AttestLLM: On-Device LLM Attestation

• AttestLLM is an attestation framework that integrates algorithmic watermarking and hardware-assisted TEE verification to secure billion-parameter on-device LLMs.
• It embeds binary watermarks within transformer blocks using gradient-based and finite-difference optimization, ensuring precise, dynamic verification during inference.
• The framework maintains model fidelity and efficiency while enforcing hardware-level IP protection against unauthorized model execution.

AttestLLM is an attestation framework engineered to verify and protect the legitimacy of billion-parameter on-device LLMs, enforcing hardware-level intellectual property (IP) safeguards for device vendors by ensuring that only authorized models execute on a given platform (Zhang et al., 8 Sep 2025). It integrates algorithmic, software, and hardware layers to embed robust watermarking signatures into the internal activation distributions of LLM building blocks (specifically, transformer blocks) and leverages attestation protocols within a Trusted Execution Environment (TEE) for efficient, reliable runtime verification with minimal impact on inference throughput.

1. AttestLLM Framework Architecture

AttestLLM operates via two primary components:

• Offline LLM Watermarking: During pre-deployment, a device-specific binary watermark signature is embedded into each transformer block. This process uses an optimization algorithm to minimally alter model parameters such that, when activated by a secret trigger dataset, block activations project onto pre-defined signature sequences.
• Online Attestation in TEE: At runtime, the TEE periodically samples and verifies a dynamically selected subset of transformer blocks, extracting the embedded watermark signatures. Only if the extracted signatures match expectations is inference allowed to proceed; otherwise, model execution is aborted.

This paradigm differentiates AttestLLM from typical model fingerprinting or output-based authorship attribution approaches, as it operates directly on internal model activations, and combines dynamic sampling with verification in a hardware-secure enclave.

2. Algorithmic, Software, and Hardware Co-design

AttestLLM’s attestation operates as a tightly integrated workflow:

• Algorithmic Innovations:
  • Sensitivity Analysis: Transformer block informativeness (e.g., measured by peak activation magnitude) drives watermark bit allocation: critical blocks receive short, low-perturbation signatures, while less sensitive blocks tolerate longer watermarks.
  • Two-stage Watermark Insertion:
  • Stage 1: Gradient-based optimization is applied to the full precision model pre-quantization.
  • Stage 2: Zeroth-order (finite-difference) optimization targets quantized weights, accommodating INT4/INT8 deployment constraints.
  • Signature Allocation Formula:

  $$B_i = |B| \times \frac{1/\max|\mathcal{A}_i|}{\sum_{j=1}^{|M|} 1/\max|\mathcal{A}_j|}$$

  where $|B|$ is total watermark length, $\max|\mathcal{A}_i|$ is the block's peak activation, $|M|$ is total block count.

• Software Pipeline:

  • Embedding and extraction APIs for watermark insertion/verification.
  • Dynamic sampling—only a subset of blocks are verified at runtime, minimizing latency and memory footprint.
• Hardware Layer:
  • Utilizes virtualization-based secure enclaves (e.g., pKVM on ARM devices), overcoming limitations of classical TEEs (secure memory in the range of 10–32 MB, restricted instruction set).
  • The secure enclave holds the secret verification keys (projection matrices and trigger datasets), runs parallel to the rich execution environment (REE), and executes attestation independently.

3. Watermarking and Verification Protocols

Watermarking embeds a binary signature $B_i$ in each block $i$:

• Embedding via Activation Projection:

$$\min_{M_i,\,WM_i} \left| WM_i(M_i(\mathcal{A}_{i-1})) - B_i \right| + \alpha \| M_i' - M_i \|^2$$

where $WM_i$ is the secret projection matrix, $\mathcal{A}_{i-1}$ is the previous block's activation, and $\alpha$ is a fidelity penalty coefficient.

• Extraction and Verification:
  • At attestation, TEE extracts $B'_i$ and computes the Watermark Extraction Rate (WER):

  $\%WER = 100 \times \frac{|B'_i|}{|B_i|}$ - If $\%WER = 100\%$ for all sampled blocks, the model passes verification for that round.

• Sampling and Attestation Overhead:

  • Instead of verifying all blocks, AttestLLM samples $k$ out of $L$ blocks per round, pipelining secure memory copy, watermark extraction, and checking to minimize overhead.
  • An early-exit mechanism aborts inference instantly if a block verification fails.

4. Trusted Execution Environment (TEE) Optimization

AttestLLM's use of TEE includes:

• Secure Enclave Operations:
  • The TEE isolates watermark keys and blocks, controlling all access and verification procedures.
  • Hypervisor-enabled virtualization ensures only trusted code can transition into TEE.
• Efficient Attestation:
  • Memory-efficient dynamic sampling coupled with memory-layout randomization (MLR) thwarts brute-force attacks.
  • Control-flow attestation (CFA) enforces strict execution paths in the REE.
• Security Guarantees:
  • Probability of adversarial evasion (tampering $t$ out of $L$ blocks, $k$ sampled per round, $r$ rounds):

  $$P_{\text{evasion}} = \left( \frac{\binom{L-t}{k}}{\binom{L}{k}} \right)^{r}$$ - The probability decreases exponentially with $k$ and $r$, enabling statistical control over robustness.

5. Empirical Evaluation

AttestLLM was evaluated on INT4/INT8 quantized LLMs (Llama, Qwen, Phi):

• Watermark Extraction: Achieved 100% WER for authorized models.
• Model Fidelity: Perplexity (PPL) and zero-shot accuracy dropped by less than 1% relative to non-watermarked baselines; negligible effect on standard benchmarks.
• Operational Efficiency: Latency overhead reduced by at least 12.5×, energy overhead by at least 9.5×, relative to existing baseline attestation and inference shielding approaches.
• Resilience to Attack: AttestLLM effectively detected model replacement and forgery. Without knowledge of secret projection matrices and trigger data (TEE-secured), adversarial model replacement was infeasible.

6. Security and IP Protection Measures

• Model Legitimacy Enforcement: Only authorized, correctly watermarked LLMs are permitted by the TEE to execute.
• Resistance to Model Replacement and Forgery: The required signatures are tightly bound to each block’s parameters and secret validation assets; unauthorized models cannot forge correct watermarks.
• Memory- and Runtime-level Safeguards: Memory-layout randomization and control-flow attestation further harden against attacks. The protocol’s cumulative statistical safeguards ensure adversary detection with arbitrarily high probability set by system parameters.

7. Significance and Implications

AttestLLM addresses critical challenges in on-device LLM deployment:

• It provides a scalable, low-overhead, and robust solution for attestation across billion-scale models, maintaining model performance and responsiveness.
• The framework robustly enforces vendor IP protection in consumer devices, securing model execution at hardware granularity.
• These capabilities support the safe adoption of privacy-preserving, responsive, and locally-deployed LLM applications, as exemplified by Apple on-device Intelligence and similar initiatives.

In summary, AttestLLM integrates digital watermarking, dynamic attestation, and hardware-assisted security to efficiently and reliably enforce model legitimacy for on-device LLMs at billion-parameter scale. This approach advances the state-of-the-art for computational IP protection, secure deployment, and trustworthy AI governance on consumer devices.