LoopLLM: Transferable Energy-Latency Attacks in LLMs via Repetitive Generation

TL;DR

LoopLLM is a novel attack framework that exploits repetitive generation in large language models to induce high energy and latency costs, demonstrating high transferability and effectiveness across multiple models.

Contribution

It introduces a new attack method leveraging low-entropy decoding loops and gradient aggregation for improved transferability and effectiveness.

Findings

Achieves over 90% of maximum output length in attacks.

Outperforms existing methods by a significant margin.

Improves transferability to commercial LLMs by around 40%.

Abstract

As large language models (LLMs) scale, their inference incurs substantial computational resources, exposing them to energy-latency attacks, where crafted prompts induce high energy and latency cost. Existing attack methods aim to prolong output by delaying the generation of termination symbols. However, as the output grows longer, controlling the termination symbols through input becomes difficult, making these methods less effective. Therefore, we propose LoopLLM, an energy-latency attack framework based on the observation that repetitive generation can trigger low-entropy decoding loops, reliably compelling LLMs to generate until their output limits. LoopLLM introduces (1) a repetition-inducing prompt optimization that exploits autoregressive vulnerabilities to induce repetitive generation, and (2) a token-aligned ensemble optimization that aggregates gradients to improve cross-model transferability. Extensive experiments on 12 open-source and 2 commercial LLMs show that LoopLLM significantly outperforms existing methods, achieving over 90% of the maximum output length, compared to 20% for baselines, and improving transferability by around 40% to DeepSeek-V3 and Gemini 2.5 Flash.