Towards Privacy-Preserving Large Language Model: Text-free Inference Through Alignment and Adaptation

TL;DR

This paper introduces PPFT, a privacy-preserving training pipeline for large language models that avoids transmitting raw text prompts, balancing privacy with model utility through a novel two-stage approach.

Contribution

The paper proposes a new training method, PPFT, that enables privacy-preserving inference by using prompt embeddings, reducing privacy risks without significant performance loss.

Findings

PPFT maintains competitive performance with minimal degradation.

It effectively balances privacy preservation and model utility.

Experiments show strong results on domain-specific and general benchmarks.

Abstract

Current LLM-based services typically require users to submit raw text regardless of its sensitivity. While intuitive, such practice introduces substantial privacy risks, as unauthorized access may expose personal, medical, or legal information. Although prior defenses strived to mitigate these risks, they often incur substantial computational overhead and degrade model performance. To overcome this privacy-efficiency trade-off, we introduce Privacy-Preserving Fine-Tuning (PPFT), a novel training pipeline that eliminates the need for transmitting raw prompt text while maintaining a favorable balance between privacy preservation and model utility for both clients and service providers. Our approach operates in two stages: first, we train a client-side encoder together with a server-side projection module and LLM, enabling the server to condition on k-pooled prompt embeddings instead of raw text; second, we fine-tune the projection module and LLM on private, domain-specific data using noise-injected embeddings, allowing effective adaptation without exposing plain text prompts and requiring access to the decoder's internal parameters. Extensive experiments on domain-specific and general benchmarks demonstrate that PPFT achieves a striking balance between privacy and utility, maintaining competitive performance with minimal degradation compared to noise-free upper bounds.