Stealing User Prompts from Mixture-of-Experts Models

Thank you very much for the feedback on the paper.

As acknowledged in the submission, the setting is unrealistic. The adversary needs to (1) control the placement of target inputs in the batch, (2) repeatedly submit different orderings of the same batch to the model, and (3) observe its internal routing choices. Man-in-the-middle (mention in 3.1) might be able to do (1) -- although not entirely clear how -- but not (2) or (3). I cannot think of any setting where (2) and (3) are available to the adversary, yet the adversary is unable to directly observe inputs into the model.

We view our paper is an important proof-of-concept that model architectural decisions can have privacy impact on user submitted data. We argue in Section 6 that not only do we expect the attack to get better, but we also suspect that other flavours of MoE routing strategies can be exploitable.

Evaluation is rudimentary, just a single Mixtral model. I understand this is a proof-of-concept, but seems a little skimpy for a conference submission.

Since our current attack algorithm is general (has precise complexity bound) and exploits specifics of the routing algorithm, we are not sure if further models would change the paper narrative at all. Importantly, complexity grows with the number of layers due to the logit matching phase of the attack and less with the choice of specific experts. We evaluated the attack with randomly initialised experts and saw no major change in hardness of blocking the experts.

Just a single routing strategy is investigated. I do believe that other routing strategies may be similarly vulnerable, but again, seems skimpy for a conference submission.

We disagree with the reviewer on this point. Getting the a general attack algorithm to work and identifying the exact threat model to make it feasible was not at all a trivial effort that took many months of hacking and exploration. We also want to note that to make the attack work not only did we have to model the routing algorithm itself, but we also needed to debug deep specifics of how tie handling operates on accelerators in practice. We would expect that exploiting other strategies and optimising the one presented in our manuscript would take months if not years of effort; while at the same time the simple fact uncovered by our attack will remain -- MoE with ECR is vulnerable and leaks user data bit by bit.

Defences are not really explored in any depth. Randomizing top-k and/or token dropping (or other aspects) should mitigate the attack, but would it have a noticeable impact on performance / quality of the results?

We want to note that adding random noise of magnitudes considered here will not disrupt the model performance almost at all, since at present the attack requires extreme precision to exploit the tie handling.

Thank you very much for the feedback on the paper.

The authors acknowledge upfront that their threat model is unrealistic (line 135). I will add some additional reasons why the threat model is unrealistic; ...

Thank you very much for all of the above points, they are extremely useful for setting the scene on deployment practices. We agree fully that at present the attack is unrealistic and we emphasize this in the paper. We will add a section to the appendix to expand on the above points and also add a note to the existing Section 6 with additional requirements for the future attacks to become realistic. We once again thank the reviewer for this.

The authors do not spend enough time proposing defenses; the paragraph starting on (line 484) should be expanded into a subsection. The authors had some ~30 lines remaining so it's not a matter of space constraints.

Many thanks for this. We will add more to the defenses section. Currently to defend one really needs to add minor amount of noise, since the current attack requires extreme precision to work and errors compound making extraction of later letters harder.

The main text of the paper is pretty much incomplete. There are too many places where the reader is forced to scroll to the Appendix and read a chunk of text in order to follow the paper. This is unfortunately becoming a common practice, but I dislike it nonetheless.

We agree with the reviewer, but we could not find another way to overcome it, since there is quite a bit of complexity to describe how and why the attack works. We will iterate over the manuscript to improve its readability.

The confidence intervals seem way too large in Figure 4. It looks like all these attacks could just have 0 success rate. And this is even in the super unrealistic setting where the canaries are taking on a few values, the vocab is <10k (Gemma has vocab 256k), the model is artificially altered to make the attack work at all.

Indeed. That was due to the quirks of the hyperparameters chosen for this particular evaluation run. After a minor change to the evaluation parameters we reduced the variance in performance and now the attack works in almost 100% of cases.

The attack is pretty unsophisticated.

