Continual Pretraining on Encrypted Synthetic Data for Privacy-Preserving LLMs
Honghao Liu, Xuhui Jiang, Chengjin Xu, Cehao Yang, Yiran Cheng, Lionel Ni, Jian Guo
TL;DR
This work investigates privacy-preserving continual pretraining of large language models by training on encrypted synthetic data generated from a small, domain-specific corpus. It introduces an entity-based framework that uses a weighted entity graph to guide data synthesis and deterministically encrypts PII with AES before synthesis, enabling authorized decryption while preventing leakage. Empirical results show that models trained on encrypted synthetic data outperform baselines and are competitive with models trained on unencrypted synthetic data, with RAG further enhancing performance; encryption imposes a modest trade-off. The study also discusses limitations of deterministic encryption, potential privacy leakage risks, and avenues for scalability and robustness in privacy-preserving LLM adaptation.”
Abstract
Preserving privacy in sensitive data while pretraining large language models on small, domain-specific corpora presents a significant challenge. In this work, we take an exploratory step toward privacy-preserving continual pretraining by proposing an entity-based framework that synthesizes encrypted training data to protect personally identifiable information (PII). Our approach constructs a weighted entity graph to guide data synthesis and applies deterministic encryption to PII entities, enabling LLMs to encode new knowledge through continual pretraining while granting authorized access to sensitive data through decryption keys. Our results on limited-scale datasets demonstrate that our pretrained models outperform base models and ensure PII security, while exhibiting a modest performance gap compared to models trained on unencrypted synthetic data. We further show that increasing the number of entities and leveraging graph-based synthesis improves model performance, and that encrypted models retain instruction-following capabilities with long retrieved contexts. We discuss the security implications and limitations of deterministic encryption, positioning this work as an initial investigation into the design space of encrypted data pretraining for privacy-preserving LLMs. Our code is available at https://github.com/DataArcTech/SoE.
