A First Look At Efficient And Secure On-Device LLM Inference Against KV Leakage

TL;DR

This paper introduces KV-Shield, a novel method for secure on-device LLM inference that prevents KV pair leakage on GPUs by using permutation within TEE, balancing privacy and performance.

Contribution

KV-Shield is a new approach that permutes weight matrices and attention vectors within TEE to secure intermediate data during on-device LLM inference.

Findings

KV-Shield effectively prevents KV pair leakage.

The method maintains inference accuracy and efficiency.

Theoretical analysis confirms correctness and security benefits.

Abstract

Running LLMs on end devices has garnered significant attention recently due to their advantages in privacy preservation. With the advent of lightweight LLM models and specially designed GPUs, on-device LLM inference has achieved the necessary accuracy and performance metrics. However, we have identified that LLM inference on GPUs can leak privacy-sensitive intermediate information, specifically the KV pairs. An attacker could exploit these KV pairs to reconstruct the entire user conversation, leading to significant vulnerabilities. Existing solutions, such as Fully Homomorphic Encryption (FHE) and Trusted Execution Environments (TEE), are either too computation-intensive or resource-limited. To address these issues, we designed KV-Shield, which operates in two phases. In the initialization phase, it permutes the weight matrices so that all KV pairs are correspondingly permuted. During the runtime phase, the attention vector is inversely permuted to ensure the correctness of the layer output. All permutation-related operations are executed within the TEE, ensuring that insecure GPUs cannot access the original KV pairs, thus preventing conversation reconstruction. Finally, we theoretically analyze the correctness of KV-Shield, along with its advantages and overhead.