Paper 2025/167
Wiretapping LLMs: Network Side-Channel Attacks on Interactive LLM Services
Abstract
Recent server-side optimizations like speculative decoding significantly enhance the interactivity and resource efficiency of Large Language Model (LLM) services. However, we show that these optimizations inadvertently introduce new side-channel vulnerabilities through network packet timing and size variations that tend to be input-dependent. Network adversaries can leverage these side channels to learn sensitive information contained in encrypted user prompts to and responses from public LLM services. This paper formalizes the security implications using a novel indistinguishability framework and introduces a novel attack that establishes the insecurity of real-world LLM services with streaming APIs under our security framework. Our proposed attack effectively deconstructs encrypted network packet traces to reveal the sizes of underlying LLM-generated tokens and whether the tokens were generated with or without certain server-side optimizations. Our attack can accurately predict private attributes in real-world privacy-sensitive LLM applications in medicine and finance with 71-92% accuracy on an open-source vLLM service and 50-90% accuracy on the commercial ChatGPT service. Finally, we show that solutions that hide these side channels to different degrees expose a tradeoff between security and performance, specifically interactivity and network bandwidth overheads.
Metadata
- Available format(s): PDF
- Category: Attacks and cryptanalysis
- Publication info: Preprint.
- Keywords: LLM privacy, Deep learning privacy, Machine learning privacy, Side channel attacks, Speculative decoding
- Contact author(s):
  - mahdi soleimani @ yale edu
  - grace jia @ yale edu
  - in gim @ yale edu
  - seung-seob lee @ yale edu
  - anurag khandelwal @ yale edu
- History:
  - 2025-02-05: approved
  - 2025-02-04: received
- Short URL: https://ia.cr/2025/167
- License: CC BY
BibTeX
@misc{cryptoeprint:2025/167,
      author = {Mahdi Soleimani and Grace Jia and In Gim and Seung-seob Lee and Anurag Khandelwal},
      title = {Wiretapping {LLMs}: Network Side-Channel Attacks on Interactive {LLM} Services},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/167},
      year = {2025},
      url = {https://eprint.iacr.org/2025/167}
}