PowerSoftmax: Towards secure LLM Inference Over Encrypted Data

Thank you for taking the time to provide such informative feedback.

Weaknesses:

W.1. The writing could be further improved. For example, ϵ′ in Eqn. (5) and ⊙ in Eqn. (9) are not defined (⊙ in Line 77 only defined for two ciphertext numbers, rather than matrices). Additionally, "x" in Line 258 should be written as "x". Moreover, Furthermore, Line 219 references Eqn. (6) without any prior description, making it challenging to follow the content.

We sincerely thank the reviewer for pointing out these issues and providing detailed feedback to improve the clarity of our paper. We have addressed the concerns in the revised version.

W.2. I am concerned about the novelty of this paper’s contributions..

We respectfully disagree with the reviewer that the novelty is limited. Please see our response in the shared response and let us know if you have further concerns.

W.3. The paper’s significance may be limited without a detailed latency comparison for HE-based inference. Although the authors claim to present the first private LLM with 1B parameters, the primary challenge for HE-based large-scale models lies in the high latency of HE operations (in other words, building large-scale models is trivial if latency is disregarded). The paper lacks inference accuracy and latency comparisons with prior studies. Including such comparisons would significantly enhance the evaluation of the proposed method's effectiveness.

Answer: Please see our global comment regarding the concerns about HE. Additionally, it may be the case that using a large enough approximation, any model could become a polynomial model. However, the practicality of this claim has never been tested or proven. On the contrary, training polynomial models is considered a difficult task (see references in the text). We demonstrate for the first time that it is possible, while also suggesting ways to improve the practicality of polynomial models under FHE.

---

Questions:

Q.1. What is the inference latency of the proposed method, and how does it compare with previous HE-based neural network methods?

Answer: Please see our global comment about HE concern.

Q.2. In line 218, it is stated that “it is clear that Eq. (2) and Eq. (6) can lead to training instability…”. Could the authors provide a more detailed explanation regarding this point?

Similar to Softmax, numerical issues can arise because exponential functions or polynomial functions like x^p amplify large inputs (greater than 1) while shrinking small inputs (less than 1). This creates a wide dynamic range where large values dominate, and small values contribute negligibly, leading to a potential loss of significance and resulting in numerical instability. Similar to the log-sum-exp trick, our stable variant mitigates this by dividing by the maximum absolute value, ensuring the values remain within a numerically stable range.

We thank the reviewer for their comments.

Weaknesses:

W.1. The novelty is limited.

We respectfully disagree with the reviewer that the novelty is limited. Please see our response in the shared response and let us know if you have further concerns.

W.2. The scalability is questionable… The proposed method requires training from scratch. Retraining the LLMs is often impractical.

We would like to clarify an important point: our approach does not require training LLMs from scratch. Instead, we employ continual pretraining (lines 325-332), where we start from a pretrained model, replace Softmax with our proposed PowerSoftmax-based attention, and fine-tune the model with the same hyperparameters as of the original model until convergence, as described in Algorithm 1. Since PowerSoftmax preserves the mechanism of the original Softmax, this replacement can be seamlessly integrated after pretraining, allowing us to retain the core functionality and knowledge encoded in the pretrained model.

This is in contrast to paper [1], which replaces Softmax with an elementwise attention mechanism, specifically ReLU. Such a replacement alters the fundamental behavior of the attention mechanism, requiring training from scratch and affecting model scalability.

By leveraging continual pretraining, our approach significantly reduces computational costs while ensuring scalability. As a result, our method is capable of effectively handling larger models, including those with more than 32 layers.

Moreover, continual pretraining facilitates incremental updates to existing models, making the integration of our method both feasible and practical for real-world applications.

[1] Zimerman et al. "Converting transformers to polynomial form for secure inference over homomorphic encryption", ICML 2024.

W.3. The threat model is not clear.

Answer. Please see our global answer for the security concern. We added the threat model description in Appendix H.

W.4. The HE experiments are not clear or comprehensive.