Although we agree with the reviewer that the final attack algorithm is unsophisticated, we want to stress that making it work was not at all easy. Getting the general attack algorithm to work and identifying the exact threat model to make it feasible was not at all a trivial effort that took many months of hacking and exploration. We also want to note that to make the attack work not only did we have to model the routing algorithm itself, but we also needed to debug deep specifics of how tie handling operates on accelerators in practice.

What can the community learn from the development from this attack? It has no practical implications, so there should be something about the design that is clever or inspires new ideas.

We view our paper is an important proof-of-concept that model architectural decisions can have privacy impact on user submitted data. We argue in Section 6 that not only do we expect the attack to get better, but we also suspect that other flavours of MoE routing strategies can be exploitable. Our work is an example to a simple fact -- MoE with ECR is vulnerable and leaks user data bit by bit.

Note that you could make the same comments about Spectre or Meltdown attacks (ie simple, unsophisticated, leaks a single bit), yet it had a major impact in how speculation is performed on our everyday computers; and it was in fact used to perform real-world impacting attacks. Our work shows a novel kind of vulnerability; stronger attacks will follow.

There are some minor typos (line 496) (line 837) (line 342) (line 819) (line 820) Thank you very much for this. All fixed now.

Thank you very much for the feedback on the paper.

Could you please further discuss about how man-in-the-middle attacks can help to inject the proposed attack in LLM server?

Thank you for raising this point. We agree that discussing the feasibility of the attack in real-world scenarios is important. In MITM scenarios an attacker can have more control of the user interaction with a server [1], even though the communication is encrypted and thus not visible to the attacker. In such settings one can carry our attack more realistically, as the requirement of controlling the positions in batch or forcing the user to send the same secret message repeatedly. We will add a section to illustrate that.

Could you discuss what will happen if there are two tokens sharing the same routing path.

Thank you for this insightful question. Our exploit is designed to handle cases where two tokens share the same routing path. We ensure a unique signal is generated only when our guesses for both the token's identity and its position within the target expert buffer are correct. This allows us to differentiate between tokens even if they follow identical routing paths. We will clarify this mechanism further in the revised version.

The threat model assumes an attacker with significant control over the LLM server, which may not be practical in real-world settings. Additionally, token-dropping techniques are not widely used in recent LLM inference architectures, limiting the relevance of the attack to current models.

We appreciate your feedback on the threat model. You're right that the current attack assumes a strong attacker, and token-dropping may not be prevalent in current LLMs. However, we believe it's crucial to proactively identify and address potential vulnerabilities, even if they are not immediately exploitable. Our work aims to raise awareness about the risks associated with certain design choices in LLMs and encourage the development of secure and robust architectures. This is particularly relevant for future LLMs and evolving inference techniques, where token-dropping or similar mechanisms might be employed. By highlighting these vulnerabilities, we hope to inform the design and implementation of secure LLMs, even if the specific attack demonstrated here has limitations in current real-world settings.

The attack is computationally intensive, requiring up to 1,000 tokens for each token being extracted, which may restrict its feasibility in large-scale applications.

We acknowledge the computational limitations of the current attack. As you pointed out, the attack's complexity could hinder its feasibility in large-scale applications. However, we believe the core findings of our research remain valuable. Our work highlights a previously unknown vulnerability that could have significant implications for the security and privacy of LLMs. This information is crucial for LLM architects and developers, particularly those working with Trusted Execution Environments, as it underscores the need for robust security measures to protect user data, even within batched processing environments. We hope our findings will stimulate further research into more efficient attack strategies and mitigation techniques.

The explanation of the proposed method for Recovering Target Token Routing Path lacks clarity. It is unclear how the method handles cases where two tokens share the same routing path. If two tokens follow identical paths, this could complicate the attack, as distinguishing between them based on routing alone may not be difficult.

Thank you for your feedback on the clarity of our method. We will revise the explanation of the 'Recovering Target Token Routing Path' method in the paper to provide a more comprehensive and clear description. As mentioned earlier, our attack can successfully distinguish between tokens sharing the same routing path by relying on the unique signal generated only when both the token's identity and position are correctly guessed. We will ensure this aspect is clearly conveyed in the revised manuscript.

[1] https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit#slide=id.g1d134dff_1_222