Cross-attention has emerged as a cornerstone module in modern artificial intelligence, underpinning critical applications such as retrieval-augmented generation (RAG), system prompting, and guided stable diffusion. However, there is a rising concern about securing the privacy of cross-attention, because the underlying key and value matrices frequently encode sensitive data or private user information. In this work, we introduce a novel data structure designed to enforce differential privacy (DP) for cross-attention mechanisms, accompanied by provable theoretical guarantees. Specifically, letting $n$ denote the input sequence length, $d$ the feature dimension, $R$ the maximum magnitude of the query and key matrices, $R_w$ the maximum magnitude of the value matrix, and $r, s, ε_s$ the parameters of the polynomial kernel method, our proposed structure achieves $\widetilde{O}(ndr^2)$ space and initialization complexity, with a query time of $\widetilde{O}(d r^2)$ per token. Moreover, we show that our mechanism satisfies $(ε, δ)$-DP, incurring an additive error of $\widetilde{O}((1-ε_s)^{-1} n^{-1} ε^{-1} R^{2s} R_w r^2)$ and a relative error of $2ε_s/(1-ε_s)$ with respect to the ground truth. Crucially, our framework remains robust against adaptive queries, so the guarantee holds even in adversarial settings. To the best of our knowledge, this is the first approach providing provable differential privacy for cross-attention, establishing a foundation for future privacy-preserving algorithms in large generative models (LGMs).
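The following is an added illustration, not the paper's data structure or code: it combines the two ingredients the abstract names, a degree-$s$ polynomial (Taylor) feature map that turns $\exp(q \cdot k)$ into an inner product $\phi(q) \cdot \phi(k)$ so that the key/value statistics $\Phi_K^\top V$ and $\sum_i \phi(k_i)$ can be aggregated once, and the Gaussian mechanism that releases those aggregates under $(ε, δ)$-DP. The symbols $n, d, R, R_w, s, ε, δ$ follow the abstract; the clipping step, the textbook Gaussian calibration with an even budget split, the replace-one neighbouring relation, and all sample inputs are assumptions made here.

```python
"""Polynomial-kernel cross-attention answered from a DP-noised key/value summary.

Added illustration, not the paper's data structure: a degree-s Taylor feature map for
exp(q.k) plus the Gaussian mechanism on the pre-aggregated key/value statistics. The
noise calibration (textbook Gaussian mechanism, basic composition), the clipping step
and the constructed inputs are assumptions of this example.
"""
import math

import numpy as np


def poly_features(x: np.ndarray, s: int) -> np.ndarray:
    """phi(x) with phi(q).phi(k) = sum_{j=0..s} (q.k)^j / j!, the degree-s Taylor
    expansion of exp(q.k). Block j is the flattened j-fold tensor power of x scaled
    by 1/sqrt(j!), so the feature dimension is r = sum_{j<=s} d^j (keep d, s small)."""
    blocks, cur = [np.ones(1)], np.ones(1)
    for j in range(1, s + 1):
        cur = np.outer(cur, x).ravel()            # j-fold tensor power of x, flattened
        blocks.append(cur / math.sqrt(math.factorial(j)))
    return np.concatenate(blocks)


def taylor_relative_error(q, k, s: int) -> float:
    """|phi(q).phi(k) - exp(q.k)| / exp(q.k): the truncation error the kernel introduces."""
    q, k = np.asarray(q, float), np.asarray(k, float)
    exact = math.exp(float(q @ k))
    return abs(float(poly_features(q, s) @ poly_features(k, s)) - exact) / exact


def clip_rows(M: np.ndarray, bound: float) -> np.ndarray:
    """Project every row into the l2 ball of radius `bound`; sensitivity needs this."""
    norms = np.linalg.norm(M, axis=1, keepdims=True)
    return M * np.minimum(1.0, bound / np.maximum(norms, 1e-12))


def gaussian_sigma(sensitivity: float, eps: float, delta: float) -> float:
    """Classic Gaussian mechanism calibration (valid for 0 < eps <= 1)."""
    assert 0 < eps <= 1 and 0 < delta < 1
    return sensitivity * math.sqrt(2 * math.log(1.25 / delta)) / eps


def exact_cross_attention(q: np.ndarray, K: np.ndarray, V: np.ndarray) -> np.ndarray:
    """Ground truth for one query token: softmax(q K^T) V."""
    w = np.exp(K @ q)
    return (w @ V) / w.sum()


class DPKernelAttention:
    """Build once over (K, V); answer arbitrary, even adaptively chosen, queries afterwards.

    The only computation that touches K and V is the noisy release of Phi^T V and
    sum_i phi(k_i). Every query is post-processing of that release, so adaptive
    querying cannot consume more than the (eps, delta) budget spent at build time."""

    def __init__(self, K, V, s, R, R_w, eps, delta, rng):
        self.s, self.R = s, R
        K, V = clip_rows(K, R), clip_rows(V, R_w)
        Phi = np.stack([poly_features(k, s) for k in K])          # n x r
        # ||phi(k)||^2 = sum_j ||k||^{2j}/j! <= sum_j R^{2j}/j!
        phi_bound = math.sqrt(sum(R ** (2 * j) / math.factorial(j) for j in range(s + 1)))
        # Replacing one (k_i, v_i) pair moves Phi^T V by at most 2*phi_bound*R_w (Frobenius)
        # and sum_i phi(k_i) by at most 2*phi_bound (l2). Budget split evenly (assumption).
        sig_num = gaussian_sigma(2 * phi_bound * R_w, eps / 2, delta / 2)
        sig_den = gaussian_sigma(2 * phi_bound, eps / 2, delta / 2)
        self.num = Phi.T @ V + rng.normal(0.0, sig_num, size=(Phi.shape[1], V.shape[1]))
        self.den = Phi.sum(axis=0) + rng.normal(0.0, sig_den, size=Phi.shape[1])

    def query(self, q: np.ndarray) -> np.ndarray:
        """O(r * d_v) per token; reads only the noised aggregates, never K or V."""
        phi_q = poly_features(clip_rows(q[None, :], self.R)[0], self.s)
        return (phi_q @ self.num) / (phi_q @ self.den)


def demo(n=4000, d=4, d_v=3, s=3, R=0.5, R_w=1.0, eps=1.0, delta=1e-5, seed=0) -> float:
    """Constructed inputs: n keys/values inside the stated bounds and one query token.
    Returns the max absolute error of the DP answer against exact cross-attention."""
    rng = np.random.default_rng(seed)
    K = clip_rows(rng.normal(size=(n, d)), R)
    V = clip_rows(rng.normal(size=(n, d_v)), R_w)
    q = clip_rows(rng.normal(size=(1, d)), R)[0]
    dp = DPKernelAttention(K, V, s, R, R_w, eps, delta, rng)
    return float(np.max(np.abs(dp.query(q) - exact_cross_attention(q, K, V))))


if __name__ == "__main__":
    print("max abs error of DP kernel attention vs exact:", demo())
```

Two things in this construction mirror the shape of the abstract's bounds. The noise added to the numerator scales with the feature-norm bound (which grows with $R^{s}$) times $R_w$, and the query divides it by a denominator of order $n$, which is where an $n^{-1} ε^{-1} R_w$-style additive term comes from; the truncation of the Taylor series is the only other error source and is relative, not additive. Note also that the denominator is itself noised: with small $n$ or tiny $ε$ it can come out near zero, so a production implementation must handle that case rather than divide blindly.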