Answer: Figure 3 reports the contribution of every component to the latency when computing under FHE. Specifically, it shows that PowerSoftmax consumes only 6% out of the total run. Please see our global comment about HE concern regarding a comparison with other Softmax approximation techniques and the reason that we choose to present only this experiment. Note that until this paper, there were no benchmarks to compare with except for Nexus, where we explained in the paper why our PowerSoftmax approach is better.

W.5. There is some inconsistency in the presentation.

We thank the reviewer for catching this typo, which we have corrected in the revised manuscript. To improve clarity, we have also performed additional professional proofreading. The revised manuscript was uploaded.

---

Questions:

The breakdown in Figure 3 does not include the latency of the GELU function. Is the GELU function not used? Is SoftMax the main bottleneck during private inference?

This evaluation was performed with ReLU activations instead of GeLU activations. However, this choice is not critical, and the experiment can be easily reproduced with other activation functions if the reviewer considers it important.

As the number of tokens in a prompt increases, the size of the attention matrix grows quadratically, leading to a significantly higher computational cost for the softmax function compared to other operations that scale linearly. Consequently, improving the attention mechanism is a critical objective for polynomial transformers in secure inference, especially for efficiently handling long context.

If the model weights need to be encoded and encrypted, is this a one-time process that can be performed offline?

Answer: Yes and No—there is an interesting tradeoff here. Due to the number of parameters and the choice of FHE packing, the size of the encoded and encrypted model can be quite large, ranging from MB to TB. When the model size exceeds the capacity of the CPU/GPU cache, it is more efficient to encode and encrypt the model on the fly. The decision of whether to use a preprocessed input or to evaluate it dynamically is an interesting and orthogonal research topic to ours, and it should be addressed by the developers of FHE compilers like HElayers.

Thanks to the authors for their efforts and detailed response. I have the following comments.

The nolvety.

I acknowledge the authors' analysis on the properties of Softmax-based attention. However, the key properties of Softmax-based attention have been widely explored in related works such as [1] (see their second motivation).

The scalability.

I appreciate the authors explanations. The fine-tuning strategy makes sense to me. However, if the training-from-scratch (in Algorithm 1) is not actually used in this paper, it would be more clear the authors replace training-from-scratch (e.g., those in line 307) with fine-tuning. Additionally, how many epochs and time are needed to fine-tune the PowerSoftmax? These overheads should be taken into consideration when comparing with NEXUS, since NEXUS is a PTA method which does not need fine-tuning.

Specifically, in this paper, the reviewers can consider only the simple case where the model weights are generated by the server and thus are unencrypted (while the query is still encrypted by the data-owner).

Even if the proposed methods use the common threat models in prior-arts (e.g., those in the client-server and client-server-model provider settings), I do not think the threat model should be omitted. The current statement in Section 3 remains ambiguous. At least more clarification should be given in the Appendix.

Also, the authors suggest the reviewers to focus on the client-server setting where the weights are unencrypted. If this setting is the main focus of the paper, all experiments should be based on this setting. However, encoding the weights becomes the main bottleneck in Figure 3, which is confusing to me.

The model weights encryption in Q2 can also be clarified along with the threat model.

Presentation.

In addition to the unclear threat model, there are many other points I find unclear and confusing with respect to the presentation. Figure 2 (middle) shows subtraction invariance, which appears inconsistent with Equation 5. Additionally, in line 440, 'with' should be red instead of blue to align with Figure 6. I believe the manuscript can benefit from a careful proofreading and revision.

The GELU function

The authors explicitly mention GELU in line 309 in Algorithm 1 and in the Appendix D. It should be clarified for which experiments GELU are used and for which ReLU are used. Replacing GELU with ReLU without clarification is misleading. The only reference about ReLU I can find is the scaled-ReLU attention baseline.

HE experiments.

I understand the authors have used HElayers for the experiments. However, it remains unclear why not directly experiment on HE libraries like HEaaN. As mentioned by the authors, HElayers 'may decide not to use all 9 levels before performing bootstrapping'. This actually keeps the readers from learning the benefits from PowerSoftMax, i.e., the improved depth consumption and reduced number of bootstrapping.

