Good-Enough LLM Obfuscation (GELO)

TL;DR

GELO is a lightweight, privacy-preserving protocol for large language models that uses per-batch invertible mixing to limit information leakage from untrusted accelerators, effectively defending against statistical attacks with minimal latency overhead.

Contribution

The paper introduces GELO, a novel obfuscation method using invertible mixing for LLM inference that balances privacy and efficiency, outperforming static schemes and cryptographic methods.

Findings

GELO preserves output accuracy exactly on Llama-2 7B.

It introduces about 20-30% latency overhead.

Successfully defeats ICA/BSS and anchor-based attacks.

Abstract

Large Language Models (LLMs) are increasingly served on shared accelerators where an adversary with read access to device memory can observe KV caches and hidden states, threatening prompt privacy for open-source models. Cryptographic protections such as MPC and FHE offer strong guarantees but remain one to two orders of magnitude too slow for interactive inference, while static obfuscation schemes break under multi-run statistical attacks once the model is known. We present GELO (Good-Enough LLM Obfuscation), a lightweight protocol for privacy-preserving inference that limits information leakage from untrusted accelerator observations by hiding hidden states with fresh, per-batch invertible mixing. For each offloaded projection, the TEE samples a random matrix $A$, forms $U = AH$, offloads $U$ and weights W to the accelerator, and then applies $A^{-1}$ on return, so that $A^{-1}((AH)W ) = HW$ and outputs are unchanged. Because mixing is never reused across batches, the attacker faces only a single-batch blind source separation problem. We analyse information leakage and introduce two practical defences: (i) non-orthogonal mixing to mask Gram matrices, and (ii) orthogonal mixing augmented with a small fraction of high-energy "shield" vectors that pollute higher-order statistics. On Llama-2 7B, GELO preserves float32 outputs exactly, closely matches low-precision baselines, offloads the dominant matrix multiplications with about 20-30% latency overhead, and defeats a range of ICA/BSS and anchor-based attacks.