Privacy-Aware Decoding: Mitigating Privacy Leakage of Large Language Models in Retrieval-Augmented Generation
Title: Privacy-Aware Decoding: Reducing Privacy Leakage in Retrieval-Augmented Generation for Large Language Models
Abstract:
Retrieval-Augmented Generation (RAG) improves the factual reliability of large language models (LLMs) by grounding their outputs in external knowledge bases. Nevertheless, when the retrieval process incorporates sensitive or confidential data, these RAG systems face vulnerabilities to extraction attacks, potentially resulting in the disclosure of private information within the generated text. To address this, we introduce Privacy-Aware Decoding (PAD), a lightweight defense mechanism applied at inference time. PAD works by dynamically injecting calibrated Gaussian noise into the token logits during the generation process. This approach combines confidence-based screening to target high-risk tokens, efficient sensitivity estimation to reduce superfluous noise, and context-aware noise calibration to maintain a balance between privacy protection and output quality. A rigorous Rényi Differential Privacy (RDP) accountant is employed to monitor cumulative privacy expenditure, thereby providing explicit per-response $(\varepsilon, \delta)$-DP guarantees for outputs involving sensitive data. In contrast to previous methods that necessitate model retraining or filtering of the entire corpus, PAD is model-agnostic and functions solely at the decoding stage with negligible computational cost. Evaluations across three real-world datasets show that PAD significantly curtails the leakage of private information while maintaining response utility, surpassing current defenses based on retrieval adjustments or post-processing. This study represents a crucial advancement in addressing privacy risks within RAG through decoding mechanisms, establishing a foundation for scalable and universal privacy protections in sensitive applications. The code for this work is accessible at: https://github.com/wang2226/PAD.
Source: arXiv Generated at: 2026-06-03 00:00:00 UTC
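The decoding-time mechanism the abstract describes (screen a step, add Gaussian noise to its logits, charge the cost to an RDP accountant) can be sketched as below. This is an added example, not code from the paper or the PAD repository: the screening rule (top-token probability at or above `conf_threshold`), the fixed `sensitivity` and `sigma`, the order grid and the logits are all assumptions constructed for illustration. Only the Gaussian-mechanism RDP bound and the RDP to $(\varepsilon, \delta)$ conversion are standard results.

```python
import math
import random

ORDERS = [1.5, 2, 4, 8, 16, 32, 64]  # Renyi orders tracked (assumed grid)

class RDPAccountant:
    """Additive RDP composition for Gaussian mechanisms, one total per order."""
    def __init__(self):
        self.rdp = {a: 0.0 for a in ORDERS}

    def spend(self, sensitivity, sigma):
        # Gaussian mechanism, L2 sensitivity D, std sigma: RDP(a) = a*D^2 / (2*sigma^2)
        for a in ORDERS:
            self.rdp[a] += a * sensitivity ** 2 / (2 * sigma ** 2)

    def epsilon(self, delta):
        # Standard RDP -> (eps, delta) conversion, minimised over the tracked orders
        return min(r + math.log(1 / delta) / (a - 1) for a, r in self.rdp.items())

def softmax(logits):
    m = max(logits)
    exps = [math.exp(x - m) for x in logits]
    total = sum(exps)
    return [e / total for e in exps]

def decode_step(logits, acct, rng, conf_threshold=0.9, sensitivity=1.0, sigma=2.0):
    """Greedy-decode one step; returns (token_id, noised). Parameters are assumed."""
    probs = softmax(logits)
    if max(probs) < conf_threshold:
        # Assumed screening rule: step not flagged, so no noise and no DP cover for it
        return probs.index(max(probs)), False
    noisy = [x + rng.gauss(0.0, sigma) for x in logits]
    acct.spend(sensitivity, sigma)  # charge only the steps that were actually noised
    return noisy.index(max(noisy)), True

def run_demo(seed=0):
    rng = random.Random(seed)
    acct = RDPAccountant()
    steps = [[6.0, 1.0, 0.5, 0.2],   # constructed: peaked distribution, flagged
             [1.2, 1.0, 0.9, 0.8],   # constructed: flat distribution, skipped
             [0.1, 7.0, 0.3, 0.2]]   # constructed: peaked distribution, flagged
    flags = [decode_step(l, acct, rng)[1] for l in steps]
    return flags, acct.epsilon(delta=1e-5)

if __name__ == "__main__":
    print(run_demo())
```

The reported $\varepsilon$ covers only the steps that received noise; raising `sigma` lowers the per-step charge at the cost of more perturbed token choices.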





