Privacy-Preserving Retrieval-Augmented Generation with Differential Privacy

TL;DR

This paper introduces a differentially private retrieval-augmented generation method that balances privacy and accuracy by selectively allocating privacy budget, enabling safe use of sensitive external data with large language models.

Contribution

It proposes a novel algorithm that efficiently manages privacy budget in RAG, improving accuracy under differential privacy constraints.

Findings

Outperforms non-RAG baseline under privacy budget of ε≈10

Effective privacy-preserving retrieval for large language models

Maintains high accuracy with moderate privacy guarantees

Abstract

With the recent remarkable advancement of large language models (LLMs), there has been a growing interest in utilizing them in the domains with highly sensitive data that lies outside their training data. For this purpose, retrieval-augmented generation (RAG) is particularly effective -- it assists LLMs by directly providing relevant information from the external knowledge sources. However, without extra privacy safeguards, RAG outputs risk leaking sensitive information from the external data source. In this work, we explore RAG under differential privacy (DP), a formal guarantee of data privacy. The main challenge with differentially private RAG is how to generate long accurate answers within a moderate privacy budget. We address this by proposing an algorithm that smartly spends privacy budget only for the tokens that require the sensitive information and uses the non-private LLM for other tokens. Our extensive empirical evaluations reveal that our algorithm outperforms the non-RAG baseline under a reasonable privacy budget of $\epsilon\approx 10$ across different models and datasets.