Table of Contents
Fetching ...

ReCIT: Reconstructing Full Private Data from Gradient in Parameter-Efficient Fine-Tuning of Large Language Models

Jin Xie, Ruishi He, Songze Li, Xiaojun Jia, Shouling Ji

TL;DR

ReCIT introduces a novel privacy attack for parameter-efficient fine-tuning of large language models that can reconstruct both the contextual prefix and personally identifiable information from shared gradients. By combining malicious memory strengthening via Personal Notes with a filter-based token extraction and token-pairing framework, it narrows the search space and links prefixes to PII even under large-batch PEFT regimes. Empirical results across multiple PEFT methods and model families show up to an order of magnitude improvement in PII recovery compared with state-of-the-art attacks, highlighting significant privacy vulnerabilities in decentralized or federated PEFT settings. These findings underscore the urgent need for robust privacy defenses in collaborative LLM training and fine-tuning pipelines.

Abstract

Parameter-efficient fine-tuning (PEFT) has emerged as a practical solution for adapting large language models (LLMs) to custom datasets with significantly reduced computational cost. When carrying out PEFT under collaborative learning scenarios (e.g., federated learning), it is often required to exchange model updates (or gradients) across parties. These gradients, even with limited dimensions, can cause severe breach of data privacy. Recent works have shown that both contextual prefixes and personally identifiable information (PII) can be exposed through gradients. However, \emph{simultaneously} and \emph{accurately} recovering both components from the same training instance remains infeasible due to the following challenges: 1) limited number of PEFT parameters; 2) high-dimensional token spaces; and 3) large batch sizes. We propose ReCIT, a novel privacy attack that addresses all challenges, and achieves recovery of \emph{full} private data from PEFT gradients with high fidelity. Specifically, ReCIT proposes to enhance the memorization capability of the pre-trained model through malicious fine-tuning with Personal Notes; ReCIT also proposes a novel filter-based token extraction technique and a token pairing mechanism, to accurately reconstruct tokens from the training sequences with large batch sizes. Extensive evaluations show that ReCIT consistently outperforms state-of-the-art gradient inversion and memorization-based attacks across different PEFT paradigms. It achieves up to 10$\times$ higher PII recovery rates and remains effective across varying batch sizes, especially in settings where prefix reconstruction is intractable for conventional approaches. These findings highlight an urgent need to reassess the privacy guarantees of PEFT, especially in decentralized or shared training environments.

ReCIT: Reconstructing Full Private Data from Gradient in Parameter-Efficient Fine-Tuning of Large Language Models

TL;DR

ReCIT introduces a novel privacy attack for parameter-efficient fine-tuning of large language models that can reconstruct both the contextual prefix and personally identifiable information from shared gradients. By combining malicious memory strengthening via Personal Notes with a filter-based token extraction and token-pairing framework, it narrows the search space and links prefixes to PII even under large-batch PEFT regimes. Empirical results across multiple PEFT methods and model families show up to an order of magnitude improvement in PII recovery compared with state-of-the-art attacks, highlighting significant privacy vulnerabilities in decentralized or federated PEFT settings. These findings underscore the urgent need for robust privacy defenses in collaborative LLM training and fine-tuning pipelines.

Abstract

Parameter-efficient fine-tuning (PEFT) has emerged as a practical solution for adapting large language models (LLMs) to custom datasets with significantly reduced computational cost. When carrying out PEFT under collaborative learning scenarios (e.g., federated learning), it is often required to exchange model updates (or gradients) across parties. These gradients, even with limited dimensions, can cause severe breach of data privacy. Recent works have shown that both contextual prefixes and personally identifiable information (PII) can be exposed through gradients. However, \emph{simultaneously} and \emph{accurately} recovering both components from the same training instance remains infeasible due to the following challenges: 1) limited number of PEFT parameters; 2) high-dimensional token spaces; and 3) large batch sizes. We propose ReCIT, a novel privacy attack that addresses all challenges, and achieves recovery of \emph{full} private data from PEFT gradients with high fidelity. Specifically, ReCIT proposes to enhance the memorization capability of the pre-trained model through malicious fine-tuning with Personal Notes; ReCIT also proposes a novel filter-based token extraction technique and a token pairing mechanism, to accurately reconstruct tokens from the training sequences with large batch sizes. Extensive evaluations show that ReCIT consistently outperforms state-of-the-art gradient inversion and memorization-based attacks across different PEFT paradigms. It achieves up to 10 higher PII recovery rates and remains effective across varying batch sizes, especially in settings where prefix reconstruction is intractable for conventional approaches. These findings highlight an urgent need to reassess the privacy guarantees of PEFT, especially in decentralized or shared training environments.
Paper Structure (28 sections, 2 theorems, 7 equations, 9 figures, 3 tables)

This paper contains 28 sections, 2 theorems, 7 equations, 9 figures, 3 tables.

Key Result

Theorem 1

The gradient of the loss $\mathcal{L}$ with respect to the weight matrix weight matrix $\bm{W}$ can be expressed as: For batch sizes $b\le n, m$, the rank of the gradient $\frac{\partial \mathcal{L}}{\partial \bm{W}} \in\mathbb{R} ^{n\times m}$ is at most $b$.

Figures (9)

  • Figure 1: Comparison of Data Reconstruction Attacks: Examples are reconstructed using the Personachat dataset with LLaMA-3.2-3B in LoRA fine-turning, employing a batch size of 4.
  • Figure 2: Overview of ReCIT. It mainly includes the following steps: 1) The adversary uses a generated dataset with PNotes to strengthen memorization and extraction of PII. 2) The client uses PEFT to fine-tune the model with its private dataset containing PII and shares the PEFT gradient with the adversary. 3) The adversary uses FTE (Filter-based Token Extraction) to recover the PII topic, Name, and Keyword tokens in prefix and pairing tokens from the same sequence. 4) The adversary uses GPT-4o to form the sequence based on filtered tokens. 5) The adversary queries the update model to obtain the PII.
  • Figure 3: Overview of constructing PNote dataset.
  • Figure 4: Comparison of Prefix reconstruction between ReCIT and other baselines
  • Figure 5: Comparison of PII reconstruction between ReCIT and other baselines
  • ...and 4 more figures

Theorems & Definitions (2)

  • Theorem 1
  • Theorem 2