Deep Leakage from Gradients (DLG) is an optimization-based attack that reconstructs private training data from publicly shared gradients in distributed learning. The adversary initializes dummy inputs and labels, computes their gradients, and minimizes the distance between these dummy gradients and the actual observed gradients using gradient matching. Through iterative optimization, the dummy data converges to closely resemble the private training samples, exposing sensitive information without direct access to the dataset.
Glossary
Deep Leakage from Gradients (DLG)

What is Deep Leakage from Gradients (DLG)?
An optimization-based attack that reconstructs private training data from shared model gradients by iteratively matching dummy inputs to the observed gradient updates.
The attack exploits the fact that gradients encode detailed information about their corresponding inputs. DLG uses an L-BFGS optimizer to minimize the Euclidean distance between real and synthetic gradients, requiring fewer iterations than prior methods. Defenses include gradient perturbation, gradient clipping, and secure aggregation protocols that prevent adversaries from observing individual gradient updates in plaintext.
Key Characteristics of DLG
Deep Leakage from Gradients (DLG) is an optimization-based attack that reconstructs private training data from shared model gradients. The following cards break down its core algorithmic properties and operational requirements.
Iterative Gradient Matching
The core mechanism of DLG is an iterative optimization loop that minimizes the distance between dummy gradients and real observed gradients. The attacker initializes a pair of dummy inputs and labels with random noise, performs a forward and backward pass on the shared model, and computes the loss between the resulting dummy gradients and the actual shared gradients. By backpropagating this matching loss into the dummy inputs themselves, the attacker progressively refines the dummy data until it visually converges to the original private training sample. The optimization objective is typically defined as minimizing the L2 distance or cosine similarity loss between the real gradient vector and the synthetic gradient vector.
White-Box Access Requirement
DLG operates under a strong threat model requiring full white-box access to the model architecture and its current parameter weights. The attacker must be able to compute exact gradients by executing the model's forward and backward passes locally. This distinguishes DLG from black-box attacks like Model Inversion or Membership Inference, which only require query access to confidence scores. In a federated learning context, this assumption holds because the central server or a malicious participant inherently possesses the model weights and receives the raw gradient updates from honest clients.
High-Fidelity Image Reconstruction
DLG is particularly devastating against computer vision models trained with small batch sizes. The attack can reconstruct pixel-level details of the private training images, including fine-grained textures, background elements, and even text present in the original sample. Reconstruction quality is quantitatively measured using metrics such as:
- Peak Signal-to-Noise Ratio (PSNR): Measures pixel-space fidelity.
- Structural Similarity Index (SSIM): Evaluates perceptual structure, luminance, and contrast.
- Learned Perceptual Image Patch Similarity (LPIPS): Uses deep features to assess perceptual similarity more aligned with human vision.
Sensitivity to Batch Size
The fidelity of DLG reconstruction is inversely correlated with the batch size used during training. When gradients are averaged over a large batch of diverse samples, the aggregated gradient signal becomes a blurred superposition of many data points, making it difficult to disentangle individual inputs. DLG is most effective when the batch size is 1, allowing exact reconstruction. As batch size increases, the attack degrades rapidly, often requiring modifications like Inverting Gradients (IG) or analytical separation techniques to handle multi-sample batches.
Label Inference from Gradients
DLG does not require prior knowledge of the ground-truth labels. The attack analytically extracts the correct label directly from the shared gradients of the final classification layer. For models trained with cross-entropy loss, the gradient with respect to the logits reveals the difference between the softmax probabilities and the one-hot encoded true label. By identifying the index with the minimum gradient value in the logit layer, the attacker can deterministically infer the correct label before initiating the input reconstruction process. This eliminates the need to jointly optimize for both inputs and labels.
