Table of Contents
Fetching ...

OSNIP: Breaking the Privacy-Utility-Efficiency Trilemma in LLM Inference via Obfuscated Semantic Null Space

Zhiyuan Cao, Zeyu Ma, Chenhao Yang, Han Zheng, Mingang Chen

TL;DR

The paper addresses privacy leakage in Model-as-a-Service (MaaS) LLM inference by proposing OSNIP, a lightweight client-side framework that perturbs input embeddings to reside in an Obfuscated Semantic Null Space. By formalizing $d_{\mathcal{X}}$-privacy and defining a semantic null space $\mathcal{S}^{\mathrm f}_{\delta}(\mathbf{h})$ together with a geometric obfuscation region $\mathcal{O}_{\epsilon}(\mathbf{h})$, the authors prove that high-dimensional embeddings almost surely contain perturbations that preserve semantic utility while hindering inversion attacks. OSNIP introduces a key-conditioned perturbation mechanism with a diversity regularizer and employs a utility-gated curriculum to balance utility, privacy, and personalization, all without post-processing. Empirical results across 12 benchmarks and multiple open-source LLMs demonstrate near-lossless utility, dramatically reduced attack success rates (KNN and vocabulary-matching), and low latency, indicating a scalable and practical privacy solution for real-time MaaS deployment. The work suggests that high dimensionality can be leveraged to expand the viable perturbation space, enabling robust privacy without sacrificing performance as models scale.

Abstract

We propose Obfuscated Semantic Null space Injection for Privacy (OSNIP), a lightweight client-side encryption framework for privacy-preserving LLM inference. Generalizing the geometric intuition of linear kernels to the high-dimensional latent space of LLMs, we formally define the ``Obfuscated Semantic Null Space'', a high-dimensional regime that preserves semantic fidelity while enforcing near-orthogonality to the original embedding. By injecting perturbations that project the original embedding into this space, OSNIP ensures privacy without any post-processing. Furthermore, OSNIP employs a key-dependent stochastic mapping that synthesizes individualized perturbation trajectories unique to each user. Evaluations on 12 generative and classification benchmarks show that OSNIP achieves state-of-the-art performance, sharply reducing attack success rates while maintaining strong model utility under strict security constraints.

OSNIP: Breaking the Privacy-Utility-Efficiency Trilemma in LLM Inference via Obfuscated Semantic Null Space

TL;DR

The paper addresses privacy leakage in Model-as-a-Service (MaaS) LLM inference by proposing OSNIP, a lightweight client-side framework that perturbs input embeddings to reside in an Obfuscated Semantic Null Space. By formalizing -privacy and defining a semantic null space together with a geometric obfuscation region , the authors prove that high-dimensional embeddings almost surely contain perturbations that preserve semantic utility while hindering inversion attacks. OSNIP introduces a key-conditioned perturbation mechanism with a diversity regularizer and employs a utility-gated curriculum to balance utility, privacy, and personalization, all without post-processing. Empirical results across 12 benchmarks and multiple open-source LLMs demonstrate near-lossless utility, dramatically reduced attack success rates (KNN and vocabulary-matching), and low latency, indicating a scalable and practical privacy solution for real-time MaaS deployment. The work suggests that high dimensionality can be leveraged to expand the viable perturbation space, enabling robust privacy without sacrificing performance as models scale.

Abstract

We propose Obfuscated Semantic Null space Injection for Privacy (OSNIP), a lightweight client-side encryption framework for privacy-preserving LLM inference. Generalizing the geometric intuition of linear kernels to the high-dimensional latent space of LLMs, we formally define the ``Obfuscated Semantic Null Space'', a high-dimensional regime that preserves semantic fidelity while enforcing near-orthogonality to the original embedding. By injecting perturbations that project the original embedding into this space, OSNIP ensures privacy without any post-processing. Furthermore, OSNIP employs a key-dependent stochastic mapping that synthesizes individualized perturbation trajectories unique to each user. Evaluations on 12 generative and classification benchmarks show that OSNIP achieves state-of-the-art performance, sharply reducing attack success rates while maintaining strong model utility under strict security constraints.
Paper Structure (34 sections, 3 theorems, 43 equations, 8 figures, 8 tables)

This paper contains 34 sections, 3 theorems, 43 equations, 8 figures, 8 tables.

Key Result

Theorem 2.5

Suppose the semantic coverage rate satisfies the condition: Then $\mathcal{N}^{\mathrm{dir}}_{\delta,\epsilon}(\mathbf{h})\neq \varnothing$, hence $\mathcal{N}_{\delta,\epsilon}(\mathbf{h})\neq \varnothing$. Moreover,

Figures (8)

  • Figure 1: The OSNIP Architecture. Trusted Third Party trains an encryptor using corpora and randomized keys before deploying it client-side. Using their prompts and private keys, clients generate perturbed embeddings that resist privacy attacks by servers or interceptors, while still enabling standard server-side inference.
  • Figure 2: Optimization Dynamics of OSNIP on QWen3-32B.
  • Figure 3: Quantitative analysis of the “Perturbation-and-Recover” trajectory. From left to right, the panels show: (a) the layer-wise similarity, and (b) the token-wise similarity. Full heatmaps are detailed in Appendix \ref{['app:mechanistic_setup']}.
  • Figure 4: Privacy-Utility Pareto Frontiers. Visualization of the trade-off between Privacy and Utility. Scatter points represent distinct feasible solutions explored within the optimization landscape, while solid lines delineate the empirical Pareto frontiers.
  • Figure 5: Visualization of embedding distribution. The plot shows the spatial distribution of embeddings projected onto the first two principal components. The black star denotes the original input representation. The single red dot indicates the perturbed embedding generated without the Diversity Loss ($\mathcal{L}_\text{div}$). The green dots represent the distribution of perturbations generated by the full method across multiple random keys.
  • ...and 3 more figures

Theorems & Definitions (10)

  • Definition 2.1: $d_{\mathcal{X}}$-Privacy
  • Definition 2.2: Semantic Null Space
  • Definition 2.3: Geometric Obfuscation Region
  • Definition 2.4: Obfuscated Semantic Null Space
  • Theorem 2.5: Existence of Semantic Null Space
  • Corollary 2.6: Asymptotic Semantic Dominance
  • Lemma 2.1: Spherical orthogonal-band complement bound
  • proof
  • proof : Proof of Theorem 2.5
  • proof : Proof of Corollary 2.6