When Speculation Spills Secrets: Side Channels via Speculative Decoding In LLMs
This exposes a security risk for deployed LLM services, potentially compromising user privacy and confidential data, and is incremental in identifying a new side-channel in existing techniques.
The paper tackles the problem of side-channel vulnerabilities in speculative decoding for large language models, revealing that input-dependent patterns can leak user queries with over 90% accuracy and confidential data at rates exceeding 25 tokens/sec. It demonstrates attacks across multiple schemes and proposes mitigations like packet padding.
Deployed large language models (LLMs) often rely on speculative decoding, a technique that generates and verifies multiple candidate tokens in parallel, to improve throughput and latency. In this work, we reveal a new side-channel whereby input-dependent patterns of correct and incorrect speculations can be inferred by monitoring per-iteration token counts or packet sizes.We demonstrate that an adversary observing these patterns can fingerprint user queries with >90% accuracy across four speculative-decoding schemes, REST (100\%), LADE (up to 92%), BiLD (up to 95%), and EAGLE (up to 77.6%) and leak confidential datastore contents used for prediction at rates exceeding 25 tokens/sec. We evaluate the side-channel attacks in both research prototypes as well as the production-grade vLLM serving framework. To defend against these, we propose and evaluate a suite of mitigations, including packet padding and iteration-wise token aggregation.