This paper introduces SOMP, a novel gradient inversion attack that leverages head-wise geometric structure and sample-level sparsity in transformer gradients to reconstruct private training data from large language models. SOMP formulates text recovery as a sparse signal recovery problem, enabling it to scale to larger batch sizes and longer sequences where prior methods struggle due to signal mixing and computational cost. Experiments across various LLMs and languages demonstrate that SOMP significantly outperforms existing techniques, even under extreme gradient aggregation, highlighting persistent privacy leakage.
LLMs are more vulnerable to gradient inversion attacks than previously thought: SOMP recovers meaningful training text even with batch sizes up to 128, where prior attacks fail.
Gradient inversion attacks reveal that private training text can be reconstructed from shared gradients, posing a privacy risk to large language models (LLMs). While prior methods perform well in small-batch settings, scaling to larger batch sizes and longer sequences remains challenging due to severe signal mixing, high computational cost, and degraded fidelity. We present SOMP (Subspace-Guided Orthogonal Matching Pursuit), a scalable gradient inversion framework that casts text recovery from aggregated gradients as a sparse signal recovery problem. Our key insight is that aggregated transformer gradients retain exploitable head-wise geometric structure together with sample-level sparsity. SOMP leverages these properties to progressively narrow the search space and disentangle mixed signals without exhaustive search. Experiments across multiple LLM families, model scales, and five languages show that SOMP consistently outperforms prior methods in the aggregated-gradient regime. For long sequences at batch size B=16, SOMP achieves substantially higher reconstruction fidelity than strong baselines, while remaining computationally competitive. Even under extreme aggregation (up to B=128), SOMP still recovers meaningful text, suggesting that privacy leakage can persist in regimes where prior attacks become much less effective.