defense 2026

Differentially Private Retrieval-Augmented Generation

Tingting Tang, James Flemings, Yongqin Wang, Murali Annavaram

0 citations · 37 references · arXiv (Cornell University)

Published on arXiv

2602.14374

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

DP-KSA achieves a strong privacy-utility tradeoff on QA tasks, outperforming naive DP-RAG baselines that suffer significant utility degradation from direct context perturbation.

DP-KSA

Novel technique introduced


Retrieval-augmented generation (RAG) is a widely used framework for reducing hallucinations in large language models (LLMs) on domain-specific tasks by retrieving relevant documents from a database to support accurate responses. However, when the database contains sensitive corpora, such as medical records or legal documents, RAG poses serious privacy risks by potentially exposing private information through its outputs. Prior work has demonstrated that one can practically craft adversarial prompts that force an LLM to regurgitate the augmented contexts. A promising direction is to integrate differential privacy (DP), a privacy notion that offers strong formal guarantees, into RAG systems. However, naively applying DP mechanisms to existing systems often leads to significant utility degradation. Particularly for RAG systems, DP can reduce the usefulness of the augmented contexts, leading to an increased risk of hallucination from the LLMs. Motivated by these challenges, we present DP-KSA, a novel privacy-preserving RAG algorithm that integrates DP using the propose-test-release paradigm. DP-KSA follows from a key observation that most question-answering (QA) queries can be sufficiently answered with a few keywords. Hence, DP-KSA first obtains an ensemble of relevant contexts, each of which is used to generate a response from an LLM. We utilize these responses to obtain the most frequent keywords in a differentially private manner. Lastly, the keywords are augmented into the prompt for the final output. This approach effectively compresses the semantic space while preserving both utility and privacy. We formally show that DP-KSA provides DP guarantees on the generated output with respect to the RAG database. We evaluate DP-KSA on two QA benchmarks using three instruction-tuned LLMs, and our empirical results demonstrate that DP-KSA achieves a strong privacy-utility tradeoff.
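The pipeline the abstract describes (ensemble of per-context responses, private selection of frequent keywords, keyword-augmented final prompt) can be illustrated with a small worked example. The code below is an added illustration and is not the paper's DP-KSA implementation: it uses the plain Laplace mechanism with a release threshold instead of the paper's propose-test-release procedure, and it assumes a fixed, public candidate vocabulary (`CANDIDATE_VOCAB`) so that the released set cannot leak which words exist only in the private corpus. The five responses and the vocabulary are constructed sample data. The point a defender should take from it: a name that occurs in a single retrieved record ("john", "smith") stays far below the threshold and is suppressed, while keywords shared across many contexts ("metformin", "diabetes") survive and are all the final prompt ever sees.

```python
import math
import random
import re
from collections import Counter

# Constructed sample (not from the paper): an ensemble of five LLM responses,
# each generated from a different retrieved context document. The last one
# was generated from a record that contains a patient identifier.
SAMPLE_RESPONSES = [
    "The patient was prescribed metformin for type 2 diabetes.",
    "Metformin is the first line drug for type 2 diabetes.",
    "Type 2 diabetes is commonly managed with metformin and diet changes.",
    "For type 2 diabetes, metformin is prescribed alongside lifestyle changes.",
    "John Smith, age 54, takes metformin for diabetes.",
]

# Assumed public candidate vocabulary (a simplification; the paper's mechanism
# is propose-test-release). Counting only a data-independent vocabulary keeps
# the released keyword set from revealing which words occur in the corpus.
CANDIDATE_VOCAB = [
    "metformin", "diabetes", "type", "prescribed", "changes",
    "patient", "john", "smith", "insulin", "lifestyle",
]

# Each response may contribute at most this many distinct keywords, so adding
# or removing one retrieved record changes the count vector by at most
# MAX_KEYWORDS_PER_RESPONSE in L1 norm. That bound sets the Laplace scale.
MAX_KEYWORDS_PER_RESPONSE = 8


def tokenize(text):
    """Lower-case alphabetic tokens only; digits and punctuation are dropped."""
    return re.findall(r"[a-z]+", text.lower())


def response_keywords(text, vocab, cap):
    """Distinct vocabulary words in one response, truncated to the contribution cap."""
    vocab_set = set(vocab)
    seen = []
    for tok in tokenize(text):
        if tok in vocab_set and tok not in seen:
            seen.append(tok)
            if len(seen) == cap:
                break
    return seen


def keyword_counts(responses, vocab, cap=MAX_KEYWORDS_PER_RESPONSE):
    """How many responses mention each candidate keyword (presence, not frequency)."""
    counts = Counter({w: 0 for w in vocab})
    for r in responses:
        for w in response_keywords(r, vocab, cap):
            counts[w] += 1
    return counts


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_frequent_keywords(responses, vocab, epsilon, threshold,
                         cap=MAX_KEYWORDS_PER_RESPONSE, seed=None):
    """Release the keywords whose Laplace-noised count reaches the threshold.

    Noise scale cap/epsilon gives epsilon-DP for the noisy count vector under
    add/remove of one retrieved record; thresholding is post-processing.
    """
    rng = random.Random(seed)
    counts = keyword_counts(responses, vocab, cap)
    scale = cap / epsilon
    noisy = {w: c + laplace_noise(scale, rng) for w, c in counts.items()}
    return sorted(w for w, v in noisy.items() if v >= threshold)


def build_prompt(question, keywords):
    """Final prompt: only the privately selected keywords are augmented, never the raw contexts."""
    return f"Relevant keywords: {', '.join(keywords)}\nQuestion: {question}\nAnswer:"


if __name__ == "__main__":
    kws = dp_frequent_keywords(SAMPLE_RESPONSES, CANDIDATE_VOCAB,
                               epsilon=1.0, threshold=3, seed=0)
    print(build_prompt("What is the first-line treatment for type 2 diabetes?", kws))
```

With a very large epsilon the noise vanishes and exactly the keywords present in at least three of the five responses are released; at a realistic epsilon such as 1.0 the output varies from run to run, which is the price of the guarantee. The per-response cap is what makes the sensitivity bound hold, so it must be enforced on the responses and not merely assumed.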


Key Contributions

  • DP-KSA: a novel differentially private RAG algorithm using the propose-test-release paradigm that extracts frequent keywords from an ensemble of LLM responses in a DP manner rather than passing raw context
  • Formal differential privacy guarantees on generated outputs with respect to the RAG database, bounding leakage of private document contents
  • Empirical evaluation on two QA benchmarks with three instruction-tuned LLMs showing strong privacy-utility tradeoff compared to naive DP baselines

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time, black_box
Datasets
QA benchmarks (two, unspecified in visible body)
Applications
question answering, retrieval-augmented generation, medical records query systems, legal document systems