SLIP-SEC: Formalizing Secure Protocols for Model IP Protection
Racchit Jain, Satya Lokam, Yehonathan Refael, Adam Hakim, Lev Greenberg, Jay Tenenbaum
TL;DR
This work targets protecting proprietary large language model IP when inference is split between a trusted and an untrusted party. It formalizes model decomposition $\Theta = (\Theta_{\mathcal{C}}, \Theta_{\mathcal{D}})$ and a hybrid inference protocol that offloads most computation to the untrusted side while limiting IP leakage, using additive weight splits $W_i = W_i^{\mathcal{C}} + W_i^{\mathcal{D}}$. It proves information-theoretic security for the honest-but-curious setting and negligible soundness for malicious adversaries, employing masking, additive decompositions, and probabilistic verification (e.g., batched Freivalds' checks). This work establishes the first formal, provably secure hybrid inference framework for LLM IP protection, with empirical validation deferred to a companion paper and implications for cryptography-meets-ML system design.
Abstract
Large Language Models (LLMs) represent valuable intellectual property (IP), reflecting significant investments in training data, compute, and expertise. Deploying these models on partially trusted or insecure devices introduces substantial risk of model theft, making it essential to design inference protocols with provable security guarantees. We present the formal framework and security foundations of SLIP, a hybrid inference protocol that splits model computation between a trusted and an untrusted resource. We define and analyze the key notions of model decomposition and hybrid inference protocols, and introduce formal properties including safety, correctness, efficiency, and t-soundness. We construct secure inference protocols based on additive decompositions of weight matrices, combined with masking and probabilistic verification techniques. We prove that these protocols achieve information-theoretic security against honest-but-curious adversaries, and provide robustness against malicious adversaries with negligible soundness error. This paper focuses on the theoretical underpinnings of SLIP: precise definitions, formal protocols, and proofs of security. Empirical validation and decomposition heuristics appear in the companion SLIP paper. Together, the two works provide a complete account of securing LLM IP via hybrid inference, bridging both practice and theory.