Private PEFT

Differential Privacy (DP) is a mathematical framework that provides a rigorous, quantifiable guarantee of privacy. When applied to Private PEFT, noise is added to the gradients of the adapter parameters (e.g., LoRA matrices) during on-device training.

• Mechanism: A DP-SGD optimizer clips per-example gradients to bound their influence and adds calibrated noise (e.g., Gaussian) before the weight update.
• Privacy Budget: Tracked via the (ε, δ)-parameters, which quantify the maximum privacy loss. Training stops when the budget is exhausted.
• Key Benefit: Provides a strong guarantee that the presence or absence of any single individual's data in the training set cannot be inferred from the released adapter weights.

Federated Learning (FL) is a decentralized training paradigm where models are learned across multiple edge devices holding local data samples. Federated PEFT applies this specifically to adapter training.

• Process: Each device trains a local PEFT adapter (e.g., a LoRA module) on its private data. Only the small adapter updates (deltas), not the raw data, are sent to a central server for secure aggregation (e.g., via FedAvg).
• Communication Efficiency: Transmitting only adapter weights (millions of parameters) instead of a full model (billions) drastically reduces bandwidth, making FL feasible for edge networks.
• Privacy Foundation: While FL provides a structural privacy benefit by keeping data local, it is often combined with DP or SMPC to defend against inference attacks on the shared updates.

Secure Multi-Party Computation (SMPC) is a cryptographic protocol that enables multiple parties to jointly compute a function over their private inputs without revealing those inputs to each other. In Private PEFT, SMPC can secure the aggregation step in federated learning.

• Application: When aggregating locally trained PEFT adapters from multiple devices, SMPC protocols (like secret sharing) allow the server to compute the average update without ever seeing any individual device's adapter weights in plaintext.
• Guarantee: Provides cryptographic security against curious servers or other participants, assuming they do not collude.
• Trade-off: Introduces significant computational and communication overhead, making it suitable for scenarios requiring the highest security assurances beyond what DP alone provides.

A decentralized learning paradigm where edge devices collaboratively train PEFT adapters (e.g., LoRA matrices) on their local, private data. Only the small adapter updates—not the raw data—are shared with a central server for secure aggregation (e.g., via FedAvg). This drastically reduces communication costs compared to full-model federated learning while preserving data sovereignty. Key components include secure aggregation protocols and mechanisms to handle statistical heterogeneity (non-IID data) across devices.

A training methodology that provides rigorous privacy guarantees for on-device fine-tuning. It works by adding calibrated noise (typically Gaussian or Laplacian) to the gradients of the trainable PEFT parameters during local training. This process, governed by a privacy budget (epsilon, delta), offers a mathematical guarantee: the final adapter weights do not reveal whether any specific individual's data was used. Critical trade-off: Higher noise increases privacy but can reduce adapter utility. Techniques like DP-SGD are adapted for the low-parameter PEFT setting.

A cryptographic approach that enables multiple parties to jointly train a PEFT adapter on their combined private datasets without any party revealing its local data to the others. The computation on the private data is distributed using secret sharing or garbled circuits. In the context of Private PEFT, SMPC can be used to securely aggregate locally trained adapter updates from multiple devices or institutions, providing an alternative to Differential Privacy with a different trust model (protecting against curious servers or other participants). Trade-off: Higher computational overhead than DP.

An advanced cryptographic technique that allows computations to be performed directly on encrypted data. For Private PEFT, a device could encrypt its local data, send it to a server, and the server could perform the forward/backward passes for adapter training on the ciphertext. The encrypted gradient updates are then sent back to the device for decryption and application. This enables outsourcing of compute-intensive training while keeping data private from the server. Current limitation: High computational overhead, especially for non-linear operations like activations, making it more suited for limited, selective use in PEFT pipelines.

Hardware-based secure enclaves (e.g., Intel SGX, ARM TrustZone) that provide isolated, attested execution environments for sensitive code and data. In a Private PEFT workflow, the on-device training loop for the adapter can be executed inside a TEE. This protects the private training data and the intermediate model gradients from the host operating system, other applications, and even cloud providers. Key advantage: Offers strong confidentiality and integrity with lower performance overhead than pure cryptographic methods like HE, but relies on specific hardware support and secure provisioning.