No More Guessing: a Verifiable Gradient Inversion Attack in Federated Learning
Pith reviewed 2026-05-10 11:56 UTC · model grok-4.3
The pith
A subspace verification test certifies when a ReLU hyperplane region holds exactly one record, enabling exact analytical recovery from aggregated gradients.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
VGIA adopts a geometric view of ReLU leakage where the activation boundary of a fully connected layer defines a hyperplane in input space. The method introduces an algebraic, subspace-based verification test that detects when a hyperplane-delimited region contains exactly one record. Once isolation is certified, VGIA recovers the corresponding feature vector analytically and reconstructs the target via a lightweight optimization step. Experiments on tabular benchmarks with large batch sizes demonstrate exact record and target recovery in regimes where existing state-of-the-art attacks either fail or cannot assess reconstruction fidelity.
What carries the argument
The algebraic subspace-based verification test that certifies single-record isolation inside regions delimited by ReLU hyperplanes.
If this is right
- Exact record and target recovery becomes possible on tabular benchmarks even when batch sizes are large.
- Reconstruction fidelity can be assessed intrinsically without human inspection or external plausibility checks.
- Hyperplane queries are allocated more efficiently than in prior geometric attacks, producing faster reconstructions with fewer rounds.
Where Pith is reading between the lines
- If the test works, federated learning defenses for tabular data may need to prevent the leakage of hyperplane information rather than merely limit gradient sharing.
- The same isolation logic could be tested on other piecewise-linear activations that also induce hyperplanes.
- Tabular datasets in collaborative training may require new privacy mechanisms that account for verifiable rather than merely plausible reconstructions.
Load-bearing premise
The network uses ReLU activations that create usable hyperplanes in input space, and the attacker can obtain enough model information to run the subspace verification test on those hyperplanes.
What would settle it
A concrete counter-example in which the subspace test declares a region to contain exactly one record, yet the analytically recovered feature vector differs from the actual record that contributed to the observed gradient.
Figures
Original abstract
Gradient inversion attacks threaten client privacy in federated learning by reconstructing training samples from clients' shared gradients. Gradients aggregate contributions from multiple records and existing attacks may fail to disentangle them, yielding incorrect reconstructions with no intrinsic way to certify success. In vision and language, attackers may fall back on human inspection to judge reconstruction plausibility, but this is far less feasible for numerical tabular records, fueling the impression that tabular data is less vulnerable. We challenge this perception by proposing a verifiable gradient inversion attack (VGIA) that provides an explicit certificate of correctness for reconstructed samples. Our method adopts a geometric view of ReLU leakage: the activation boundary of a fully connected layer defines a hyperplane in input space. VGIA introduces an algebraic, subspace-based verification test that detects when a hyperplane-delimited region contains exactly one record. Once isolation is certified, VGIA recovers the corresponding feature vector analytically and reconstructs the target via a lightweight optimization step. Experiments on tabular benchmarks with large batch sizes demonstrate exact record and target recovery in regimes where existing state-of-the-art attacks either fail or cannot assess reconstruction fidelity. Compared to prior geometric approaches, VGIA allocates hyperplane queries more effectively, yielding faster reconstructions with fewer attack rounds.
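As an added illustration, constructed for this page and not taken from the paper or its verification test: a toy one-hidden-layer ReLU network in pure Python shows why a hidden neuron activated by exactly one record of the batch leaks that record's features exactly from the aggregated gradient (the ReLU leakage the geometric view builds on), why a neuron activated by two records yields only a weighted blend that a naive per-neuron ratio cannot tell apart from a genuine record (the false-certificate failure mode raised in the referee report below), and how a client, which knows its own batch, can audit per-neuron activation counts and withhold isolated rows before sharing. The network, weights, records, labels and the masking mitigation are all assumptions of this example.

```python
# Constructed toy (not the paper's code): one hidden ReLU layer z = Wx + b,
# a linear head v . relu(z), squared-error loss, batch of three records.
from typing import List, Optional, Sequence, Tuple

Vec = List[float]


def dot(u: Sequence[float], v: Sequence[float]) -> float:
    return sum(a * b for a, b in zip(u, v))


def forward(W: List[Vec], b: Vec, v: Vec, x: Vec) -> Tuple[Vec, float]:
    """Hidden pre-activations z = Wx + b and the head output v . relu(z)."""
    z = [dot(row, x) + bk for row, bk in zip(W, b)]
    h = [max(0.0, zk) for zk in z]
    return z, dot(v, h)


def batch_gradients(W: List[Vec], b: Vec, v: Vec, batch: List[Vec], labels: Vec):
    """Aggregate gradient of L = 1/2 sum_i (out_i - y_i)^2 w.r.t. W and b, as a
    server would receive it, plus the per-neuron count of records that activated
    the neuron (known only to the client, which holds the batch)."""
    n_out, d = len(W), len(W[0])
    dW = [[0.0] * d for _ in range(n_out)]
    db = [0.0] * n_out
    active_count = [0] * n_out
    for x, y in zip(batch, labels):
        z, out = forward(W, b, v, x)
        r = out - y                      # residual of this record
        for k in range(n_out):
            if z[k] > 0:                 # record lies on the positive side of hyperplane k
                g = r * v[k]             # dL/dz_k contributed by this record
                db[k] += g
                for j in range(d):
                    dW[k][j] += g * x[j]
                active_count[k] += 1
    return dW, db, active_count


def naive_recover(dW_k: Vec, db_k: float) -> Optional[Vec]:
    """Weight-gradient row divided by the bias gradient. This equals the record
    exactly when one record activated the neuron; with several active records it
    is a weighted blend of them, which this ratio alone cannot distinguish."""
    if abs(db_k) < 1e-12:
        return None
    return [g / db_k for g in dW_k]


def mask_isolated_neurons(dW: List[Vec], db: Vec, active_count: List[int],
                          min_records: int = 2):
    """Client-side mitigation (assumed here, not from the paper): zero the shared
    gradient of any hidden neuron activated by fewer than min_records records."""
    dW_m = [row[:] if c >= min_records else [0.0] * len(row)
            for row, c in zip(dW, active_count)]
    db_m = [g if c >= min_records else 0.0 for g, c in zip(db, active_count)]
    return dW_m, db_m


# Constructed parameters chosen so that neuron 0 is activated only by record 0,
# neuron 1 by records 0 and 1, and neuron 2 only by record 2.
W = [[1.0, 0.0, 0.0], [0.0, 0.0, 1.0], [0.0, -1.0, 0.0]]
B = [-0.5, -1.5, 0.5]
V = [1.0, 1.0, 1.0]
BATCH = [[1.0, 2.0, 3.0], [-1.0, 0.5, 2.0], [0.0, -2.0, 1.0]]
LABELS = [1.0, 2.0, 3.0]


def demo():
    """Returns (activation counts, raw per-neuron recoveries, recoveries after masking)."""
    dW, db, counts = batch_gradients(W, B, V, BATCH, LABELS)
    raw = [naive_recover(dW[k], db[k]) for k in range(len(W))]
    dW_m, db_m = mask_isolated_neurons(dW, db, counts)
    masked = [naive_recover(dW_m[k], db_m[k]) for k in range(len(W))]
    return counts, raw, masked


if __name__ == "__main__":
    counts, raw, masked = demo()
    for k in range(len(W)):
        print(f"neuron {k}: active records={counts[k]} raw={raw[k]} masked={masked[k]}")
```

Neurons 0 and 2 each return their isolating record exactly, while neuron 1 returns a vector that is not in the batch at all; nothing in the ratio itself reveals which case applies, which is why a certificate has to come from additional structure, as the paper claims its subspace test provides. The masking step shows the client-side counterpart: the activation counts that make a neuron isolating are visible to the client, so it can refuse to share those rows.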
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes VGIA, a verifiable gradient inversion attack for federated learning on tabular data using ReLU networks. It adopts a geometric view of ReLU activations defining hyperplanes in input space and introduces an algebraic subspace-based verification test to detect when a hyperplane-delimited region contains exactly one record. Once certified, the feature vector is recovered analytically and the target reconstructed via lightweight optimization. Experiments on tabular benchmarks claim exact record and target recovery for large batch sizes where prior attacks fail or cannot certify fidelity, with more efficient hyperplane query allocation than previous geometric methods.
Significance. If the subspace verification test correctly certifies single-record isolation from aggregate gradients, the result would be significant for demonstrating concrete privacy risks in tabular federated learning, where human plausibility checks are infeasible. The algebraic certificate and improved query efficiency over prior geometric attacks are notable strengths; the work also ships explicit experimental comparisons on standard tabular benchmarks with large batches.
Major comments (2)
- [§4.2] Subspace Verification Test: The algebraic test is defined on per-record activation patterns, but the observed gradient is the sum over the batch. No derivation shows that the test remains sound when applied to the entangled aggregate; if two records share linearly dependent contributions within the same hyperplane region, the solved linear system can admit a spurious unique solution that is a combination of the true records, issuing a false certificate. This directly undermines the central claim of verifiable exact recovery.
- [§5.1] Experimental Setup: The reported exact recoveries on tabular benchmarks with batch sizes >32 are presented without ablation on the number of records per hyperplane region or on the condition number of the recovered subspace. Without these controls it is impossible to confirm that the verification test is actually isolating single records rather than succeeding on low-rank aggregates.
Minor comments (2)
- [§3.3] Notation for the subspace projection operator is introduced in §3.3 but reused without redefinition in §4.1; a single forward reference or appendix glossary would improve readability.
- [Figure 3] Figure 3 caption states 'exact recovery' but the plotted metric is cosine similarity; clarify whether the plotted values correspond to the certified cases or to all attempted reconstructions.
Simulated Author's Rebuttal
We thank the referee for the thoughtful and detailed review. The comments highlight important aspects of the soundness and experimental validation of the subspace verification test. We address each major comment below and have revised the manuscript to incorporate clarifications and additional controls.
Point-by-point responses
- Referee: [§4.2] Subspace Verification Test: The algebraic test is defined on per-record activation patterns, but the observed gradient is the sum over the batch. No derivation shows that the test remains sound when applied to the entangled aggregate; if two records share linearly dependent contributions within the same hyperplane region, the solved linear system can admit a spurious unique solution that is a combination of the true records, issuing a false certificate. This directly undermines the central claim of verifiable exact recovery.
  Authors: The subspace verification test is formulated to operate directly on the observed aggregate gradient. The algebraic procedure solves the linear system induced by the collected hyperplane constraints and certifies uniqueness only when the solution subspace has dimension exactly one. We include a derivation in Appendix B establishing that, under the distinct activation pattern assumption maintained by our query allocation, linear dependence across records within the same region is precluded by the geometry of the ReLU hyperplanes; any spurious combination would violate at least one hyperplane constraint and therefore fail the uniqueness check. To make this argument fully explicit, we have expanded §4.2 with a dedicated soundness lemma for the aggregate case and added a short proof sketch.
  Revision: partial
- Referee: [§5.1] Experimental Setup: The reported exact recoveries on tabular benchmarks with batch sizes >32 are presented without ablation on the number of records per hyperplane region or on the condition number of the recovered subspace. Without these controls it is impossible to confirm that the verification test is actually isolating single records rather than succeeding on low-rank aggregates.
  Authors: We agree that these controls are necessary to confirm that certification corresponds to genuine single-record isolation. In the revised version we have added two new ablation studies in §5.1: (i) a sweep over the number of records deliberately placed inside the same hyperplane region, demonstrating that the verification test correctly withholds certification once more than one record is present; (ii) reporting of the condition numbers of the recovered subspaces for all certified recoveries, which remain well-conditioned only for the single-record cases. These results are now included in the updated experimental tables and accompanying text.
  Revision: yes
Circularity Check
No circularity: verification test is an independent algebraic construction
Full rationale
The paper introduces VGIA as a new geometric attack that defines a subspace-based verification test directly from ReLU hyperplane boundaries. The test certifies isolation of a single record's contribution, after which analytic recovery and optimization follow as separate steps. No equation or claim reduces the certificate to a fitted parameter, renamed input, or self-citation chain; the derivation remains self-contained against the stated geometric assumptions without tautological dependence on the reconstruction output itself.
Axiom & Free-Parameter Ledger
Axioms (1)
- Domain assumption: The activation boundary of a fully connected layer with ReLU defines a hyperplane in input space.
Invented entities (1)
- Subspace-based verification test (no independent evidence)