LLA: Enhancing Security and Privacy for Generative Models with Logic-Locked Accelerators
You Li, Guannan Zhao, Yuhao Ju, Yunqi He, Jie Gu, Hai Zhou
TL;DR
The paper tackles IP protection for large generative models deployed in supply chains, where model theft, corruption, or leakage threaten IP owners. It introduces LLA, a hybrid software-hardware locking framework that embeds key bits into protected FFN neurons and couples this with a hardware-locked systolic accelerator, making the model functional only with the correct key. The approach combines outlier-based protection, orthogonal obfuscation, and group-wise permutation to degrade incorrect-key performance while maintaining low overhead, and demonstrates robustness against oracle-guided attacks. The proposed method enables license-based access to GenAI services with minimal computational cost and broad hardware compatibility, addressing practical security needs for IaaS and self-hosted deployments.
Abstract
We introduce LLA, an effective intellectual property (IP) protection scheme for generative AI models. LLA leverages the synergy between hardware and software to defend against various supply chain threats, including model theft, model corruption, and information leakage. On the software side, it embeds key bits into neurons that can trigger outliers to degrade performance and applies invariance transformations to obscure the key values. On the hardware side, it integrates a lightweight locking module into the AI accelerator while maintaining compatibility with various dataflow patterns and toolchains. An accelerator with a pre-stored secret key acts as a license to access the model services provided by the IP owner. The evaluation results show that LLA can withstand a broad range of oracle-guided key optimization attacks, while incurring a minimal computational overhead of less than 0.1% for 7,168 key bits.
