When Speculation Spills Secrets: Side Channels via Speculative Decoding in LLMs

Jiankun Wei; Abdulrahman Abdulrazzag; Tianchen Zhang; Adel Müürsepp; Gururaj Saileshwar

When Speculation Spills Secrets: Side Channels via Speculative Decoding in LLMs

Jiankun Wei, Abdulrahman Abdulrazzag, Tianchen Zhang, Adel Müürsepp, Gururaj Saileshwar

18 Sept 2025 (modified: 11 Feb 2026)Submitted to ICLR 2026EveryoneRevisionsBibTeXCC BY 4.0

Keywords: Large Language Models, Speculative Decoding, Side Channel Attack, Privacy

TL;DR: We develop a side channel attack leaking private user inputs by exploiting speculative decoding optimizations in LLM inference.

Abstract: Deployed large language models (LLMs) often rely on speculative decoding, a technique that generates and verifies multiple candidate tokens in parallel, to improve throughput and latency. In this work, we reveal a new side-channel whereby input-dependent patterns of correct and incorrect speculations can be inferred by monitoring per-iteration token counts or packet sizes. We demonstrate that an adversary observing these patterns can fingerprint user queries with >90% accuracy across four speculative-decoding schemes, REST (∼100%), LADE (up to 92%), BiLD (up to 95%), and EAGLE (up to 77.6%) and leak confidential datastore contents used for prediction at rates exceeding 25 tokens/sec. We evaluate the side-channel attacks in both research prototypes as well as the production-grade vLLM serving framework. To defend against these, we propose and evaluate a suite of mitigations, including packet padding and iteration-wise token aggregation.

Supplementary Material: zip

Primary Area: infrastructure, software libraries, hardware, systems, etc.

Submission Number: 13973

Loading