Contrastive Private Data Synthesis via Weighted Multi-PLM Fusion

We appreciate our reviewer's insightful comments that help us improve our work.

Q: Complexity of combining multile PLMs and computational cost & complexity comparison.

First of all, as stated in Lines 105~107 on the left in our paper, no additional queries are made to PLMs under the same number of required synthetic samples $N$ in the WASP framework compared to baseline methods although samples are generated in a iterative manner. As shown in Table G in below, the computational cost of WASP is slightly higher than that of PE baselines, mainly due to increased in prompt length ($8$ in-context samples instead of $1$) and the "furthest histogram" calculation.

Second, the primary computational cost is driven by synthetic sample generation, which accounts for nearly 3000 times the runtime of other operations (including DP Top-$Q$ Voting and PLM Importance Weighting). While this process is unavoidable, users can mitigate the impact of computationally expensive PLMs by choosing faster alternatives. Also, like shown in Table G, for large-scale datasets, WASP's computational cost remains manageable.

Table G. Comparison of computational complexity and runtime (seconds) of WASP and PE series baselines within each iteration (averaged across iterations and also across different PLMs for PE series baselines). "Others" includes DP top-$Q$ voting and PLM importance weighting, i.e. line 7~10 in Alg. 1, with the latter beging a negligible time cost tensor normalization operation on the Nearest Histogram vector.

Q: Other data modality.

We believe that WASP framework can also be extended to other modalities. WASP's key components, including DP Top-$Q$ voting, PLM importance weighting, are general operations which can be directly applied to other data modalities. However, the process for synthetic data generation differs by modality. For example, for image generation [7,8], the applied models and APIs are different from text, with diffusion models and RANDOM_APIs oftenly used to modify existing samples with a hyper-parameter controling variation degree. Therefore, non-trivial adaptations should be made for the generation processure. Similarly, for tabular samples [9,10], non-trivial modifications are also required for crafting proper generation prompts and pipelines.

As a case in point, the original PE method [7] focuses exclusively on image data, and Aug-PE [11] makes non-trivial adaptations with carefully designed generation techniques to generalize it onto text data. Given the extensive work required, we think generalizing WASP to other modalities deserves a separate paper/papers.

Q: Further optimization on privacy budget allocation.

We thank our reviewer for pointing out an interesting future step for our work. Since our primary focus lies in the fusion of multiple PLMs for private synthetic data generation, we decide to leave this as a possible future advancement.

---

[7] Zinan Lin et. al., Differentially Private Synthetic Data via Foundation Model APIs 1: Images, ICLR2024.

[8] Kecen Li et. al., PrivImage: Differentially Private Synthetic Image Generation using Diffusion Models with Semantic-Aware Pretraining, USENIX Security2024.

[9] Mikel Hernandez et. al., Synthetic data generation for tabular health records: A systematic review, Neurocomputing2022.

[10] Eugenia Papadaki et. al., Exploring innovative approaches to synthetic tabular data generation, Electronics2024.

[11] Chulin Xie et. al., Differentially Private Synthetic Data via Foundation Model APIs 2: Text, ICML2024.

Thanks very much!

Q: Fair comparison with equal API budget.

We emphasis that, as stated in Lines 105~107 on the left in our paper, no extra query to the PLMs is incurred by WASP compared to single-PLM PE baselines, when they are compared under the same number of required synthetic samples $N$. So we are making fair comparison to Aug-PE with equal API budgets (number of queries) throughout our experiments.

Q: Validation on generation tasks.

We provide results on question answering task with SQuAD dataset in Table D. These results also testify the effectiveness of our proposed WASP for generation tasks and will be added to our final version.

Table D. Evaluation of STM performance (F1) on SQuAD dataset. The same setting is used as that in Table 1 in the paper.

Q: Ablation without both contrastive ICL and PLM importance weighting.

By removing both components, the final STM performance are $89.05$%,$58.72$%,$35.45$% for IMDb, Yelp-Rating and Openreview-Rating respectively. Comparing with results in Table 4, these results show that both components are vital in boosting the final performance of WASP. See full results in Table E1 in https://anonymous.4open.science/r/WASP/re.pdf .

Q: Comparison with DP-SGD.

