Skip to main content

piefed - Link to source

I don't understand how Moxie Marlinspike's Confer "Private LLM" works
So I was reading this article about Signal-creator Moxie Marlinspike's new project, Confer , which claims to be a verifiably E2E encrypted LLM chat service. There are a couple of short blog articles that give the gist of it, and some github repos including this one that includes scripts for producing the VM that will run your particular LLM session. But if I'm following this all correctly, it implies that every chat session (or perhaps every logged-in user) would have their own VM running their own LLM to ensure that the chain of trust is complete. This seems impossible from a scalability perspective, as even small LLMs require huge quantities of RAM and compute. Did I miss something fundamental here?

Private inference

When you use an AI service, you’re handing over your thoughts in plaintext. The operator stores them, trains on them, and–inevitably–will monetize them. You get a response; they get everything.
Moxie Marlinspike (Confer Blog)
#ai #privacy #llm #confir #marlinspike #vllm #moxie
This entry was edited (4 weeks ago)
in reply to artifex

Dave
lemmy - Link to source
Dave

The blog article you link I think implies you do not have your own VM. LLMs are stateless, the previous conversation is fed in as part of the prompt.

You send your message, which is E2E encrypted. The LLM runs in an environment where it can decrypt your message and run in through the LLM, then send a response to you. Then it gets the next user's message and replies to them.

The key part is that the LLM is running inside an encrypted environment not accessible to the host system, so no one can watch as it decrypts your message.

That's what I get from reading your links.

in reply to Dave

artifex
piefed - Link to source
artifex
Ok, I interpreted it to mean that the VMs were being created as-needed and was keyed to your key specifically (which would be the most secure scenario, I think) and couldn't figure out what that could possibly work economically. But it makes more sense if just a separately encrypted host is decrypting your request and encrypting your reply along with everyone else's.
in reply to Dave

someacnt
lemmy - Link to source
someacnt
So it is a TEE(Trusted Execution Environment)? I wonder how we as end users know if it is safe.
This entry was edited (4 weeks ago)
in reply to artifex

Dessalines
lemmy - Link to source
Dessalines
So he switched from crypto to LLMs now?
in reply to Dessalines

we are all
lemmy - Link to source
we are all
He, more than others, has earned rights to move freely between technology industries without scrutiny.
in reply to MalReynolds

Lemmchen
lemmy - Link to source
Lemmchen
Like this time when they didn't release the Signal server code for more than a year only to suddenly include a cryptocurrency that basically had a non-existent userbase but that Moxie was a chairman(?) of and nobody really knew whether or rather how much he was financially invested in. Good times /s
This entry was edited (4 weeks ago)
in reply to artifex

Lemmchen
lemmy - Link to source
Lemmchen
in TEE environment


Moxie loves these closed-source hardware enclaves. Signal servers and MobileCoin rely on this too, if I'm not mistaken.
In my opinion this not the right way to go about these things, but then again I'm not a renowned cryptohead like Moxie.

This entry was edited (4 weeks ago)
in reply to Lemmchen

teolan
lemmy - Link to source
teolan

For both MobileCoin and Signal the TEE are not relied upon for the security of the general application but only for some convenience feature that are required for mass adoption but that you can go without using them.

Also, while TEE are not bulletproof, in such a server situation, it means that getting user data means much more invasive compromise than just querying the database. It's an imperfect solution, but an improvement nonetheless.

in reply to artifex

kumi
piefed - Link to source
kumi
This entry was edited (4 weeks ago)
in reply to kumi

artifex
piefed - Link to source
artifex
The articles are light on detail but the code’s all there. The approach makes sense if the VMs are not cryptographically signed with the user’s key, but are just signed against another key to verify authenticity. I read it as if each VM was created on the fly for a user and signed with that users’s key, but that seems unlikely after re reading it.
in reply to kumi

Pup Biru
lemmy - Link to source
Pup Biru

LLMs don’t have to be random AFAIK: if you turn down the temperature parameter and send the same seed every time you get the same result

dylancastillo.co/posts/seed-te…

for most people this isn’t exactly what you want because “temperature” is sometimes short-handed as “creativity”. it controls how out of left field the result can be

Controlling randomness in LLMs: Temperature and Seed – Dylan Castillo

What are temperature and seed, and how do they affect the output of an LLM?
Dylan Castillo
This entry was edited (4 weeks ago)
in reply to kumi

FauxLiving
lemmy - Link to source
FauxLiving
The random nature of LLM applications makes Verifiable Computing non-trivial and I’m not sure what the state-of-art is there.


