Until-Decode Privacy in Data Systems

• Until-decode privacy is a cryptographic paradigm that strictly limits data exposure until decoding, ensuring only essential information is revealed.
• It underpins protocols in index coding, coded caching, and language model decoding by controlling the amount of information each participant accesses.
• Practical implementations balance privacy and performance through mechanisms like k-limited-access transforms, differential noise injection, and adaptive trade-offs.

Until-decode privacy is a cryptographically inspired paradigm ensuring that, at inference or communication time, a participant or observer learns no more information than is strictly necessary to achieve its own decoding or prediction goal—nothing can be inferred about other participants, data, or system internals until the decode operation is accomplished. This notion underpins a family of protocols, algorithmic transforms, and statistical postprocessing mechanisms in distributed systems, machine learning, and network coding, providing strong privacy guarantees without requiring global retraining or system-level changes.

1. Conceptual Definition and Formal Models

The central principle of until-decode privacy is the guarantee that no entity, including potential adversaries or honest-but-curious participants, can infer information about any private variable—such as a user's requests, other clients' side information, or sensitive training records—until the information needed for their own decoding becomes available, and then only to the minimum extent necessary.

Index Coding and Demand Privacy

In coded multicast and index coding, "until-decode privacy" refers to the guarantee that a client cannot learn anything about other clients’ requests, side information, or coding coefficients, until it has observed exactly those broadcast components that enable it to reconstruct its own requested message. The formal definition, as in the "Privacy in Index Coding: $k$-Limited-Access Schemes" framework, states that each client $n$ should only see a $k \times m$ submatrix of the coding matrix sufficient to decode her own message, thereby hiding the remaining structure and associated information about others (Karmoose et al., 2018).

For coded caching, the analogous "demand-privacy" definition imposes, for any two users $i \neq j$ and any demand vector $D$, that

$I(D_j; D_i, Z_i, O(Z_i), X^D, O(X^D)) = 0,$

with $Z_i$ the cache contents for user~$i$, $O(Z_i)$ private metadata, $X^D$ the multicast, and $O(X^D)$ public headers (R et al., 2019). This demands independence of $D_j$ from all accessible data to user $i$ (except her own demand), strictly enforcing until-decode privacy.

LLM Decoding

In large-scale LLMs, the "until-decode" privacy goal stipulates that the output for any specific prompt or context does not reveal differential properties of the underlying private training or retrieval corpus until the moment a sample is decoded. Notably, "Differentially Private Decoding in LLMs" recasts DP at test time: for any two neighboring training datasets $S, S'$ and prediction procedure $D$,

$$\ln \Pr[D(x; S) \in O] - \ln \Pr[D(x; S') \in O] \leq \epsilon,$$

with $\delta=0$ (pure DP guarantee), for every measurable set of outputs $O$ and all prompts $x$ (Majmudar et al., 2022). In the RAG context, privacy-aware decoding applies $(\epsilon,\delta)$-DP per output by tracking cumulative RDP at each step (Wang et al., 5 Aug 2025).

2. Algorithmic Mechanisms for Until-Decode Privacy

Postprocessing and $k$-Limited-Access in Index Coding

In linear index coding, $k$-limited-access schemes transform any $T\times m$ coding matrix $A$ into $T_k \times m$ matrix $A_k$, ensuring that each client can reconstruct their desired vector via at most $k$ rows of $A_k$ and sees nothing else (Karmoose et al., 2018). This is realized by algebraic constructions (e.g., appending all-ones row, or block-diagonal embedding of patterns), which allow precise control over how much of the broadcast each participant can access pre-decode.

Differentially Private Decoding in LLMs

A model-agnostic method provides until-decode privacy by perturbing the decoding distribution at each step. For vocabulary $V$ of size $|V|$, and original $q_t$ (softmax over logits $h_t$), the mechanism outputs

$q_t' = \lambda q_t + (1-\lambda)u,$

where $u$ is uniform over $V$, $\lambda \in [0,1]$ trades privacy for utility, and sampling is from $q_t'$ (no Laplace or Gaussian noise; only uniform smoothing). This achieves a provable $\epsilon$-DP at decode time (Majmudar et al., 2022):

$$\epsilon = T \cdot \log \frac{1 + (|V| - 1)\lambda}{1 - \lambda}.$$

Related, PAD in RAG LLMs injects calibrated Gaussian noise into each logit, adaptively controlled by token risk via local sensitivity estimation and context-aware calibration, with privacy tracked per-response through Rényi DP composition and conversion:

$$\varepsilon^{\textrm{RDP}(\alpha)} = \frac{\alpha \Delta^2}{2 \sigma^2}, \qquad \varepsilon = \mathrm{RDP}_{\mathrm{total}}(\alpha) + \frac{\log(1/\delta)}{\alpha-1}.$$

A deterministic per-step accountant provides explicit $(\varepsilon,\delta)$ control (Wang et al., 5 Aug 2025).

Heuristic and Structure-Dependent Reductions

For small numbers of participants or limited localities, structure-dependent heuristics—successive circuit removal and branch-search—seek to minimize broadcast bandwidth or coding complexity under the privacy constraint, optimizing system-level overhead while maintaining until-decode privacy (Karmoose et al., 2018).

3. Quantitative Trade-Offs and Impossibility Results

The cost of enforcing until-decode privacy is characterized in terms of utility (decoding rate, model performance) and auxiliary system parameters (subpacketization, bandwidth, latency).

