959ab9a0695c467e7caf75431a872e5c-Supplemental.pdf

Inparticular,fromtheexpressionabove,theattackerneeds to pick out batches such that the difference between the batch gradient and the true gradient is in the opposite direction from the true gradient. In this section, we further investigate an attacker's ability to approximate out-of-distribution data usingnaturaldata. Clearly we can not get withinanyaccuracywith this reconstruction. One can now attain exact bounds usinge.g. Theory outlined here highlights thedifferences inattack performance observedforbatch reorder and reshuffle.