SVIP: Towards Verifiable Inference of Open-source Large Language Models
Yifan Sun, Yuhang Li, Yue Zhang, Yuchen Jin, Huan Zhang

TL;DR
SVIP is a protocol that lets users of decentralized LLM inference providers check that the model they requested was actually run: the provider returns hidden representations alongside the generated text, and the user verifies them with a secret-keyed proxy task rather than heavyweight cryptographic machinery.
Contribution
We propose SVIP, a computationally efficient, secret-based verification protocol for open-source LLM inference that does not rely on cryptographic assumptions and effectively detects dishonest providers.
Findings
SVIP achieves false negative rates below 5%.
SVIP has false positive rates below 3%.
Verification takes less than 0.01 seconds per prompt.
Abstract
The ever-increasing size of open-source Large Language Models (LLMs) renders local deployment impractical for individual users. Decentralized computing has emerged as a cost-effective solution, allowing individuals and small companies to perform LLM inference for users using surplus computational power. However, a computing provider may stealthily substitute the requested LLM with a smaller, less capable model without consent from users, thereby benefiting from cost savings. We introduce SVIP, a secret-based verifiable LLM inference protocol. Unlike existing solutions based on cryptographic or game-theoretic techniques, our method is computationally effective and does not rest on strong assumptions. Our protocol requires the computing provider to return both the generated text and processed hidden representations from LLMs. We then train a proxy task on these representations,…
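To make the flow sketched in the abstract concrete, the following is a constructed toy simulation of its three phases: a trusted setup in which a proxy head is trained on the requested model's representations under a secret, a query phase in which the provider returns a representation per prompt, and a verification phase in which the head's prediction is compared with the secret-keyed label. It is added example code, not the authors' implementation. The "models" are random linear encoders over bag-of-token prompts, the proxy task is a secret-keyed sign-of-weighted-sum label fitted by a perceptron, and the vocabulary, hidden width, number of prompts, 0.85 acceptance threshold and secret are all assumptions chosen so it runs offline in pure Python; SVIP's actual proxy task, labeling function and representation processing are not described on this page.

```python
"""Toy walk-through of secret-based verification of outsourced LLM inference.

Constructed illustration, not the SVIP authors' code. Real LLMs are replaced by
random linear encoders over bag-of-token prompts, and the proxy task is a
secret-keyed binary label fitted by a perceptron. Dimensions, threshold and the
secret are assumptions chosen so the flow runs offline in pure Python.
"""
import hashlib
import random

VOCAB = 24       # toy vocabulary size (assumed)
PROMPT_LEN = 5   # odd, so the keyed label below never sits on the boundary (assumed)
HIDDEN = 40      # width of the hidden representation a provider must return (assumed)


class ToyModel:
    """Stand-in for an LLM: hidden representation = W @ bag_of_tokens(prompt).

    Different seeds stand for different models, e.g. the requested model and a
    cheaper substitute a dishonest provider might swap in.
    """

    def __init__(self, seed):
        rng = random.Random(seed)
        self.w = [[rng.gauss(0.0, 1.0) for _ in range(VOCAB)] for _ in range(HIDDEN)]

    def represent(self, prompt):
        counts = [0] * VOCAB
        for tok in prompt:
            counts[tok] += 1
        return [sum(row[t] * counts[t] for t in range(VOCAB)) for row in self.w]


def keyed_label(secret, prompt):
    """Secret-keyed label: sign of a +/-1 weighting of the prompt's tokens.

    The weights are derived from the secret, so a provider that lacks it cannot
    know which label the verifier expects for a given prompt.
    """
    seed = int.from_bytes(hashlib.sha256(secret).digest()[:8], "big")
    rng = random.Random(seed)
    signs = [rng.choice((-1, 1)) for _ in range(VOCAB)]
    return 1 if sum(signs[t] for t in prompt) > 0 else -1


class Verifier:
    """Holds the secret and a linear proxy head trained on the requested model."""

    def __init__(self, secret, requested_model, train_prompts, epochs=50):
        self.secret = secret
        self.head = [0.0] * HIDDEN
        # Offline setup: a trusted party runs the requested model on training
        # prompts; the head is fitted to predict the keyed label from them.
        data = [(requested_model.represent(p), keyed_label(secret, p))
                for p in train_prompts]
        for _ in range(epochs):
            mistakes = 0
            for rep, y in data:
                if self.predict(rep) != y:
                    mistakes += 1
                    self.head = [h + y * r for h, r in zip(self.head, rep)]
            if mistakes == 0:   # perceptron now separates the training set
                break

    def predict(self, rep):
        return 1 if sum(h * r for h, r in zip(self.head, rep)) > 0 else -1

    def agreement(self, prompts, returned_reps):
        """Fraction of returned representations whose head prediction matches the
        secret-keyed label: near 1 for the requested model, near chance otherwise."""
        hits = sum(self.predict(rep) == keyed_label(self.secret, p)
                   for p, rep in zip(prompts, returned_reps))
        return hits / len(prompts)

    def accept(self, prompts, returned_reps, threshold=0.85):
        """Online check: accept the provider if agreement clears the threshold (assumed)."""
        return self.agreement(prompts, returned_reps) >= threshold


def run_protocol(seed=0):
    """Run the flow once against an honest provider and a substituting one."""
    rng = random.Random(seed)

    def prompt():
        return rng.sample(range(VOCAB), PROMPT_LEN)

    secret = b"verifier-secret-key"          # constructed secret
    requested = ToyModel(seed=1)             # the model the user asked for
    substitute = ToyModel(seed=2)            # cheaper model swapped in by a dishonest provider
    verifier = Verifier(secret, requested, [prompt() for _ in range(1000)])
    queries = [prompt() for _ in range(200)]
    honest_reps = [requested.represent(p) for p in queries]
    dishonest_reps = [substitute.represent(p) for p in queries]
    return {
        "honest_agreement": verifier.agreement(queries, honest_reps),
        "dishonest_agreement": verifier.agreement(queries, dishonest_reps),
        "honest_accepted": verifier.accept(queries, honest_reps),
        "dishonest_accepted": verifier.accept(queries, dishonest_reps),
    }


if __name__ == "__main__":
    for key, value in run_protocol().items():
        print(f"{key}: {value}")
```

Running it shows the honest provider's agreement close to 1 and the substitute's close to chance, which is the gap the acceptance threshold exploits. Two points the toy also makes visible: the setup phase needs someone trusted to run the requested model on the training prompts, and the head is only fitted to the prompt distribution it was trained on; both are raised by reviewers below.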
Peer Reviews
Decision: Submitted to ICLR 2025
- I find the topic of the paper interesting and important.
- The verification proposed in the paper is not useful in any reasonable scenario. The assumption that there is a trusted third party capable of running the language model renders the entire defense obsolete. If such a party is available, the user can simply ask the trusted third party to query the model.
- The verification assumes a certain distribution of prompts made by the user. Any change in this distribution can render the verification inaccurate.
- The verification is allowed to have a 5%
- There are many models (LLMs) tested.
- The protocol is shown to be effective at distinguishing between two models.
- Some adaptive attacks are considered and the modified protocol is robust to these.
- The protocol is highly efficient, both in terms of compute and communication overhead.
- Lacking motivation, see questions 1-3. The impact of this problem setting/solution is unclear to me. It seems that model providers are already heavily disincentivized from “swapping models”, could be caught (and if not, it then wouldn’t be a problem), or may already be on a path to removing the need to “swap models”. I welcome a response to these questions.
- The protocol is unclear. For example, how are the inputs to the proxy task generated? Does the choice in the labeling function matte
The paper has significant strengths:
- The paper addresses a highly relevant and novel problem of verifying the authenticity of the model behind an API, which is essential for trust in model-based services and has broad implications for the field.
- Reducing the size of intermediate representations to minimize communication overhead is a practical and effective approach, improving the feasibility of real-time verification in resource-constrained environments.
- The paper’s thorough consideration
While I really enjoyed reading the paper and found it exciting to see this first step forward towards a new threat vector, I currently see significant weaknesses. If these can be resolved / clarified during the rebuttal process, and if the paper can be updated accordingly, I am willing to raise my score to an accept.

**There is not sufficient protocol setup description**

Even after multiple reads of the paper, I still struggle to see some details of the actual deployment protocol for the metho
Taxonomy
Topics: Natural Language Processing Techniques · Topic Modeling
