Evaluating Selective Encryption Against Gradient Inversion Attacks
Jiajun Gu, Yuhang Yao, Shuaiqi Wang, Carlee Joe-Wong
Published on arXiv: 2508.04155
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
Gradient magnitude is the most generally effective selective encryption metric against optimization-based gradient inversion attacks, though no single strategy is universally optimal across all model architectures and attack types.
Novel technique introduced: Distance-based significance analysis for selective gradient encryption
Gradient inversion attacks pose significant privacy threats to distributed training frameworks such as federated learning, enabling malicious parties to reconstruct sensitive local training data from gradient communications between clients and an aggregation server during the aggregation process. While traditional encryption-based defenses, such as homomorphic encryption, offer strong privacy guarantees without compromising model utility, they often incur prohibitive computational overheads. To mitigate this, selective encryption has emerged as a promising approach, encrypting only a subset of gradient data based on the data's significance under a certain metric. However, there have been few systematic studies on how to specify this metric in practice. This paper systematically evaluates selective encryption methods with different significance metrics against state-of-the-art attacks. Our findings demonstrate the feasibility of selective encryption in reducing computational overhead while maintaining resilience against attacks. We propose a distance-based significance analysis framework that provides theoretical foundations for selecting critical gradient elements for encryption. Through extensive experiments on different model architectures (LeNet, CNN, BERT, GPT-2) and attack types, we identify gradient magnitude as a generally effective metric for protection against optimization-based gradient inversions. However, we also observe that no single selective encryption strategy is universally optimal across all attack scenarios, and we provide guidelines for choosing appropriate strategies for different model architectures and privacy requirements.
Key Contributions
- Systematic evaluation of selective encryption significance metrics (magnitude, layer-wise, random, etc.) against state-of-the-art gradient inversion attacks
- Distance-based significance analysis framework providing theoretical foundations for identifying critical gradient elements to encrypt
- Practical guidelines showing gradient magnitude is generally effective for optimization-based gradient inversions, with architecture-specific recommendations
🛡️ Threat Analysis
Gradient inversion attacks reconstruct private training data from shared gradients in federated learning — a direct data reconstruction threat. The paper evaluates selective encryption defenses against these attacks, with an adversary explicitly modeled as reconstructing local training data from gradient communications.
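The three significance metrics named above (magnitude, layer-wise, random) can be compared on a fixed encryption budget with a short script. This is an added example, not code from the paper: the gradient values are constructed, the layer-wise rule (encrypt whole layers that fit the budget) is an assumed interpretation, and the "plaintext energy" measure is a simple proxy, not the paper's distance-based framework.

```python
import random

# Constructed per-layer gradients (not data from the paper): 40 values, fc dominates.
_rng = random.Random(7)
GRADS = {"conv1": [_rng.gauss(0, 0.01) for _ in range(8)],
         "conv2": [_rng.gauss(0, 0.05) for _ in range(12)],
         "fc":    [_rng.gauss(0, 1.0) for _ in range(20)]}

def select_mask(layers, ratio, metric, seed=0):
    """Return the set of (layer, index) positions to encrypt under one metric."""
    pos = [(name, i) for name, g in layers.items() for i in range(len(g))]
    k = round(ratio * len(pos))                      # encryption budget in elements
    if metric == "magnitude":                        # largest |g| across the whole model
        return set(sorted(pos, key=lambda p: -abs(layers[p[0]][p[1]]))[:k])
    if metric == "random":                           # uniform sample of positions
        return set(random.Random(seed).sample(pos, k))
    if metric == "layer-wise":                       # assumed rule: whole layers that fit
        chosen = set()
        for name, g in layers.items():
            if len(chosen) + len(g) <= k:
                chosen |= {(name, i) for i in range(len(g))}
        return chosen
    raise ValueError(f"unknown metric: {metric}")

def plaintext_energy(layers, mask):
    """Fraction of the squared gradient norm left unencrypted (visible on the wire)."""
    total = sum(v * v for g in layers.values() for v in g)
    seen = sum(v * v for n, g in layers.items()
               for i, v in enumerate(g) if (n, i) not in mask)
    return seen / total

def compare(layers, ratio):
    """Plaintext energy fraction per metric at the same encryption ratio."""
    return {m: plaintext_energy(layers, select_mask(layers, ratio, m))
            for m in ("magnitude", "random", "layer-wise")}

if __name__ == "__main__":
    for metric, frac in compare(GRADS, 0.2).items():
        print(f"{metric:10s} plaintext energy fraction: {frac:.3f}")
```

For any fixed budget, the magnitude mask leaves the least gradient energy in plaintext by construction; whether that translates into resistance to a given attack is what the paper evaluates empirically.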