AlienLM: Alienization of Language for API-Boundary Privacy in Black-Box LLMs
Jaehee Kim, Pilsung Kang
TL;DR
This work tackles plaintext exposure at the API boundary in black-box LLM deployments by introducing AlienLM, a privacy layer that translates text into an Alien Language using a vocabulary-level bijection and recovers plaintext on the client side. It enables API-only adaptation through Alien Adaptation Training (AAT), maintaining strong task performance across multiple backbones while significantly limiting recovery of plaintext by adversaries. The approach relies on proxy embeddings to optimize the bijection under black-box constraints and introduces an adjustable alienization ratio $\rho$ to balance opacity and utility. Extensive experiments across seven benchmarks and multiple models demonstrate robust performance retention ($>81\%$ of Oracle) and strong resistance to recovery under three observer scenarios, with domain adaptation and multi-tenant considerations discussed for deployment. While not offering formal cryptographic guarantees, AlienLM provides a practical, deployable solution for privacy-preserving LLM use in API-only environments, alongside clear directions for safety, alignment, and scalable key management.
Abstract
Modern LLMs are increasingly accessed via black-box APIs, requiring users to transmit sensitive prompts, outputs, and fine-tuning data to external providers, creating a critical privacy risk at the API boundary. We introduce AlienLM, a deployable API-only privacy layer that protects text by translating it into an Alien Language via a vocabulary-scale bijection, enabling lossless recovery on the client side. Using only standard fine-tuning APIs, Alien Adaptation Training (AAT) adapts target models to operate directly on alienized inputs. Across four LLM backbones and seven benchmarks, AlienLM retains over 81\% of plaintext-oracle performance on average, substantially outperforming random-bijection and character-level baselines. Under adversaries with access to model weights, corpus statistics, and learning-based inverse translation, recovery attacks reconstruct fewer than 0.22\% of alienized tokens. Our results demonstrate a practical pathway for privacy-preserving LLM deployment under API-only access, substantially reducing plaintext exposure while maintaining task performance.
