PRISM: Gauge-Invariant Tangent-Space Differentially Private LoRA

Conference: ICML2026
arXiv: 2606.00944
Code: https://github.com/osu-srml/PRISM-DP-LoRA
Area: AI Safety / Differential Privacy / LoRA Fine-tuning
Keywords: Differential Privacy, LoRA, gauge invariance, tangent space, DP-SGD

TL;DR

PRISM moves DP-SGD from the LoRA \((A,B)\) factor space to the tangent space of the rank-\(r\) manifold, where it performs clipping, noise injection, and retraction. The result is a DP-LoRA mechanism that is gauge-invariant, free of bilinear second-order noise, and has a closed-form intrinsic noise energy of \(\sigma C/b \cdot \sqrt{r(m+n-r)}\).

Background & Motivation

Background: When performing PEFT on private data, the most natural approach is to directly apply DP-SGD to the low-rank factors \((A, B)\) of LoRA (Yu et al. 2022; Liu et al. 2025; Xu et al. 2025), where per-example clipping and Gaussian noise injection are applied to the concatenated gradients \(g_A, g_B\) at each step.

Limitations of Prior Work: The authors identify three intertwined issues. Issue I: The LoRA decomposition is non-identifiable. For any \(R \in \mathrm{GL}(r)\), \((A, B)\) and \((AR, BR^{-\top})\) represent the same \(Z = AB^\top\), but the factor gradients transform as \(g_A R^{-\top}\) and \(g_B R\), causing the clipping norm to drift with the gauge; a simple scalar reparameterization \((A, B) \mapsto (cA, c^{-1}B)\) can cause \(\|g_A\|_F^2 + \|g_B\|_F^2\) to scale arbitrarily with \(c\). Issue II: Injecting noise into both factors introduces a bilinear second-order term \(\eta^2 \xi_A \xi_B^\top\) in the intrinsic update; even ignoring this term, the first-order noise energy is \(\tau^2(m\|B\|_F^2 + n\|A\|_F^2)\), which can still be scaled without bound via gauge reparameterization (Cor. 2.3). Issue III: Adaptive optimizers (Adam/AdamW, LoRA-specific invariant optimizers) "learn the noise" from noisy moment estimates and trigger ill-conditioning on the \(r \times r\) matrices \(M = A^\top A\) and \(N = B^\top B\), which in turn amplifies DP noise.
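
Issues I and II can be checked numerically. The following is an added illustration, not code from the paper or its repository: it sweeps the scalar gauge \(c\) while \(Z\) stays fixed and reports the factor-space clipping norm and the first-order noise energy, closed-form and Monte Carlo. All function names, dimensions, \(\tau\), and the random matrices are constructed for the example.

```python
import numpy as np

def gauge(A, B, c):
    """Scalar gauge (A, B) -> (cA, B/c); Z = A B^T is unchanged."""
    return c * A, B / c

def clip_norm(A, B, G):
    """Factor-space norm that DP-SGD clips: g_A = G B, g_B = G^T A."""
    return np.sqrt(np.linalg.norm(G @ B) ** 2 + np.linalg.norm(G.T @ A) ** 2)

def first_order_energy(A, B, tau):
    """Closed form from the text: tau^2 (m ||B||_F^2 + n ||A||_F^2)."""
    m, n = A.shape[0], B.shape[0]
    return tau ** 2 * (m * np.linalg.norm(B) ** 2 + n * np.linalg.norm(A) ** 2)

def noise_terms(A, B, tau, rng):
    """Noise that factor-space DP-SGD puts into Z, split by order in eta."""
    xi_A = tau * rng.standard_normal(A.shape)
    xi_B = tau * rng.standard_normal(B.shape)
    first = xi_A @ B.T + A @ xi_B.T   # enters Z scaled by eta
    bilinear = xi_A @ xi_B.T          # enters Z scaled by eta^2
    return first, bilinear

def gauge_sweep(seed=0, m=8, n=6, r=2, tau=0.5, trials=4000):
    """Per gauge c: (c, clip norm, closed-form energy, Monte Carlo energy)."""
    rng = np.random.default_rng(seed)
    A = rng.standard_normal((m, r))   # constructed LoRA factors
    B = rng.standard_normal((n, r))
    G = rng.standard_normal((m, n))   # constructed per-example gradient w.r.t. Z
    rows = []
    for c in (0.1, 1.0, 10.0):
        Ac, Bc = gauge(A, B, c)
        mc = np.mean([np.linalg.norm(noise_terms(Ac, Bc, tau, rng)[0]) ** 2
                      for _ in range(trials)])
        rows.append((c, clip_norm(Ac, Bc, G), first_order_energy(Ac, Bc, tau), mc))
    return rows

if __name__ == "__main__":
    for c, cn, closed, mc in gauge_sweep():
        print(f"c={c:5.1f}  clip_norm={cn:9.3f}  energy={closed:10.2f}  mc={mc:10.2f}")
```

The same \(Z\) yields different clipping decisions and different effective noise depending on \(c\), so the privacy-utility operating point is set by an arbitrary choice of factorization.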

Key Challenge: DP-SGD is a stochastic mechanism defined in terms of a particular parameterization, whereas what truly determines model behavior in LoRA is the intrinsic update \(Z\). When clipping and noise injection are performed on gauge-redundant factors, the output distribution of the mechanism itself is not a function of \(Z\).

Goal: Design a DP-LoRA mechanism such that the released intrinsic updates satisfy (i) gauge invariance at the distributional level; (ii) additivity under intrinsic (tangent) representation without bilinear noise; and (iii) stability and compatibility with adaptive optimization and low-rank numerical workflows.

Key Insight: Treat \(Z \in \mathcal{M}_r\) as a point on a fixed-rank manifold and directly perform clipping and Gaussian noise injection within its tangent space \(T_Z \mathcal{M}_r\), followed by retraction back to the manifold. The inner product in the tangent space depends only on the orthogonal projections \(\Pi_A, \Pi_B\), making it naturally gauge-invariant.

Core Idea: Use a canonical horizontal lift to lift each per-example gradient to the tangent space representation \((\Delta A_i, \Delta B_i)\). After aggregating across all LoRA modules, perform global intrinsic norm clipping, inject isotropic Gaussian noise projected onto \(T_Z \mathcal{M}_r\) via a low-dim sampler, and finally return to the rank-\(r\) manifold using a truncated-SVD retraction.

Method

Overall Architecture

In each iteration, PRISM performs an update for all \(L\) LoRA modules \(\{(A_\ell, B_\ell)\}\). For each sample \(i\) and module \(\ell\), the per-example intrinsic gradient \(G_{i, \ell} = \nabla_{Z_\ell} \ell_i\) is first lifted to the tangent representation \((\Delta A_{i, \ell}, \Delta B_{i, \ell})\) according to Eq. (14). The intrinsic norm \(s_i = (\sum_\ell \|\Delta Z_{i, \ell}\|_F^2)^{1/2}\) is calculated via Eq. (15) to obtain the per-example coefficient \(\alpha_i = \min\{1, C/s_i\}\). Then, the clipped lifts \(\bar\Delta A_\ell, \bar\Delta B_\ell\) are aggregated per module, and tangent space isotropic Gaussian noise \((\Xi_{A, \ell}, \Xi_{B, \ell})\) generated by the low-dim sampler in Eq. (19) is added to form \((\Delta A_\ell^{\mathrm{dp}}, \Delta B_\ell^{\mathrm{dp}})\). Subsequently, a DP-aware gauge-invariant adaptive direction \((U_{A, \ell}, U_{B, \ell})\) is computed. Finally, \((A_\ell, B_\ell)\) are updated using the retraction \(\mathrm{Retr}_r\). Regarding privacy, the entire iteration corresponds to a single subsampled Gaussian mechanism, which is composed using the PRV accountant to achieve \((\varepsilon, \delta)\)-DP.

Key Designs

  1. Gauge-invariant tangent projection and horizontal lift:

    • Function: Transports per-example gradients from the factor space to the fixed-rank manifold tangent space, ensuring that subsequent clipping and noise injection depend only on \(Z_\ell\) rather than the specific choice of \((A_\ell, B_\ell)\).
    • Mechanism: Uses column-space orthogonal projections \(\Pi_{A_\ell} = A_\ell(A_\ell^\top A_\ell)^\dagger A_\ell^\top\) and \(\Pi_{B_\ell}\) to define the tangent space projection \(\mathcal{P}_{A,B}(G) = \Pi_A G + G\Pi_B - \Pi_A G\Pi_B\) (i.e., removing the normal component \((I-\Pi_A)G(I-\Pi_B)\)). The canonical horizontal lift \(\Delta A_i = g_{A,i}N^\dagger - \tfrac{1}{2}\Pi_A(g_{A,i}N^\dagger)\) and its corresponding \(\Delta B_i\) are then used to uniquely represent tangent matrices back in the factor space, guaranteeing \(\Delta A_i B^\top + A\Delta B_i^\top = \mathcal{P}_{A,B}(G_i)\).
    • Design Motivation: The projections depend only on \(\Pi_A, \Pi_B\), which are invariant under \((A, B) \mapsto (AR, BR^{-\top})\). Thus, the gradient lifting step itself eliminates clipping and noise drift described in Issue I. The \(-\tfrac{1}{2}\Pi_A(\cdot)\) term in the canonical lift removes redundant horizontal directions in the factor space, preventing the non-uniqueness of the lift from reintroducing gauge information into the mechanism.
  2. Global intrinsic clipping + isotropic tangent Gaussian with low-dim sampler:

    • Function: Controls per-example sensitivity under the intrinsic metric and injects closed-form isotropic DP noise in the tangent space, completely eliminating the bilinear \(\eta^2 \xi_A \xi_B^\top\) term and gauge-dependent noise amplification.
    • Mechanism: Computes the intrinsic norm using \(\|\Delta Z_{i, \ell}\|_F^2 = \operatorname{tr}(\Delta A_{i, \ell}^\top \Delta A_{i, \ell} N_\ell) + \operatorname{tr}(\Delta B_{i, \ell}^\top \Delta B_{i, \ell} M_\ell) + 2\operatorname{tr}((A_\ell^\top \Delta A_{i, \ell})(B_\ell^\top \Delta B_{i, \ell}))\), with a shared clipping coefficient \(\alpha_i = \min\{1, C/s_i\}\) across all modules. A low-dim sampler \(\Xi_A = (I-\Pi_A)\Omega_A N^{-1/2}\), \(\Xi_B = \Omega_B M^{-1/2}\) (where \(\Omega_A, \Omega_B \sim \mathcal{N}(0, I)\) have dimensions \(m \times r\) and \(n \times r\)) synthesizes tangent noise with the same distribution as \(\mathcal{P}_{A,B}(\Xi)\) (where \(\Xi\) is an \(m \times n\) standard Gaussian). Thm 3.1 proves this projection yields an isotropic Gaussian on the tangent space with closed-form energy \(\mathbb{E}\|\mathcal{P}_{A,B}(\Xi)\|_F^2 = r(m+n-r)\).
    • Design Motivation: Avoids drawing a full \(m \times n\) Gaussian, keeping computation/storage at LoRA scales. The closed-form \(\mathcal{E}_Z^{\text{PRISM}} = \sigma C/b \cdot \sqrt{r(m+n-r)}\) depends only on \((\sigma, C, b)\) and layer dimensions, decoupling it from \(\|A\|_F, \|B\|_F\), thus making the unbounded gauge amplification in Cor. 2.3 impossible. Prop. 3.2 guarantees that the retraction \(\mathrm{Retr}_r\) only introduces \(O(\eta^2)\) deterministic distortion without any stochastic second-order terms like \(\eta^2 \xi_A \xi_B^\top\).
  3. DP-aware gauge-invariant adaptive update (targeting Issue III):

    • Function: Sets a floor on the rank-\(r\) preconditioner so that adaptive methods like Adam/AdamW do not treat the noise variance in noisy moment estimates as true signal, and so that numerical operations like \(M^{\dagger/2}\) do not explode when \(M, N\) approach singularity.
    • Mechanism: Before the update enters retraction, the DP noise variance is injected as a lower bound into the rank-space preconditioner (Algorithm 1 line 13 + invariant adaptive transform in Eqs. (24)–(26)), yielding a gauge-invariant direction \((U_{A, \ell}, U_{B, \ell})\). When the true gradient signal is submerged by DP noise, the floor prevents the ill-conditioned case where the preconditioner degrades toward \(\mathsf{P} \approx \Sigma_\xi\).
    • Design Motivation: The authors argue in §2 that in \(\theta^+ = \theta - \eta \mathsf{P}^{-1/2} \hat g\), a noisy \(\mathsf{P}\) causes update noise covariance to become \(\eta^2 I\) (whitening out the signal). Simultaneously, LoRA's \(r \times r\) Gram matrices are prone to near-singularity under DP noise and gauge drift, causing \(\|M^{\dagger/2}\|_2 = 1/\sqrt{\lambda_{\min}^+(M)}\) to explode. The DP-aware floor + invariant form addresses both issues.
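
Key Designs 1 and 2 for a single module, as an added sketch that is not the authors' implementation: the tangent projection, canonical horizontal lift, Gram-matrix intrinsic norm, per-example clipping coefficient, and low-dim noise sampler. Function names are hypothetical, \(\Delta B_i\) is taken as the mirror image of the \(\Delta A_i\) formula (an assumption, since the text only states \(\Delta A_i\)), and `inv_sqrt` assumes \(A, B\) have full column rank.

```python
import numpy as np

def proj(X):
    """Orthogonal projector onto the column space of X (Pi_A, Pi_B)."""
    return X @ np.linalg.pinv(X.T @ X) @ X.T

def tangent_proj(A, B, G):
    """P_{A,B}(G) = Pi_A G + G Pi_B - Pi_A G Pi_B."""
    PA, PB = proj(A), proj(B)
    return PA @ G + G @ PB - PA @ G @ PB

def horizontal_lift(A, B, G):
    """Canonical lift (dA, dB); dB mirrors the dA formula (assumption)."""
    tA = (G @ B) @ np.linalg.pinv(B.T @ B)      # g_A N^+
    tB = (G.T @ A) @ np.linalg.pinv(A.T @ A)    # g_B M^+
    return tA - 0.5 * proj(A) @ tA, tB - 0.5 * proj(B) @ tB

def intrinsic_norm(A, B, dA, dB):
    """||dA B^T + A dB^T||_F computed from r x r products only."""
    M, N = A.T @ A, B.T @ B
    sq = (np.trace(dA.T @ dA @ N) + np.trace(dB.T @ dB @ M)
          + 2 * np.trace((A.T @ dA) @ (B.T @ dB)))
    return np.sqrt(sq)

def inv_sqrt(S):
    """S^{-1/2} for a symmetric positive-definite r x r matrix."""
    w, V = np.linalg.eigh(S)
    return (V / np.sqrt(w)) @ V.T

def tangent_noise(A, B, rng):
    """Low-dim sampler: Xi_A = (I - Pi_A) Omega_A N^{-1/2}, Xi_B = Omega_B M^{-1/2}."""
    m, n, r = A.shape[0], B.shape[0], A.shape[1]
    Xi_A = (np.eye(m) - proj(A)) @ rng.standard_normal((m, r)) @ inv_sqrt(B.T @ B)
    Xi_B = rng.standard_normal((n, r)) @ inv_sqrt(A.T @ A)
    return Xi_A @ B.T + A @ Xi_B.T              # element of T_Z M_r

def clip_coeffs(A, B, grads, C):
    """alpha_i = min(1, C / s_i), s_i the intrinsic norm of example i."""
    out = []
    for G in grads:
        dA, dB = horizontal_lift(A, B, G)
        out.append(min(1.0, C / intrinsic_norm(A, B, dA, dB)))
    return np.array(out)
```

Under a general gauge \((AR, BR^{-\top})\) the clipping coefficients are unchanged, and the mean squared Frobenius norm of `tangent_noise` approaches \(r(m+n-r)\) regardless of \(\|A\|_F, \|B\|_F\).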

Loss & Training

The objective remains the empirical risk under standard LoRA fine-tuning \(F(A, B) = \tfrac{1}{N} \sum_i \ell_i(W_0 + AB^\top)\). The privacy mechanism provides \((\varepsilon, \delta)\)-DP through the composition of Poisson subsampling (rate \(q=b/N\)), per-iteration subsampled Gaussian mechanism, and PRV accountant (Thm 3.4). Thm 3.3 shows that each step increment \(\widehat{\Delta Z}_\ell\) is identically distributed with respect to gauge \(R \in \mathrm{GL}(r)\); since retraction is deterministic post-processing, the entire trajectory is gauge-invariant.

Key Experimental Results

Main Results

Evaluated across 8 GLUE tasks and 4 Math-10K tasks (GSM8K / AQuA / MAWPS / SVAMP), totaling 12 tasks with \(\delta = 10^{-5}\). Mean accuracy is compared for FFA, Rite, AdamW, LoRA+, Lamb, and PRISM across Non-DP, \(\varepsilon = 6\), and \(\varepsilon = 3\) settings.

| Setting | Method | Avg(12) | GSM8K | SVAMP | QQP |
|---|---|---|---|---|---|
| Non-DP | LoRA+ | 0.769 | 0.592 | 0.712 | 0.807 |
| Non-DP | PRISM | 0.737 | 0.552 | 0.693 | 0.797 |
| \(\varepsilon=6\) | LoRA+ | 0.674 | 0.446 | 0.611 | 0.739 |
| \(\varepsilon=6\) | PRISM | 0.690 | 0.469 | 0.626 | 0.770 |
| \(\varepsilon=3\) | AdamW | 0.634 | 0.446 | 0.591 | 0.555 |
| \(\varepsilon=3\) | PRISM | Best Avg | Sig. Gain | Sig. Gain | Sig. Gain |

Ablation Study

Scales of effective intrinsic noise \(\mathcal{E}_Z\) across three DP-LoRA designs.

| Method | Trainable Params | \(\mathcal{E}_Z\) | (a) Gauge-inv | (b) No bilinear | (c) LoRA-scale |
|---|---|---|---|---|---|
| DP-LoRA (Double-sided) | \((m+n)r\) | unbounded | | | |
| One-side (Frozen A) | \(nr\) | \((\sigma C/b)\sqrt{n}\lVert A\rVert_F\) | | | |
| PRISM | \((m+n)r\) | \((\sigma C/b)\sqrt{r(m+n-r)}\) | | | |

Key Findings

  • PRISM's advantage grows as privacy tightens (smaller \(\varepsilon\)): It consistently achieves the best average in the \(\varepsilon \le 6\) range and shows the largest gaps over baselines in multi-step reasoning tasks (GSM8K/MAWPS/SVAMP), suggesting that gauge-invariant intrinsic noise is crucial for private scenarios where the "signal is smaller than the noise."
  • PRISM is not the strongest in Non-DP settings (LoRA+ 0.769 vs. PRISM 0.737): This is reasonable as tangent projection and retraction introduce unnecessary geometric constraints in noise-free scenarios. This confirms PRISM's gains stem strictly from DP geometric alignment rather than a superior optimizer.
  • One-side (frozen \(A\)) eliminates bilinear terms but not gauge-dependence: As shown in Table 1, its \(\mathcal{E}_Z \propto \|A\|_F\) can still be arbitrarily scaled via reparameterization. Only moving the DP mechanism into the tangent space fully resolves this.
  • Low-dim sampler efficiency: Replacing full \(m \times n\) Gaussian with two \(\Omega\) blocks (\(m \times r\) and \(n \times r\)) keeps computation and memory at \(O((m+n)r^2)\), the same order as original LoRA.

Highlights & Insights

  • Shifting the DP mechanism from "parameters" to "manifolds": DP-SGD has long been default-bound to parameterized coordinates. PRISM points out that the true object to be protected is the intrinsic \(Z\), moving all clipping and noise injection into \(T_Z \mathcal{M}_r\). This is a clear example of applying manifold optimization to DP, a mindset transferable to any parameterization with gauge redundancy (e.g., NTK reparam, tensor factorization, fine-tuning on Stiefel/Grassmann).
  • Closed-form effective intrinsic noise \(\sqrt{r(m+n-r)}\): It is rare for a mechanism's noise scaling to be analytical. This can be directly used to design the privacy-utility tradeoff for a given LoRA rank \(r\), effectively providing a formula for DP cost in the rank dimension.
  • The \(-\tfrac{1}{2}\Pi_A(\cdot)\) correction in horizontal lift: This utilizes a standard technique for choosing a horizontal section in a manifold quotient space. Its application in DP ensures both the lift and the mechanism are gauge-invariant, representing a key insight borrowed from the differential geometry toolbox.

Limitations & Future Work

  • Accuracy sacrifice under Non-DP baseline: PRISM lags behind LoRA+ by about 3 points in average accuracy in noise-free settings, meaning retraction and tangent projection are burdens when DP is unnecessary. The paper does not provide a toggle to "automatically degrade to standard LoRA."
  • Theorem 3.1 closed-form targets full column rank \(A, B\): During early training or rank collapse, \(M=A^\top A\) might be singular. The paper uses \(\dagger\) and a DP-aware floor for robustness, but this requires more empirical validation.
  • Validation limited to classification and arithmetic reasoning: Testing is absent for generative long-sequence tasks, multimodal applications, or RLHF. Furthermore, scale information is sparse; wall-clock and memory overhead on industrial 7B/70B models remain unclear.
  • Retraction via truncated SVD in Algorithm 1: Each update incurs an \(O((m+n)r^2)\) SVD cost. With many modules \(L\), the constant factor may be significant. Using polar-style or QR-based retractions to further reduce constants would be more practical.

Comparison with Prior Work

  • vs. Naive DP-LoRA / DP-Adam-LoRA (Yu et al. 2022; Liu et al. 2025; Xu et al. 2025): They apply DP-SGD directly to \((A, B)\), which PRISM formally identifies as violating gauge symmetry and introducing bilinear and unbounded first-order noise. PRISM outperforms these in accuracy under equivalent privacy budgets.
  • vs. One-side DP-LoRA (Sun et al. 2024): One-side eliminates bilinear terms but remains sensitive to the norm of the frozen factor. PRISM satisfies all three desiderata via tangent space projection.
  • vs. Invariant LoRA Optimizer Rite (Yen et al. 2025): Rite is a deterministic invariant optimizer focusing on optimization trajectory invariance. PRISM emphasizes that the stochastic mechanism (clipping/noise) itself needs gauge invariance. The two are orthogonal; PRISM's DP-aware adaptive transform complements Rite's ideas.
  • vs. DP-aware Adam variants (Li et al. 2022/2023; Tang et al. 2024): That lineage focuses on bias correction for moment estimation under DP. PRISM handles similar issues for the low-rank \(r \times r\) Gram matrix structure, which is more suited to the numerical structure of LoRA.

Rating

  • Novelty: ⭐⭐⭐⭐⭐ First to fully implement a tangent-space DP mechanism for fixed-rank manifolds in LoRA, providing closed-form intrinsic noise and formalizing the three desiderata.
  • Experimental Thoroughness: ⭐⭐⭐⭐ Broad coverage across 12 tasks and 3 privacy levels, though it lacks large-scale generative tasks and an explanation for the Non-DP degradation.
  • Writing Quality: ⭐⭐⭐⭐⭐ Problem statement (Issue I/II/III) is very clear; theoretical loop of theorems, corollaries, and propositions is rigorous; Table 1 effectively summarizes design goals.
  • Value: ⭐⭐⭐⭐⭐ Provides a correct geometric starting point for DP-PEFT. The closed-form \(\sqrt{r(m+n-r)}\) is directly applicable to privacy-utility budget allocation, serving as a baseline for future LoRA-style DP work.