Large language models (LLMs) such as ChatGPT have simplified text generation tasks, yet their inherent privacy risks are drawing increasing attention. Existing solutions for privacy-preserving inference face significant obstacles to practical deployment and implementation. In this paper we propose PrivInfer, the first practical framework for privacy-preserving inference. It comprises two modules designed specifically for text generation with black-box LLMs. The perturbation module uses differential privacy to generate perturbed prompts, which enables privacy-preserving inference against a black-box LLM. The restoration module extracts a coherent and meaningful response from the perturbed output returned by the model, so that the text generation task is still accomplished. To further improve both privacy and utility, we also develop RANTEXT, a novel differential privacy mechanism integrated into the perturbation module of PrivInfer; it is tailored to LLMs and relies on random adjacency in text perturbation. Experimental results indicate that PrivInfer is comparable to GPT-4 in text generation quality, and that RANTEXT outperforms the current leading scheme in privacy protection, even under an adaptive attack (the GPT inference attack we propose).
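To make the perturbation module concrete, the following is an added illustrative example, not code from the PrivInfer/RANTEXT paper: it perturbs each prompt token with the exponential mechanism scored by embedding distance (a standard metric-DP construction), and it checks the privacy bound the mechanism is supposed to give. The vocabulary, the 2-D embeddings, the function names and the epsilon values are all constructed for the demo; RANTEXT's random-adjacency construction is not reproduced here.

```python
"""Word-level metric-DP prompt perturbation (illustrative, not RANTEXT).

Each token x is replaced by a token w drawn with probability
    p(w | x)  proportional to  exp(-(epsilon / 2) * d(x, w))
where d is Euclidean distance between embeddings. Because d is a metric,
this gives epsilon-metric-DP: for any two words a, b and any output w,
    |ln p(w|a) - ln p(w|b)| <= epsilon * d(a, b).
"""
import math
import random

# Constructed toy embedding table (hypothetical values, not a real model).
EMBEDDINGS = {
    "cancer":   (0.90, 0.10),
    "diabetes": (0.85, 0.20),
    "flu":      (0.70, 0.30),
    "headache": (0.60, 0.45),
    "doctor":   (0.20, 0.90),
    "nurse":    (0.25, 0.85),
    "patient":  (0.30, 0.70),
    "hospital": (0.15, 0.75),
}


def distance(a, b):
    """Euclidean distance between two embedding vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def perturbation_distribution(word, epsilon):
    """Exact replacement distribution for `word` under the exponential
    mechanism with utility -d(word, candidate). Returns {candidate: prob}."""
    src = EMBEDDINGS[word]
    weights = {w: math.exp(-epsilon / 2.0 * distance(src, v))
               for w, v in EMBEDDINGS.items()}
    z = sum(weights.values())
    return {w: s / z for w, s in weights.items()}


def perturb_prompt(tokens, epsilon, seed=0):
    """Perturbation module sketch: sample a replacement for every in-vocabulary
    token; tokens outside the embedding table pass through unchanged."""
    rng = random.Random(seed)
    out = []
    for tok in tokens:
        if tok in EMBEDDINGS:
            dist = perturbation_distribution(tok, epsilon)
            cands = list(dist)
            out.append(rng.choices(cands, weights=[dist[c] for c in cands])[0])
        else:
            out.append(tok)
    return out


def max_privacy_loss(word_a, word_b, epsilon):
    """Largest log-ratio of output probabilities between two input words."""
    pa = perturbation_distribution(word_a, epsilon)
    pb = perturbation_distribution(word_b, epsilon)
    return max(abs(math.log(pa[w]) - math.log(pb[w])) for w in pa)


def privacy_bound_holds(epsilon):
    """Check epsilon-metric-DP over every pair of vocabulary words."""
    for a, va in EMBEDDINGS.items():
        for b, vb in EMBEDDINGS.items():
            if max_privacy_loss(a, b, epsilon) > epsilon * distance(va, vb) + 1e-9:
                return False
    return True


if __name__ == "__main__":
    prompt = ["I", "was", "diagnosed", "with", "cancer"]
    for eps in (0.5, 5.0, 50.0):
        print(eps, perturb_prompt(prompt, eps), privacy_bound_holds(eps))
```

Lowering epsilon flattens the replacement distribution toward uniform (more privacy, less utility); raising it concentrates mass on the original word and its nearest neighbours. The privacy check is exact here because the vocabulary is tiny; in a real deployment one would bound the loss analytically, not by enumeration.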