Appendix
Neural Information Processing Systems
Chen et al., 2021] the adversary aims to steal the trained model's functionality. It was shown that in certain cases the adversary can reconstruct the exact parameters of the target model. Fredrikson et al. [2015] showed that a face-recognition model can be used to reconstruct images of a certain person. This is done by using gradient descent to obtain an input that maximizes the output probability that the face-recognition model assigns to a specific class. That is, they generate images where the target model outputs a high probability for the considered class (as in Fredrikson et al. [2015]), but also encourage realistic images using a GAN.
Feb-10-2026, 19:01:14 GMT