The CEA is a major player in research, serving citizens, the economy and the State.
It provides concrete solutions to their needs in four main areas: energy transition, digital transition, technologies for the medicine of the future, and defense and security, built on a foundation of fundamental research. For more than 75 years, the CEA has been committed to serving the scientific, technological and industrial sovereignty of France and Europe, for a better-controlled and safer present and future.
Located at the heart of regions equipped with very large research infrastructures, the CEA has a wide range of academic and industrial partners in France, in Europe and internationally.
The CEA's 20,000 employees share three fundamental values:
- A sense of responsibility
- Cooperation
- Curiosity
Context
Federated Learning (FL) enables multiple clients to collaboratively train machine learning models without sharing their data. Instead, clients exchange local model updates with a central server, which uses them to improve a global model. While this paradigm enhances data privacy, recent studies have shown that FL remains vulnerable to privacy breaches. In particular, gradient inversion attacks can reconstruct sensitive client data from transmitted updates, posing serious privacy concerns [1]. Traditional approaches such as Deep Leakage from Gradients (DLG) [1] demonstrated that even simple models can leak identifiable information.
At the same time, diffusion models [3,4] have emerged as powerful generative frameworks capable of synthesizing realistic data from noisy or partial information. Recent works demonstrate that diffusion models can enhance gradient-based privacy attacks [5] and inspire novel privacy-preserving strategies [6,7].
Objectives
The goal of this internship is to explore the dual role of diffusion models in attacking and defending Federated Learning systems:
Attack Objectives
- Implement diffusion-based gradient inversion attacks inspired by GGDM [5], conditioning the diffusion process on client gradients or embeddings to reconstruct original inputs.
- Compare against existing attack baselines, such as DLG [1], iDLG [2], and GAN-based approaches [8], evaluating reconstruction quality and scalability.
Defense Objectives
- Design a diffusion-inspired privacy mechanism based on forward stochastic noising of client updates, making gradient inversion harder while preserving model convergence.
- Explore hybrid mechanisms integrating differential privacy with diffusion-based noise injection, inspired by DP-Fed-FinDiff [6] and Personalized Federated Diffusion [7].
Comparative Study
- Benchmark the proposed approaches against established FL defenses, such as Secure Aggregation [9] and DP-SGD [10].
- Analyze trade-offs between privacy and robustness in different scenarios, including non-i.i.d. data distributions.
[1] Zhu et al. Deep Leakage from Gradients. NeurIPS 2019.
[2] Zhao et al. iDLG: Improved Deep Leakage from Gradients. ICLR 2020.
[3] Ho et al. Denoising Diffusion Probabilistic Models. NeurIPS 2020.
[4] Song et al. Score-Based Generative Modeling through SDEs. ICLR 2021.
[5] Gu et al. Gradient-Guided Diffusion Models for Privacy Attacks. 2024.
[6] Liu et al. DP-Fed-FinDiff: Differentially Private Federated Diffusion for Tabular Data. 2024.
[7] Chen et al. Personalized Federated Diffusion with Privacy Guarantees. 2025.
[8] Fang et al. GIFD: A Generative Gradient Inversion Method with Feature Domain Optimization. ICCV 2023.
[9] Bonawitz et al. Practical Secure Aggregation for Privacy-Preserving ML. CCS 2017.
[10] Abadi et al. Deep Learning with Differential Privacy. CCS 2016.