Differential Privacy in LLMs

Introduction

DP adds calibrated noise to training, preventing memorization of individual data points.

Key Concepts

• DP Definition: Output distributions similar whether any single record is included/excluded.
• DP-SGD: Clip gradients, add Gaussian noise.
• Privacy Budget: Epsilon measures leakage (lower = stronger privacy).

Implementation Steps

1. Setup Opacus (PyTorch DP lib):

   from opacus import PrivacyEngine
   privacy_engine = PrivacyEngine()
   model, optimizer, dataloader = privacy_engine.make_private(
       module=model, optimizer=optimizer, data_loader=dataloader,
       noise_multiplier=1.1, max_grad_norm=1.0
   )
   

2. Train with DP:
   • Standard loop with privacy engine.
3. Tune Hyperparams:
   • Balance epsilon (e.g., 1-10) with accuracy.
4. Inference: No changes; privacy in training.

Example

Train GPT-2 variant on sensitive text: DP reduces exact memorization by 90%.

Evaluation

• Metrics: Epsilon via accountants; utility via downstream tasks.
• Trade-offs: Noise degrades performance; scale data to mitigate.

Conclusion

DP-LLMs enable privacy-preserving AI; combine with federated learning for stronger guarantees.