Cape: Context-Aware Prompt Perturbation Mechanism with Differential Privacy
Haoqi Wu, Wei Dai, Li Wang, Qiang Yan
TL;DR
Cape tackles the privacy risk of sending prompts to cloud LLMs by introducing a context-aware prompt perturbation mechanism grounded in local differential privacy. It combines a hybrid utility function that leverages both contextual logits and token embedding distances with a bucketized exponential mechanism to efficiently sample replacement tokens over large vocabularies. The approach includes a non-sensitive token set to preserve readability and demonstrates superior privacy-utility trade-offs on text classification and open-ended generation tasks while maintaining practical on-device latency. This work advances privacy-preserving LLM inference with scalable, context-sensitive perturbation that can be deployed without modifying back-end models or requiring secure computation channels.
Abstract
Large Language Models (LLMs) have gained significant popularity due to their remarkable capabilities in text understanding and generation. However, despite their widespread deployment in inference services such as ChatGPT, concerns about the potential leakage of sensitive user data have arisen. Existing solutions primarily rely on privacy-enhancing technologies to mitigate such risks, facing the trade-off among efficiency, privacy, and utility. To narrow this gap, we propose Cape, a context-aware prompt perturbation mechanism based on differential privacy, to enable efficient inference with an improved privacy-utility trade-off. Concretely, we introduce a hybrid utility function that better captures the token similarity. Additionally, we propose a bucketized sampling mechanism to handle large sampling space, which might lead to long-tail phenomenons. Extensive experiments across multiple datasets, along with ablation studies, demonstrate that Cape achieves a better privacy-utility trade-off compared to prior state-of-the-art works.
