Large language models (LLMs), like ChatGPT, have greatly simplified text generation tasks. However, they have also raised concerns about privacy risks such as data leakage and unauthorized data collection. Existing solutions for privacy-preserving inference face practical challenges related to computation time and communication costs. In this paper, we propose InferDPT, the first practical framework for the privacy-preserving Inference of black-box LLMs, implementing Differential Privacy in Text generation. InferDPT comprises two key modules: the "perturbation module" utilizes the exponential mechanism to generate a perturbed prompt, facilitating privacy-preserving inference with black-box LLMs, and the "extraction module", inspired by knowledge distillation and retrieval-augmented generation, extracts coherent and consistent text from the perturbed generation result, ensuring successful text generation completion. To address privacy concerns related to previous exponential mechanisms' susceptibility to embedding revision attacks, we introduce RANTEXT, a novel differential privacy mechanism integrated into the perturbation module of InferDPT, which introduces the concept of "RANdom adjacency" for TEXT perturbation within the prompt. Experimental results across three datasets demonstrate that the text generation quality of InferDPT is comparable to that of non-private GPT-4, and RANTEXT surpasses existing state-of-the-art mechanisms, namely, SANTEXT+ and CUSTEXT+ in the trade-off between privacy and utility. Even with an privacy parameter epsilon value of 6.0, RANTEXT achieves an average privacy protection rate exceeding 90% against embedding revision attacks, which is 0.58 times higher than that of SANTEXT+ and 3.35 times higher than that of CUSTEXT+.

翻译：大型语言模型（如ChatGPT）极大简化了文本生成任务，但其引发的数据泄露与未授权数据收集等隐私风险也备受关注。现有隐私保护推理方案在计算时间与通信开销方面面临实际挑战。本文提出InferDPT——首个面向黑盒LLM的实用化隐私保护推理框架，在文本生成中实现差分隐私。InferDPT包含两大核心模块："扰动模块"利用指数机制生成扰动提示，实现对黑盒LLM的隐私保护推理；"提取模块"受知识蒸馏与检索增强生成启发，从扰动生成结果中提取连贯一致的文本，确保文本生成任务的完整执行。针对此前指数机制易受嵌入修正攻击的隐私问题，我们提出新型差分隐私机制RANTEXT，并将其集成至InferDPT的扰动模块中。该机制在提示扰动中引入"随机邻接"（RANdom adjacency）概念。三个数据集上的实验结果表明，InferDPT的文本生成质量与无隐私保护的GPT-4相当，而RANTEXT在隐私-效用权衡上超越现有最先进机制SANTEXT+与CUSTEXT+。即使隐私参数ε取值为6.0，RANTEXT对抗嵌入修正攻击的平均隐私保护率仍超过90%，分别较SANTEXT+和CUSTEXT+提升0.58倍和3.35倍。