Abstract
Large language models (LLMs) are excellent in-context learners. However, the sensitivity of data contained in prompts raises privacy concerns. Our work first shows that these concerns are valid: we instantiate a simple but highly effective membership inference attack against the data used to prompt LLMs. To address this vulnerability, one could forego prompting and resort to fine-tuning LLMs with known algorithms for private gradient descent. However, this comes at the expense of the practicality and efficiency offered by prompting. Therefore, we propose to privately learn to prompt. We first show that soft prompts can be obtained privately through gradient descent on downstream data. However, this is not the case for discrete prompts. Thus, we orchestrate a noisy vote among an ensemble of LLMs presented with different prompts, i.e., a flock of stochastic parrots. The vote privately transfers the flock's knowledge into a single public prompt. We show that LLMs prompted with our private algorithms closely match the non-private baselines. For example, using GPT3 as the base model, we achieve a downstream accuracy of 92.7% on the sst2 dataset with ($\epsilon=0.147, \delta=10^{-6}$)-differential privacy vs. 95.2% for the non-private baseline. Through our experiments, we also show that our prompt-based approach is easily deployed with existing commercial APIs.
Abstract (translated)
Large language models (LLMs) are excellent in-context learners. However, the sensitivity of the data contained in prompts raises privacy concerns. Our work first shows that these concerns are valid: we instantiate a simple but highly effective membership inference attack against the data used to prompt LLMs. To address this problem, one could forego prompting and instead fine-tune the LLM with known algorithms for private gradient descent. However, this sacrifices the practicality and efficiency that prompting offers. We therefore propose to privately learn to prompt. We first show that soft prompts can be obtained privately through gradient descent on downstream data. This is not the case for discrete prompts, however. We therefore orchestrate a noisy vote among an ensemble of LLMs presented with different prompts, i.e., a flock of stochastic parrots. The vote privately transfers the flock's knowledge into a single public prompt. We show that LLMs prompted with our private algorithms closely match the non-private baselines. For example, using GPT3 as the base model, we achieve a downstream accuracy of 92.7% on the sst2 dataset with ($\epsilon=0.147, \delta=10^{-6}$)-differential privacy, versus 95.2% for the non-private baseline. Our experiments also show that our prompt-based approach is easily deployed with existing commercial APIs.
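The noisy vote the abstract describes, as an added Python illustration (not the paper's code): each member of the flock is prompted with a disjoint shard of private examples, the members vote on the label of a public, unlabelled query, and only a noised winner is released; the released labels are then assembled into the single public few-shot prompt. Everything below the abstract's level of detail is an assumption: the ensemble members are stood in for by a toy word-overlap classifier over constructed private shards, the vote is released with a Gaussian report-noisy-max mechanism, and no privacy accounting is performed.

```python
"""Noisy vote among a flock of prompted models: added illustration, not the
paper's code.  Assumed (not stated on the page): teachers are simulated by a
word-overlap classifier over a disjoint shard of constructed private examples,
and the vote is released with Gaussian report-noisy-max.  No accounting."""
import random
import re
from collections import Counter
from typing import Callable, List, Optional, Sequence, Tuple

LABELS = ("negative", "positive")
Teacher = Callable[[str], str]

# Constructed toy private data.  In the paper's setting each shard would be the
# few-shot prompt of one LLM in the ensemble; shards must be disjoint so that
# one person's example can influence at most one vote.
PRIVATE_SHARDS: List[List[Tuple[str, str]]] = [
    [("a wonderful, moving film", "positive"), ("dull and lifeless", "negative")],
    [("great acting and a moving script", "positive"), ("a boring, tedious mess", "negative")],
    [("funny and heartfelt", "positive"), ("painfully dull", "negative")],
    [("a moving story", "positive"), ("tedious and boring", "negative")],
    [("heartfelt and wonderful", "positive"), ("lifeless script", "negative")],
]


def _tokens(text: str) -> set:
    return set(re.findall(r"[a-z]+", text.lower()))


def make_teacher(shard: Sequence[Tuple[str, str]]) -> Teacher:
    """Stand-in for 'LLM prompted with this shard': votes for the label whose
    examples share the most words with the query (ties go to LABELS[0])."""
    def teacher(query: str) -> str:
        q = _tokens(query)
        score = {label: 0 for label in LABELS}
        for text, label in shard:
            score[label] += len(q & _tokens(text))
        return max(LABELS, key=lambda label: score[label])
    return teacher


def noisy_argmax(counts: Counter, sigma: float, rng: random.Random) -> str:
    """Release the winning label via Gaussian report-noisy-max (assumed mechanism).
    With disjoint shards, changing one private example changes one teacher's
    vote, so the histogram moves by at most 1 in two bins; sigma must be
    calibrated to that sensitivity by the caller."""
    noisy = {label: counts.get(label, 0) + rng.gauss(0.0, sigma) for label in LABELS}
    return max(LABELS, key=lambda label: noisy[label])


def flock_vote(teachers: Sequence[Teacher], query: str, sigma: float,
               rng: Optional[random.Random] = None) -> Tuple[str, Counter]:
    """One noisy vote: returns the released label and the raw (never released)
    histogram so the caller can see how much noise the decision survived."""
    counts = Counter(t(query) for t in teachers)
    return noisy_argmax(counts, sigma, rng or random.Random()), counts


def build_public_prompt(teachers: Sequence[Teacher], public_queries: Sequence[str],
                        sigma: float, rng: Optional[random.Random] = None) -> str:
    """Label public, unlabelled queries with the flock and assemble them into
    the single public few-shot prompt.  Each query is one mechanism call and
    spends privacy budget; the paper's (eps, delta) comes from accounting over
    all such calls, which this illustration does not do."""
    rng = rng or random.Random()
    shots = []
    for q in public_queries:
        label, _ = flock_vote(teachers, q, sigma, rng)
        shots.append(f"Review: {q}\nSentiment: {label}")
    return "\n\n".join(shots)


if __name__ == "__main__":
    teachers = [make_teacher(s) for s in PRIVATE_SHARDS]
    rng = random.Random(0)
    for q in ("a moving and heartfelt film", "a dull and tedious mess"):
        label, counts = flock_vote(teachers, q, sigma=1.0, rng=rng)
        print(f"{q!r}: votes={dict(counts)} released={label}")
    print(build_public_prompt(teachers, ["a moving and heartfelt film"], sigma=1.0, rng=rng))
```

Two caveats a practitioner should carry over to a real deployment: the raw histogram must never leave the trusted side (only the noised argmax is released), and the privacy guarantee depends on the disjointness of the shards and on composing the cost of every released label, so the number of public queries used to build the prompt is itself a privacy parameter.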
URL
https://arxiv.org/abs/2305.15594