,Qiang Duan,Yubing Bao

2024-06-18

Abstract:Vertical Federated Learning (VFL) facilitates collaborative machine learning without the need for participants to share raw private data. However, recent studies have revealed privacy risks where adversaries might reconstruct sensitive features through data leakage during the learning process. Although data reconstruction methods based on gradient or model information are somewhat effective, they reveal limitations in VFL application scenarios. This is because these traditional methods heavily rely on specific model structures and/or have strict limitations on application scenarios. To address this, our study introduces the Unified InverNet Framework into VFL, which yields a novel and flexible approach (dubbed UIFV) that leverages intermediate feature data to reconstruct original data, instead of relying on gradients or model details. The intermediate feature data is the feature exchanged by different participants during the inference phase of VFL. Experiments on four datasets demonstrate that our methods significantly outperform state-of-the-art techniques in attack precision. Our work exposes severe privacy vulnerabilities within VFL systems that pose real threats to practical VFL applications and thus confirms the necessity of further enhancing privacy protection in the VFL architecture.

Machine Learning,Artificial Intelligence,Cryptography and Security

Fangjiao Zhang,Guoqiang Li,Zhufeng Suo,Li Wang,Chang Cui,Qingshu Meng

DOI: https://doi.org/10.1016/j.sigpro.2023.109077

IF: 4.729

2023-05-11

Signal Processing

Abstract:Federated learning (FL) faces many security threats. Although multiple robust FL frameworks have been proposed to defend against these malicious attacks in horizontal federated learning (HFL), security issues in vertical federated learning (VFL) have not been adequately studied. Recent studies show that VFL is vulnerable to inference attacks (e.g., label inference attacks), which puts VFL at risk. To solve this problem, we propose a new VFL framework SVFL (Secure Vertical Federated Learning) to defend against privacy breaches inspired by feature disentanglement. Specifically, in SVFL , the bottom models are feature extractors to extract samples' features in the high-dimensional space, and the top model sews samples' features of the same sample ID. Then, disentangling the samples' features into the class-relevant feature and class-irrelevant one via two classifiers: one is to recognize the class-relevant feature by regular training, and another is to recognize the class-irrelevant feature by adversarial training. Our experiments show that SVFL not only defends against label inference attacks, no matter how many samples features a malicious participant occupies, but also improves the global model's accuracy. Therefore, SVFL provides a privacy security guarantee for the vertical federated learning system.

engineering, electrical & electronic

Yan Kang,Jiahuan Luo,Yuanqin He,Xiaojin Zhang,Lixin Fan,Qiang Yang

2024-08-05

Abstract:Federated learning (FL) has emerged as a practical solution to tackle data silo issues without compromising user privacy. One of its variants, vertical federated learning (VFL), has recently gained increasing attention as the VFL matches the enterprises' demands of leveraging more valuable features to build better machine learning models while preserving user privacy. Current works in VFL concentrate on developing a specific protection or attack mechanism for a particular VFL algorithm. In this work, we propose an evaluation framework that formulates the privacy-utility evaluation problem. We then use this framework as a guide to comprehensively evaluate a broad range of protection mechanisms against most of the state-of-the-art privacy attacks for three widely deployed VFL algorithms. These evaluations may help FL practitioners select appropriate protection mechanisms given specific requirements. Our evaluation results demonstrate that: the model inversion and most of the label inference attacks can be thwarted by existing protection mechanisms; the model completion (MC) attack is difficult to be prevented, which calls for more advanced MC-targeted protection mechanisms. Based on our evaluation results, we offer concrete advice on improving the privacy-preserving capability of VFL systems. The code is available at <a class="link-external link-https" href="https://github.com/yankang18/Attack-Defense-VFL" rel="external noopener nofollow">this https URL</a>

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Jingwei Sun,Ang Li,Binghui Wang,Huanrui Yang,Hai Li,Yiran Chen

