With the introduction of regulations related to the ``right to be forgotten", federated learning (FL) is facing new privacy compliance challenges. To address these challenges, researchers have proposed federated unlearning (FU). However, existing FU research has primarily focused on improving the efficiency of unlearning, with less attention paid to the potential privacy vulnerabilities inherent in these methods. To address this gap, we draw inspiration from gradient inversion attacks in FL and propose the federated unlearning inversion attack (FUIA). The FUIA is specifically designed for the three types of FU (sample unlearning, client unlearning, and class unlearning), aiming to provide a comprehensive analysis of the privacy leakage risks associated with FU. In FUIA, the server acts as an honest-but-curious attacker, recording and exploiting the model differences before and after unlearning to expose the features and labels of forgotten data. FUIA significantly leaks the privacy of forgotten data and can target all types of FU. This attack contradicts the goal of FU to eliminate specific data influence, instead exploiting its vulnerabilities to recover forgotten data and expose its privacy flaws. Extensive experimental results show that FUIA can effectively reveal the private information of forgotten data. To mitigate this privacy leakage, we also explore two potential defense methods, although these come at the cost of reduced unlearning effectiveness and the usability of the unlearned model.

本研究针对联邦学习中联邦不可学习（FU）方法的隐私漏洞进行了探讨，识别出现有研究仅集中于优化不可学习效率，而忽视了潜在的隐私风险。提出的联邦不可学习反演攻击（FUIA）通过利用模型更新前后的差异，揭示了无法遗忘的数据的隐私泄露风险，并对现有的FU方法提出了挑战。实验结果表明，FUIA能有效揭露被遗忘数据的私人信息，同时也探索了两种降低隐私泄露的防御方法，尽管这可能影响不可学习的有效性。 

FUIA：针对联邦不可学习的模型反演攻击