Tuning without Peeking: Provable Privacy and Generalization Bounds for LLM Post-Training

Ismail Labiad, Mathurin Videau, Matthieu Kowalski, Marc Schoenauer, Alessandro Leite, Julia Kempe, Olivier Teytaud

TL;DR

BBoxER addresses privacy and robustness in LLM post-training by leveraging comparison-based black-box optimization to learn small data-derived updates without gradients. It formalizes an information bottleneck through a compression of the optimization trace, and derives non-vacuous generalization bounds along with provable privacy and poisoning guarantees. Empirically, a few hundred BBoxER evaluations yield consistent improvements on reasoning benchmarks for billion-scale LLMs while resisting membership inference and data-extraction attacks. The approach serves as a safe, modular add-on atop gradient-based training, enabling private, scalable post-training in privacy-sensitive or restricted settings.

Abstract

Gradient-based optimization is the workhorse of deep learning, offering efficient and scalable training via backpropagation. However, exposing gradients during training can leak sensitive information about the underlying data, raising privacy and security concerns such as susceptibility to data poisoning attacks. In contrast, black-box optimization methods, which treat the model as an opaque function and rely solely on function evaluations to guide optimization, offer a promising alternative in scenarios where data access is restricted, adversarial risks are high, or overfitting is a concern. This paper introduces BBoxER, an evolutionary black-box method for LLM post-training that induces an information bottleneck via implicit compression of the training data. Leveraging the tractability of information flow, we provide non-vacuous generalization bounds and strong theoretical guarantees for differential privacy, robustness to data poisoning attacks, and extraction attacks. In experiments with LLMs, we demonstrate empirically that black-box optimization methods, despite the scalability and computational challenges inherent to black-box approaches, are able to learn, showing how a few iterations of BBoxER improve performance, generalize well on a benchmark of reasoning datasets, and are robust to membership inference attacks. This positions BBoxER as an attractive add-on on top of gradient-based optimization, offering suitability for deployment in restricted or privacy-sensitive environments while also providing non-vacuous generalization guarantees.

Paper Structure

This paper contains 65 sections, 8 theorems, 39 equations, 6 figures, 8 tables, 2 algorithms.

Key Result

Corollary 1

(informal) Under standard concentration assumptions, if individual losses lie in $[0,1]$ and Hoeffding's inequality applies with dataset size $s$, then:

Figures (6)

  • Figure 1: Experiment 1 with Llama3.1-8B on GSM8K. Accuracy (exact match) on GSM8k-test as a function of budget. Left: Base. Right: Instruct Model. D-CMA improves from 54.4% to 60.0% on base and from 77.4% to 79.5% on instruct. Notably, it improves even for budgets above those computed from our theory ($b>150$).
  • Figure 1: Experiment 2. Performance difference (after $-$ before) of BBoxER with Llama3.1-8B (Base) on GSM8k-train, evaluated on GSM8k-test (ID), SVAMP and GSM+ (OOD). Red: detrimental runs, $<-1\%$. Green: beneficial runs, $>1\%$. Blue rows are bet-and-run cases.
  • Figure 2: Experiment 4 - BBoxER is robust to MIA. Comparison of BBoxER, SFT and DP-SFT in the setting of Experiment 3 with Llama3.1-8B-Instruct on GSM8K. Runs with comparable test accuracy are highlighted in the same color to compare robustness at similar accuracy. We see that both finetuning and DP-finetuning approaches lead to NLL metrics at least an order of magnitude larger than comparable BBoxER runs.
  • Figure 2: Schematic view of the BBoxER algorithm. Our approach compresses the data relative to the current model, leading to a list $c$ of $b$ bits, where $b$ is the total budget. The final model depends only on those $b$ bits, giving perfect control over the number of bits transferred from the dataset to the model. In BBoxER, budgets $b$ are typically between 60 and 1500 bits, i.e., very small compared to the dataset size. The "Retrofitting compressor" refers to the part of the algorithm which outputs the list $c$ of outputs of the $Compare(\dots)$ function: $c$ represents a compression of the dataset $D$ conditional on the initial model. The "Retrofitting modifier" is the part of the algorithm which outputs the final model, given the list $c$ and the initial model.
  • Figure 3: (full update, normalization layers) Comparison of model performance of BBoxER run with D-CMA across various benchmarks, 1 seed. See the corresponding results table.
  • ...and 1 more figure
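The Figure 2 caption above describes the two halves of the mechanism: a compressor that reduces the dataset to a list $c$ of $b$ comparison bits, and a modifier that rebuilds the final model from the initial model and those bits alone. The Python example below is an illustration added to this page, not code from the paper or from the BBoxER authors. It uses a toy comparison-based optimizer over a scalar threshold classifier on a constructed dataset; the names `retrofit_compressor`, `retrofit_modifier`, `generalization_gap_bound` and `run_demo` are this example's own. The bound function applies Hoeffding's inequality together with a union bound over the at most $2^b$ models the modifier can reach, which is one standard way to turn a $b$-bit trace into a generalization bound; it illustrates the information-bottleneck idea and is not a transcription of the paper's Corollary 1.

```python
import math
import random

# Constructed toy dataset (not from the paper): scalar features with a noisy threshold label.
def make_dataset(size=200, seed=7):
    rng = random.Random(seed)
    data = []
    for _ in range(size):
        x = rng.uniform(-1.0, 1.0)
        y = 1 if x > 0.3 else 0
        if rng.random() < 0.05:      # 5% label noise
            y = 1 - y
        data.append((x, y))
    return data

# Loss in [0, 1]: misclassification rate of a scalar threshold model.
def loss_fn(theta, dataset):
    return sum(abs(int(x > theta) - y) for x, y in dataset) / len(dataset)

# Proposal: depends only on the current model and the seeded RNG, never on the data.
def propose(theta, rng):
    return theta + rng.gauss(0.0, 0.3)

# Compare(...) is the only place the data is consulted; it emits exactly one bit.
def compare(loss_current, loss_candidate):
    return 1 if loss_candidate < loss_current else 0

# "Retrofitting compressor": run the comparison-based search and record the bit trace c.
def retrofit_compressor(initial, dataset, budget, seed):
    rng = random.Random(seed)
    current = initial
    bits = []
    for _ in range(budget):
        candidate = propose(current, rng)
        bit = compare(loss_fn(current, dataset), loss_fn(candidate, dataset))
        bits.append(bit)
        if bit:
            current = candidate
    return bits, current

# "Retrofitting modifier": rebuild the final model from the initial model, the seed and c.
# It never touches the dataset, so at most b bits of data-derived information reach the model.
def retrofit_modifier(initial, bits, seed):
    rng = random.Random(seed)
    current = initial
    for bit in bits:
        candidate = propose(current, rng)
        if bit:
            current = candidate
    return current

# Hoeffding + union bound over the 2^b reachable models (losses in [0, 1], dataset size s):
# with probability >= 1 - delta, every reachable model has |train loss - true loss| <= this value.
def generalization_gap_bound(budget_bits, dataset_size, delta):
    return math.sqrt((budget_bits * math.log(2) + math.log(2.0 / delta)) / (2.0 * dataset_size))

def run_demo(budget=40, seed=1):
    dataset = make_dataset()
    initial = -1.0
    bits, final_from_search = retrofit_compressor(initial, dataset, budget, seed)
    final_from_bits = retrofit_modifier(initial, bits, seed)   # uses no data at all
    return {
        "bits": bits,
        "initial_loss": loss_fn(initial, dataset),
        "final_loss": loss_fn(final_from_search, dataset),
        "reproduced": final_from_bits == final_from_search,
        "bound": generalization_gap_bound(budget, len(dataset), 0.05),
    }

if __name__ == "__main__":
    r = run_demo()
    print(f"trace ({len(r['bits'])} bits): {''.join(map(str, r['bits']))}")
    print(f"train loss {r['initial_loss']:.3f} -> {r['final_loss']:.3f}; "
          f"modifier reproduces the searched model: {r['reproduced']}")
    print(f"gap bound (b={len(r['bits'])}, s=200, delta=0.05): {r['bound']:.3f}")
```

The point to observe is that `retrofit_modifier` reproduces the searched model from the seed and the bit trace alone: anyone holding the final model learns at most `budget` bits about the dataset, and the same `budget` is the only quantity the bound depends on besides the dataset size and confidence level. With the toy sizes used here the bound is loose; it tightens as the dataset grows relative to $b$, which is why small budgets matter.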

Theorems & Definitions (13)

  • Corollary 1
  • Theorem 2: Robustness of BBoxER under poisoning
  • Definition 1: simple formalization of vulnerability to data extraction
  • Corollary 2
  • Theorem 1: Deterministic case
  • proof
  • Theorem 3: Stochastic case
  • Theorem 4: Bet and Run has low overfitting risk
  • proof
  • Lemma 1: Privacy and robustness to poisoning -- single comparison
  • ...and 3 more