SecPE: Secure Prompt Ensembling for Private and Robust Large Language Models
Jiawen Zhang, Kejia Chen, Zunlei Feng, Jian Lou, Mingli Song, Jian Liu, and Xiaohu Yang

TL;DR
SecPE introduces a novel approach that combines private inference and prompt ensembling using homomorphic encryption to achieve robust, privacy-preserving large language model inference with minimal efficiency loss.
Contribution
SecPE is the first work to integrate private inference with prompt ensembling for LLMs, designing efficient FHE-based algorithms that enhance robustness and privacy simultaneously.
Findings
SecPE maintains high accuracy with only 2.5% efficiency overhead.
SecPE significantly improves robustness over baseline methods.
SecPE's encrypted Argmax is 35.4x faster than existing solutions.
Abstract
With the growing popularity of LLMs among the general public, privacy preservation and adversarial robustness have become two pressing demands for LLM-based services; they have largely been pursued separately but rarely jointly. In this paper, to the best of our knowledge, we are among the first attempts towards robust and private LLM inference by tightly integrating two disconnected fields: private inference and prompt ensembling. The former protects users' privacy by encrypting the inference data transmitted to and processed by LLMs, while the latter enhances adversarial robustness by yielding an aggregated output from multiple prompted LLM responses. Although each is widely recognized as effective on its own, performing private inference for prompt ensembling entails new challenges that render the naive combination of existing techniques inefficient. To overcome these hurdles, we propose SecPE,…
Taxonomy
Topics: Topic Modeling
