ConfusionPrompt: Practical Private Inference for Online Large Language Models

TL;DR

ConfusionPrompt is a privacy-preserving framework for online large language model inference that decomposes prompts and uses pseudo-prompts to protect user data while maintaining high utility.

Contribution

It introduces a novel prompt decomposition and pseudo-prompt generation method that enhances privacy and utility in LLM inference, compatible with black-box models.

Findings

Achieves higher utility than local inference and perturbation methods.

Reduces memory consumption compared to open-source LLMs.

Provides a formal privacy model and complexity analysis.

Abstract

State-of-the-art large language models (LLMs) are typically deployed as online services, requiring users to transmit detailed prompts to cloud servers. This raises significant privacy concerns. In response, we introduce ConfusionPrompt, a novel framework for private LLM inference that protects user privacy by: (i) decomposing the original prompt into smaller sub-prompts, and (ii) generating pseudo-prompts alongside the genuine sub-prompts, which are then sent to the LLM. The server responses are later recomposed by the user to reconstruct the final output. This approach offers key advantages over previous LLM privacy protection methods: (i) it integrates seamlessly with existing black-box LLMs, and (ii) it delivers a significantly improved privacy-utility trade-off compared to existing text perturbation methods. We also develop a $(\lambda, \mu, \rho)$-privacy model to formulate the requirements for a privacy-preserving group of prompts and provide a complexity analysis to justify the role of prompt decomposition. Our empirical evaluation shows that ConfusionPrompt achieves significantly higher utility than local inference methods using open-source models and perturbation-based techniques, while also reducing memory consumption compared to open-source LLMs.