DP-Fusion: Token-Level Differentially Private Inference for Large Language Models

AI-generated keywords: DP-Fusion

AI-generated Key Points

Researchers developed DP-Fusion as a token-level differentially private inference mechanism for large language models (LLMs) to address sensitive information leakage in text generation.
DP-Fusion offers fine-grained control over the trade-off between privacy and utility by partitioning sensitive tokens into privacy groups and blending output distributions.
The parameter ε determines the level of privacy protection, with DP-Fusion willing to incur higher computational costs for an improved privacy-utility balance.
The methodology of DP-Fusion can be extended to other data types such as images and audio, representing a step towards more robust differential privacy mechanisms against real-world threats like LOSS attacks in probabilistic models used for data privacy.

Also access our AI generated: Comprehensive summary, Lay summary, Blog-like article; or ask questions about this paper to our AI assistant.

Authors: Rushil Thareja, Preslav Nakov, Praneeth Vepakomma, Nils Lukas

arXiv: 2507.04531v1 - DOI (cs.CL)

Our code and data are publicly available here: https://github.com/MBZUAI-Trustworthy-ML/DP-Fusion-DPI

License: CC BY 4.0

Abstract: Large language models (LLMs) can leak sensitive information from their context through generated outputs, either accidentally or when prompted adversarially. Existing defenses that aim to preserve context privacy during inference either lack formal guarantees or suffer from a poor utility/privacy trade-off. We propose DP-Fusion, a token-level Differentially Private Inference (DPI) mechanism that provably bounds how much an LLM's outputs reveal about sensitive tokens in its context. We demonstrate DPI through the task of document privatization, where the goal is to paraphrase documents so that sensitive content (e.g., Personally Identifiable Information, PII) cannot be reliably inferred, while still preserving the overall utility of the text. This is controlled by a parameter $ε$: $ε=0$ hides PII entirely, while higher values trade off privacy for improved paraphrase quality. DP-Fusion works as follows: (i) partition sensitive tokens into disjoint privacy groups, (ii) run the LLM once per group, and (iii) blend the output distributions so that the final output remains within a fixed statistical distance of the baseline distribution produced when no privacy group is revealed. This approach allows fine-grained control over the privacy/utility trade-off but requires multiple LLM forward passes.

Submitted to arXiv on 06 Jul. 2025

Ask questions about this paper to our AI assistant

You can also chat with multiple papers at once here.

AI assistant instructions?

Results of the summarizing process for the arXiv paper: 2507.04531v1

Comprehensive Summary
Key points
Layman's Summary
Blog article

, , , , In their study "DP-Fusion: Token-Level Differentially Private Inference for Large Language Models," researchers Rushil Thareja, Preslav Nakov, Praneeth Vepakomma, and Nils Lukas address sensitive information leakage from large language models (LLMs) in text generation. They introduce DP-Fusion, a token-level DPI mechanism that balances privacy and utility. By partitioning sensitive tokens into privacy groups and blending output distributions, DP-Fusion offers fine-grained control over the trade-off between privacy and utility. The parameter ε determines the level of privacy protection. One key aspect that sets DP-Fusion apart is its willingness to incur higher computational costs for improved privacy-utility balance. The researchers envision extending this methodology to other data types such as images and audio. DP-Fusion represents a step towards more robust differential privacy mechanisms against real-world threats like LOSS attacks in probabilistic models used for data privacy. A token-level DPI mechanism for balancing privacy and utility in large language models. The issue addressed by researchers in their study on DP-Fusion. Techniques used to protect sensitive information in various data types. The goal of DP-Fusion, achieved through partitioning sensitive tokens into groups and blending output distributions. A method for protecting sensitive information while maintaining statistical accuracy in data analysis.

- Researchers developed DP-Fusion as a token-level differentially private inference mechanism for large language models (LLMs) to address sensitive information leakage in text generation.
- DP-Fusion offers fine-grained control over the trade-off between privacy and utility by partitioning sensitive tokens into privacy groups and blending output distributions.
- The parameter ε determines the level of privacy protection, with DP-Fusion willing to incur higher computational costs for an improved privacy-utility balance.
- The methodology of DP-Fusion can be extended to other data types such as images and audio, representing a step towards more robust differential privacy mechanisms against real-world threats like LOSS attacks in probabilistic models used for data privacy.

Summary- Researchers created DP-Fusion to keep secrets safe when computers write stories. - DP-Fusion helps decide how much privacy is needed while making sure the stories still make sense. - The number ε shows how much privacy is given, and DP-Fusion might need more time to work better. - DP-Fusion can also protect pictures and sounds from bad people trying to find out secrets. Definitions- Researchers: People who study things to learn new information. - Privacy: Keeping things secret so only certain people know about them. - Utility: How useful something is. - Computational costs: How much time and energy a computer needs to do its job. - Differential privacy: A way of keeping data safe by adding some randomness.

