Paper 2025/167

Wiretapping LLMs: Network Side-Channel Attacks on Interactive LLM Services

Mahdi Soleimani, Yale University
Grace Jia, Yale University
In Gim, Yale University
Seung-seob Lee, Yale University
Anurag Khandelwal, Yale University
Abstract

Recent server-side optimizations like speculative decoding significantly enhance the interactivity and resource efficiency of Large Language Model (LLM) services. However, we show that these optimizations inadvertently introduce new side-channel vulnerabilities through network packet timing and size variations that tend to be input-dependent. Network adversaries can leverage these side channels to learn sensitive information contained in encrypted user prompts to and responses from public LLM services. This paper formalizes the security implications using a novel indistinguishability framework and introduces a novel attack that establishes the insecurity of real-world LLM services with streaming APIs under our security framework. Our proposed attack effectively deconstructs encrypted network packet traces to reveal the sizes of underlying LLM-generated tokens and whether the tokens were generated with or without certain server-side optimizations. Our attack can accurately predict private attributes in real-world privacy-sensitive LLM applications in medicine and finance with 71–92% accuracy on an open-source vLLM service and 50–90% accuracy on the commercial ChatGPT service. Finally, we show that solutions that hide these side channels to different degrees expose a tradeoff between security and performance, specifically interactivity and network bandwidth overheads.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
LLM privacy, Deep learning privacy, Machine learning privacy, Side channel attacks, Speculative decoding
Contact author(s)
mahdi soleimani @ yale edu
grace jia @ yale edu
in gim @ yale edu
seung-seob lee @ yale edu
anurag khandelwal @ yale edu
History
2025-02-05: approved
2025-02-04: received
Short URL
https://ia.cr/2025/167
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/167,
      author = {Mahdi Soleimani and Grace Jia and In Gim and Seung-seob Lee and Anurag Khandelwal},
      title = {Wiretapping {LLMs}: Network Side-Channel Attacks on Interactive {LLM} Services},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/167},
      year = {2025},
      url = {https://eprint.iacr.org/2025/167}
}