Additionally, directly comparing the runtime with NEXUS and [2] is not convincing. NEXUS is based on the SEAL library and [2] is based on the HEaaN library. Also, NEXUS and [2] do not need fine-tuning, while fine-tuning is indispensable for PowerSoftMax. More importantly, utility/efficiency trade-offs should be demonstrated instead of comparing the runtime only. I acknowledge the comparing with these works is not straightforward, and I do not mean the authors must show these comparison results now.

I do not see Appendix H and E in your revision. Please check if the submission has been correctly updated. I will maintain my rating at this point.

[1] Zeng et al., "Mpcvit: Searching for accurate and efficient mpc-friendly vision transformer with heterogeneous attention." ICCV 2023.

[2] Cho et al., "Fast and Accurate Homomorphic Softmax Evaluation." CCS 2024.

Thanks to the authors for their efforts and clarification. HElayers is a powerful tool that makes HE more accessible to more researchers and is widely employed in the community. I do not mean that the authors must avoid using HElayers or any other off-the-shelf SDKs. I believe one of the main benefits of PowerSoftmax is the improved depth consumption and reduced number of bootstrapping, which should be highlighted.

Following the example provided by the authors, one can use bootstrapping after every 12 multiplications. Consider bootstrapping restores the full multiplicative budget [2], 3 bootstrapping operations are needed for both PowerSoftmax and [2]. The number of multiplications are reduced from 35 in [2] to 27 in PowerSoftmax. When using HE libraries like HEaaN, the reduced number of multiplications clearly contributes to reduced depth consumption. Therefore, with such circuit-level optimization, it is possible to perform 9 additional multiplications before the next bootstrapping.

But when using HElayers, it is not clear to me whether the additional multiplications can be performed before the next bootstrapping, since HElayers 'may decide not to use all levels before performing bootstrapping'. That is, the actual depth consumption and number of bootstrapping are determined by the circuit-level optimization (e.g., PowerSoftmax) and the compiler-level optimization (e.g., HElayers).

It might be possible that the HElayers-based implementation can still effectively demonstrate the circuit-level optimizations in PowerSoftmax. But I believe more clarification and discussion are needed for this potential impact brought by the implementation choice, especially for readers not familiar with HElayers.

Thank you for your effort and for taking the time to help us improve our paper.

Weaknesses:

W.1. HE-based implementation was not conducted.

Answer: We partially disagree, Line 382 reports our HE-based experiments. More data is provided as an answer in the global comment to the HE concern.

W.2. Contribution seems limited.

Answer: We respectfully disagree with the reviewer that the contribution is limited. Please see our response in the shared response and let us know if you have further concerns.

W.3. There is a reliability concern with the results of the zero-shot and 5-shot experiments.

First, the main results of our work, as presented in Tables 1 and 2, are based on fully-trained models. These results closely align with the performance of the original Pythia models of the same size and are directly compared against the benchmarks reported in their paper (see Table 8 and 12).

Additionally, we agree that to demonstrate the comprehensive effectiveness of the PowerSoftmax variant, it is important to (i) provide results of fully-trained models and (ii) present training curves, as is standard practice in this domain. Our paper already addresses these points by including detailed evaluations across more than 10 datasets, multiple modalities, several training regimes (full training, fine-tuning, zero-shot), and various model sizes, as shown in Tables 1 and 2 and Figures 4 and 5.

Finally, to further address the reviewer’s concerns and enhance clarity, we have created a new table (Table 4, Appendix F) in the revised manuscript. This table summarizes the final performance of the fully trained models, derived from Figures 4 and 5, across six distinct datasets and several model sizes.

For all of these reasons, we kindly request that you reconsider this point.

We are grateful for your detailed review, which has guided us in improving our paper.

