Encrypt This, Encrypt That, or LLM Under Lock and Key

encryption models in the broadest sense. The point is not so much the mechanisms, algorithms and methods for encrypting what the user sends, but working with data in general, including the data used to train models. That is, encryption at both the input and the output: data from the user, from the model, and the training data itself.

We will talk about secure handling of commercial content, data encryption, and the models and approaches for securely handling commercial data and embedding it into a model. It will be interesting 😉

Why is this important? Today the fourth generation of GPT systems is in use, and we are waiting for the fifth. There are many analogues of the "four" (Megatron‑LLM, LLaMA, Claude, PaLM, Mistral, BLOOM, Grok, Megatron‑Turing NLG, Chinchilla, OPT, GODEL, Jurassic-2), some of which surpass GPT-4 on a number of parameters. However, for high-quality "evolution", such systems need to be "fed" correct production code, tested and fully covered by tests, which is written by large corporations and by medium and small businesses. But there is a nuance: no one will hand over such code for nothing. Moreover, it is protected by copyright and comes with a number of legal conditions of use.

Since none of the chatbots (generative models) mentioned above is currently capable of producing anything at the level of an architect or of serious production development, full integration between models may not come as fast. Yes, attempts are being made to get around this, as shown in this article. Moreover, it is currently impossible to fit a long time slice of an entire project's development, say a year, into a model, unless of course it is an internal model of a large corporation. This was precisely one of the hidden factors when OpenAI announced the expansion of the context to 8192 tokens in 2023, and a further expansion is expected in 2025. Because of this, the encryption problem is now very acute, as more and more attacks, methods for bypassing blocking and ways of changing the rules keep appearing. For example, in the vastness of Git you can find such "wonderful" things: one, two.

Another unpleasant factor is the borrowing of content. The number of lawsuits against companies such as OpenAI (ChatGPT), NVIDIA (Megatron), Google (Bard) and CompVis (Stable Diffusion) keeps growing, because, according to many reports (one, two, three, four), they simply "borrow" external content (audio, video, code, text and other technological and technical data) without observing any copyrights or commercial agreements. The latest scandal with NVIDIA only confirmed this. According to available information, downloads were made not only from open sources (YouTube, Netflix), but also from pirated resources.

There is a real race, if not a war, for content, and neither norms, nor laws, nor anything else plays a role for conglomerates of this size. True, quite recently, in the course of legal negotiations, Google paid the media large compensation for the use of their content. But the situation will not change globally, so it is worth thinking about.

At the same time, the demarcation in the use of content and approaches is taking place not only in software, but also in hardware. Thus OpenAI is going to produce its own GPU chips, thereby openly boycotting NVIDIA's hegemony and "draining" it, with the support of no less significant players. Under cover of this noise, such "whales" as BlackRock, Neuberger Berman, Type One Ventures, Cisco, KDDI and Samsung Catalyst Fund are building their own small factory and have already received investment for it. Of course, there is no talk of takeovers yet, but the situation is very close to it. In addition, AGI and quantum encryption, which we will definitely touch on, are already actively "looming" on the threshold.

This battle will be legendary ;)

Encryption

Let's start with secure transmission of private data. This study proposes a simple but effective mechanism, EmojiCrypt, to protect users' privacy. It uses emoji to encrypt user data before it is sent to the LLM. The result is unintelligible to humans or to LLM experts, but the original meaning of the prompt is preserved, so the model's performance is not affected. Be clear about what this does and does not protect against: it obfuscates the surface form of the prompt rather than encrypting it in the cryptographic sense. The provider's model still has to recover the meaning in order to answer, so the protection is against logging and casual inspection, not against a party who can run the same model over the stored prompt.

The tests were run on three tasks: personalized recommendation, sentiment analysis and tabular data analysis. The experiments showed that EmojiCrypt can encrypt personal information in prompts in a way that not only keeps sensitive data from being discovered by humans or by the LLM itself, but also maintains or even improves accuracy without additional tuning, achieving accuracy comparable to or better than querying the LLM directly with unencrypted prompts (Figure 1).

  Fig. 1. An example of message encryption using the EmojiCrypt algorithm
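As an added, simplified illustration (not the EmojiCrypt implementation from the paper, which has the LLM itself produce the emoji encoding), the following client-side substitution keeps sensitive fields out of the prompt and puts them back into the reply. The detectors and the emoji placeholders are assumptions made for the demo, and the sample prompt is constructed. The point it makes is that the mapping never leaves the client, while the model still receives the prompt's structure and meaning, which is the property the paper relies on.

```python
import re

# Detectors for fields that must not reach the model (constructed, deliberately minimal).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "phone": re.compile(r"\+\d[\d -]{7,}\d"),
}

# Emoji placeholder per field class; a running index separates several values of one class.
EMOJI = {"email": "📧", "card": "💳", "phone": "📞"}


def protect(prompt):
    """Replace sensitive spans with emoji tokens.

    Returns the prompt that is safe to send and the token -> value map, which stays
    on the client and is the only thing that can undo the substitution.
    """
    mapping = {}
    counters = {kind: 0 for kind in PATTERNS}

    def replacer(kind):
        def repl(match):
            counters[kind] += 1
            token = f"{EMOJI[kind]}{counters[kind]}"
            mapping[token] = match.group(0)
            return token
        return repl

    safe = prompt
    for kind, pattern in PATTERNS.items():
        safe = pattern.sub(replacer(kind), safe)
    return safe, mapping


def restore(reply, mapping):
    """Put the original values back into the model's reply.

    Longest tokens are replaced first so that a token like 📧1 never clobbers 📧10.
    """
    for token in sorted(mapping, key=len, reverse=True):
        reply = reply.replace(token, mapping[token])
    return reply


if __name__ == "__main__":
    # Constructed sample prompt with three sensitive fields.
    prompt = ("Refund card 4111 1111 1111 1111 for jane.doe@example.com, "
              "call +1 555 010 2000 if needed")
    safe, mapping = protect(prompt)
    print("sent to model:", safe)
    # Simulated model reply that reuses the placeholders.
    reply = "Refund issued to 💳1; confirmation sent to 📧1."
    print("shown to user:", restore(reply, mapping))
```

The model only ever sees "Refund card 💳1 for 📧1, call 📞1 if needed", which is enough for it to reason about the task; the card number, address and phone number are restored locally. Because the placeholders are deterministic within a session, treat this as pseudonymization, not encryption: an observer who sees many prompts can still correlate 💳1 across them.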

It is also mentioned here that there is a data "leak" problem (one, two, three), and it cannot be solved by simple measures such as RSA encryption of the transport. Handing data to cloud storage is not entirely secure either, since the contents of a user's conversations with the LLM can end up absorbed into the model's parameters, from which they can later be extracted by adversarial attacks (jailbreaking the LLM).

In addition, a number of works note that homomorphic encryption under the BFV scheme (Brakerski/Fan‑Vercauteren), one of the best-known fully homomorphic encryption (FHE) schemes, is now being actively used for this purpose (an optimization of the approach is FastQuery, and you can read more here). Its security rests on the hardness of the (ring) learning with errors problem, that is, on solving systems of linear equations whose right-hand sides are perturbed by small noise. Fan and Vercauteren carried Brakerski's scale-invariant scheme over to polynomial rings; both BFV and the related BGV scheme (Brakerski‑Gentry‑Vaikuntanathan) descend from the Brakerski‑Vaikuntanathan construction. The main features of the BFV scheme are:

  1. Efficiency. The scheme emphasizes computational efficiency and keeps the noise (error) that accumulates during homomorphic operations under control.

  2. Noise control by scaling. The plaintext is scaled by floor(q/t) on encryption, and after every homomorphic multiplication the result is scaled back by t/q and rounded; this scale-invariant design keeps noise growth in check without the modulus switching that BGV requires.

  3. Support for a wide range of operations. BFV supports both addition and multiplication of encrypted data, which makes it suitable for complex computations (deep circuits additionally need relinearization and, eventually, bootstrapping to keep ciphertexts small and noise bounded).
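To make the scale-by-floor(q/t), rescale-by-t/q mechanics listed above concrete, here is an added toy BFV in pure Python (not code from the page, from FastQuery or from any FHE library): key generation, encryption, decryption, homomorphic addition and one homomorphic multiplication, with the noise term measured directly. The parameters (N = 16, q = 2^60, t = 101, ternary secrets and errors) are an assumption chosen for readability, not for security. Relinearization and bootstrapping are omitted, so the product ciphertext keeps three components and is decrypted with s squared.

```python
import random

# Toy BFV parameters (far too small for real security; chosen so the arithmetic is visible).
N = 16           # ring dimension: polynomials live in Z_q[x] / (x^N + 1)
Q = 2 ** 60      # ciphertext modulus q
T = 101          # plaintext modulus t
DELTA = Q // T   # scaling factor floor(q / t) applied to the plaintext


def poly_add(a, b, mod=None):
    """Coefficient-wise sum; reduced mod `mod` when one is given."""
    r = [x + y for x, y in zip(a, b)]
    return [x % mod for x in r] if mod else r


def poly_mul(a, b, mod=None):
    """Product in Z[x] / (x^N + 1): x^N wraps to -1 (negacyclic convolution)."""
    r = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if i + j < N:
                    r[i + j] += ai * bj
                else:
                    r[i + j - N] -= ai * bj
    return [x % mod for x in r] if mod else r


def centered(a, mod):
    """Lift coefficients from [0, mod) to the symmetric range (-mod/2, mod/2]."""
    return [x - mod if x > mod // 2 else x for x in a]


def small_poly():
    """Ternary polynomial with coefficients in {-1, 0, 1} (secret and error terms)."""
    return [random.choice((-1, 0, 1)) for _ in range(N)]


def keygen():
    """Secret key s and public key (b, a) with b = -(a*s + e) mod q."""
    s = small_poly()
    a = [random.randrange(Q) for _ in range(N)]
    e = small_poly()
    b = [(-x) % Q for x in poly_add(poly_mul(a, s), e)]
    return s, (b, a)


def encode(value):
    """Put an integer mod t into the constant coefficient of a plaintext polynomial."""
    return [value % T] + [0] * (N - 1)


def encrypt(pk, m):
    """ct = (b*u + e1 + DELTA*m, a*u + e2) mod q with fresh small u, e1, e2."""
    b, a = pk
    u, e1, e2 = small_poly(), small_poly(), small_poly()
    c0 = poly_add(poly_add(poly_mul(b, u), e1), [DELTA * x for x in m], Q)
    c1 = poly_add(poly_mul(a, u), e2, Q)
    return [c0, c1]


def _phase(s, ct):
    """c0 + c1*s + c2*s^2 + ... mod q, centered. Handles 2- and 3-term ciphertexts."""
    acc, s_pow = [0] * N, [1] + [0] * (N - 1)
    for c in ct:
        acc = poly_add(acc, poly_mul(c, s_pow))
        s_pow = poly_mul(s_pow, s)
    return centered([x % Q for x in acc], Q)


def decrypt(s, ct):
    """Rescale the phase by t/q with rounding (integer arithmetic only) and reduce mod t."""
    return [((x * T + Q // 2) // Q) % T for x in _phase(s, ct)]


def noise(s, ct):
    """Largest |coefficient| of the error term; decryption breaks once this nears DELTA/2."""
    m = decrypt(s, ct)
    err = centered([(x - DELTA * mi) % Q for x, mi in zip(_phase(s, ct), m)], Q)
    return max(abs(x) for x in err)


def hom_add(ct1, ct2):
    """Addition is just coefficient-wise addition of the ciphertext components."""
    return [poly_add(c, d, Q) for c, d in zip(ct1, ct2)]


def hom_mul(ct1, ct2):
    """Tensor product of two 2-term ciphertexts, each part scaled by t/q and rounded.
    The result has three terms (decryptable with s^2); relinearization is omitted."""
    (c0, c1), (d0, d1) = ct1, ct2
    raw = [poly_mul(c0, d0),
           poly_add(poly_mul(c0, d1), poly_mul(c1, d0)),
           poly_mul(c1, d1)]
    return [[((x * T + Q // 2) // Q) % Q for x in p] for p in raw]


def demo(x=7, y=9):
    """Encrypt two values, compute x+y and x*y under encryption, report results and noise."""
    s, pk = keygen()
    cx, cy = encrypt(pk, encode(x)), encrypt(pk, encode(y))
    c_sum, c_prod = hom_add(cx, cy), hom_mul(cx, cy)
    return {
        "sum": decrypt(s, c_sum)[0],
        "product": decrypt(s, c_prod)[0],
        "noise_fresh": noise(s, cx),
        "noise_sum": noise(s, c_sum),
        "noise_product": noise(s, c_prod),
        "noise_limit": DELTA // 2,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the sum and the product decrypting correctly while the product's noise is orders of magnitude above the sum's. Once the noise reaches about DELTA/2 the rounding in decrypt() lands on the wrong plaintext, which is exactly the limit that relinearization, modulus management and bootstrapping exist to manage in a real deployment.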

These schemes are not perfect and can in theory be broken. But several important factors work in their favour, one of which is the hardness of the underlying problem. The security of BFV rests on the difficulty of the Learning With Errors (LWE) problem and related problems on lattices (lattice-based cryptography). They are considered extremely hard to attack with current algorithms and computing power, and one candidate for the role of attacker would be quantum algorithms (Shor's algorithm) or its modified version, Regev's algorithm. Note, however, that Shor's and Regev's algorithms target factoring and discrete logarithms, not LWE; no known quantum algorithm breaks LWE, which is precisely why lattice problems underpin the post-quantum standards. An attack along these lines would therefore have to follow roughly this hypothetical path:

  1. Analysing the structure of the learning with errors (LWE) problem. BFV is based on LWE, which consists of recovering a secret from linear equations whose right-hand sides are perturbed by small noise. Without the noise the system is solved by Gaussian elimination; adding the error makes it computationally hard.

  2. Transforming LWE into a periodicity problem. Shor's quantum algorithm works for problems that can be reduced to finding the period of a function (for example, factoring reduces to finding the order of an element in a group). One would have to devise a quantum algorithm that reduces LWE to period finding, and no such reduction is known.

  3. Constructing a quantum oracle. Shor's algorithm uses a quantum oracle to prepare a superposition, which is then passed through the quantum Fourier transform to extract the period. For LWE one would need a similar oracle that produces a superposition over candidate solutions of the noisy linear system.

To eliminate (compensate for) the noise, one would first have to analyse it, obtaining its structure and a way to suppress it. Since the noise is probabilistic, heterogeneous in composition and small relative to the signal (on the order of 1%), one could use synthetic-data libraries that respect statistical distributions (Pandas-Faker, Mimesis, Synth) to enlarge a noise training set and then fit models such as HMM, CRF or VAE to estimate the noise distribution. Bear in mind, though, that in LWE the error distribution is public and every sample draws a fresh error: what such modelling recovers is the distribution the scheme already publishes, not the individual error values, and the hardness results assume exactly that setting.

Another paper (relevant if an attacker somehow learns that EmojiCrypt-style encoding is in use and wants to forge the request) considers an equally interesting approach from the jailbreak perspective. The method relies on personalized encryption performed by CodeChameleon, which lets unsafe intentions be hidden in prompts to the LLM: the prompt arrives encoded, together with a decryption routine the model is asked to apply. So the inverse problem has to be solved: decrypt encoded messages to identify "malicious messages" not inside the model itself, but in a separately created "sandbox". This makes it possible to strengthen the filter at the model's input in addition to the existing protections based on LLM-Stega and on the private-inference frameworks PermLLM, MPCFormer and Puma.
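Added example (not from the CodeChameleon paper or from any of the tools named above) of the "decrypt in a sandbox, then filter" idea: two reversible word-order transforms of the kind such prompts use (reverse and odd-even; the exact transforms are an assumption for the demo) and a screening step that tries every known decoder before applying the policy. The denylist phrases and the sample prompt are constructed placeholders standing in for a real rule set.

```python
import re

# Reversible word-order transforms of the kind a CodeChameleon-style prompt applies
# before asking the model to "decrypt" and follow the instruction. The concrete
# transforms here (reverse, odd-even) are assumptions for the demo.
def enc_reverse(words):
    return list(reversed(words))


def dec_reverse(words):
    return list(reversed(words))


def enc_odd_even(words):
    """Words at even positions first, then the words at odd positions."""
    return words[0::2] + words[1::2]


def dec_odd_even(words):
    half = (len(words) + 1) // 2          # number of even-position words
    evens, odds = words[:half], words[half:]
    return [evens[i // 2] if i % 2 == 0 else odds[i // 2] for i in range(len(words))]


# Every decoder the sandbox knows; identity covers un-encoded prompts.
DECODERS = {
    "identity": lambda w: list(w),
    "reverse": dec_reverse,
    "odd_even": dec_odd_even,
}

# Constructed placeholder policy: phrases the input filter must catch.
DENYLIST = [r"\bwipe the audit logs\b", r"\bexfiltrat\w*\b"]


def naive_blocked(prompt):
    """The filter most deployments run: regexes over the raw prompt only."""
    return any(re.search(p, prompt, re.I) for p in DENYLIST)


def screen(prompt):
    """Sandboxed pre-filter: decode with every known transform, run the policy on
    each candidate, and report which decoder exposed the match. The model itself is
    never asked to decode, so the recovered instruction never reaches it."""
    words = prompt.split()
    for name, dec in DECODERS.items():
        candidate = " ".join(dec(words))
        if naive_blocked(candidate):
            return True, name, candidate
    return False, None, prompt


if __name__ == "__main__":
    hidden = " ".join(enc_odd_even("please wipe the audit logs on the server".split()))
    print("encoded prompt:", hidden)
    print("raw regex filter blocks it:", naive_blocked(hidden))
    print("sandbox screen:", screen(hidden))
```

The raw filter lets the odd-even encoded prompt through because the phrase it looks for has been scrambled; the sandbox recovers it with the matching decoder and blocks before the model is involved. The cost of this design is that the decoder set has to be maintained: a transform the sandbox does not know is one it cannot undo, which is why the page treats the set of known decryptions as something to keep extending.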

Thus we have a rough concept of encryption and decryption. By combining these methods it is possible to take the existing decryption (attack) methodology into account and to reinforce encryption algorithms that have not yet been broken but are potentially vulnerable.

Toolkit

Here are some of the applied tools that are currently used to protect and encrypt models.

Let's start, perhaps, with encryption and the general security system of the models: LLM-Guard, cyber‑security‑llm‑agents, awesome‑llm‑security, PurpleLlama, agent_security, llm-security, rebuff, LLM Security 101, AutoAudit, llm‑security‑prompt‑injection.

A separate word about benchmarks. There are a lot of these tools now, but they are all very similar and can be divided into several categories:

Encryption systems for LLMs are multiplying and expanding, and this trend will only intensify, because the problem of hallucinations has not yet been fully solved and the mechanisms for bypassing blocks with the very same prompts keep growing in number.
