Abstract
Federated learning (FL) has become a crucial technique for medical imaging analysis, enabling multiple institutions to collaboratively train machine learning models while preserving patient privacy. However, recent research has uncovered the vulnerability of shared gradients in FL, which can be exploited through the gradient inversion attack (GIA) to reconstruct private medical images. While existing methods show promise in generic image tasks, their application to high-resolution medical images remains underexplored and ineffective due to data complexity. This paper introduces GradInvDiff, a novel GIA tailored for medical FL scenarios. Unlike traditional methods that rely solely on gradient guidance, our approach combines diffusion models with gradient matching optimization to iteratively refine the inference process. By replacing the standard random noise in the diffusion process with a direction derived from the difference between the optimized and original means, we inject a gradient-based condition into the noise to enhance image reconstruction quality. This method enables high-quality, pixel-level reconstruction of private medical images, even in the presence of large batch sizes or gradient noise. Our experiments demonstrate that GradInvDiff outperforms existing state-of-the-art gradient inversion methods and shows better accuracy and visibility when attacking medical FL models. We hope that this paper can raise public awareness of privacy leakage risks when using medical FL.
Links to Paper and Supplementary Materials
Main Paper (Open Access Version): https://papers.miccai.org/miccai-2025/paper/1362_paper.pdf
SharedIt Link: Not yet available
SpringerLink (DOI): Not yet available
Supplementary Material: Not Submitted
Link to the Code Repository
https://github.com/R00TSEN1650/GradInvDiff
Link to the Dataset(s)
N/A
BibTex
@InProceedings{WanZhi_GradInvDiff_MICCAI2025,
author = { Wang, Zhiyuan and Gan, Daisong and Fang, Wenzhuo and Zhu, Yuliang and Liu, Kun},
title = { { GradInvDiff: Stealing Medical Privacy in Federated Learning via Diffusion-Based Gradient Inversion } },
booktitle = {proceedings of Medical Image Computing and Computer Assisted Intervention -- MICCAI 2025},
year = {2025},
publisher = {Springer Nature Switzerland},
volume = {LNCS 15973},
month = {September},
pages = {269 -- 279}
}
Reviews
Review #1
- Please describe the contribution of the paper
The paper introduces GradInvDiff, a novel gradient inversion attack framework tailored for medical federated learning (FL) scenarios. It has three contributions.
- The authors propose a method that integrates adaptive mean optimization and time-variant gradient-diffusion blending. Unlike prior gradient inversion attacks (GIAs), GradInvDiff iteratively refines the diffusion sampling trajectory to align with gradient-matching objectives, significantly improving reconstruction fidelity.
- A noise projection method is introduced to align stochastic noise injection with the gradient residual subspace. This preserves essential details while minimizing deviations from the data manifold, addressing a key limitation of existing methods like GGDM.
- Extensive experiments across multiple medical imaging modalities (ChestX-ray8, Acevedo-20, LiTS) and network architectures (LeNet, ResNet) demonstrate robustness under practical FL constraints, including large batch sizes (B=8) and differential privacy defenses (δ=0.01). The method outperforms state-of-the-art GIAs in metrics like PSNR (e.g., 23.6 vs. 19.2 for LiTS on LeNet) and LPIPS, proving its effectiveness in reconstructing diagnostically meaningful images.
- Please list the major strengths of the paper: you should highlight a novel formulation, an original way to use data, demonstration of clinical feasibility, a novel application, a particularly strong evaluation, or anything else that is a strong aspect of this work. Please provide details, for instance, if a method is novel, explain what aspect is novel and why this is interesting.
This paper proposes the integration of diffusion models with gradient inversion attacks, introducing Adaptive Mean Optimization (AMO) and Gradient-Aligned Noise Injection (GANI). AMO dynamically balances structural precision and detail retention by fusing gradient-matching optimization with diffusion priors (e.g., time-dependent mixing coefficients γ_t). GANI projects noise into the gradient residual subspace, preventing anatomical inconsistencies caused by traditional random noise. Compared to existing methods like GGDM with fixed-scale guidance, this design significantly enhances high-frequency details (e.g., PSNR of tumor boundaries in LiTS data reaches 23.6, surpassing GGDM’s 19.2).
Experiments demonstrate that GradInvDiff reconstructs medical images (e.g., pulmonary opacities in ChestX-ray8) while preserving critical pathological features, achieving an SSIM of 0.716 (ResNet), outperforming baseline methods (GGDM at 0.487). LPIPS metrics (0.107 vs. baseline 0.270) further validate perceptual similarity, ensuring clinically interpretable outputs.
The method remains stable under large batches (B=8) and differential privacy (δ=0.01), with only a 4% PSNR drop on the Acevedo-20 dataset (20.7→19.6). This robustness stems from diffusion priors constraining the solution space and noise injection mechanisms adaptively handling gradient perturbations, making it suitable for privacy-defense scenarios in real-world federated learning.
- Please list the major weaknesses of the paper. Please provide details: for instance, if you state that a formulation, way of using data, demonstration of clinical feasibility, or application is not novel, then you must provide specific references to prior work.
- While GGDM and optimization-based methods (DLG, IG) are included, newer non-diffusion approaches are not compared. This raises questions about whether diffusion models are inherently superior or if the gains stem from architectural choices.
- Experiments focus on 2D slices (LiTS) and small-scale datasets (Acevedo-20). Complex 3D medical volumes or dynamic imaging are not tested, limiting claims about generalizability.
- Please rate the clarity and organization of this paper
Good
- Please comment on the reproducibility of the paper. Please be aware that providing code and data is a plus, but not a requirement for acceptance.
The authors claimed to release the source code and/or dataset upon acceptance of the submission.
- Optional: If you have any additional comments to share with the authors, please provide them here. Please also refer to our Reviewer’s guide on what makes a good review and pay specific attention to the different assessment criteria for the different paper categories: https://conferences.miccai.org/2025/en/REVIEWER-GUIDELINES.html
N/A
- Rate the paper on a scale of 1-6, 6 being the strongest (6-4: accept; 3-1: reject). Please use the entire range of the distribution. Spreading the score helps create a distribution for decision-making.
(3) Weak Reject — could be rejected, dependent on rebuttal
- Please justify your recommendation. What were the major factors that led you to your overall score for this paper?
- The novelty of this paper is limited. While GGDM and optimization-based methods (DLG, IG) are included, newer non-diffusion approaches are not compared. This raises questions about whether diffusion models are inherently superior or if the gains stem from architectural choices.
- More datasets should be considered to validate the robustness of the paper.
- The motivations of the paper are not clear in this paper.
- Reviewer confidence
Confident but not absolutely certain (3)
- [Post rebuttal] After reading the authors’ rebuttal, please state your final opinion of the paper.
N/A
- [Post rebuttal] Please justify your final decision from above.
N/A
Review #2
- Please describe the contribution of the paper
This paper introduces GradInvDiff, a novel gradient inversion attack tailored for medical FL scenarios.
- Please list the major strengths of the paper: you should highlight a novel formulation, an original way to use data, demonstration of clinical feasibility, a novel application, a particularly strong evaluation, or anything else that is a strong aspect of this work. Please provide details, for instance, if a method is novel, explain what aspect is novel and why this is interesting.
The topic is important and the paper is well-structured.
- Please list the major weaknesses of the paper. Please provide details: for instance, if you state that a formulation, way of using data, demonstration of clinical feasibility, or application is not novel, then you must provide specific references to prior work.
I think the novelty is very limited; it can be considered as introducing FedProx and EMA in gradient inversion. Besides, I suggest the authors compare more methods published in the past year.
- The pipeline is almost the same as the others, which is the most important in security works. I can’t find the exact novelty.
- The difference between this work and the previous one is only the loss function. This function can be considered as adding a proximal item. This method is very similar to FedProx, just used in attacking.
- Nothing about medical data, this method can be used in neural vision images. The authors should highlight what is the key component about medical data.
- The compared methods are too few; there are numerous works published in the past year, and the authors should compare with them.
- The authors should validate the effectiveness in different non-iid settings.
- Please rate the clarity and organization of this paper
Good
- Please comment on the reproducibility of the paper. Please be aware that providing code and data is a plus, but not a requirement for acceptance.
The submission does not mention open access to source code or data but provides a clear and detailed description of the algorithm to ensure reproducibility.
- Optional: If you have any additional comments to share with the authors, please provide them here. Please also refer to our Reviewer’s guide on what makes a good review and pay specific attention to the different assessment criteria for the different paper categories: https://conferences.miccai.org/2025/en/REVIEWER-GUIDELINES.html
N/A
- Rate the paper on a scale of 1-6, 6 being the strongest (6-4: accept; 3-1: reject). Please use the entire range of the distribution. Spreading the score helps create a distribution for decision-making.
(3) Weak Reject — could be rejected, dependent on rebuttal
- Please justify your recommendation. What were the major factors that led you to your overall score for this paper?
Please check the major weakness.
- Reviewer confidence
Very confident (4)
- [Post rebuttal] After reading the authors’ rebuttal, please state your final opinion of the paper.
N/A
- [Post rebuttal] Please justify your final decision from above.
N/A
Review #3
- Please describe the contribution of the paper
The authors describe a method to invert gradients in an honest-but-curious setting. Notably, they incorporate image priors encoded in diffusion models, which they exploit in the image reconstruction process by guiding the image generation process of the diffusion model.
- Please list the major strengths of the paper: you should highlight a novel formulation, an original way to use data, demonstration of clinical feasibility, a novel application, a particularly strong evaluation, or anything else that is a strong aspect of this work. Please provide details, for instance, if a method is novel, explain what aspect is novel and why this is interesting.
The proposed method is a smart way of incorporating image priors in the form of a diffusion model in a classifier-guidance-free method into a gradient inversion attack. It is of utmost importance for the risk assessment in real-world scenarios to have such powerful attacks in realistic threat models available.
- Please list the major weaknesses of the paper. Please provide details: for instance, if you state that a formulation, way of using data, demonstration of clinical feasibility, or application is not novel, then you must provide specific references to prior work.
Overall, the results of your study are convincing. However, some points are not entirely clear to me.
Firstly, I’m wondering what the basis of Figure 1 is. Is this derived from a true example or is it rather a mere visualisation of what the optimisation process could look like? If it’s the latter, isn’t it a bit optimistic that the blended mean does point towards the true target when in a real-world application, the optimisation landscape is very high-dimensional and often not very smooth?
Secondly, you list results when the gradient, which is inverted, is privatised by Differential Privacy. I’m missing some information here, on how exactly this is done. I’m assuming DP-SGD was applied, but even then, there is no information about the clipping factor or noise multiplier. In the paper, you only list a delta of 0.01, however, privacy budgets typically consist of an (epsilon, delta)-pair, so I think some clarification here is needed. Moreover, I’m highly doubtful if a meaningful guarantee was used here as it was shown that DP, even with loose privacy guarantees, can impede attacks in a stronger threat model. For a typical privacy budget where epsilon ranges between 1-10, even the worst-case reconstruction success is limited to a small number of images. Although I am positive about your methodology, I would highly recommend double-checking this during the rebuttal period, as I think it is crucial for the acceptance of your paper.
Lastly, while I understand that you compare to attacks which operate in the same threat model, it would give a more holistic picture to compare to other attacks, which operate in other threat models. For example, Fowl et al. [1] propose an attack, which does not assume a prior but instead a malicious adversary with model access. It would be very interesting to see if a prior can compensate for the advantage a malicious adversary has compared to an honest-but-curious attacker.
Minor points:
- You point out that your approach outperforms others when using LeNet on the LITS dataset. However, on the other datasets for LeNet your results are outperformed by GGDM.
- LeNet and ResNet18 are both very small architectures. I understand that more complex architectures impede the optimisation process in the gradient inversion step, but for practitioners, it would be very interesting to see how this influences the results.
[1] Fowl, Liam, et al. “Robbing the fed: Directly obtaining private data in federated learning with modified models.” International Conference on Learning Representations (2022).
- Please rate the clarity and organization of this paper
Good
- Please comment on the reproducibility of the paper. Please be aware that providing code and data is a plus, but not a requirement for acceptance.
The submission does not mention open access to source code or data but provides a clear and detailed description of the algorithm to ensure reproducibility.
- Optional: If you have any additional comments to share with the authors, please provide them here. Please also refer to our Reviewer’s guide on what makes a good review and pay specific attention to the different assessment criteria for the different paper categories: https://conferences.miccai.org/2025/en/REVIEWER-GUIDELINES.html
The anonymized repository only contains a README file (without any meaningful contents). Hence, we could not cross-check the paper with the implementation.
- Rate the paper on a scale of 1-6, 6 being the strongest (6-4: accept; 3-1: reject). Please use the entire range of the distribution. Spreading the score helps create a distribution for decision-making.
(5) Accept — should be accepted, independent of rebuttal
- Please justify your recommendation. What were the major factors that led you to your overall score for this paper?
The authors make a substantial methodological contribution to the field and can impressively demonstrate the risk of successful reconstruction attacks in an honest-but-curious setting. The results are of great interest to the MICCAI community.
- Reviewer confidence
Very confident (4)
- [Post rebuttal] After reading the authors’ rebuttal, please state your final opinion of the paper.
Accept
- [Post rebuttal] Please justify your final decision from above.
I still like the paper and would like to keep my positive score.
Author Feedback
We thank all reviewers for the constructive comments.
- Comparison with Existing GIAs: For R2Q1/R3Q4: We will provide a more comprehensive comparison with existing GIAs in the paper. Existing GIAs generally fall into three categories. Optimization-based GIAs directly optimize pixel values but often struggle with convergence in high-dimensional spaces. Analytics-based GIAs (e.g., ‘Robbing-the-Fed’ referenced in R1Q3) require model modifications, limiting their practicality in honest-but-curious settings. Generation-based GIAs, mostly using GAN [12-14], reconstruct images by optimizing latent codes but typically produce only semantically similar outputs. Our method leverages diffusion models, which beat GAN on image synthesis [26], and the denoising process naturally integrates with gradient-matching optimization, enabling progressive and high-fidelity reconstructions.
- Novelty and Method: For R2Q3/R3Q1: We will clarify the novelty and motivation of our method in Section 2.3. Our method builds on the GGDM [16] pipeline and introduces two new mechanisms—AMO and GANI—into the diffusion sampling process to address the manifold-deviation problem [27]. The main novelties of our approach are as follows: (1) We employ a novel hybrid mean formulation similar to classifier-free guidance, dynamically adjusting gradient conditioning strength (with linear decay as t→0) while constraining each step’s mean near the data manifold. (2) We project the noise term in the sampling process onto the gradient-matching direction to replace reverse diffusion’s randomness. For R1Q1: Fig2 illustrates the sampling processes in Eq4/5/8; the blended mean does not point directly to the true target image but rather reflects the dynamic interpolation between the conditional and unconditional means. For R3Q2: While our manifold-deviation solution bears some resemblance to proximal optimization, it is novel in the context of diffusion model sampling and offers unique advantages for GIA problems on medical data compared to other approaches. Furthermore, our method introduces additional improvements, including dynamic adjustment of conditional guidance strength and modification of the random noise during sampling. For R3Q3: Our method excels at medical imaging by preserving microstructures, which are clinically more critical than the semantic information prioritized in natural images. We achieve progressive refinement by using medical-pre-trained DDPM as priors, firstly correcting global structures and then optimising fine details. This approach enables superior reconstruction of anatomical details (Fig3).
- Experiment: For R1Q4: The slightly lower PSNR/SSIM scores on higher-dimensional datasets are expected, as these metrics poorly reflect perceptual quality. This aligns with the perception-distortion trade-off (CVPR 2018), where our method’s emphasis on reconstructing finer visual details naturally results in slightly compromised distortion metrics. For R2Q2: Our method maintains inherent compatibility with 3D data, requiring only the replacement of the pre-trained diffusion backbone with a 3D version (e.g., 3D U-Net) and selecting an attackable 3D FL model. The AMO and GANI mechanisms remain functionally identical as they depend solely on gradient inner products. For R1Q2/R3Q5: We follow the standard FL settings used in earlier GIA studies. To test robustness under privacy noise, we add a zero-mean Gaussian noise perturbation with 0.01 standard deviation to each shared gradient instead of applying full DP-SGD. We do not consider non-iid distribution, but we strictly ensure all target images are outside the diffusion-prior training set. Due to page limitations, we couldn’t provide results on 3D datasets for R2Q2 (e.g., ADNI, ImageCHD), larger target models for R1Q4 (e.g., ViT, DenseNet), more baseline methods for R1Q3/R2Q1/R3Q4, or more practical FL settings for R1Q2/R3Q5, but we plan to explore these comprehensively in our extended journal version.
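Added example (not from the paper, its repository, the reviews or the rebuttal): a defender-side comparison of the fixed-σ gradient perturbation described in the feedback above with the clip-then-noise step of DP-SGD that Review #3 asks about. The batch, gradient norms, clip norm C = 1.0 and all function names are constructed for illustration; only σ = 0.01 and B = 8 come from the page.

```python
import numpy as np

def clip_per_example(grads, clip_norm):
    """Scale each row (one example's gradient) so its L2 norm is <= clip_norm."""
    norms = np.linalg.norm(grads, axis=1, keepdims=True)
    return grads * np.minimum(1.0, clip_norm / np.maximum(norms, 1e-12))

def fixed_noise_update(grads, sigma, rng):
    """Setting from the feedback: average the batch, add N(0, sigma^2), no clipping."""
    mean = grads.mean(axis=0)
    return mean + rng.normal(0.0, sigma, size=mean.shape)

def dp_sgd_update(grads, clip_norm, noise_multiplier, rng):
    """DP-SGD style step: clip per example, sum, add N(0, (z*C)^2), divide by B."""
    clipped_sum = clip_per_example(grads, clip_norm).sum(axis=0)
    noise = rng.normal(0.0, noise_multiplier * clip_norm, size=clipped_sum.shape)
    return (clipped_sum + noise) / grads.shape[0]

def effective_noise_multiplier(grads, sigma):
    """Noise std on the summed gradient (B*sigma) over the largest per-example
    norm in this batch. It depends on the data, so it describes one batch and
    cannot be turned into an (epsilon, delta) statement."""
    return grads.shape[0] * sigma / np.linalg.norm(grads, axis=1).max()

def replace_one_shift(update_fn, grads, outlier):
    """L2 shift of a noise-free update when example 0 is replaced by `outlier`."""
    swapped = grads.copy()
    swapped[0] = outlier
    return float(np.linalg.norm(update_fn(swapped) - update_fn(grads)))

def make_batch(norms, dim=1000, seed=0):
    """Constructed per-example gradients: random directions with chosen L2 norms."""
    rng = np.random.default_rng(seed)
    dirs = rng.normal(size=(len(norms), dim))
    dirs /= np.linalg.norm(dirs, axis=1, keepdims=True)
    return dirs * np.asarray(norms, dtype=float)[:, None]

def demo():
    grads = make_batch([0.5, 1, 2, 4, 8, 3, 1.5, 6])   # constructed batch, B = 8
    outlier = make_batch([800.0], seed=1)[0]            # constructed extreme example
    rng = np.random.default_rng(2)
    # Noise is set to zero here so the shift isolates sensitivity, not randomness.
    fixed = lambda g: fixed_noise_update(g, 0.0, rng)
    dp = lambda g: dp_sgd_update(g, 1.0, 0.0, rng)
    return {
        "effective_z_fixed": effective_noise_multiplier(grads, 0.01),
        "shift_fixed": replace_one_shift(fixed, grads, outlier),
        "shift_dp": replace_one_shift(dp, grads, outlier),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

Without clipping, one example can move the shared update arbitrarily far, so a fixed noise scale has nothing to be calibrated against; with clipping, the shift is bounded by 2C/B and the noise multiplier becomes a parameter that a privacy accountant can convert into an (ε, δ) pair.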
Meta-Review
Meta-review #1
- Your recommendation
Invite for Rebuttal
- If your recommendation is “Provisional Reject”, then summarize the factors that went into this decision. In case you deviate from the reviewers’ recommendations, explain in detail the reasons why. You do not need to provide a justification for a recommendation of “Provisional Accept” or “Invite for Rebuttal”.
N/A
- After you have reviewed the rebuttal and updated reviews, please provide your recommendation based on all reviews and the authors’ rebuttal.
Accept
- Please justify your recommendation. You may optionally write justifications for ‘accepts’, but are expected to write a justification for ‘rejects’
N/A
Meta-review #2
- After you have reviewed the rebuttal and updated reviews, please provide your recommendation based on all reviews and the authors’ rebuttal.
Accept
- Please justify your recommendation. You may optionally write justifications for ‘accepts’, but are expected to write a justification for ‘rejects’
While the reviewers are mixed (2 × weak rejects, 1 accept), the major weaknesses raised—such as missing comparisons—are not backed by references. The concerns from the one engaged reviewer were addressed in the rebuttal. Overall, I recommend acceptance.
Meta-review #3
- After you have reviewed the rebuttal and updated reviews, please provide your recommendation based on all reviews and the authors’ rebuttal.
Accept
- Please justify your recommendation. You may optionally write justifications for ‘accepts’, but are expected to write a justification for ‘rejects’
N/A