Table of Contents
Fetching ...

Continual Pretraining on Encrypted Synthetic Data for Privacy-Preserving LLMs

Honghao Liu, Xuhui Jiang, Chengjin Xu, Cehao Yang, Yiran Cheng, Lionel Ni, Jian Guo

TL;DR

This work investigates privacy-preserving continual pretraining of large language models by training on encrypted synthetic data generated from a small, domain-specific corpus. It introduces an entity-based framework that uses a weighted entity graph to guide data synthesis and deterministically encrypts PII with AES before synthesis, enabling authorized decryption while preventing leakage. Empirical results show that models trained on encrypted synthetic data outperform baselines and are competitive with models trained on unencrypted synthetic data, with RAG further enhancing performance; encryption imposes a modest trade-off. The study also discusses limitations of deterministic encryption, potential privacy leakage risks, and avenues for scalability and robustness in privacy-preserving LLM adaptation.”

Abstract

Preserving privacy in sensitive data while pretraining large language models on small, domain-specific corpora presents a significant challenge. In this work, we take an exploratory step toward privacy-preserving continual pretraining by proposing an entity-based framework that synthesizes encrypted training data to protect personally identifiable information (PII). Our approach constructs a weighted entity graph to guide data synthesis and applies deterministic encryption to PII entities, enabling LLMs to encode new knowledge through continual pretraining while granting authorized access to sensitive data through decryption keys. Our results on limited-scale datasets demonstrate that our pretrained models outperform base models and ensure PII security, while exhibiting a modest performance gap compared to models trained on unencrypted synthetic data. We further show that increasing the number of entities and leveraging graph-based synthesis improves model performance, and that encrypted models retain instruction-following capabilities with long retrieved contexts. We discuss the security implications and limitations of deterministic encryption, positioning this work as an initial investigation into the design space of encrypted data pretraining for privacy-preserving LLMs. Our code is available at https://github.com/DataArcTech/SoE.

Continual Pretraining on Encrypted Synthetic Data for Privacy-Preserving LLMs

TL;DR

This work investigates privacy-preserving continual pretraining of large language models by training on encrypted synthetic data generated from a small, domain-specific corpus. It introduces an entity-based framework that uses a weighted entity graph to guide data synthesis and deterministically encrypts PII with AES before synthesis, enabling authorized decryption while preventing leakage. Empirical results show that models trained on encrypted synthetic data outperform baselines and are competitive with models trained on unencrypted synthetic data, with RAG further enhancing performance; encryption imposes a modest trade-off. The study also discusses limitations of deterministic encryption, potential privacy leakage risks, and avenues for scalability and robustness in privacy-preserving LLM adaptation.”

Abstract

Preserving privacy in sensitive data while pretraining large language models on small, domain-specific corpora presents a significant challenge. In this work, we take an exploratory step toward privacy-preserving continual pretraining by proposing an entity-based framework that synthesizes encrypted training data to protect personally identifiable information (PII). Our approach constructs a weighted entity graph to guide data synthesis and applies deterministic encryption to PII entities, enabling LLMs to encode new knowledge through continual pretraining while granting authorized access to sensitive data through decryption keys. Our results on limited-scale datasets demonstrate that our pretrained models outperform base models and ensure PII security, while exhibiting a modest performance gap compared to models trained on unencrypted synthetic data. We further show that increasing the number of entities and leveraging graph-based synthesis improves model performance, and that encrypted models retain instruction-following capabilities with long retrieved contexts. We discuss the security implications and limitations of deterministic encryption, positioning this work as an initial investigation into the design space of encrypted data pretraining for privacy-preserving LLMs. Our code is available at https://github.com/DataArcTech/SoE.
Paper Structure (27 sections, 10 figures, 9 tables)

This paper contains 27 sections, 10 figures, 9 tables.

Figures (10)

  • Figure 1: The task for privacy-preserving LLMs.
  • Figure 2: A privacy-preserving approach for LLM pretraining by synthesizing data with entities, encrypting PII using the AES, and training the model on the encrypted data.
  • Figure 3: The effect on number of entities.
  • Figure 4: Performance comparison between base and crypto models.
  • Figure 5: Performance comparison among base, trained models and crypto models.
  • ...and 5 more figures