Running inference is only pseudorandom, the output is then treated as a distribution and a pseudorandom selection is made according to the distribution. The heavy compute parts are all deterministic, the bit at the end that adds chatbot flavor is only pseudorandom.

As long as they share entropy sources, given the same seed they will always produce the same output. This is a trick that's exploited in image generation applications, using cached execution keyed on the seed means that alterations only need to be calculated at the part of the pipeline that needs to be changed (saving all of the previous steps).

in reply to kumi

someacnt
lemmy - Link to source
someacnt
I wonder if we can really trust the TEEs. Isn't it their hardware where they are quite free to do what they want? Also it looks very vulnerable to the side-channel attacks.
in reply to artifex

Autonomous User
lemmy - Link to source
Autonomous User
They think they can get security by using a proprietary chip to hide from the rest of the computer. This is a blantant lie.
This entry was edited (4 weeks ago)
in reply to Autonomous User

Lemmchen
lemmy - Link to source
Lemmchen
Not really a lie, it just highly relies on the guarantees these chips can provide. In the past there have been multiple issues with the design or implementation of these things: sgx.fail/ tee.fail/

TEE.fail: Breaking Trusted Execution Environments via DDR5 Memory Bus Interposition

Breaking Trusted Execution Environments via DDR5 Memory Bus Interposition
tee.fail
This entry was edited (4 weeks ago)
in reply to Lemmchen

Autonomous User
lemmy - Link to source
Autonomous User
The only guarantee: backdoored by design, proprietary.
This entry was edited (4 weeks ago)
in reply to artifex

Matt
lemmy - Link to source
Matt
Just use Ollama if you have enough power to run a model.
in reply to artifex

glitching
lemmy - Link to source
glitching
off topic, but of all the fix-worthy things, that's what needed his attention?
in reply to glitching

Lemmchen
lemmy - Link to source
Lemmchen
What other cryptographic practical applications are more worthy of his attention right now?
in reply to Lemmchen

glitching
lemmy - Link to source
glitching

you should let go of the imprinted idea that in order to criticise something you hafta offer a better, fully fleshed out alternative; you are allowed to say X is shitty on its own.

coming from the guy who improved and converted the utterly cumbersome PGP stack to a usable thing with TextSecure/RedPhone (those got later merged into Signal), yeah, this shit is underwhelming, to say the least.

I'm gonna go out on a limb and state that securing the pipe between you and the word-guessing program isn't currently high on anyone's list.

in reply to glitching

grey_maniac
lemmy - Link to source
grey_maniac
offer a better, fully fleshed out alternative


is a bit of straw man. Offering a rough list of alternatives for discussion would be sufficient response to the question.

you are allowed to say X is shitty on its own


while true, this ignores that your original statement was challenging this choice over other possibilities. So yes, you can just say it's a shitty choice, but you (colloquially, at least) implied there exist better choices in your opinion. So it is reasonable to ask what those might be.

This entry was edited (4 weeks ago)
in reply to grey_maniac

glitching
lemmy - Link to source
glitching

I ain't gotta offer nothing, my take is that securing the pipe to the stochastic parrot is a shit waste of time and effort, especially when it's coming from techno jesus.

if he's bored, there's list of shit to implement in signal longer than m- err, it's long. and what ain't on it is more AI and/or crypto wallets. fuckin GRR Martin clone over here...

in reply to artifex

mymisc
lemmy - Link to source
mymisc
On the topic of private LLM chat bots, what is your opinion on Lumo?
lumo.proton.me/about

About Lumo, the privacy-first AI assistant

Lumo helps you stay productive and private. As a privacy-first AI assistant, Lumo protects you with Proton's no-logs policy and zero-access encryption.
Proton
in reply to mymisc

artifex
piefed - Link to source
artifex
I think it's a pragmatic approach to a difficult problem. You're still trusting that Proton is doing what they claim to be doing by not logging any of the data, and it lacks the verifiable trust chain of the VM that this Conifer system has (which theoretically would let you audit the code to confirm that there is no logging going on, and then check the crypto hash of the VM running your LLM conversation to confirm that it is in fact running that code), but if you trust Proton this step isn't as important. Otherwise the approaches look fairly the same.Proton is using PGP for the inflight encryption to the LLM while Conifer is using... maybe PGP too, I'm not sure, but a similar approach. And as others have said here, LLMs are stateless so if you can trust that the platform isn't logging the requests, there should be no record of your discussions.