Privacy-Preserving Mechanisms Enable Cheap Verifiable Inference of LLMs
Arka Pal, Louai Zahran, William Gvozdjak, Akilesh Potti, Micah Goldblum
Published on arXiv: 2602.17223
Output Integrity Attack
OWASP ML Top 10 — ML09
Key Finding: The privacy-preserving verifiable inference protocol built on SMPC (SIGMA) runs ~15x faster than state-of-the-art ZK methods on Llama-2-7B, with ~99% transcription success and negligible downstream impact.
Novel technique introduced: Logit Fingerprinting with Noise
As large language models (LLMs) continue to grow in size, fewer users are able to host and run models locally. This has led to increased use of third-party hosting services. However, in this setting, there is a lack of guarantees on the computation performed by the inference provider. For example, a dishonest provider may replace an expensive large model with a cheaper-to-run weaker model and return the results from the weaker model to the user. Existing tools to verify inference typically rely on methods from cryptography such as zero-knowledge proofs (ZKPs), but these add significant computational overhead and remain infeasible for large models. In this work, we develop a new insight: given a method for performing private LLM inference, one can obtain forms of verified inference at marginal extra cost. Specifically, we propose two new protocols that leverage privacy-preserving LLM inference in order to provide guarantees over the inference that was carried out. Our approaches are cheap, requiring the addition of only a few extra tokens of computation, and have little to no downstream impact. As the fastest privacy-preserving inference methods are typically faster than ZK methods, the proposed protocols also improve verification runtime. Our work provides novel insights into the connections between privacy and verifiability in LLM inference.
Key Contributions
- Novel insight that privacy-preserving inference mechanisms (SMPC, FHE) can be leveraged to provide verifiable inference guarantees at marginal extra cost
- Two concrete protocols: secret-key transcription and logit fingerprinting with noise, offering different levels of verification guarantees
- ~15x speedup over state-of-the-art ZK verification methods on Llama-2-7B with ~99% transcription rates and ~10^-15 guessing probability for secret keys
🛡️ Threat Analysis
The paper's primary contribution is verifiable inference schemes — protocols that prove model outputs actually came from the claimed LLM and were not substituted by a cheaper model. This directly addresses the output integrity and authenticity of LLM inference, which ML09 explicitly covers under 'verifiable inference schemes (proving outputs weren't tampered with)'.