OSNIP: Breaking the Privacy-Utility-Efficiency Trilemma in LLM Inference via Obfuscated Semantic Null Space

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We propose Obfuscated Semantic Null space Injection for Privacy (OSNIP), a lightweight client-side encryption framework for privacy-preserving LLM inference. Generalizing the geometric intuition of linear kernels to the high-dimensional latent space of LLMs, we formally define the “Obfuscated Semantic Null Space”, a high-dimensional regime that preserves semantic fidelity while enforcing near-orthogonality to the original embedding. By injecting perturbations that project the original embedding into this space, OSNIP ensures privacy without any post-processing. Furthermore, OSNIP employs a key-dependent stochastic mapping that synthesizes individualized perturbation trajectories unique to each user. Evaluations on 12 generative and classification benchmarks show that OSNIP achieves state-of-the-art performance, sharply reducing attack success rates while maintaining strong model utility under strict security constraints.


💡 Research Summary

The paper introduces OSNIP (Obfuscated Semantic Null Space Injection for Privacy), a client‑side encryption framework designed to protect user privacy during large language model (LLM) inference without sacrificing utility or efficiency. The authors start by observing that existing privacy‑preserving techniques for Model‑as‑a‑Service (MaaS)—homomorphic encryption (HE), differential privacy (DP), and multi‑party computation (MPC)—treat the high‑dimensional embedding space of LLMs as a curse, leading to prohibitive computational overhead and architectural changes. In contrast, OSNIP treats this high dimensionality as a blessing.

The core theoretical contribution is the definition of an “Obfuscated Semantic Null Space” (OSNS), which is the intersection of two sets: (1) a Semantic Null Space—directions in which perturbations cause negligible change in the model’s output distribution, and (2) a Geometric Obfuscation Region—directions that are nearly orthogonal to the original embedding, thus thwarting cosine‑based or K‑nearest‑neighbor attacks. The authors prove (Theorem 2.5) that, under mild conditions, the OSNS is non‑empty and occupies a non‑negligible fraction of the unit sphere when the embedding dimension d is large. Corollary 2.6 shows that the gap between the semantic‑preserving set and the OSNS shrinks exponentially with d, meaning that orthogonality becomes essentially free in high dimensions.

Building on this theory, OSNIP implements a lightweight encryption network Rϕ that maps a clean embedding h (produced by the client’s local tokenizer and embedding layer) and a secret user key k to a perturbed embedding z = Rϕ(h, k). The network is trained by minimizing a weighted sum of two losses: (i) a utility loss (KL divergence between the LLM’s output distributions for h and z) to preserve downstream performance, and (ii) a privacy loss (hinge on |cos(h, z)| − ε) to enforce near‑orthogonality. The key‑conditioned stochastic mapping ensures that the same prompt yields different encrypted embeddings for different users, limiting the attacker’s ability to learn a universal inversion function.
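The two loss terms above, evaluated on a toy linear readout where a point in the Obfuscated Semantic Null Space can be written in closed form. This is an added illustration, not code from the paper: the matrix `W`, the dimensions, the random data and the helper `null_space_obfuscate` are assumptions, and the closed-form construction stands in for the trained, key-conditioned network Rϕ (it uses no key).

```python
import math
import random

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def axpy(a, x, y):                              # a*x + y for vectors x, y
    return [a * xi + yi for xi, yi in zip(x, y)]

def cosine(a, b):
    return dot(a, b) / math.sqrt(dot(a, a) * dot(b, b))

def softmax(logits):
    m = max(logits)
    e = [math.exp(v - m) for v in logits]
    return [v / sum(e) for v in e]

def loss(h, z, W, eps, lam):
    """Return (total, utility, privacy): KL(p(h)||p(z)) + lam*hinge(|cos(h,z)| - eps)."""
    p = softmax([dot(w, h) for w in W])
    q = softmax([dot(w, z) for w in W])
    utility = sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))
    privacy = max(0.0, abs(cosine(h, z)) - eps)
    return utility + lam * privacy, utility, privacy

def null_space_obfuscate(h, W):
    """Closed-form z with W z = W h and h . z = 0 (linear toy model only)."""
    basis = []                                  # orthonormal basis of W's row space
    for w in W:
        for q in basis:                         # modified Gram-Schmidt
            w = axpy(-dot(w, q), q, w)
        n = math.sqrt(dot(w, w))
        basis.append([x / n for x in w])
    h_row = [0.0] * len(h)
    for q in basis:
        h_row = axpy(dot(h, q), q, h_row)       # part of h the readout can see
    h_null = axpy(-1.0, h_row, h)               # part of h the readout ignores
    a = dot(h_row, h_row) / dot(h_null, h_null)
    return axpy(-a, h_null, h_row)              # cancels h . z without touching W z

rng = random.Random(0)                          # constructed sample data
D, R = 64, 4                                    # embedding dim, readout rank (assumed)
W = [[rng.gauss(0, 1) for _ in range(D)] for _ in range(R)]
h = [rng.gauss(0, 1) for _ in range(D)]
z = null_space_obfuscate(h, W)

if __name__ == "__main__":
    for name, v in (("identity", h), ("null-space", z)):
        print(name, loss(h, v, W, eps=0.1, lam=1.0))
```

Sending `h` unchanged pays the full privacy hinge (about 1 − ε) with zero utility loss; the null-space point drives both terms to zero because only the low-rank row-space component of `h` affects the output.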

The threat model assumes a semi‑honest server that logs all received embeddings, has white‑box access to the LLM parameters, and can launch geometric attacks (KNN retrieval, vocabulary‑matching). However, the server does not possess the client’s secret key and cannot tamper with the communication channel. Experiments on twelve benchmarks spanning generation (e.g., LAMBADA) and classification (e.g., SST‑2, GLUE) demonstrate that OSNIP achieves state‑of‑the‑art trade‑offs: utility loss is typically under 2 % relative to the unprotected baseline, while attack success rates drop by 70–85 % compared to prior methods. Computationally, the client‑side encryption adds only 1–2 ms of latency and a few megabytes of memory, and the server incurs zero additional overhead because the LLM remains unchanged.

The paper acknowledges limitations: key management is external to the framework, extremely low orthogonality margins (very small ε) can hurt utility, and the current design protects only the embedding vector, not auxiliary metadata such as token length or timing side‑channels. Future work is suggested on hierarchical key schemes, adaptive ε selection, extending protection to token‑level metadata, and applying the OSNS concept to multimodal models.

In summary, OSNIP leverages the geometry of high‑dimensional LLM embeddings to simultaneously achieve privacy, utility, and efficiency, offering a practical, client‑only solution for privacy‑preserving inference in the rapidly growing MaaS ecosystem.

