Navigating the Designs of Privacy-Preserving Fine-tuning for Large Language Models

Haonan Shi, Tu Ouyang, An Wang

TL;DR

The paper addresses privacy-preserving fine-tuning of large language models by balancing client data privacy, server IP protection, and tuning cost. It introduces GuardedTuning, a family of architectures (Online, Gradfree, Offline) that combine split/offsite training with a decorrelation-based privacy regularizer and quantization to mitigate data reconstruction attacks (DRAs). Evaluations on four reasoning tasks with OPT-1.3B and OPT-6.7B show that DRA effectiveness drops below 50% and communication costs decrease by up to 73.7%, while fine-tuning utility remains largely intact (less than 1.5% degradation in most cases). These designs offer practical trade-offs for real-world deployments and show that privacy-preserving fine-tuning is feasible without substantial loss in performance, while also pointing to emulator-security considerations and hardware-assisted approaches for further strengthening protection.

Abstract

Instruction tuning has proven effective in enhancing Large Language Models' (LLMs) performance on downstream tasks. However, real-world fine-tuning faces inherent conflicts between model providers' intellectual property protection, clients' data privacy requirements, and tuning costs. While recent approaches like split learning and offsite tuning demonstrate promising architectures for privacy-preserving fine-tuning, there is a gap in systematically addressing the multidimensional trade-offs required for diverse real-world deployments. We propose several indicative evaluation metrics to guide design trade-offs for privacy-preserving fine-tuning and a series of example designs, collectively named GuardedTuning; they result from novel combinations of system architectures with adapted privacy-enhancement methods and emerging computation techniques. Each design represents distinct trade-offs across model utility, privacy guarantees, and costs. Experimental results demonstrate that these designs protect against data reconstruction attacks while maintaining competitive fine-tuning performance.

Paper Structure (10 sections, 3 equations, 2 figures, 2 tables)

Figures (2)

  • Figure 1: Architectures for Online GuardedTuning and Gradfree GuardedTuning.
  • Figure 2: Architecture for Offline GuardedTuning.