DOI: https://doi.org/10.48550/arXiv.2012.06043

2020-12-09

Abstract:Federated learning (FL) is a popular distributed learning framework that can reduce privacy risks by not explicitly sharing private data. However, recent works demonstrated that sharing model updates makes FL vulnerable to inference attacks. In this work, we show our key observation that the data representation leakage from gradients is the essential cause of privacy leakage in FL. We also provide an analysis of this observation to explain how the data presentation is leaked. Based on this observation, we propose a defense against model inversion attack in FL. The key idea of our defense is learning to perturb data representation such that the quality of the reconstructed data is severely degraded, while FL performance is maintained. In addition, we derive certified robustness guarantee to FL and convergence guarantee to FedAvg, after applying our defense. To evaluate our defense, we conduct experiments on MNIST and CIFAR10 for defending against the DLG attack and GS attack. Without sacrificing accuracy, the results demonstrate that our proposed defense can increase the mean squared error between the reconstructed data and the raw data by as much as more than 160X for both DLG attack and GS attack, compared with baseline defense methods. The privacy of the FL system is significantly improved.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition

Yunbo Yang,Xiang Chen,Yuhao Pan,Jiachen Shen,Zhenfu Cao,Xiaolei Dong,Xiaoguo Li,Jianfei Sun,Guomin Yang,Robert Deng

DOI: https://doi.org/10.1109/tifs.2024.3477924

IF: 7.231

2024-10-26

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) allows multiple parties, each holding a dataset, to jointly train a model without leaking any information about their own datasets. In this paper, we focus on vertical FL (VFL). In VFL, each party holds a dataset with the same sample space and different feature spaces. All parties should first agree on the training dataset in the ID alignment phase. However, existing works may leak some information about the training dataset and cause privacy leakage. To address this issue, this paper proposes OpenVFL, a vertical federated learning framework with stronger privacy-preserving. We first propose NCLPSI, a new variant of labeled PSI, in which both parties can invoke this protocol to get the encrypted training dataset without leaking any additional information. After that, both parties train the model over the encrypted training dataset. We also formally analyze the security of OpenVFL. In addition, the experimental results show that OpenVFL achieves the best trade-offs between accuracy, performance, and privacy among the most state-of-the-art works.

computer science, theory & methods,engineering, electrical & electronic

Lei Yu,Meng Han,Yiming Li,Changting Lin,Yao Zhang,Mingyang Zhang,Yan Liu,Haiqin Weng,Yuseok Jeon,Ka-Ho Chow,Stacy Patterson

2024-02-06

Abstract:Vertical Federated Learning (VFL) is a federated learning paradigm where multiple participants, who share the same set of samples but hold different features, jointly train machine learning models. Although VFL enables collaborative machine learning without sharing raw data, it is still susceptible to various privacy threats. In this paper, we conduct the first comprehensive survey of the state-of-the-art in privacy attacks and defenses in VFL. We provide taxonomies for both attacks and defenses, based on their characterizations, and discuss open challenges and future research directions. Specifically, our discussion is structured around the model's life cycle, by delving into the privacy threats encountered during different stages of machine learning and their corresponding countermeasures. This survey not only serves as a resource for the research community but also offers clear guidance and actionable insights for practitioners to safeguard data privacy throughout the model's life cycle.

Cryptography and Security,Artificial Intelligence,Machine Learning

Yang Liu,Tianyuan Zou,Yan Kang,Wenhan Liu,Yuanqin He,Zhihao Yi,Qiang Yang

2021-01-01

Abstract:In a vertical federated learning (VFL) scenario where features and model are split into different parties, communications of sample-specific updates are required for correct gradient calculations but can be used to deduce important sample-level label information. An immediate defense strategy is to protect sample-level messages communicated with Homomorphic Encryption (HE), and in this way only the batch-averaged local gradients are exposed to each party (termed black-boxed VFL). In this paper, we first explore the possibility of recovering labels in the vertical federated learning setting with HE-protected communication, and show that private labels can be reconstructed with high accuracy by training a gradient inversion model. Furthermore, we show that label replacement backdoor attacks can be conducted in black-boxed VFL by directly replacing encrypted communicated messages (termed gradient-replacement attack). As it is a common presumption that batch-averaged information is safe to share, batch label inference and replacement attacks are a severe challenge to VFL. To defend against batch label inference attack, we further evaluate several defense strategies, including confusional autoencoder (CoAE), a technique we proposed based on autoencoder and entropy regularization. We demonstrate that label inference and replacement attacks can be successfully blocked by this technique without hurting as much main task accuracy as compared to existing methods.

