Recently, large language models (LLMs) have drawn extensive attention from academia and the public due to the advent of ChatGPT. While LLMs show astonishing text-generation ability across many tasks, privacy concerns limit their use in real-world business settings. More specifically, during ordinary use either the user's input (when the user sends a query to the model-hosting server) or the model itself (when the user downloads the complete model) is revealed. Vertical federated learning (VFL) is a promising solution to this problem: it aims to protect both the user's input and the knowledge embedded in the model by splitting the model into a bottom part, maintained by the user, and a top part, maintained by the model provider, so that only intermediate embeddings cross the boundary between them. However, in this paper we demonstrate that for LLMs, VFL fails to protect the user input, since it is simple and cheap to reconstruct the input from those intermediate embeddings. Our experiments show that even on an off-the-shelf GPU, an input sentence can be reconstructed in about one second. We also discuss several possible countermeasures for enhancing the privacy of vertically federated LLMs.
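To make the threat concrete, here is an added toy illustration of why intermediate embeddings leak the input; it is not the paper's code and the paper's own reconstruction method is not described on this page. The user-side bottom model is a constructed stand-in (token embedding plus a positional vector and one tanh layer), the vocabulary and the query are constructed, and the attacker is assumed to know the bottom model's weights, for instance because the split was cut from the provider's own pretrained model. Under those assumptions the provider recovers each token by forwarding every vocabulary token through the bottom model at the same position and taking the nearest intermediate embedding; the `add_noise` helper is an assumed defence knob used only to show how much perturbation the attack tolerates.

```python
"""Toy embedding-inversion attack on a split (VFL-style) language model.

Added illustration, not the paper's code. The user-side "bottom" model is a
token-embedding lookup plus a positional vector and one tanh layer; the
attacker (the party holding the top part) is ASSUMED to know those weights,
e.g. because the split was cut from its own pretrained model. It recovers
each input token by pushing every vocabulary token through the bottom model
at the same position and taking the nearest intermediate embedding.
"""
import math
import random

# Constructed toy vocabulary and dimensions; real LLMs have ~10^5 tokens.
VOCAB = ["<pad>", "the", "patient", "has", "diabetes", "no", "insulin",
         "prescribed", "is", "report", "a", "cancer"]
DIM = 16
MAX_LEN = 8

_rng = random.Random(1234)  # fixed seed so the example is reproducible


def _rand_vec(n, scale=1.0):
    return [_rng.gauss(0.0, scale) for _ in range(n)]


EMB = {tok: _rand_vec(DIM) for tok in VOCAB}                    # token embeddings
POS = [_rand_vec(DIM) for _ in range(MAX_LEN)]                  # positional vectors
W = [_rand_vec(DIM, 1.0 / math.sqrt(DIM)) for _ in range(DIM)]  # one dense layer


def _bottom_at(tok, pos):
    """Intermediate embedding of one token at one position (user side)."""
    x = [e + p for e, p in zip(EMB[tok], POS[pos])]
    return [math.tanh(sum(w * xi for w, xi in zip(row, x))) for row in W]


def bottom_model(tokens):
    """User-side half of the split model: the vectors sent to the provider."""
    return [_bottom_at(tok, i) for i, tok in enumerate(tokens)]


def add_noise(embeddings, sigma):
    """Assumed defence knob: Gaussian noise added before embeddings leave the user."""
    return [[v + _rng.gauss(0.0, sigma) for v in h] for h in embeddings]


def _cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def invert_embeddings(embeddings):
    """Attacker side: nearest-neighbour inversion, one position at a time.

    Cost is len(embeddings) * len(VOCAB) bottom-model forward passes:
    no gradients, no training and no auxiliary data are needed.
    """
    recovered = []
    for pos, h in enumerate(embeddings):
        best_tok = max(VOCAB, key=lambda tok: _cosine(h, _bottom_at(tok, pos)))
        recovered.append(best_tok)
    return recovered


def recovery_rate(tokens, sigma=0.0):
    """Fraction of tokens the attacker recovers, optionally under noise."""
    shared = bottom_model(tokens)
    if sigma > 0:
        shared = add_noise(shared, sigma)
    guess = invert_embeddings(shared)
    return sum(g == t for g, t in zip(guess, tokens)) / len(tokens)


if __name__ == "__main__":
    query = ["the", "patient", "has", "diabetes", "prescribed", "insulin"]
    print("recovered:", invert_embeddings(bottom_model(query)))
    for sigma in (0.0, 0.1, 0.5, 1.0):
        print(f"sigma={sigma:.1f} recovery={recovery_rate(query, sigma):.2f}")
```

The point of the example is the cost model: a shallow, known bottom model turns inversion into a per-position lookup over the vocabulary, so the only thing standing between the provider and the plaintext is the distance between candidate embeddings. Noise large enough to push recovery down also degrades the embeddings the top model needs, which is the trade-off any perturbation-based defence has to negotiate.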