Secure Multiparty Generative AI

Manil Shrestha, Yashodha Ravichandran, Edward Kim

TL;DR

Addresses privacy leakage in generative AI prompts and model IP exposure by proposing a Secure Multi-Party Computation (SMPC) framework. The method shards a transformer across $k$ splits on decentralized servers while the client enclave handles embeddings and the first/last attention layers, with security guaranteed if at least one honest node exists and a majority of verifiers are honest ($n>2$). A verification scheme based on locality-sensitive hashing (LSH) and majority or super-majority consensus ensures correctness even under nondeterministic computations, demonstrated with accuracies exceeding 99% across image and text tasks. The work suggests a practical path to privacy-preserving, decentralized generative AI deployments, trading some speed for robust privacy and IP protection.

Abstract

As usage of generative AI tools skyrockets, the amount of sensitive information being exposed to these models and centralized model providers is alarming. For example, confidential source code from Samsung was leaked after it was entered as a text prompt to ChatGPT. An increasing number of companies are restricting the use of LLMs (Apple, Verizon, JPMorgan Chase, etc.) due to data leakage or confidentiality issues. Also, an increasing number of centralized generative model providers are restricting, filtering, aligning, or censoring what can be used. Midjourney and RunwayML, two of the major image generation platforms, restrict the prompts to their system via prompt filtering. Certain political figures are restricted from image generation, as are words associated with women's health care, rights, and abortion. In our research, we present a secure and private methodology for generative artificial intelligence that does not expose sensitive data or models to third-party AI providers. Our work modifies the key building block of modern generative AI algorithms, namely the transformer, and introduces confidential and verifiable multiparty computations in a decentralized network to 1) maintain the privacy of the user input and obfuscate the output of the model, and 2) introduce privacy for the model itself. Additionally, the sharding process reduces the computational burden on any one node, enabling the distribution of large generative AI processes across multiple, smaller nodes. We show that as long as there exists one honest node in the decentralized computation, security is maintained. We also show that the inference process will still succeed if only a majority of the nodes in the computation are successful. Thus, our method offers both secure and verifiable computation in a decentralized network.

Paper Structure (15 sections, 2 equations, 4 figures, 1 table, 2 algorithms)

Figures (4)

  • Figure 1: Illustration of the Secure Multi-Party Computation (SMPC) architecture for a transformer-based generative AI model. The embedding model, along with the first and last attention layers of the transformer, is securely hosted within the client enclave. The remaining layers are divided into $k$ 'splits'. Each of the $k$ splits is distributed across decentralized servers, where one or more servers may host the same split.
  • Figure 2: Illustration of SMPC architecture flow with number of splits $k=2$ and redundant nodes $n=3$.
  • Figure 3: Graph showing the probabilities of independent verifiers detecting incorrect or fraudulent behavior under different likelihoods of deterministic generation. In the simple majority case, the majority of nodes are assumed honest, while in the super-majority case, over two-thirds of the nodes are assumed honest.
  • Figure 4: Visualizing the hidden states received by the client, we observe mostly noise initially, with patterns emerging in later, though still obfuscated, steps.
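The flow in the TL;DR and in Figures 2 and 3 (a client enclave running the first and last layers, each split executed redundantly by $n$ servers, and the client accepting a split's output only when an LSH-based majority or super-majority of the returned hidden states agree) can be simulated end to end. The block below is an added example written for this page, not the paper's code. It assumes a random-hyperplane (SimHash) LSH, a toy tanh layer standing in for each transformer split, a Hamming-distance tolerance `MAX_DIST`, and a hypothetical faulty node that returns a negated hidden state; all dimensions, seeds and node behaviours are constructed for illustration, with $k=2$ splits and $n=3$ redundant nodes as in Figure 2.

```python
"""Added example (not the paper's code): verifiable redundant execution of
transformer splits using locality-sensitive hashing and a consensus quorum.
All sizes, seeds, the toy layer and the node behaviours are constructed."""
import math
import random
from typing import Callable, List, Sequence, Tuple

Vector = List[float]
Node = Callable[[Vector], Vector]

DIM = 16        # toy hidden-state width (assumed; real models use thousands)
HASH_BITS = 64  # LSH signature length (assumed)
MAX_DIST = 8    # Hamming distance tolerated between "equal" hidden states (assumed)


def make_hyperplanes(seed: int, dim: int = DIM, bits: int = HASH_BITS) -> List[Vector]:
    """Random Gaussian hyperplanes shared by all verifiers, derived from a seed."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(bits)]


def lsh(vec: Vector, planes: Sequence[Vector]) -> int:
    """Random-hyperplane LSH: one bit per plane, the sign of the dot product.
    Hidden states that differ only by float jitter collide on almost every bit;
    a substantively different hidden state flips roughly half of them."""
    sig = 0
    for plane in planes:
        dot = sum(a * b for a, b in zip(vec, plane))
        sig = (sig << 1) | (1 if dot >= 0.0 else 0)
    return sig


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def toy_layer(vec: Vector, seed: int) -> Vector:
    """Stand-in for one transformer split: a fixed random linear map plus tanh."""
    rng = random.Random(seed)
    weights = [[rng.uniform(-0.5, 0.5) for _ in range(len(vec))] for _ in range(len(vec))]
    return [math.tanh(sum(w * x for w, x in zip(row, vec))) for row in weights]


def honest_node(split_seed: int, node_seed: int, jitter: float = 1e-4) -> Node:
    """Honest server: correct split output plus small nondeterministic jitter
    (models non-reproducible floating-point kernels)."""
    def run(vec: Vector) -> Vector:
        rng = random.Random(node_seed)
        return [x + rng.gauss(0.0, jitter) for x in toy_layer(vec, split_seed)]
    return run


def faulty_node(split_seed: int) -> Node:
    """Hypothetical dishonest/faulty server: returns a wrong hidden state (the negation)."""
    def run(vec: Vector) -> Vector:
        return [-x for x in toy_layer(vec, split_seed)]
    return run


def majority(n: int) -> int:
    return n // 2 + 1


def super_majority(n: int) -> int:
    return (2 * n) // 3 + 1  # strictly more than two-thirds of the n nodes


def verify(outputs: Sequence[Vector], planes: Sequence[Vector],
           quorum: int, max_dist: int = MAX_DIST) -> Tuple[Vector, List[int]]:
    """Cluster outputs by LSH signature; accept the largest cluster if it reaches quorum."""
    sigs = [lsh(o, planes) for o in outputs]
    best_idx, best_group = 0, []
    for i, s in enumerate(sigs):
        group = [j for j, t in enumerate(sigs) if hamming(s, t) <= max_dist]
        if len(group) > len(best_group):
            best_idx, best_group = i, group
    if len(best_group) < quorum:
        raise RuntimeError(f"verification failed: {len(best_group)} of {len(outputs)} "
                           f"nodes agree, quorum is {quorum}")
    return outputs[best_idx], best_group


def run_inference(x: Vector, splits: Sequence[Sequence[Node]], planes: Sequence[Vector],
                  quorum_fn: Callable[[int], int]) -> Tuple[Vector, List[List[int]]]:
    """Client enclave: embedding + first layer, then each split run redundantly and
    verified before its output is forwarded, then the last layer locally."""
    h = toy_layer(x, seed=1)              # client-side embedding and first attention layer
    groups = []
    for split in splits:
        outputs = [node(h) for node in split]
        h, group = verify(outputs, planes, quorum_fn(len(split)))
        groups.append(group)
    return toy_layer(h, seed=99), groups  # client-side last attention layer


def demo(quorum_fn: Callable[[int], int] = majority) -> Tuple[Vector, List[List[int]]]:
    planes = make_hyperplanes(seed=7)
    x = [math.sin(i) for i in range(DIM)]  # constructed input embedding
    splits = [
        [honest_node(10, 1), honest_node(10, 2), honest_node(10, 3)],  # split 1: all honest
        [honest_node(20, 4), honest_node(20, 5), faulty_node(20)],     # split 2: one faulty node
    ]
    return run_inference(x, splits, planes, quorum_fn)


if __name__ == "__main__":
    _, agreeing = demo()
    print("agreeing node indices per split:", agreeing)  # [[0, 1, 2], [0, 1]]
```

With the simple-majority quorum the faulty node in split 2 is outvoted and inference completes; with the super-majority quorum (3 of 3 for $n=3$) the same run is rejected, which is the trade-off Figure 3 describes between tolerance of dishonest nodes and availability. The Hamming tolerance is what lets verification survive nondeterministic floating-point output: jittered honest outputs differ in at most a few signature bits, while a wrong hidden state flips roughly half of them.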