I was reading a relatively new paper that proposed to split a neural network's layers into groups and send each group to different nodes to train them in a distributed manner. In order not to send sensitive data through the internet, only the layers' outputs and gradients are sent. The question is the following: if we consider only the case of a Multilayer Perceptron, and we take the output of one of its hidden layers, what are the conditions the layers passed to the node that stores the raw data need to meet in order for it to be very difficult (almost impossible) to reproduce the input from the hidden layer's output, keeping the data private? Also, some other preconditions are:

  • The node that owns the model is the one that initializes all the layers of the MLP and distributes the sections to the node that owns the data and the rest of the nodes (if there are more nodes participating).
  • Gradients are propagated through this node too, so if he knows the gradients that should go to the node that trains the beginning section of the network (the one that stores the raw data), he can optimize a copy of the beginning section independently.

What conditions must be met to make it impossible to reproduce the input data given a hidden layer's output, and what would be a mathematical proof of it?

sgaseretto
    There's pretty active research into recoverability of training data from neural networks, even from just the final output of a black-box network (given the ability to query it). For a start, see https://bair.berkeley.edu/blog/2019/08/13/memorization/ – Ben Reiniger Feb 21 '20 at 16:16

0 Answers