State-of-the-art large language models (LLMs) are commonly deployed as online services, necessitating users to transmit informative prompts to cloud servers, thus engendering substantial privacy concerns. In response, we present ConfusionPrompt, a novel private LLM inference framework designed to obfuscate the server by: (i) decomposing the prompt into sub-prompts, and (ii) generating pseudo prompts along with the genuine sub-prompts as input to the online LLM. Eventually, the returned responses can be recomposed by the user to obtain the final whole response. Such designs endows our framework with advantages over previous protocols that (i) it can be seamlessly integrated with existing black-box LLMs, and (ii) it achieves significantly better privacy-utility trade-off than existing text perturbation-based methods. We develop a $(\lambda, \mu, \rho)$-privacy model to formulate the requirement for a privacy-preserving group of prompts, and provide a complexity analysis, affirming ConfusionPrompt's efficiency. Our empirical evaluation reveals that our method offers significantly higher utility compared to local inference methods using open-source models and perturbation-based techniques, while also requiring much less memory than open-source LLMs.

翻译：当前最先进的大语言模型（LLMs）通常以在线服务形式部署，这要求用户将信息丰富的提示词传输至云端服务器，从而引发严重的隐私担忧。为此，我们提出ConfusionPrompt，一种新颖的隐私保护LLM推理框架，旨在通过以下方式混淆服务器：（i）将原始提示分解为子提示；（ii）生成伪提示并与真实的子提示一同作为在线LLM的输入。最终，用户可对返回的响应进行重组以获得完整的最终响应。该设计使我们的框架相较于先前方案具有以下优势：（i）能够与现有黑盒LLMs无缝集成；（ii）相比基于文本扰动的现有方法，实现了显著更优的隐私-效用权衡。我们建立了$(\lambda, \mu, \rho)$-隐私模型来形式化隐私保护提示组的要求，并通过复杂度分析验证了ConfusionPrompt的高效性。实验评估表明，相较于使用开源模型的本地推理方法及基于扰动的技术，本方法能提供显著更高的效用，同时所需内存远少于开源LLMs。