Weaknesses:

W.1. The authors should provide critical information on latency and resource utilization, which is essential for assessing the feasibility of applying homomorphic encryption (HE) to transformers. Specifically, there is insufficient detail regarding the HE settings and parameters used, making it unclear what type of simulation was conducted. Additionally, there is no information on the security model under which the HE simulations were performed. The description of the homomorphic implementation of matrix operations, including ciphertext-ciphertext multiplication beyond Softmax, needs to be included.

Answer: Please see our global comment about HE concern.

---

Questions:

Q.1. The authors claim that their method is more efficient than existing approaches, even though no information is provided on latency. On what basis is this claimed efficiency over previous methods established?

Answer: From the text: "When operating over encrypted data, our model is significantly more efficient than both of these methods. Specifically, Nexus incorporates three high-degree polynomial approximations at each attention layer for the exponential, division, and maximum functions, whereas our approach requires only a single non-polynomial division." Please see a comparison of PowerSoftmax in the global comments.

Q.2. Additionally, what homomorphic encryption parameters were used in the simulations?

Answer: Please see our global comment about HE concern.

Our paper is the first to report polynomial LLMs with 1.4B parameters for tasks relevant to LLMs, as depicted in Table 1, addressing a key obstacle to making FHE-encrypted LLM solutions feasible. We acknowledge that challenges remain in making FHE practical, particularly due to performance and memory gaps between inference over encrypted data and plaintext. However, Rome wasn’t built in a day. While FHE has shown approximately 2x annual speedup through software improvements alone, it will take time before it becomes practical for complex tasks such as LLMs. In our view, this should not impede AI research. On the contrary, we hope to close the FHE gap from above, while FHE software and hardware accelerations will narrow the gap from below.

Focusing on AI advancements, our paper introduces a new primitive called PowerSoftmax, and our HE measurements support the need to optimize this primitive. To avoid burdening readers, we opted for simplicity by using an off-the-shelf library (HElayers) and running our model as-is. Therefore, our paper does not delve into complex or unrelated design decisions, such as packing strategies or matrix multiplication algorithms. First, these decisions are abstracted away by the HElayers compiler, and second, this approach allows the reader to focus on the core AI contribution. In a similar way, we do not report the algorithms used by PyTorch, by GCC, or Clang, we trust the compilers. Further, note that our approach is orthogonal to the implementation of models over FHE and will improve the latency of any implementation simply by replacing Softmax with PowerSoftmax in the compiler. This is why we prefer to compare only the Softmax latency, rather than the overall latency, as the latter could mislead the readers.

With that said, we will add to the paper that the latency reported by HElayers on one A100 80GB GPU for our PowerSoftmax over 32 layers of 128x128 took only 16 seconds. In contrast, prior SOTA -- NEXUS reported that Softmax using 4 (instead of 1) A100 GPUs over 128x128 blocks for 12 (instead of 32) layers took 1.15 seconds * 32 (batch size) = 36.8 seconds, x2.3 slower. Moreover, following the submission of this paper, another study addressing Softmax was published [a]. This paper introduces a new Softmax approximation. Compared to [a], our method reduces multiplication depth by at least 23% when replacing Softmax with our PowerSoftmax in fine-tuned models, where the latency reported by [a] on an NVIDIA RTX-6000 for 128x128 * 32(layers) + 1x32768 inputs was 90 seconds. again, much slower.

As stated in the paper, all our experiments used HElayers 1.5.4 (Aharoni et al. (2023)), configured for CKKS with 128-bit security and polynomial degree of 2^16. We also note that the underlying CKKS library was HEaaN, using its FGb parameter set with the following specific values: log(QP) = 1555, N = 2^16, L = 9, h = 192, \lambda = 128. Additional details can be found in the HEaaN documentation.

Finally, it is important to emphasize that our paper reports actual measurements over FHE-encrypted data, rather than simulations, establishing the feasibility of our solution under FHE.

[a] Wonhee Cho, Guillaume Hanrot, Taeseong Kim, Minje Park, and Damien Stehlé. 2024. Fast and Accurate Homomorphic Softmax Evaluation. arXiv preprint arXiv:2410.11184 (2024). https://arxiv.org/abs/2410.11184