
DistilLock: Secure Edge Distillation

Updated 26 October 2025
  • DistilLock is a TEE-assisted framework enabling privacy-preserving knowledge distillation on edge devices, protecting sensitive data and proprietary model details.
  • It employs secure enclaves, model obfuscation via permutation matrices, and controlled output mechanisms to mitigate IP leakage and unauthorized extraction.
  • The framework achieves efficient on-device fine-tuning with minimal TEE overhead while protecting both user privacy and the model owner's IP.

DistilLock is a Trusted Execution Environment (TEE)-assisted framework designed to enable privacy-preserving knowledge distillation for LLMs on edge devices, targeting the dual challenges of safeguarding sensitive user data and protecting proprietary model intellectual property (IP) during on-device fine-tuning. This framework leverages secure enclaves and model obfuscation techniques to ensure that model internals remain inaccessible while allowing efficient, authorized distillation, thereby mitigating model-stealing and unauthorized distillation attacks while maintaining high computational throughput (Mohanty et al., 19 Oct 2025).

1. Privacy and IP Concerns in Edge-based Distillation

DistilLock addresses a fundamental tension in edge-based fine-tuning: local model adaptation on private data requires the model to run where the data is, but running a proprietary foundation model on hardware the model owner does not control exposes it. Conventional cloud-centric fine-tuning workflows force data owners to upload sensitive datasets to external infrastructure, with the attendant privacy risks. Conversely, edge-based distillation demands that the model owner transfer (and execute) a valuable model on third-party hardware, which drastically increases the potential for IP leakage, reverse engineering, and unauthorized knowledge extraction.

DistilLock is engineered to resolve this dilemma by securely executing the teacher model in a hardware-protected TEE enclave on the data owner’s device. The model becomes a “black-box teacher,” never revealing internal weights or architecture details outside the enclave, while the student model learns from its outputs in a controlled, auditable manner.

2. TEE-based Secure Technical Architecture

The backbone of DistilLock is a TEE enclave, concretely instantiated using platforms such as Intel SGX. The teacher LLM is loaded exclusively inside the enclave, where all inference operations and input/output management are guarded and verified. Key architectural elements include:

  • Input Transformation: User inputs are encrypted using a combination of one-time pads and permutation matrices before entering the enclave, enforcing that only legitimate queries yield proper responses.
  • Obfuscated Computation Offloading: For computational efficiency, most heavy-lifting (e.g., matrix multiplications) is performed on untrusted accelerators (GPUs), but only over obfuscated model weights. The original weights remain concealed except within the enclave.
  • Controlled Output Access: All teacher logits exposed for student distillation are generated inside the TEE, with strict validation protocols. Unauthorized queries or attempts to extract non-permitted outputs result in random or unusable responses.

This architecture ensures that the proprietary teacher model’s internals can neither be inspected nor reverse-engineered from the outside, while legitimate, authorized distillation maintains full fidelity and utility.

3. Knowledge Distillation under Security Constraints

DistilLock implements standard knowledge distillation, training a student model to imitate the soft (temperature-scaled) output distributions of the teacher model within the enclave. The distillation objective is

$$\mathcal{L}_{\mathrm{KD}} = \alpha \cdot \mathcal{L}_{\mathrm{CE}}(y, q_S) + \beta \cdot \mathcal{L}_{\mathrm{KL}}\big(q_T^{(\tau)}, q_S^{(\tau)}\big),$$

where $y$ denotes the ground-truth labels, $q_S$ and $q_T$ are the student's and teacher's output distributions (the softmax of their logits), $q^{(\tau)}$ is the same distribution softened at temperature $\tau$, $\mathcal{L}_{\mathrm{CE}}$ is cross-entropy, $\mathcal{L}_{\mathrm{KL}}$ is the Kullback–Leibler divergence, and $\alpha$, $\beta$ weight the two terms.

The key innovation is that the teacher model's softened outputs $q_T^{(\tau)}$ are only accessible via authorized TEE-mediated requests, and are computed on obfuscated weights, preventing any introspection into the teacher model's implementation or parameters. Unauthorized (outside-TEE) distillation simply fails: the teacher returns randomized logits, rendering the distillation process ineffective.
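The objective above, carried through on a toy problem as an added example (this is my code, not the paper's): a temperature-scaled softmax, the CE and KL terms of $\mathcal{L}_{\mathrm{KD}}$, their analytic gradient with respect to the student logits (checked against finite differences), and a linear student distilled by gradient descent from two teacher oracles, an authorized one that returns the true logits and an unauthorized one that returns randomized logits, which is the behaviour the text describes for non-permitted queries. The constructed data, the linear teacher, and the choices $\alpha = \beta = 0.5$, $\tau = 2$ are assumptions for the demo; the enclave itself is represented only by the oracle callable.

```python
import numpy as np

def softmax(z, tau=1.0):
    """Temperature-scaled softmax over the last axis: q^(tau) = softmax(z / tau)."""
    z = np.asarray(z, dtype=float) / tau
    z = z - z.max(axis=-1, keepdims=True)          # shift for numerical stability
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)

def cross_entropy(y, z_s):
    """L_CE(y, q_S): mean negative log-likelihood of the hard labels under the student."""
    p = softmax(z_s)
    return float(-np.mean(np.log(p[np.arange(len(y)), y])))

def kl_divergence(q_t, q_s):
    """L_KL(q_T || q_S), averaged over the batch."""
    return float(np.mean(np.sum(q_t * (np.log(q_t) - np.log(q_s)), axis=-1)))

def kd_loss(y, z_s, z_t, alpha=0.5, beta=0.5, tau=2.0):
    """alpha * CE(y, q_S) + beta * KL(q_T^(tau) || q_S^(tau)) on student/teacher logits."""
    return alpha * cross_entropy(y, z_s) + beta * kl_divergence(softmax(z_t, tau), softmax(z_s, tau))

def kd_grad_logits(y, z_s, z_t, alpha=0.5, beta=0.5, tau=2.0):
    """d L_KD / d z_S: alpha*(q_S - onehot(y)) + beta*(q_S^(tau) - q_T^(tau))/tau, batch-averaged."""
    n = len(y)
    onehot = np.zeros_like(z_s, dtype=float)
    onehot[np.arange(n), y] = 1.0
    g_ce = (softmax(z_s) - onehot) / n
    g_kl = (softmax(z_s, tau) - softmax(z_t, tau)) / (tau * n)
    return alpha * g_ce + beta * g_kl

def numerical_grad_logits(y, z_s, z_t, eps=1e-5, **kw):
    """Central-difference gradient of kd_loss w.r.t. the student logits (for checking)."""
    z_s = np.asarray(z_s, dtype=float)
    g = np.zeros_like(z_s)
    for idx in np.ndindex(z_s.shape):
        zp, zm = z_s.copy(), z_s.copy()
        zp[idx] += eps
        zm[idx] -= eps
        g[idx] = (kd_loss(y, zp, z_t, **kw) - kd_loss(y, zm, z_t, **kw)) / (2 * eps)
    return g

def gradient_check(seed=1, n=4, n_classes=3):
    """Max |analytic - numerical| over a small random batch; should be ~1e-9."""
    rng = np.random.default_rng(seed)
    z_s = rng.normal(size=(n, n_classes))
    z_t = rng.normal(size=(n, n_classes))
    y = rng.integers(0, n_classes, size=n)
    kw = dict(alpha=0.3, beta=0.7, tau=3.0)
    return float(np.max(np.abs(kd_grad_logits(y, z_s, z_t, **kw) - numerical_grad_logits(y, z_s, z_t, **kw))))

def distill(teacher, X, y, n_classes, steps=500, lr=0.05, **kw):
    """Train a linear student z_S = X W_S against `teacher(X)` (the only view of the teacher)."""
    W_s = np.zeros((X.shape[1], n_classes))
    losses = []
    for _ in range(steps):
        z_s = X @ W_s
        z_t = teacher(X)                          # TEE-mediated query: logits only
        losses.append(kd_loss(y, z_s, z_t, **kw))
        W_s -= lr * X.T @ kd_grad_logits(y, z_s, z_t, **kw)
    return W_s, losses

def make_example(seed=0, n=64, d=5, n_classes=3):
    """Constructed data: a random linear teacher labels random inputs (assumption for the demo)."""
    rng = np.random.default_rng(seed)
    X = rng.normal(size=(n, d))
    W_t = 2.0 * rng.normal(size=(d, n_classes))
    y = np.argmax(X @ W_t, axis=1)
    return rng, X, W_t, y

def compare_oracles(seed=0, tau=2.0):
    """Authorized oracle returns true logits; unauthorized one returns random logits per query."""
    rng, X, W_t, y = make_example(seed)
    C = W_t.shape[1]
    authorized = lambda X_: X_ @ W_t
    unauthorized = lambda X_: rng.normal(size=(X_.shape[0], C))
    W_auth, l_auth = distill(authorized, X, y, C, tau=tau)
    W_unauth, _ = distill(unauthorized, X, y, C, tau=tau)
    q_t = softmax(X @ W_t, tau)                   # what the student was supposed to learn
    return {"loss_first_auth": l_auth[0], "loss_last_auth": l_auth[-1],
            "kl_auth": kl_divergence(q_t, softmax(X @ W_auth, tau)),
            "kl_unauth": kl_divergence(q_t, softmax(X @ W_unauth, tau))}
```

Running `compare_oracles()` shows the authorized student's KL to the teacher's soft targets shrinking steadily while the student fed randomized logits stays far from them. Note that the only teacher-derived quantity the update needs is $q_T^{(\tau)}$, which is exactly what an authorized request returns and all that the enclave has to expose.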

4. Model Obfuscation via Permutation Matrices

DistilLock employs a systematic obfuscation strategy for model parameters before offloading them to accelerators:

  • Permutation of Weight Matrices: Each major matrix (e.g., $W_{emb}$ for embeddings; $W_q$, $W_k$, $W_v$, $W_o$ for the transformer layers) is transformed with a random permutation matrix $\pi$:
    • $W_{emb}' = \pi_{emb}^T W_{emb}$
    • $W_q' = \pi^T W_q$
    • and analogous forms for the other layers.
  • Obfuscation Security: Even an adversary who obtains the offloaded weights must guess the correct permutation, which succeeds with probability $1/d!$ for a $d$-dimensional axis, making brute-force recovery computationally infeasible. This bound counts only exhaustive search over permutations; attacks that do not need the permutation, such as side-channel analysis or surrogate training, are discussed separately under limitations.
  • TEE Decoding: Authorized TEE computations internally decode and operate on the permuted weights using the known permutation, restoring correct semantics only for legitimate requests.

This mechanism robustly defends against white-box model-stealing and IP leakage, with negligible computational overhead.
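The offloading scheme of sections 2 and 4 applied to a single linear layer, as an added example (my code, not the paper's): the enclave keeps the permutation $\pi$ (here a 0/1 matrix `P`), offloads only $W' = P^T W$, permutes the input inside the TEE, and lets the untrusted side compute $(xP)\,W' = x P P^T W = xW$. An attacker holding $W'$ without $P$ computes $xW'$, which is wrong, and guessing $P$ costs $\log_2 d!$ bits of search. The one-time-pad part of the input transformation and the per-layer bookkeeping of a real transformer are omitted; the layer sizes and inputs are constructed for the demo.

```python
import math
import numpy as np

def permutation_matrix(perm):
    """0/1 matrix P with P[i, perm[i]] = 1, so (x @ P)[perm[i]] == x[i]."""
    perm = np.asarray(perm)
    d = len(perm)
    P = np.zeros((d, d))
    P[np.arange(d), perm] = 1.0
    return P

def obfuscate(W, P):
    """W' = P^T W (the page's W_q' = pi^T W_q): rows of W reordered.
    Only W' is handed to the untrusted accelerator; W and P stay in the enclave."""
    return P.T @ np.asarray(W, dtype=float)

def enclave_prepare_input(x, P):
    """Inside the TEE: permute the hidden axis of the activations to line up with W'.
    O(d) per vector, versus the O(d * d_out) matmul that is offloaded."""
    return np.asarray(x, dtype=float) @ P

def untrusted_matmul(x_prime, W_prime):
    """On the untrusted accelerator: sees only permuted activations and permuted weights."""
    return x_prime @ W_prime

def authorized_forward(x, W_prime, P):
    """x P P^T W == x W because P P^T = I for any permutation matrix."""
    return untrusted_matmul(enclave_prepare_input(x, P), W_prime)

def unauthorized_forward(x, W_prime):
    """Attacker who copied W' but lacks P: x W' = x P^T W, wrong unless P = I."""
    return np.asarray(x, dtype=float) @ W_prime

def guess_permutation_bits(d):
    """log2(d!): size of the search space for the permutation of a d-wide axis
    (each guess succeeds with probability 1/d!)."""
    return math.lgamma(d + 1) / math.log(2)

def demo(seed=0, d_in=8, d_out=4, n=3):
    """Random layer (constructed): authorized path matches plain x @ W, attacker path does not."""
    rng = np.random.default_rng(seed)
    W = rng.normal(size=(d_in, d_out))
    x = rng.normal(size=(n, d_in))
    P = permutation_matrix(rng.permutation(d_in))
    W_prime = obfuscate(W, P)
    authorized_ok = bool(np.allclose(authorized_forward(x, W_prime, P), x @ W))
    attacker_ok = bool(np.allclose(unauthorized_forward(x, W_prime), x @ W))
    return authorized_ok, attacker_ok, guess_permutation_bits(d_in)
```

The same identity holds for $W_q$, $W_k$ and $W_v$ when the hidden axis of their input is permuted consistently, which is why one $\pi$ per layer suffices. The split is the point of the design: the enclave's share is the cheap permutation of activations, the accelerator's share is the matmul over operands it cannot interpret, and that is the kind of division behind the small in-TEE FLOP share reported in section 6. For a 4096-wide hidden axis `guess_permutation_bits(4096)` is over 40,000 bits, so exhaustive search is not the adversary's route; the caveat in section 4 about structural attacks still applies.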

5. Integrated Security Measures and Attack Mitigation

DistilLock incorporates multiple layers of security:

  • TEE Authorization Enforcement: Only authenticated, permutation-aligned queries are serviced by the teacher model in the enclave, blocking unauthorized access.
  • Model Output Randomization: Unauthorized attempts to extract teacher outputs result in random logits, making surrogate distillation infeasible.
  • Obfuscated Weight Exposure: Offloaded weights (for performance) provide no usable signal to attackers due to permutation scrambling.
  • Security Evaluation: Empirical tests show that surrogate attackers, even with access to the offloaded weights, fail to recover effective student models; the surrogate accuracy they reach under DistilLock is consistently lower than under alternative protections (e.g., ShadowNet, DarkneTZ).

The system effectively downgrades adversaries from white-box to black-box threat models and offers strong guarantees against unauthorized model extraction.

6. Efficiency and Performance Evaluation

DistilLock achieves its security objectives with minimal computational burden:

  • Low TEE Overhead: Less than 1.2% of total model FLOPs must be executed inside the TEE; the majority of computation is safely offloaded.
  • Distillation Utility: Student models fine-tuned via authorized DistilLock distillation consistently improve on benchmark tasks (e.g., HellaSwag, CommonsenseQA) when distilled from models like LLaMA3.1-8B or Qwen2-1.5B.
  • Resistance to Unauthorized Distillation: When attackers attempt knowledge distillation outside authorization, student performance collapses due to randomized outputs.

This efficiency supports practical deployment for edge-based LLM personalization in resource-constrained environments.

7. Limitations and Future Research Directions

DistilLock currently depends on specific TEE implementations (demonstrated with Intel SGX), which may restrict portability to other TEE technologies such as ARM TrustZone or nascent GPU-based TEEs. Further, while permutation-based obfuscation provides strong security under present threat models, adversaries employing advanced side-channel analysis or novel surrogate training may challenge its guarantees. This suggests that future research may need to explore enhanced obfuscation, broader hardware compatibility, and defenses against new attack vectors. Extending the paradigm to more aggressive or complex distillation protocols is also a possible line of inquiry.

DistilLock establishes a principled and effective solution for privacy-preserving, secure on-device knowledge distillation, balancing high efficiency with robust protections for both user privacy and proprietary model IP in edge-based LLM fine-tuning.
