AttestLLM: Efficient Attestation Framework for Billion-scale On-device LLMs

Ruisi Zhang, Yifei Zhao, Neusha Javidnia, Mengxin Zheng, Farinaz Koushanfar

TL;DR

AttestLLM addresses the critical need to verify and protect hardware-level IP for billion-parameter on-device LLMs by coupling offline watermarking with online attestation inside a TEE. It introduces a co-design approach where watermark bits are adaptively allocated across Transformer layers based on activation saliency and embedded with quantization-aware optimization, followed by a scalable, efficient online attestation workflow that uses a virtualization-enabled TEE to verify layer-wise watermarks with sampled activations. Empirical results across Llama, Qwen, and Phi families show 100% watermark extraction and pass rates, minimal fidelity loss (PPL and Zero-shot Accuracy degradations under 1%), and substantial latency/energy reductions relative to prior TEE-based IP protection methods. The framework demonstrates robustness against watermark forgery, partial/full model replacement, and TEE-system attacks, making it practical for deployment on billion-parameter LLMs in constrained edge environments.

Abstract

As on-device LLMs (e.g., Apple on-device Intelligence) are widely adopted to reduce network dependency, improve privacy, and enhance responsiveness, verifying the legitimacy of models running on local devices becomes critical. Existing attestation techniques are not suitable for billion-parameter Large Language Models (LLMs), struggling to remain both time- and memory-efficient while addressing emerging threats in the LLM era. In this paper, we present AttestLLM, the first-of-its-kind attestation framework to protect the hardware-level intellectual property (IP) of device vendors by ensuring that only authorized LLMs can execute on target platforms. AttestLLM leverages an algorithm/software/hardware co-design approach to embed robust watermarking signatures onto the activation distributions of LLM building blocks. It also optimizes the attestation protocol within the Trusted Execution Environment (TEE), providing efficient verification without compromising inference throughput. Extensive proof-of-concept evaluations on LLMs from Llama, Qwen, and Phi families for on-device use cases demonstrate AttestLLM's attestation reliability, fidelity, and efficiency. Furthermore, AttestLLM enforces model legitimacy and exhibits resilience against model replacement and forgery attacks.

Paper Structure

This paper contains 25 sections, 4 equations, 4 figures, 4 tables, and 1 algorithm.

Figures (4)

  • Figure 1: Attestation overview: AttestLLM in the TEE periodically attests models in the REE, ensuring that only authenticated LLMs are executed while blocking unauthorized ones.
  • Figure 2: AttestLLM pipeline. Offline watermarking performs (A) sensitivity analysis to adaptively allocate the watermark across layers, and (B) optimization-based watermark insertion to embed device-specific signatures with fidelity and robustness; online attestation attests the watermarked LLM on edge devices by ➀ periodically requesting attestation, and ➁-➃ securely copying sampled LLM layers into the TEE for watermark verification. Only an authorized LLM (WER=1) is allowed to run normal inference.
  • Figure 3: Attestation latency and energy overhead (%) of LLMs quantized into INT4 and INT8. Lower is better.
  • Figure 4: Attestation overhead with different ($f$, $k$) choices.
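The offline allocation/insertion and online sampled-layer attestation described in the TL;DR and the Figure 2 caption, as a constructed toy added here (not the paper's code). The sign-of-projection watermark on per-layer activation statistics, the key derivation, the gaussian "activation" values and the device secret are assumptions standing in for the paper's quantization-aware, optimization-based insertion; the pass rule (WER must equal 1) and the sampled-layer check follow the page.

```python
import hashlib, random
# Constructed toy (added example, not the paper's code): L layers, each summarised
# by a D-dim activation statistic; TOTAL_BITS is the device-signature budget.
L, D, TOTAL_BITS = 8, 16, 24

def derive_keys(secret: bytes, layer: int, n_bits: int) -> list:
    # Per-layer secret projection directions; assumption: the secret stays in the TEE.
    rngs = [random.Random(hashlib.sha256(secret + bytes([layer, j])).digest()) for j in range(n_bits)]
    return [[r.uniform(-1.0, 1.0) for _ in range(D)] for r in rngs]

def allocate_bits(saliency: list, total: int) -> list:
    # Adaptive allocation (Fig. 2A): bits ~ layer saliency, at least one per layer.
    return [max(1, round(total * v / sum(saliency))) for v in saliency]

def extract_bits(stat: list, keys: list) -> list:
    # A bit is the sign of the statistic projected onto one secret direction.
    return [1 if sum(a * c for a, c in zip(stat, k)) > 0 else 0 for k in keys]

def embed_layer(stat: list, keys: list, bits: list, margin: float = 0.5) -> list:
    # Minimal-shift insertion: nudge along each key until every projection has its
    # target sign with a margin; repeated passes since keys are not orthogonal.
    stat = list(stat)
    for _ in range(100):
        if extract_bits(stat, keys) == bits:
            break
        for k, b in zip(keys, bits):
            want, p = (1 if b else -1), sum(a * c for a, c in zip(stat, k))
            if p * want < margin:
                step = (margin - p * want) / sum(c * c for c in k)
                stat = [a + want * step * c for a, c in zip(stat, k)]
    return stat

def attest(stats: list, alloc: list, secret: bytes, targets: list, k: int, rng) -> float:
    # Online check (Fig. 2 ➀-➃): sample k layers, re-extract their bits inside the
    # TEE and return the watermark extraction rate (WER); only WER == 1 passes.
    hits = total = 0
    for l in rng.sample(range(len(stats)), k):
        got = extract_bits(stats[l], derive_keys(secret, l, alloc[l]))
        hits += sum(g == t for g, t in zip(got, targets[l]))
        total += alloc[l]
    return hits / total

def demo(seed: int = 1) -> tuple:
    # Watermark a constructed model; attest it on all layers, then on 3 sampled
    # layers; finally attest an unmarked replacement model of the same shape.
    rng = random.Random(seed)
    secret = b"device-secret-placeholder"  # placeholder, not a real key
    alloc = allocate_bits([rng.uniform(0.2, 1.0) for _ in range(L)], TOTAL_BITS)
    targets = [[rng.randint(0, 1) for _ in range(n)] for n in alloc]
    marked = [embed_layer([rng.gauss(0, 1) for _ in range(D)], derive_keys(secret, l, alloc[l]), targets[l]) for l in range(L)]
    swapped = [[rng.gauss(0, 1) for _ in range(D)] for _ in range(L)]
    return (attest(marked, alloc, secret, targets, L, rng), attest(marked, alloc, secret, targets, 3, rng), attest(swapped, alloc, secret, targets, L, rng))
```

The first two values of `demo()` are 1.0 (full and sampled attestation of the watermarked model); the third, for the replacement model, falls well below 1 and so fails the WER=1 rule.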