Coding Length and Subpacketization

In index coding, to represent $n$ nonzero vectors by at most $k$-row combinations from $T_k$ rows, the requirement

$\sum_{i=1}^k \binom{T_k}{i} \geq n$

leads to

$$T_k \geq \max\left\{T,\, \min\left\{t : \sum_{i=1}^k \binom{t}{i} \ge n\right\}\right\}.$$

Construction regimes yield $T_k \leq \min\{n, T+1\}$ or $T_k \leq k 2^{\lceil T/k\rceil}$ depending on $k$. These bounds are provably order-optimal for large $n$ or $k$ (Karmoose et al., 2018).

For coded caching with demand privacy, the minimal subpacketization for $(2,2;M=1,R=2/3)$ is $f=3$, shown optimal among all linear and uncoded schemes (R et al., 2019). Schemes with $f<3$ are impossible under the privacy constraint, ruling out further rate or memory savings.

Privacy–Utility/Efficiency Trade-off in LLMs

As $\lambda$ decreases in the uniform mixing method, privacy ($\epsilon$) improves, but perplexity (PPL) sharply increases: e.g., at $\epsilon \approx 65$, PPL is close to baseline, at $\epsilon \approx 60$, PPL jumps $\sim40\%$, and for $\epsilon \lesssim 50$, utility collapses (PPL increases $\sim 350\%$), rendering the model practically unusable (Majmudar et al., 2022). PAD demonstrates similar tradeoffs: aggressive noise yields high DP but at the cost of infinite or unusably high PPL, with moderate noise providing a practical equilibrium (Wang et al., 5 Aug 2025).

Overhead in Bandwidth and Delay

Until-decode privacy often requires increased transmission length, subpacketization, or bandwidth (in coding) or larger per-step noise (in LMs) for non-negligible privacy guarantees. Table summaries in both index coding and LLM work illustrate exponential penalties for full privacy in certain regimes, with dramatic reductions achievable if partial (ambiguous) privacy is accepted.

4. Composability, Scalability, and Model-Agnosticism

Key until-decode privacy mechanisms are composable, easily integrated into existing systems, and model-agnostic. In DP decoding, all postprocessing occurs at inference with no retraining, enabling broad compatibility with any pretrained LLM or scoring framework (Majmudar et al., 2022, Wang et al., 5 Aug 2025).

Postprocessing (e.g., mixture over uniform or noise-injection) can be combined with alternative decoding strategies—top-$k$, nucleus, or context-filtered sampling—though privacy guarantees must then be recomputed for the new mechanism. Vocabulary size and sequence length directly affect $\epsilon$, motivating practical variants that restrict perturbation to top candidates or limit the number of protected steps.

In index coding, universal $k$-limited-access constructions are matrix-independent, not requiring customization to the underlying code, and heuristics enable practicality at small system scale.

5. Extensions: Partial Privacy, Adaptive Methods, and Practical Deployment

Partial until-decode privacy—requiring only $k$-file ambiguity rather than full indistinguishability—unlocks substantially better resource efficiency. By growing the underlying number of virtual users only to $kK$ instead of $NK$, subpacketization costs are reduced exponentially as $N \to \infty$ while still holding ambiguity over $k$ possible other users' demands (R et al., 2019).

Adaptive perturbation in PAD screens for high-risk tokens and calibrates noise by local sensitivity estimation and context, minimizing unnecessary privacy loss and maximizing utility (Wang et al., 5 Aug 2025). Mixture-based DP in LLM decoding admits further generalization to context-dependent or token-sensitive perturbations.

Table: Comparison of Until-Decode Privacy Mechanisms

System	Privacy Metric	Core Mechanism
Index coding	Entropy/MIL; $k$-row exposure	$k$-limited-access transform
Coded caching	Mutual information: $I(D_j; \cdot)=0$	Randomized placement, optimal splitting
LLM decoding	$(\epsilon,\delta)$-DP (per output)	Distribution mixing, logit noise
RAG LLM (PAD)	RDP composition, per-response $(\epsilon,\delta)$	Gaussian logit noise, adaptive screen

6. Attacks, Leakage, and Mitigation (Speculative and Adaptive Decoding)

Until-decode privacy is challenged by new classes of side-channel and fingerprinting attacks, particularly in modern speculative LLM decoders (Wei et al., 2024). Here, adversaries exploit output timing and packet size patterns induced by speculative iterations to infer input queries or leak design/data artifacts at high accuracy and rate.

Mitigations—packet padding, iteration aggregation, and rigorous avoidance of sensitive data in external stores—are shown to degrade attack efficacy (e.g., variable padding reducing REST trace accuracy from $100\%$ to $27\%$), at substantial bandwidth or latency overhead (Wei et al., 2024). The practical implication is that robust until-decode privacy in deployment necessitates additional system-level defenses beyond statistical perturbation.

7. Comparative Insights and Practical Impact

Until-decode privacy delineates a family of mechanisms with provable privacy properties that are operable at inference or transmission. The paradigm achieves—often with tight optimality—trade-offs between privacy risk and decode efficiency in distributed storage, message passing, and deep learning inference. While full privacy may require steep resource or performance penalties (e.g., exponential subpacketization or significant utility degradation), partial relaxation, local adaptivity, and model-agnostic postprocessing expand feasibility for real-world adoption.

In summary, until-decode privacy constitutes a powerful, generalizable toolkit in privacy-preserving data systems, supporting formal guarantees that are both theoretically sound and practically efficient under a range of adversary models and system constraints (Karmoose et al., 2018, R et al., 2019, Majmudar et al., 2022, Wang et al., 5 Aug 2025, Wei et al., 2024).