Data fabrication attacks threaten data governance and privacy auditing by synthesizing small batches of data that yield gradients equivalent to those of legitimate training data. Method: We systematically assess the practical feasibility of such attacks via (i) a gradient-consistency analysis framework revealing substantial gradient deviations in state-of-the-art attacks—rendering them detectable; (ii) a rigorous theoretical proof, under realistic constraints (e.g., pixel values in [0,255], one-hot labels), that constructing gradient-equivalent batches is nontrivial; and (iii) derivation of fundamental impossibility bounds for stealthy fabrication within constrained domains. Contribution/Results: We establish the first verifiable benchmark for trustworthy data auditing, demonstrating that gradient-equivalent data fabrication is inherently detectable in practice. Our findings necessitate a downward revision of the attack’s real-world threat level, as it cannot reliably evade detection under standard training conditions.

Data forging attacks provide counterfactual proof that a model was trained on a given dataset, when in fact, it was trained on another. These attacks work by forging (replacing) mini-batches with ones containing distinct training examples that produce nearly identical gradients. Data forging appears to break any potential avenues for data governance, as adversarial model owners may forge their training set from a dataset that is not compliant to one that is. Given these serious implications on data auditing and compliance, we critically analyse data forging from both a practical and theoretical point of view, finding that a key practical limitation of current attack methods makes them easily detectable by a verifier; namely that they cannot produce sufficiently identical gradients. Theoretically, we analyse the question of whether two distinct mini-batches can produce the same gradient. Generally, we find that while there may exist an infinite number of distinct mini-batches with real-valued training examples and labels that produce the same gradient, finding those that are within the allowed domain e.g. pixel values between 0-255 and one hot labels is a non trivial task. Our results call for the reevaluation of the strength of existing attacks, and for additional research into successful data forging, given the serious consequences it may have on machine learning and privacy.