\begin{abstract}
Federated learning (FL) preserves privacy in model training by exposing only users' model gradients. Yet FL users are susceptible to the gradient inversion (GI) attack, which can reconstruct ground-truth training data such as images from the exposed model gradients. However, existing GI attacks face two challenges when reconstructing high-resolution images: inferior accuracy under complicated contexts and slow convergence. To address these challenges, in this work we present a \textbf{R}obust, \textbf{A}ccurate and \textbf{F}ast-convergent \textbf{GI} attack algorithm, called \textbf{RAFGI}, with two components: 1) an \textbf{A}dditional \textbf{C}onvolution \textbf{B}lock (\textbf{ACB}), which can infer labels with up to 13\% improvement compared with existing works; 2) a \textbf{T}otal variance, three-channel m\textbf{E}an and c\textbf{A}nny edge detection regularization term (\textbf{TEA}), which is a white-box attack strategy to reconstruct images based on labels inferred by \textbf{ACB}. Moreover, \textbf{RAFGI} is robust: it can still accurately reconstruct ground-truth data when the training batch of each FL user has a size of no more than 48 with duplicated labels. Our experimental results show that \textbf{RAFGI} can reduce time costs by 87\% while achieving superb inversion quality on ImageNet images. Notably, with a batch size of 1, \textbf{RAFGI} exhibits a 9.4 higher Peak Signal-to-Noise Ratio (PSNR) compared to the state-of-the-art baselines.
\end{abstract}