Introduction

In today's digital age, large language models (LLMs) have become increasingly popular for text generation tasks. These models are trained on vast amounts of data and can produce human-like text with impressive accuracy. However, this comes at a cost - the potential leakage of sensitive information. Sensitive information such as personal details or confidential data can be inferred from the generated text by LLMs. This poses a significant threat to privacy, especially in fields like healthcare and finance where confidentiality is crucial. To address this issue, researchers Rushil Thareja, Preslav Nakov, Praneeth Vepakomma, and Nils Lukas have developed DP-Fusion - a token-level differentially private inference mechanism for LLMs.

The Issue Addressed

The main focus of the research paper is to address the problem of sensitive information leakage from LLMs during text generation. The authors highlight that traditional differential privacy mechanisms do not provide adequate protection against real-world threats like LOSS attacks in probabilistic models used for data privacy. They argue that existing methods either sacrifice too much utility or offer insufficient privacy guarantees when applied to LLMs. Therefore, there is a need for a more robust approach that balances both privacy and utility effectively.

Techniques Used

To protect sensitive information in various data types such as images and audio, researchers have proposed several techniques over the years. One commonly used method is differential privacy (DP), which adds random noise to query results to prevent individual identification while maintaining statistical accuracy in data analysis. However, applying DP directly to LLMs leads to poor performance due to their high dimensionality and complex structure. Therefore, the authors introduce DP-Fusion - a novel token-level DPI mechanism specifically designed for LLMs.

Partitioning Sensitive Tokens into Groups

The first step in DP-Fusion is to partition sensitive tokens into privacy groups. This allows for fine-grained control over the trade-off between privacy and utility. The authors propose a novel grouping strategy that considers both token frequency and sensitivity. Tokens with high frequency are grouped together, while those with low frequency are assigned to separate groups. This ensures that common words do not receive excessive noise, which can significantly impact the utility of the model.

Blending Output Distributions

The second step involves blending output distributions from different models trained on different partitions of sensitive tokens. This approach helps to reduce the overall noise added to the output while still providing strong privacy guarantees. The blending process is controlled by a parameter ε, which determines the level of privacy protection. A higher value of ε results in more noise being added, thus increasing privacy but decreasing utility. On the other hand, a lower value of ε strikes a better balance between privacy and utility.

The Goal of DP-Fusion

The primary goal of DP-Fusion is to provide robust protection against sensitive information leakage from LLMs while maintaining statistical accuracy in text generation tasks. By incorporating token-level DPI mechanisms, DP-Fusion offers fine-grained control over the trade-off between privacy and utility. Moreover, unlike traditional differential privacy methods that sacrifice too much utility for improved privacy guarantees, DP-Fusion is willing to incur higher computational costs for better performance.

Conclusion

In conclusion, "DP-Fusion: Token-Level Differentially Private Inference for Large Language Models" introduces an innovative approach towards protecting sensitive information in LLMs during text generation tasks. By partitioning sensitive tokens into groups and blending output distributions based on a parameter ε, this method effectively balances both privacy and utility. Furthermore, this research opens up possibilities for extending this methodology to other data types such as images and audio - making it applicable in various fields where data privacy is crucial. DP-Fusion represents a significant step towards more robust differential privacy mechanisms against real-world threats, making it a valuable contribution to the field of data privacy and protection.

Created on 15 Dec. 2025

Assess the quality of the AI-generated content by voting

Score: 0

Similar papers summarized with our AI tools

61.5%

Security and Privacy Challenges of Large Language Models: A Survey

cs.CL

60.5%

DP-NMT: Scalable Differentially-Private Machine Translation

cs.CL

59.9%

Privacy-Preserving Prompt Tuning for Large Language Model Services

cs.CL

56.8%

TrustLLM: Trustworthiness in Large Language Models

cs.CL

56.2%

Use of LLMs for Illicit Purposes: Threats, Prevention Measures, and Vulnerabi…

cs.CL

55.7%

D4: Improving LLM Pretraining via Document De-Duplication and Diversification

cs.CL

Navigate through even more similar papers through a

tree representation

Look for similar papers (in beta version)

By clicking on the button above, our algorithm will scan all papers in our database to find the closest based on the contents of the full papers and not just on metadata. Please note that it only works for papers that we have generated summaries for and you can rerun it from time to time to get a more accurate result while our database grows.

Disclaimer: The AI-based summarization tool and virtual assistant provided on this website may not always provide accurate and complete summaries or responses. We encourage you to carefully review and evaluate the generated content to ensure its quality and relevance to your needs.