We provide experimental results for first fine-tuning a single PLM with $M=100$ private samples under the same setting of Table 1 in our paper with DP-SGD and then use the fine-tuned PLM for generation ("DP-SGD+Gen") in Table F (see Table F1 in https://anonymous.4open.science/r/WASP/re.pdf for more results). Results demonstrate the superiousness of WASP compared to DP-SGD method. We will add these into our final version.

Table F. STM performance of WASP and "DP-SGD+Gen" with $N=6000,M=100,L=1$.

Q: Time cost comparison.

We compare the runtime of WASP and PE methods in Table G in response for Reviewer ngfH in below due to response limitation. Results show that, the additional time overhead for WASP per iteration is minor compared to PE methods. Since WASP makes no extra PLM queries compared to PE methods, its runtime increase comes from longer prompts (8 v.s. 1 in PE methods) for generation, and from the additional calculation of the "furthest histogram" for other operations during in-context learning sample selection.

Q: Efficiency of contrastive in-context learning.

Results in Table G in response for Reviewer ngfH in below show that increasing the total number of private samples $M$ or task complexity has little impact on WASP' runtime, confirming its efficiency.

Q: Optimization for user-level DP when data parties contribute more samples.

First, for fair comparison in federated setting, we strictly follow Pre-Text [4], assuming each data party controls no more than 8 samples samples to fit on-device setting. If users contribute more, optimizations like norm clipping [5,6], an off-the-shelf and widely applied technique, can keep noise levels practical by capping the norm of voting vectors $H^n_l,H^f_l$ given by data party $l$ at a preset bound $\zeta$, preventing user sensitivity $\Delta$ from scaling linearly with user private dataset size. Under the same $\zeta$, using more private samples (e.g. 100/user) will not degrade performance compared to using fewer (e.g. 8/user).

Moreover, if a single party controls a large number of samples (e.g. 100), like shown in Table 1 in our paper, the party alone can achieve good performance using sample-level DP whithout the need of collaborating with others.

Q: More different architecture PLM results with $K=2$ for testifying PLM-agnostic.

Table H shows results for $5$ open-source PLMs. These results show that pair-wise performance exceeds individual participating single-PLM alone, supporting our PLM-agnostic claim.

Table H. STM performance of $K=1$ (diagnose) and $K=2$ (others) of WASP with $N=6000,M=100$.

---

[4] Charlie Hou et. al., PrE-Text: training language models on private federated data in the age of LLMs, ICML2024.

[5] Anda Cheng et. al., Differentially private federated learning with local regularization and sparsification, CVPR2022.

[6] Fumiyuki Kato et. al., Uldp-FL: Federated Learning with Across-Silo User-Level Differential Privacy, VLDB2024.

Q: Lemma issue and results.

Thank you for pointing this out. Lemma D.3 should be added with "with $\delta_{total}$ increased to larger than $T\times\delta$".

Denote the $\delta_{total},\delta_{iter}$ as the final $\delta$ and $\delta$ for each iteration respectively. Therefore, as we perform 5 iterations to collect the total synthetic dataset with 4 iterations related to DP (the first iteration performs zero-shot generation without real sample guidance), the final $\delta_{total}>4\cdot\delta_{iter}$. Therefore, as we applied $\delta_{iter}=1\times10^{-5}$ in our experiments, the final $\delta_{total}>4\times10^{-5}$ for all PE series baselines and WASP. Moreover, following Theorem 4.3 in [3], using $\delta_{iter}=1\times10^{-23}$ instead will guarantee overall $(4.0,1\times10^{-5})$-DP, which results in a noise scale roughly $2.14$ times as large as the original one used in our original experiments in the paper.

Experimental comparison using the original and new $\delta_{iter}$ are included in Table C with other setting maintained the same as that for Table 1 in our paper. These results demonstrate that, under tighter privacy guarantee ($\delta_{iter}=1\times10^{-23}$), the performance decrease is just minor, indicating the robustness of WASP and PE baselines.

Table C. Comparison of using $\delta_{iter}=1\times10^{-5}$ (original experimental results) and $\delta_{iter}=1\times10^{-23}$ (satisfies $\delta=1\times10^{-5}$) with $4$ iteration steps related to DP. $\epsilon=4.0$ is fixed as the final combined DP budget. Experiments are performed using $6$ open-source PLMs with $L=1,M=100$.

