Auditing Prompt Caching in Language Model APIs

TL;DR

This paper investigates prompt caching in large language model APIs, revealing privacy risks from timing side-channel attacks and uncovering proprietary model architecture details through statistical audits.

Contribution

It introduces methods to detect prompt caching in real-world APIs and uncovers privacy and security implications of shared cache and timing variations.

Findings

Detected global cache sharing in seven API providers, including OpenAI.

Identified timing-based privacy leakage about user prompts.

Revealed that OpenAI's embedding model is a decoder-only Transformer.

Abstract

Prompt caching in large language models (LLMs) results in data-dependent timing variations: cached prompts are processed faster than non-cached prompts. These timing differences introduce the risk of side-channel timing attacks. For example, if the cache is shared across users, an attacker could identify cached prompts from fast API response times to learn information about other users' prompts. Because prompt caching may cause privacy leakage, transparency around the caching policies of API providers is important. To this end, we develop and conduct statistical audits to detect prompt caching in real-world LLM API providers. We detect global cache sharing across users in seven API providers, including OpenAI, resulting in potential privacy leakage about users' prompts. Timing variations due to prompt caching can also result in leakage of information about model architecture. Namely, we find evidence that OpenAI's embedding model is a decoder-only Transformer, which was previously not publicly known.