State-of-the-art large language models (LLMs) are typically deployed as online services, requiring users to transmit detailed prompts to cloud servers. This raises significant privacy concerns. In response, we introduce ConfusionPrompt, a novel framework for private LLM inference that protects user privacy by: (i) decomposing the original prompt into smaller sub-prompts, and (ii) generating pseudo-prompts alongside the genuine sub-prompts, which are then sent to the LLM. The server responses are later recomposed by the user to reconstruct the final output. This approach offers key advantages over previous LLM privacy protection methods: (i) it integrates seamlessly with existing black-box LLMs, and (ii) it delivers a significantly improved privacy-utility trade-off compared to existing text perturbation methods. We also develop a $(\lambda, \mu, \rho)$-privacy model to formulate the requirements for a privacy-preserving group of prompts and provide a complexity analysis to justify the role of prompt decomposition. Our empirical evaluation shows that ConfusionPrompt achieves significantly higher utility than local inference methods using open-source models and perturbation-based techniques, while also reducing memory consumption compared to open-source LLMs.
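The client-side flow the abstract describes (decompose, pad each genuine sub-prompt with pseudo-prompts, send the mixed batch, recompose from the genuine responses) is sketched below as an added, constructed example; it is not the paper's code. Because this page does not say how ConfusionPrompt decomposes a prompt or generates pseudo-prompts, the example assumes the user already supplies each sub-prompt as a template with one sensitive slot, generates pseudo-prompts by filling that slot with decoy values from a constructed pool, and talks to a local stub in place of the remote LLM. The $(\lambda, \mu, \rho)$-privacy model is not defined on this page and is not modelled here.

```python
import random
from dataclasses import dataclass, field

# Constructed decoy pool per slot type (assumption: the real framework's
# pseudo-prompt generation is not described on this page).
DECOY_POOL = {
    "drug": ["ibuprofen", "amoxicillin", "lisinopril", "atorvastatin", "omeprazole"],
    "city": ["Lyon", "Osaka", "Denver", "Perth", "Tallinn"],
}


@dataclass
class SubPrompt:
    template: str  # e.g. "What is a typical adult dose of {drug}?"
    slot: str      # key into DECOY_POOL
    value: str     # the genuine, sensitive value that must not stand out


@dataclass
class Batch:
    outgoing: list                                   # what the server sees: (id, text)
    genuine_ids: dict = field(default_factory=dict)  # kept locally: sub-prompt index -> id


def make_pseudo_values(sub, k, rng):
    """Pick k decoy slot values that differ from the genuine one."""
    candidates = [v for v in DECOY_POOL[sub.slot] if v != sub.value]
    if k > len(candidates):
        raise ValueError("not enough decoys for slot %r" % sub.slot)
    return rng.sample(candidates, k)


def build_batch(sub_prompts, k, rng):
    """Interleave each genuine sub-prompt with k pseudo-prompts and shuffle."""
    staged = []
    for i, sub in enumerate(sub_prompts):
        staged.append((i, True, sub.template.format(**{sub.slot: sub.value})))
        for v in make_pseudo_values(sub, k, rng):
            staged.append((i, False, sub.template.format(**{sub.slot: v})))
    rng.shuffle(staged)
    # Ids are assigned only after shuffling; assigning them before would let
    # their order reveal which prompt in each group is the genuine one.
    outgoing, genuine_ids = [], {}
    for qid, (i, is_genuine, text) in enumerate(staged):
        outgoing.append((qid, text))
        if is_genuine:
            genuine_ids[i] = qid
    return Batch(outgoing, genuine_ids)


def server_view(batch):
    """Exactly what leaves the client: prompt texts, nothing marking genuineness."""
    return [text for _, text in batch.outgoing]


def genuine_fraction(batch):
    """Share of the server-visible batch that is genuine (1 / (1 + k))."""
    return len(batch.genuine_ids) / len(batch.outgoing)


def mock_llm(text):
    """Deterministic stand-in for the remote black-box LLM (constructed)."""
    return "ANSWER[" + text + "]"


def query_server(batch, llm=mock_llm):
    return {qid: llm(text) for qid, text in batch.outgoing}


def recompose(batch, responses, n_sub):
    """Keep only the genuine answers, restored to original sub-prompt order."""
    return [responses[batch.genuine_ids[i]] for i in range(n_sub)]


def run(sub_prompts, k, seed=0):
    rng = random.Random(seed)
    batch = build_batch(sub_prompts, k, rng)
    responses = query_server(batch)
    return batch, recompose(batch, responses, len(sub_prompts))


# Constructed sample: two genuine sub-prompts whose slot values are sensitive.
GENUINE = [
    SubPrompt("What is a typical adult dose of {drug}?", "drug", "metformin"),
    SubPrompt("Which pharmacies in {city} are open on Sundays?", "city", "Boston"),
]

if __name__ == "__main__":
    batch, answers = run(GENUINE, k=3, seed=1)
    for text in server_view(batch):
        print("server sees:", text)
    print("recomposed:", answers)
```

The point to check in any such pipeline is `server_view`: every item must be indistinguishable in form from the others (same template, same id space, ids assigned after shuffling), and the only state that separates genuine from pseudo (`genuine_ids`) stays on the client. The stub LLM is what makes the example run offline; swapping in a real endpoint changes `mock_llm` only.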