GradInvDiff: Stealing Medical Privacy in Federated Learning via Diffusion-Based Gradient Inversion

Zhiyuan Wang; Daisong Gan; Wenzhuo Fang; Yuliang Zhu; Kun Liu

doi:10.1007/978-3-032-05185-1_26

GradInvDiff: Stealing Medical Privacy in Federated Learning via Diffusion-Based Gradient Inversion

Zhiyuan Wang
, Daisong Gan
, Wenzhuo Fang
, Yuliang Zhu
, Kun Liu^*

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Federated learning (FL) has become a crucial technique for medical imaging analysis, enabling multiple institutions to train machine learning models while preserving patient privacy collaboratively. However, recent research has uncovered the vulnerability of shared gradients in FL, which can be exploited through the gradient inversion attack (GIA) to reconstruct private medical images. While existing methods show promise in generic image tasks, their application to high-resolution medical images remains underexplored and ineffective due to data complexity. This paper introduces GradInvDiff, a novel GIA tailored for medical FL scenarios. Unlike traditional methods that rely solely on gradient guidance, our approach combines diffusion models with gradient matching optimization to iteratively refine the inference process. By replacing the standard random noise in the diffusion process with a direction derived from the difference between the optimized and original means, we inject a gradient-based condition into the noise to enhance image reconstruction quality. This method enables high-quality, pixel-level reconstruction of private medical images, even in the presence of large batch sizes or gradient noise. Our experiments demonstrate that GradInvDiff outperforms existing state-of-the-art gradient inversion methods and shows better accuracy and visibility when attacking medical FL models. We hope that this paper can raise public awareness of privacy leakage risks when using medical FL.

Original language	English
Title of host publication	Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 - 28th International Conference, 2025, Proceedings
Editors	James C. Gee, Jaesung Hong, Carole H. Sudre, Polina Golland, Jinah Park, Daniel C. Alexander, Juan Eugenio Iglesias, Archana Venkataraman, Jong Hyo Kim
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	262-272
Number of pages	11
ISBN (Print)	9783032051844
DOIs	https://doi.org/10.1007/978-3-032-05185-1_26
Publication status	Published - 2026
Externally published	Yes
Event	28th International Conference on Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 - Daejeon, Korea, Republic of Duration: 23 Sept 2025 → 27 Sept 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	15973 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	28th International Conference on Medical Image Computing and Computer Assisted Intervention, MICCAI 2025
Country/Territory	Korea, Republic of
City	Daejeon
Period	23/09/25 → 27/09/25

Keywords

Diffusion Models
Federated Learning
Gradient Inversion Attack

Access to Document

10.1007/978-3-032-05185-1_26

Cite this

Wang, Z., Gan, D., Fang, W., Zhu, Y., & Liu, K. (2026). GradInvDiff: Stealing Medical Privacy in Federated Learning via Diffusion-Based Gradient Inversion. In J. C. Gee, J. Hong, C. H. Sudre, P. Golland, J. Park, D. C. Alexander, J. E. Iglesias, A. Venkataraman, & J. H. Kim (Eds.), Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 - 28th International Conference, 2025, Proceedings (pp. 262-272). (Lecture Notes in Computer Science; Vol. 15973 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-032-05185-1_26

Wang, Zhiyuan ; Gan, Daisong ; Fang, Wenzhuo et al. / GradInvDiff : Stealing Medical Privacy in Federated Learning via Diffusion-Based Gradient Inversion. Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 - 28th International Conference, 2025, Proceedings. editor / James C. Gee ; Jaesung Hong ; Carole H. Sudre ; Polina Golland ; Jinah Park ; Daniel C. Alexander ; Juan Eugenio Iglesias ; Archana Venkataraman ; Jong Hyo Kim. Springer Science and Business Media Deutschland GmbH, 2026. pp. 262-272 (Lecture Notes in Computer Science).

@inproceedings{7fad8aa8b3224b81a84d1b0c6870749d,

title = "GradInvDiff: Stealing Medical Privacy in Federated Learning via Diffusion-Based Gradient Inversion",

abstract = "Federated learning (FL) has become a crucial technique for medical imaging analysis, enabling multiple institutions to train machine learning models while preserving patient privacy collaboratively. However, recent research has uncovered the vulnerability of shared gradients in FL, which can be exploited through the gradient inversion attack (GIA) to reconstruct private medical images. While existing methods show promise in generic image tasks, their application to high-resolution medical images remains underexplored and ineffective due to data complexity. This paper introduces GradInvDiff, a novel GIA tailored for medical FL scenarios. Unlike traditional methods that rely solely on gradient guidance, our approach combines diffusion models with gradient matching optimization to iteratively refine the inference process. By replacing the standard random noise in the diffusion process with a direction derived from the difference between the optimized and original means, we inject a gradient-based condition into the noise to enhance image reconstruction quality. This method enables high-quality, pixel-level reconstruction of private medical images, even in the presence of large batch sizes or gradient noise. Our experiments demonstrate that GradInvDiff outperforms existing state-of-the-art gradient inversion methods and shows better accuracy and visibility when attacking medical FL models. We hope that this paper can raise public awareness of privacy leakage risks when using medical FL.",

keywords = "Diffusion Models, Federated Learning, Gradient Inversion Attack",

author = "Zhiyuan Wang and Daisong Gan and Wenzhuo Fang and Yuliang Zhu and Kun Liu",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.; 28th International Conference on Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 ; Conference date: 23-09-2025 Through 27-09-2025",

year = "2026",

doi = "10.1007/978-3-032-05185-1\_26",

language = "English",

isbn = "9783032051844",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "262--272",

