Selective KV-Cache Sharing to Mitigate Timing Side-Channels in LLM Inference

TL;DR

SafeKV is a system that enables privacy-preserving shared KV-cache management in large language model inference, reducing timing side-channel risks while maintaining high performance.

Contribution

It introduces a novel co-designed system with detection, isolation, and safeguards to prevent sensitive data leakage in shared KV-cache environments.

Findings

Reduces TTFT overhead by up to 40.58% compared to full isolation.

Increases throughput by up to 2.66x while maintaining privacy.

Effectively mitigates timing side-channels in multi-tenant LLM inference.

Abstract

Global KV-cache sharing is an effective optimization for accelerating large language model (LLM) inference, yet it introduces an API-visible timing side channel that lets adversaries infer sensitive user inputs from shared entries, leading to cross-tenant privacy risks. To address this problem, we introduce SafeKV (Secure and Flexible KV-cache Sharing), a system-level co-design of privacy enforcement and KV-cache management. SafeKV integrates lightweight detection and isolation directly into the serving runtime to eliminate cross-tenant reuse of sensitive KV-cache blocks under our threat model, while recovering most of the performance benefits of global sharing. Our key contributions are: (1) a three-tier asynchronous detection pipeline that decouples privacy classification from inference and supports streaming workloads, (2) a unified radix-tree-based memory manager with path compression and sensitivity-aware eviction for scalable selective isolation, and (3) an RDR-guided (Reuse Diversity Ratio) runtime safeguard that detects and bounds residual leakage. On large LLM backends, SafeKV reduces the time-to-first-token (TTFT) overhead compared to full isolation by up to 40.58% and raises throughput by up to 2.66x. Overall, SafeKV restores the efficiency of KV reuse while enforcing strong, practical privacy for multi-tenant LLM inference.