Your Inference Request Will Become a Black Box: Confidential Inference for Cloud-based Large Language Models

TL;DR

This paper introduces Talaria, a framework for confidential inference on cloud-based LLMs that protects client data and model privacy without sacrificing performance or efficiency.

Contribution

It proposes a novel partitioning and masking protocol, ReMO, enabling secure, lossless inference with strong privacy guarantees against inference attacks.

Findings

Reduces token inference attack accuracy from 97.5% to 1.34%.

Maintains identical output to original models.

Ensures privacy without significant efficiency loss.

Abstract

The increasing reliance on cloud-hosted Large Language Models (LLMs) exposes sensitive client data, such as prompts and responses, to potential privacy breaches by service providers. Existing approaches fail to ensure privacy, maintain model performance, and preserve computational efficiency simultaneously. To address this challenge, we propose Talaria, a confidential inference framework that partitions the LLM pipeline to protect client data without compromising the cloud's model intellectual property or inference quality. Talaria executes sensitive, weight-independent operations within a client-controlled Confidential Virtual Machine (CVM) while offloading weight-dependent computations to the cloud GPUs. The interaction between these environments is secured by our Reversible Masked Outsourcing (ReMO) protocol, which uses a hybrid masking technique to reversibly obscure intermediate data before outsourcing computations. Extensive evaluations show that Talaria can defend against state-of-the-art token inference attacks, reducing token reconstruction accuracy from over 97.5% to an average of 1.34%, all while being a lossless mechanism that guarantees output identical to the original model without significantly decreasing efficiency and scalability. To the best of our knowledge, this is the first work that ensures clients' prompts and responses remain inaccessible to the cloud, while also preserving model privacy, performance, and efficiency.