editor = "Gee, \{James C.\} and Jaesung Hong and Sudre, \{Carole H.\} and Polina Golland and Jinah Park and Alexander, \{Daniel C.\} and Iglesias, \{Juan Eugenio\} and Archana Venkataraman and Kim, \{Jong Hyo\}",

booktitle = "Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 - 28th International Conference, 2025, Proceedings",

address = "Germany",

}

Wang, Z, Gan, D, Fang, W, Zhu, Y & Liu, K 2026, GradInvDiff: Stealing Medical Privacy in Federated Learning via Diffusion-Based Gradient Inversion. in JC Gee, J Hong, CH Sudre, P Golland, J Park, DC Alexander, JE Iglesias, A Venkataraman & JH Kim (eds), Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 - 28th International Conference, 2025, Proceedings. Lecture Notes in Computer Science, vol. 15973 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 262-272, 28th International Conference on Medical Image Computing and Computer Assisted Intervention, MICCAI 2025, Daejeon, Korea, Republic of, 23/09/25. https://doi.org/10.1007/978-3-032-05185-1_26

GradInvDiff: Stealing Medical Privacy in Federated Learning via Diffusion-Based Gradient Inversion. / Wang, Zhiyuan; Gan, Daisong; Fang, Wenzhuo et al.
Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 - 28th International Conference, 2025, Proceedings. ed. / James C. Gee; Jaesung Hong; Carole H. Sudre; Polina Golland; Jinah Park; Daniel C. Alexander; Juan Eugenio Iglesias; Archana Venkataraman; Jong Hyo Kim. Springer Science and Business Media Deutschland GmbH, 2026. p. 262-272 (Lecture Notes in Computer Science; Vol. 15973 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - GradInvDiff

T2 - 28th International Conference on Medical Image Computing and Computer Assisted Intervention, MICCAI 2025

AU - Wang, Zhiyuan

AU - Gan, Daisong

AU - Fang, Wenzhuo

AU - Zhu, Yuliang

AU - Liu, Kun

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.

PY - 2026

Y1 - 2026

N2 - Federated learning (FL) has become a crucial technique for medical imaging analysis, enabling multiple institutions to train machine learning models while preserving patient privacy collaboratively. However, recent research has uncovered the vulnerability of shared gradients in FL, which can be exploited through the gradient inversion attack (GIA) to reconstruct private medical images. While existing methods show promise in generic image tasks, their application to high-resolution medical images remains underexplored and ineffective due to data complexity. This paper introduces GradInvDiff, a novel GIA tailored for medical FL scenarios. Unlike traditional methods that rely solely on gradient guidance, our approach combines diffusion models with gradient matching optimization to iteratively refine the inference process. By replacing the standard random noise in the diffusion process with a direction derived from the difference between the optimized and original means, we inject a gradient-based condition into the noise to enhance image reconstruction quality. This method enables high-quality, pixel-level reconstruction of private medical images, even in the presence of large batch sizes or gradient noise. Our experiments demonstrate that GradInvDiff outperforms existing state-of-the-art gradient inversion methods and shows better accuracy and visibility when attacking medical FL models. We hope that this paper can raise public awareness of privacy leakage risks when using medical FL.

AB - Federated learning (FL) has become a crucial technique for medical imaging analysis, enabling multiple institutions to train machine learning models while preserving patient privacy collaboratively. However, recent research has uncovered the vulnerability of shared gradients in FL, which can be exploited through the gradient inversion attack (GIA) to reconstruct private medical images. While existing methods show promise in generic image tasks, their application to high-resolution medical images remains underexplored and ineffective due to data complexity. This paper introduces GradInvDiff, a novel GIA tailored for medical FL scenarios. Unlike traditional methods that rely solely on gradient guidance, our approach combines diffusion models with gradient matching optimization to iteratively refine the inference process. By replacing the standard random noise in the diffusion process with a direction derived from the difference between the optimized and original means, we inject a gradient-based condition into the noise to enhance image reconstruction quality. This method enables high-quality, pixel-level reconstruction of private medical images, even in the presence of large batch sizes or gradient noise. Our experiments demonstrate that GradInvDiff outperforms existing state-of-the-art gradient inversion methods and shows better accuracy and visibility when attacking medical FL models. We hope that this paper can raise public awareness of privacy leakage risks when using medical FL.

KW - Diffusion Models

KW - Federated Learning

KW - Gradient Inversion Attack

UR - https://www.scopus.com/pages/publications/105018055253

U2 - 10.1007/978-3-032-05185-1_26

DO - 10.1007/978-3-032-05185-1_26

M3 - Conference contribution

AN - SCOPUS:105018055253

SN - 9783032051844

T3 - Lecture Notes in Computer Science

SP - 262

EP - 272

BT - Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 - 28th International Conference, 2025, Proceedings

A2 - Gee, James C.

A2 - Hong, Jaesung

A2 - Sudre, Carole H.

A2 - Golland, Polina

A2 - Park, Jinah

A2 - Alexander, Daniel C.

A2 - Iglesias, Juan Eugenio

A2 - Venkataraman, Archana

A2 - Kim, Jong Hyo

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 23 September 2025 through 27 September 2025

ER -

Wang Z, Gan D, Fang W, Zhu Y, Liu K. GradInvDiff: Stealing Medical Privacy in Federated Learning via Diffusion-Based Gradient Inversion. In Gee JC, Hong J, Sudre CH, Golland P, Park J, Alexander DC, Iglesias JE, Venkataraman A, Kim JH, editors, Medical Image Computing and Computer Assisted Intervention, MICCAI 2025 - 28th International Conference, 2025, Proceedings. Springer Science and Business Media Deutschland GmbH. 2026. p. 262-272. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-05185-1_26