Shadow in the Cache: Unveiling and Mitigating Privacy Risks of KV-cache in LLM Inference

Zhifan Luo, Shuo Shao, Su Zhang, Lijing Zhou, Yuke Hu, Chenxu Zhao, Zhihao Liu, Zhan Qin

TL;DR

This work exposes practical privacy risks from KV-cache in LLM inference, demonstrating that an adversary can reconstruct user inputs via three attack vectors. It introduces KV-Cloak, a lightweight, lossless defense based on reversible matrix obfuscation and operator fusion, designed to shield KV-cache without harming model fidelity or performance. Extensive experiments across diverse models and datasets show that KV-Cloak neutralizes all proposed attacks with minimal overhead, outperforming differential privacy in preserving utility. The study provides a concrete, engineering-friendly solution for secure, scalable LLM deployment in real-world, high-throughput settings.

Abstract

The Key-Value (KV) cache, which stores intermediate attention computations (Key and Value pairs) to avoid redundant calculations, is a fundamental mechanism for accelerating Large Language Model (LLM) inference. However, this efficiency optimization introduces significant yet underexplored privacy risks. This paper provides the first comprehensive analysis of these vulnerabilities, demonstrating that an attacker can reconstruct sensitive user inputs directly from the KV-cache. We design and implement three distinct attack vectors: a direct Inversion Attack, a more broadly applicable and potent Collision Attack, and a semantic-based Injection Attack. These methods demonstrate the practicality and severity of KV-cache privacy leakage issues. To mitigate this, we propose KV-Cloak, a novel, lightweight, and efficient defense mechanism. KV-Cloak uses a reversible matrix-based obfuscation scheme, combined with operator fusion, to secure the KV-cache. Our extensive experiments show that KV-Cloak effectively thwarts all proposed attacks, reducing reconstruction quality to random noise. Crucially, it achieves this robust security with virtually no degradation in model accuracy and minimal performance overhead, offering a practical solution for trustworthy LLM deployment.

Paper Structure

This paper contains 47 sections, 22 equations, 9 figures, 12 tables.

Figures (9)

  • Figure 1: Overview of the privacy-preserving LLM inference workflow and the associated KV-cache leakage threat model. While user-server communication is encrypted (black lines), the KV-cache is often transmitted and stored in plaintext (red dashed lines), creating a surface for privacy attacks.
  • Figure 2: Workflow of the three proposed KV-cache input reconstruction attacks.
  • Figure 3: Distance distributions of target tokens $d_{\text{target}}$ (orange) versus incorrect tokens $d_{\text{other}}$ (blue) in the Collision Attack. The input is an excerpt from "The Bitter Lesson" (see the appendix). The attack targets the last-layer KV-cache of LLaMA-3.1-8B (left) and LLaMA-3.1-8B-Distilled (right) using weights from the base model. Vertical lines indicate the heuristic threshold ($3\sigma_{\text{other}}$, green dotted) and the prior-knowledge enhanced threshold ($r=64$, red dashed).
  • Figure 4: The effect of truncating the probability-sorted vocabulary on reconstruction fidelity and attack time. Experiments were run with a batch size of 256 and an outlier threshold of $3\sigma_{\text{other}}$.
  • Figure 5: Collision Attack experiments on LLaMA-3.1-8B-Distilled using optimal thresholds derived for different assumed token ranks ($r$).
  • ...and 4 more figures