Gradient inversion attacks in federated graph learning pose severe graph structure privacy risks, yet existing defenses struggle to accommodate the sparsity and topological dependencies inherent in graph data. Method: This paper introduces FedGIG, the first gradient inversion attack framework specifically designed for graph-structured data. It comprises three key innovations: (1) an adjacency matrix constraint module explicitly enforcing binary-valued sparsity and symmetry; (2) a subgraph structural prior-guided reconstruction mechanism to recover missing shared substructures; and (3) a gradient-driven iterative graph generation and refinement strategy. Results: Evaluated on multiple molecular graph datasets, FedGIG significantly outperforms state-of-the-art gradient inversion methods, achieving up to a 37.2% improvement in graph structure reconstruction accuracy. The results expose previously underappreciated privacy vulnerabilities in federated graph learning and establish a critical benchmark and theoretical foundation for developing robust defense mechanisms.

Recent studies have shown that Federated learning (FL) is vulnerable to Gradient Inversion Attacks (GIA), which can recover private training data from shared gradients. However, existing methods are designed for dense, continuous data such as images or vectorized texts, and cannot be directly applied to sparse and discrete graph data. This paper first explores GIA's impact on Federated Graph Learning (FGL) and introduces Graph Inversion from Gradient in Federated Learning (FedGIG), a novel GIA method specifically designed for graph-structured data. FedGIG includes the adjacency matrix constraining module, which ensures the sparsity and discreteness of the reconstructed graph data, and the subgraph reconstruction module, which is designed to complete missing common subgraph structures. Extensive experiments on molecular datasets demonstrate FedGIG's superior accuracy over existing GIA techniques.