---

[3] Peter Kairouz et. al., The Composition Theorem for Differential Privacy, ICML2015.

We appreciate these insightful comments from our reviewer which help us improve our work.

Q: Different noise scale for different function sensitivity considering contrastive prompting.

You are absolutely right, and we indeed have applied different noise scales according to different sentitivity values of different methods in our abalation study. Specifically, while the noise applied in WASP using a sensitivity of 4 (see Theorem D.2), the noise scale was halved (from 9.690 to 4.845) for "w/o comtrastive prompting" ablation, as the sensitivity was halved, to assure a fair comparison. Thus, histogram sensitivity changes have been accounted for in the ablation. We will clarify this in the final version.

Q: Good performance of FuseGen and performance origination of WASP.

The success of FuseGen relies on the fusion of several PLMs which provides a broader and more diverse knowledge base for training a STM that can generalize better on the real dataset compared to using a single PLM. As shown in Table A below and in [2], FuseGen boosts the performance of the trained STM compared to the best performing single-PLM of the task (Flan-T5 for both tasks in Table A), with larger extent for more common task like IMDb resulting in superior performance.

Therefore, fusing the knowledge from multiple PLMs is the first origination of the performance improvement of WASP.

What's more, the addition of private samples also contributes to the final performance of WASP. Previous work ZeroGen [1] explores the performance of STM trained on the synthetic dataset given by a single PLM without the help of private data, which reveals the base level of knowledge "memorized" in a single PLM. Like shown in Table A, using Flan-T5, ZeroGen achieves a performance around $2.5$% less than Aug-PE for both datasets with private data completely exposed ($\epsilon=\infty$). Similar patterns can be witnessed for multi-PLM setting by comparing FuseGen and WASP with $\epsilon=\infty$. Therefore, although different PLMs may have different levels of knowledge about each dataset (as shown by ZeroGen results here and in [2]), the involvement of even a small amount of private samples consistently help in further boosting the STM performance.

Moreover, the "insensitivity to privacy budget" of our WASP (and Aug-PE) in Table 6 demonstrates the robustness of our proposed method.

Table A. Comparison of STM performance of different methods. Flan-T5 is used for ZeroGen and Aug-PE as they are single-PLM methods, while $K=6$ is used for FuseGen and WASP.

Q: Meaning of x-axis in Figure 1.b.

Sorry, the x-axis of Figure 1.b should be the task performance (accuracy) of the STM trained on the synthetic dataset. We will add this into our final version.

Q: Lines in Figure 6.

As stated in the caption of Figure. 6, top-Q voting ($Q=8$) is used for "w/o Con" whereas $Q=1$ for "Aug-PE". Note, to guarantee the same privacy budget, noise scale also increases (to twice its original value) as $Q$ increases from $1$ to $8$. The difference between "w/o Con" and "Aug-PE" demonstrate the effectivenss of applying top-$Q$ voting with $Q>1$.

Q: Trade-off between performance and cost.

Yes, WASP can be modified to take into account the API costs by adjusting the importance weighting function of each LLM with their associate API cost. For example, assuming each PLM $k$ costs $v_k$ per query on average, a trade-off function $w_k =U(w_k,v_k)$ can be applied to balance cost and performance and get the final PLM weight $w_k$. To keep $w_k,v_k$ at the same level, we can first normalize $v_k$ to make each $v_k$ range from $0.0$ to $1.0$. $U$ can be selected according to users' needs, e.g. $U(w_k,v_k)=\lambda w_k + (1-\lambda) v_k$ with a tunable parameter $\lambda$. Finally, all the $w_k$ after adjustments need to be normalized as $w_k=w_k/\sum_{k'=1}^K w_{k'}$.

Experimental Designs Or Analyses: Other dataset results with close-source PLMs in Table 3.

We show results for IMDb on closed-source PLMs in Table B, which also shows the superiority of WASP compared to baseline methods.

Table B. STM performance using $M=100$ with $3$ closed-source PLMs ($K=3$ for WASP) under the same DP setting used in Table 3.

---

[1] Jiacheng Ye et. al., ZeroGen: Efficient Zero-shot Learning via Dataset Generation, EMNLP2022.

[2] Tianyuan Zou et. al., FuseGen: PLM Fusion for Data-generation based Zero-shot Learning., EMNLP2024.