Ruofan Wu,Mingyang Zhang,Lingjuan Lyu,Xiaolong Xu,Xiuquan Hao,Xinyi Fu,Tengfei Liu,Tianyi Zhang,Weiqiang Wang

2023-10-31

Abstract:The paradigm of vertical federated learning (VFL), where institutions collaboratively train machine learning models via combining each other's local feature or label information, has achieved great success in applications to financial risk management (FRM). The surging developments of graph representation learning (GRL) have opened up new opportunities for FRM applications under FL via efficiently utilizing the graph-structured data generated from underlying transaction networks. Meanwhile, transaction information is often considered highly sensitive. To prevent data leakage during training, it is critical to develop FL protocols with formal privacy guarantees. In this paper, we present an end-to-end GRL framework in the VFL setting called VESPER, which is built upon a general privatization scheme termed perturbed message passing (PMP) that allows the privatization of many popular graph neural architectures.Based on PMP, we discuss the strengths and weaknesses of specific design choices of concrete graph neural architectures and provide solutions and improvements for both dense and sparse graphs. Extensive empirical evaluations over both public datasets and an industry dataset demonstrate that VESPER is capable of training high-performance GNN models over both sparse and dense graphs under reasonable privacy budgets.

Machine Learning,Cryptography and Security

Fangcheng Fu,Huanran Xue,Yong Cheng,Yangyu Tao,Bin Cui

DOI: https://doi.org/10.1145/3514221.3526127

2022-01-01

Abstract:Due to the rising concerns on privacy protection, how to build machine learning (ML) models over different data sources with security guarantees is gaining more popularity. Vertical federated learning (VFL) describes such a case where ML models are built upon the private data of different participated parties that own disjoint features for the same set of instances, which fits many real-world collaborative tasks. Nevertheless, we find that existing solutions for VFL either support limited kinds of input features or suffer from potential data leakage during the federated execution. To this end, this paper aims to investigate both the functionality and security of ML modes in the VFL scenario. To be specific, we introduce BlindFL, a novel framework for VFL training and inference. First, to address the functionality of VFL models, we propose the federated source layers to unite the data from different parties. Various kinds of features can be supported efficiently by the federated source layers, including dense, sparse, numerical, and categorical features. Second, we carefully analyze the security during the federated execution and formalize the privacy requirements. Based on the analysis, we devise secure and accurate algorithm protocols, and further prove the security guarantees under the ideal-real simulation paradigm. Extensive experiments show that BlindFL supports diverse datasets and models efficiently whilst achieves robust privacy guarantees.

Xicong Shen,Ying Liu,Fu Li,Chunguang Li

DOI: https://doi.org/10.1109/jiot.2023.3288886

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) has attracted widespread attention in the Internet of Things domain recently. With FL, multiple distributed devices can cooperatively train a global model by transmitting model updates without disclosing the original data. However, the distributed nature of FL makes it vulnerable to data poisoning attacks. In practice, malicious clients can launch the label-flipping attack (LFA) by simply tampering with the labels of local data, thus causing the global model to misclassify the samples of a selected class as the target class. Although some defense mechanisms have been proposed, they rely on specific assumptions about data distribution, and their performance degrades significantly when the data on clients are non-IID. Besides, most existing methods require clients to upload model updates in plaintext so that the server can identify and remove the malicious updates. But, direct transmission of model updates may still reveal private information. Considering these issues, we develop a label-flipping-robust and privacy-preserving FL (LFR-PPFL) algorithm, which is applicable to both independent and identically distributed (IID) and non-IID data. We first propose a detection method based on temporal analysis on cosine similarity to distinguish malicious clients from benign clients. Then, we propose a privacy-preserving computation protocol based on homomorphic encryption to implement this detection method and perform federated aggregation while protecting the privacy of clients. Besides, a detailed theoretical analysis is given to demonstrate the privacy guarantee of the proposed protocol. Experimental results on real-world data sets show that the proposed algorithm can effectively defend against LFAs under various data distributions.