DLG vs. Other Gradient Inversion Attacks
A technical comparison of Deep Leakage from Gradients against other prominent gradient inversion and data reconstruction attacks based on their mechanisms, requirements, and performance characteristics.
| Feature | Deep Leakage from Gradients (DLG) | Improved DLG (iDLG) | Inverting Gradients (IG) |
|---|---|---|---|
Optimization Objective | L-BFGS on Euclidean distance between real and dummy gradients | Analytical extraction of ground-truth label + L-BFGS on gradient distance | Cosine similarity loss with total variation and group consistency regularization |
Label Recovery Required | |||
Batch Size Capability | Single image only | Single image only | Up to 48 images (with priors) |
Convergence Time (CIFAR-10) | ~100-500 iterations | ~50-200 iterations | ~2,400-24,000 iterations |
Reconstruction Fidelity (PSNR) | ~15-20 dB | ~18-25 dB | ~25-35 dB |
Requires Batch Normalization Statistics | |||
Architecture Agnostic | |||
Analytical Label Extraction |
Frequently Asked Questions
Clear, technical answers to the most common questions about the DLG attack, its variants, and the defenses that protect federated learning systems from gradient-based data reconstruction.
Deep Leakage from Gradients (DLG) is an optimization-based privacy attack that reconstructs private training data from publicly shared model gradients. The attack works by first initializing a pair of dummy inputs and dummy labels, then performing a forward pass through the target model to compute dummy gradients. An iterative optimization loop minimizes the Euclidean distance between these dummy gradients and the real observed gradients. Because the gradient is a function of the input data, the optimization process forces the dummy inputs to converge toward the original private training samples. The attack exploits the fact that gradients encode detailed per-sample information, and with sufficient optimization steps, the reconstructed images or text become visually indistinguishable from the originals. DLG is particularly effective against models trained with small batch sizes, where individual sample information is not averaged away.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the attack mechanisms, optimization objectives, and defensive countermeasures that define the gradient leakage landscape.
Gradient Matching
The core optimization objective driving DLG. The attacker initializes dummy inputs and dummy labels, computes their gradients, and minimizes the distance between these synthetic gradients and the real observed gradients. Common distance functions include:
- Euclidean distance for direct magnitude matching
- Cosine similarity loss for faster convergence on angular alignment
- The attacker iteratively refines dummy data until the gradient signals align, at which point the dummy inputs closely approximate the private training data.
Reconstruction Quality Metrics
Researchers quantify DLG attack success using perceptual and pixel-space metrics:
- Peak Signal-to-Noise Ratio (PSNR): Measures pixel-level fidelity between original and reconstructed images
- Structural Similarity Index (SSIM): Evaluates perceived quality by comparing luminance, contrast, and structure
- Learned Perceptual Image Patch Similarity (LPIPS): Uses deep neural features to assess visual similarity in ways that correlate with human judgment High SSIM and LPIPS scores indicate the attack successfully recovered recognizable private data.
Gradient Pruning
A lightweight defense that selectively transmits only a subset of gradient elements during distributed training. By sharing only the top-k largest magnitude gradients and zeroing out the rest, pruning reduces the information bandwidth available to an adversary. This degrades DLG reconstruction quality because the attacker receives an incomplete gradient signal, making precise inversion mathematically harder without significantly harming model convergence.
Differential Privacy (DP-SGD)
The gold-standard defense against gradient leakage. Differentially Private Stochastic Gradient Descent provides provable privacy guarantees by:
- Per-sample gradient clipping to bound individual influence
- Gaussian noise injection into the aggregated batch gradient
- Privacy accounting to track cumulative epsilon expenditure The privacy budget (epsilon) quantifies the maximum information leakage, with smaller values enforcing stronger protections at a utility cost.
Secure Aggregation
A cryptographic protocol that prevents gradient leakage by design. Using secure multi-party computation or homomorphic encryption, a central server computes the sum of model updates from multiple clients without ever inspecting any individual contribution in plaintext. This eliminates the attack surface entirely—even if the server is compromised, there are no individual gradients to invert. Often combined with differential privacy for defense-in-depth.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us