Existing evaluations of data reconstruction attacks and defenses in machine learning lack theoretical foundations, making it difficult to distinguish genuine defense efficacy from limitations imposed by attacker computational resources. Method: We propose a systematic evaluation framework grounded in inverse problem modeling. For two-layer neural networks, we derive the first algorithmic upper bound and information-theoretic lower bound on reconstruction error. We further design a unified utility–privacy metric to rectify misjudgments of defense strength prevalent in prior work. Contribution/Results: Through gradient inversion experiments under strong adversarial conditions, we empirically validate the true privacy-preserving capability of multiple defenses. Our analysis uncovers fundamental performance bottlenecks of mainstream defenses, establishes a reproducible and comparable benchmark suite, and introduces a novel paradigm bridging theoretical analysis and empirical assessment of privacy-preserving mechanisms.

Reconstruction attacks and defenses are essential in understanding the data leakage problem in machine learning. However, prior work has centered around empirical observations of gradient inversion attacks, lacks theoretical grounding, and cannot disentangle the usefulness of defending methods from the computational limitation of attacking methods. In this work, we propose to view the problem as an inverse problem, enabling us to theoretically and systematically evaluate the data reconstruction attack. On various defense methods, we derived the algorithmic upper bound and the matching (in feature dimension and architecture dimension) information-theoretical lower bound on the reconstruction error for two-layer neural networks. To complement the theoretical results and investigate the utility-privacy trade-off, we defined a natural evaluation metric of the defense methods with similar utility loss among the strongest attacks. We further propose a strong reconstruction attack that helps update some previous understanding of the strength of defense methods under our proposed evaluation metric.