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Rongxing Lu,Ermei Wang,Linfeng Li,Hui Li

DOI: https://doi.org/10.1109/tcc.2023.3247870

IF: 5.697

2023-01-01

IEEE Transactions on Cloud Computing

Abstract:With the explosive growth of data volume and computing capability, federated learning, which involves constructing global models over multiple data islands, has demonstrated its advantages and vast prospects in the field of machine learning. However, due to commonly vertically partitioned data, coupled with privacy concerns about data leakage, there are still some challenging issues in traditional federated learning. To tackle these challenges, in this paper, we propose an efficient and privacy-preserving vertical federated learning framework for logistic regression, named VFLR, where multiple participants can collaboratively perform global model training and query over their vertically partitioned data. Specifically, we first design a data aggregation matrix construction algorithm, with which the vertically partitioned data can be aggregated for high-accuracy global model training. Then, by utilizing a novel symmetric homomorphic encryption, our framework can ensure that the whole training and query processes do not leak any private information. Moreover, based on the data aggregation matrix, multi-round interactions are not required in VFLR, improving training efficiency significantly. Detailed security analysis shows that VFLR can well protect data and model information from inference attacks. In addition, extensive experiments demonstrate that VFLR has high training and query accuracy and low computation and communication overhead.

computer science, information systems, theory & methods

Yilei Wang,Qingzhe Lv,Huang Zhang,Minghao Zhao,Yuhong Sun,Lingkai Ran,Tao Li

DOI: https://doi.org/10.1007/s11280-023-01159-x

2023-01-01

World Wide Web

Abstract:Federated learning is an emerging paradigm that enables multiple organizations to jointly train a model without revealing their private data. As an important variant, vertical federated learning (VFL) deals with cases in which collaborating organizations own data of the same set of users but with disjoint features. It is generally regarded that VFL is more secure than horizontal federated learning. However, recent research (USENIX Security’22) reveals that it is still possible to conduct label inference attacks in VFL, in which attacker can acquire privately owned labels of other participants; even VFL constructed with model splitting (the kind of VFL architecture with higher security guarantee) cannot escape it. To solve this issue, in this paper, we propose the dispersed training framework. It utilizes secret sharing to break the correlations between the bottom model and the training data. Accordingly, even if the attacker receives the gradients in the training phase, he is incapable to deduce the feature representation of labels from the bottom model. Besides, we design a customized model aggregation method such that the shared model can be privately combined, and the linearity of secret sharing schemes ensures the training accuracy to be preserved. Theoretical and experimental analyses indicate the satisfactory performance and effectiveness of our framework.

Xiaoyong Yuan,Xiyao Ma,Lan Zhang,Yuguang Fang,Dapeng Wu

DOI: https://doi.org/10.1109/jiot.2021.3089713

IF: 10.6

2022-02-15

IEEE Internet of Things Journal

Abstract:Federated learning (FL) enables multiple clients to collaboratively build a global learning model without sharing their own raw data for privacy protection. Unfortunately, recent research still found privacy leakage in FL, especially on image classification tasks, such as the reconstruction of class representatives. Nevertheless, such analysis on image classification tasks is not applicable to uncover the privacy threats against natural language processing (NLP) tasks, whose records composed of sequential texts cannot be grouped as class representatives. The finer (record-level) granularity in NLP tasks not only makes it more challenging to extract individual text records, but also exposes more serious threats. This article presents the first attempt to explore the record-level privacy leakage against NLP tasks in FL. We propose a framework to investigate the exposure of the records of interest in federated aggregations by leveraging the perplexity of language modeling. Through monitoring the exposure patterns, we propose two correlation attacks to identify the corresponding clients when extracting their specific records. Extensive experimental results demonstrate the effectiveness of the proposed attacks. We have also examined several countermeasures and shown that they are ineffective to mitigate such attacks, and hence further research is expected.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hangyu Zhu,Liyuan Huang,Zhenping Xie

2024-09-28

Abstract:Federated learning (FL) is an emerging distributed machine learning paradigm proposed for privacy preservation. Unlike traditional centralized learning approaches, FL enables multiple users to collaboratively train a shared global model without disclosing their own data, thereby significantly reducing the potential risk of privacy leakage. However, recent studies have indicated that FL cannot entirely guarantee privacy protection, and attackers may still be able to extract users' private data through the communicated model gradients. Although numerous privacy attack FL algorithms have been developed, most are designed to reconstruct private data from a single step of calculated gradients. It remains uncertain whether these methods are effective in realistic federated environments or if they have other limitations. In this paper, we aim to help researchers better understand and evaluate the effectiveness of privacy attacks on FL. We analyze and discuss recent research papers on this topic and conduct experiments in a real FL environment to compare the performance of various attack methods. Our experimental results reveal that none of the existing state-of-the-art privacy attack algorithms can effectively breach private client data in realistic FL settings, even in the absence of defense strategies. This suggests that privacy attacks in FL are more challenging than initially anticipated.

Cryptography and Security,Artificial Intelligence