Saved in:
Bibliographic Details
Main Authors: Thomas, Rahul, Zahran, Louai, Choi, Erica, Potti, Akilesh, Goldblum, Micah, Pal, Arka
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2505.18332
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909621951660032
author Thomas, Rahul
Zahran, Louai
Choi, Erica
Potti, Akilesh
Goldblum, Micah
Pal, Arka
author_facet Thomas, Rahul
Zahran, Louai
Choi, Erica
Potti, Akilesh
Goldblum, Micah
Pal, Arka
contents Recent advances in Large Language Models (LLMs) have led to the widespread adoption of third-party inference services, raising critical privacy concerns. Existing methods of performing private third-party inference, such as Secure Multiparty Computation (SMPC), often rely on cryptographic methods. However, these methods are thousands of times slower than standard unencrypted inference, and fail to scale to large modern LLMs. Therefore, recent lines of work have explored the replacement of expensive encrypted nonlinear computations in SMPC with statistical obfuscation methods - in particular, revealing permuted hidden states to the third parties, with accompanying strong claims of the difficulty of reversal into the unpermuted states. In this work, we begin by introducing a novel reconstruction technique that can recover original prompts from hidden states with nearly perfect accuracy across multiple state-of-the-art LLMs. We then show that extensions of our attack are nearly perfectly effective in reversing permuted hidden states of LLMs, demonstrating the insecurity of three recently proposed privacy schemes. We further dissect the shortcomings of prior theoretical `proofs' of permuation security which allow our attack to succeed. Our findings highlight the importance of rigorous security analysis in privacy-preserving LLM inference.
format Preprint
id arxiv_https___arxiv_org_abs_2505_18332
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle An Attack to Break Permutation-Based Private Third-Party Inference Schemes for LLMs
Thomas, Rahul
Zahran, Louai
Choi, Erica
Potti, Akilesh
Goldblum, Micah
Pal, Arka
Cryptography and Security
Machine Learning
Recent advances in Large Language Models (LLMs) have led to the widespread adoption of third-party inference services, raising critical privacy concerns. Existing methods of performing private third-party inference, such as Secure Multiparty Computation (SMPC), often rely on cryptographic methods. However, these methods are thousands of times slower than standard unencrypted inference, and fail to scale to large modern LLMs. Therefore, recent lines of work have explored the replacement of expensive encrypted nonlinear computations in SMPC with statistical obfuscation methods - in particular, revealing permuted hidden states to the third parties, with accompanying strong claims of the difficulty of reversal into the unpermuted states. In this work, we begin by introducing a novel reconstruction technique that can recover original prompts from hidden states with nearly perfect accuracy across multiple state-of-the-art LLMs. We then show that extensions of our attack are nearly perfectly effective in reversing permuted hidden states of LLMs, demonstrating the insecurity of three recently proposed privacy schemes. We further dissect the shortcomings of prior theoretical `proofs' of permuation security which allow our attack to succeed. Our findings highlight the importance of rigorous security analysis in privacy-preserving LLM inference.
title An Attack to Break Permutation-Based Private Third-Party Inference Schemes for LLMs
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2505.18332