Securing ChatGPT & LLMs with End-to-end Encryption

A booming area of technological advancement is Generative AI. OpenAI’s ChatGPT reached 100 million monthly active users only two months post-launch, making it the fastest-growing consumer app ever. Bloomberg finds that Generative AI could become a $1.3 trillion market by 2032, growing at a CAGR of 42% over the decade.

GenAI uses Large Language Models (LLMs) trained on public or custom data. While users of any AI application understand that data is the fuel for these solutions, privacy concerns such as the following loom large:

  • Users are denied knowledge about how their data is used, stored, and shared once it enters a GenAI chatbot.
  • GenAI applications generate content based on proprietary information, raising concerns about intellectual property theft. Three artists sued multiple GenAI platforms for AI using their original work without a license to train in their style and ultimately creating unauthorized derivative works.
  • In a lack of data privacy and governance, LLMs may inadvertently reveal Personally Identifiable Information.

On November 2, 2023, Kevin Liu, a Stanford University student, used a prompt injection attack against “New Bing”, Microsoft’s GenAI-powered conversational bot, which had launched a day earlier. The attack revealed Bing Chat’s initial prompt, the instructions Microsoft wrote to govern how the service interacts and behaves with its users, which were intended to remain private.

GenAI has a long way to go to quell these concerns. Let’s delve into the crucial aspect of end-to-end encryption for protecting LLMs data.

The Need for Encryption in LLMs

Encrypting LLMs is the answer if you want to use GenAI to:

1. Contextualize LLMs for enterprises

For internal GenAI use, enterprises would want to safeguard internal sensitive information while enabling GenAI to boost employee productivity. Customer-facing GenAI applications require custom data and robust privacy features on LLMs to safeguard proprietary data.

2. Navigate regulatory frameworks

Sharing private datasets with third parties (GenAI chatbots) can open a company to severe fines for non-compliance with regulations such as GDPR and CCPA. Countries such as Italy implemented a temporary ban on ChatGPT over data protection and privacy concerns. Several other European countries are assessing the tool’s compliance with the GDPR.

3. Fortify user interest

Cambridge Analytica comes to mind as one of the most controversial breaches of user privacy, where the political consulting company used the personal information of millions of Facebook (Meta) users for political advertising. Encrypting LLM data would be an ethical step in the general direction of ensuring data privacy.

4. Safeguard proprietary data

In an alarming incident, employees at Samsung Semiconductor used ChatGPT’s AI writer to resolve issues in their source code, feeding proprietary source code into OpenAI’s publicly available service, which uses submitted data to train its models. In two other instances at Samsung, proprietary information was provided to ChatGPT, raising IP and data privacy concerns and leading the company to ban the tool.

5. Unlock use cases

Most of all, it’s exciting to see encryption technologies coming to LLMs, as they unlock potential use cases of GenAI. Developers are severely constrained when privacy guarantees are insufficient or unattainable. Several use cases in industries such as finance, banking, law, and healthcare can’t come to fruition if data privacy remains a bottleneck.

Privacy concerns continue to hamper the innovation and commercialization of LLMs in enterprises for serious use cases, particularly in sensitive industries such as finance and healthcare.

It’s not news that OpenAI’s ChatGPT refines its abilities using user data, and Google’s Bard has retention policies that contradict users’ data privacy expectations. This underscores a growing industry need for a user-centric approach to data privacy in GenAI implementation.

Various Encryption Solutions for LLMs

First, let’s consider encryption solutions that don’t fit this problem. Traditional ciphers such as AES and DES protect data only while it sits encrypted; it has to be decrypted before anything can be computed on it, so they fall short in scenarios where data needs to be processed and safeguarded at the same time.

End-to-end encryption methods like those adopted by Web2 messaging services such as WhatsApp only protect data in transit. “It’s just a protection, a layer of encryption on top of the transmission”, says Pascal Paillier, CTO at Zama.

Why do these solutions fall short? If you want to process medical health data for predictive analysis, you’d want to preserve data privacy even during processing, which traditional encryption methods can’t achieve.

This is where Fully Homomorphic Encryption (FHE) comes in as a game-changer, allowing operations on data without ever exposing it.

Public LLMs are attack vectors unless you use FHE

FHE enables third parties to perform operations on the underlying data without decrypting it. FHE is the third pillar of encryption. “We’ve had encryption in transit. We had encryption at rest. We never had encryption at use,” says Paillier. FHE represents encryption at use.

This is what we are solving for at Fhenix, along with our partner, Zama. Our mission is to empower developers and data scientists to leverage FHE without having to learn cryptography to secure LLMs.

Here’s how FHE will end-to-end encrypt LLMs and ChatGPT:

  • Encrypt the query and contextual data using a secret key known only to the user
  • Send the encrypted prompt to the service provider running the LLM
  • Compute the LLM on encrypted data and produce an encrypted response
  • Send the encrypted response to the user, who then decrypts it using their key

This way, FHE would encrypt all communications between the user and the GenAI bot so that application owners cannot retain or misuse users’ sensitive data. FHE would enable better use cases of GenAI by eliminating the privacy issue and permitting users to feed custom datasets to derive the most value from GenAI.
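The four steps above, as an added worked example that is not Fhenix’s or Zama’s code: a client encrypts a feature vector under a key only it holds, a server scores that vector with a linear model while it is still encrypted, and only the client can decrypt the answer. It uses the Paillier cryptosystem (the 1999 scheme by the same Pascal Paillier quoted above), which is additively homomorphic rather than fully homomorphic, so the server-side “model” is limited to additions and multiplications by plaintext constants. The 64-bit demo primes, feature values, weights and bias are all constructed for illustration and are far too small for real use.

```python
"""Toy 'encryption at use' demo with the Paillier cryptosystem.

The server computes w.x + b on ciphertexts only. It never sees x, and the
result is readable only by the holder of the private key. Paillier is
additively homomorphic (ciphertext multiply = plaintext add), not FHE, and
the key sizes here are demo-sized, not secure.
"""
import math
import secrets
from dataclasses import dataclass


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (sufficient for demo-sized keys)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with its top bit set, so n = p*q has 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


@dataclass(frozen=True)
class PublicKey:
    n: int
    n_sq: int


@dataclass(frozen=True)
class PrivateKey:
    lam: int   # lambda = lcm(p-1, q-1)
    mu: int    # lambda^-1 mod n
    pub: PublicKey


def keygen(bits: int = 64):
    """Step 0 (client): generate the key pair. Only the client keeps PrivateKey."""
    p = _random_prime(bits)
    q = _random_prime(bits)
    while q == p or math.gcd(p * q, (p - 1) * (q - 1)) != 1:
        q = _random_prime(bits)
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    pub = PublicKey(n, n * n)
    return pub, PrivateKey(lam, pow(lam, -1, n), pub)


def encrypt(pub: PublicKey, m: int) -> int:
    """E(m) = g^m * r^n mod n^2 with g = n + 1. Signed m wraps into Z_n."""
    m_mod = m % pub.n
    while True:
        r = secrets.randbelow(pub.n - 1) + 1
        if math.gcd(r, pub.n) == 1:
            break
    g_m = (1 + m_mod * pub.n) % pub.n_sq          # (1+n)^m = 1 + m*n (mod n^2)
    return (g_m * pow(r, pub.n, pub.n_sq)) % pub.n_sq


def decrypt(priv: PrivateKey, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n, decoded as a signed integer."""
    n = priv.pub.n
    u = pow(c, priv.lam, priv.pub.n_sq)
    m = ((u - 1) // n) * priv.mu % n
    return m - n if m > n // 2 else m


def add(pub: PublicKey, c1: int, c2: int) -> int:
    """E(a) * E(b) = E(a + b): homomorphic addition on ciphertexts."""
    return (c1 * c2) % pub.n_sq


def mul_const(pub: PublicKey, c: int, k: int) -> int:
    """E(a)^k = E(k * a): multiplication by a plaintext constant (k may be negative)."""
    return pow(c, k % pub.n, pub.n_sq)


def server_score(pub: PublicKey, enc_features, weights, bias: int) -> int:
    """Step 3 (server): compute w.x + b using only the public key and ciphertexts."""
    acc = encrypt(pub, bias)                       # bias encrypted under the user's key
    for c, w in zip(enc_features, weights):
        acc = add(pub, acc, mul_const(pub, c, w))
    return acc


def run_private_inference(features, weights, bias: int, bits: int = 64) -> int:
    """Steps 1-4 end to end; returns the plaintext score the client recovers."""
    pub, priv = keygen(bits)
    enc = [encrypt(pub, x) for x in features]       # 1. client encrypts the query
    enc_result = server_score(pub, enc, weights, bias)  # 2-3. server computes blind
    return decrypt(priv, enc_result)                # 4. client decrypts the reply


if __name__ == "__main__":
    # Constructed demo inputs: features [3, -2, 7], weights [4, 5, -1], bias 10.
    print(run_private_inference([3, -2, 7], [4, 5, -1], 10))   # 5
```

The point to notice is the split of trust: `server_score` takes only `PublicKey` and ciphertexts, so the provider can be given the model and the query and still learn nothing about the query or the answer. A real FHE scheme removes the restriction to linear operations, which is what the LLM case needs.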

While FHE is the solution, the journey to implementing it isn’t without its hurdles. Let’s explore the challenges and how we’re tackling them.

Challenges and the Road Ahead

While FHE computation performance has improved by 20x in the last 3 years, we still have a ways to go before FHE encrypts LLMs. Estimates show that generating one encrypted LLM token would need up to 1 billion FHE operations, which keeps FHE cost-prohibitive for now.

However, three significant trends are contributing to FHE readiness for LLMs:

  • Compression techniques are making LLMs faster, resulting in less data to compute homomorphically. This will likely bring a 2x performance improvement for FHE.
  • The cryptography behind FHE is improving, and we can realistically expect a 5x acceleration in the next five years.
  • Several companies, including Duality, Intel, and IBM, are currently developing custom ASICs and FPGAs optimized for bootstrapping and homomorphic operations. These companies are targeting a 1,000x speedup for their first generation (planned for 2025) and up to 10,000x for their second generation. Consequently, you’d only need about 5 FHE accelerators to run an encrypted LLM, on par with the number of GPUs you need today for non-encrypted LLMs.

Our focus at Fhenix so far has been to make FHE possible. Next, we aim to make it feasible.

Fhenix: Bringing FHE to LLMs

Despite the challenges ahead, the FHE landscape is evolving. Fhenix, partnered with Zama, is at the forefront of this transformation with the FHE-enabled EVM protocol that provides fully homomorphic encryption natively for Solidity developers.

Fhenix was founded by Guy Zyskind, the Founder of Secret, and is led by Guy Itzhaki, a former Director of the Homomorphic Encryption & Blockchain Group at Intel.

Fhenix enhances the developer experience and empowers developers to use the same tools they already do but with added privacy using fhEVM. Read more about Fhenix, a pioneer in FHE, here. Stay tuned for more advancements and news!