OSNIP: Breaking the Privacy-Utility-Efficiency Trilemma in LLM Inference via Obfuscated Semantic Null Space
Zhiyuan Cao, Zeyu Ma, Chenhao Yang, Han Zheng, Mingang Chen
TL;DR
The paper addresses privacy leakage in Model-as-a-Service (MaaS) LLM inference by proposing OSNIP, a lightweight client-side framework that perturbs input embeddings to reside in an Obfuscated Semantic Null Space. By formalizing $d_{\mathcal{X}}$-privacy and defining a semantic null space $\mathcal{S}^{\mathrm f}_{\delta}(\mathbf{h})$ together with a geometric obfuscation region $\mathcal{O}_{\epsilon}(\mathbf{h})$, the authors prove that high-dimensional embeddings almost surely contain perturbations that preserve semantic utility while hindering inversion attacks. OSNIP introduces a key-conditioned perturbation mechanism with a diversity regularizer and employs a utility-gated curriculum to balance utility, privacy, and personalization, all without post-processing. Empirical results across 12 benchmarks and multiple open-source LLMs demonstrate near-lossless utility, dramatically reduced attack success rates (KNN and vocabulary-matching), and low latency, indicating a scalable and practical privacy solution for real-time MaaS deployment. The work suggests that high dimensionality can be leveraged to expand the viable perturbation space, enabling robust privacy without sacrificing performance as models scale.
Abstract
We propose Obfuscated Semantic Null space Injection for Privacy (OSNIP), a lightweight client-side encryption framework for privacy-preserving LLM inference. Generalizing the geometric intuition of linear kernels to the high-dimensional latent space of LLMs, we formally define the ``Obfuscated Semantic Null Space'', a high-dimensional regime that preserves semantic fidelity while enforcing near-orthogonality to the original embedding. By injecting perturbations that project the original embedding into this space, OSNIP ensures privacy without any post-processing. Furthermore, OSNIP employs a key-dependent stochastic mapping that synthesizes individualized perturbation trajectories unique to each user. Evaluations on 12 generative and classification benchmarks show that OSNIP achieves state-of-the-art performance, sharply reducing attack success rates while maintaining strong model utility under strict security constraints.
