Can AI Keep a Secret? Contextual Integrity Verification: A Provable Security Architecture for LLMs

TL;DR

This paper introduces Contextual Integrity Verification (CIV), a cryptographically secured architecture that enforces source trust in LLMs at inference time, effectively preventing prompt injection attacks without degrading model performance.

Contribution

CIV is a novel, lightweight security architecture that provides provable, per-token non-interference guarantees for frozen LLMs against prompt injection attacks.

Findings

CIV achieves 0% attack success rate on benchmark datasets.

CIV maintains 93.1% token-level similarity on benign tasks.

CIV introduces minimal latency overhead and requires no fine-tuning.

Abstract

Large language models (LLMs) remain acutely vulnerable to prompt injection and related jailbreak attacks; heuristic guardrails (rules, filters, LLM judges) are routinely bypassed. We present Contextual Integrity Verification (CIV), an inference-time security architecture that attaches cryptographically signed provenance labels to every token and enforces a source-trust lattice inside the transformer via a pre-softmax hard attention mask (with optional FFN/residual gating). CIV provides deterministic, per-token non-interference guarantees on frozen models: lower-trust tokens cannot influence higher-trust representations. On benchmarks derived from recent taxonomies of prompt-injection vectors (Elite-Attack + SoK-246), CIV attains 0% attack success rate under the stated threat model while preserving 93.1% token-level similarity and showing no degradation in model perplexity on benign tasks; we note a latency overhead attributable to a non-optimized data path. Because CIV is a lightweight patch -- no fine-tuning required -- we demonstrate drop-in protection for Llama-3-8B and Mistral-7B. We release a reference implementation, an automated certification harness, and the Elite-Attack corpus to support reproducible research.