Oblivionis: LLM Forgetting & Cryptographic Obliviousness
- Oblivionis is a concept defining controlled suppression of specific content, targeting verbatim memorization in LLMs and hiding access patterns in cryptographic protocols.
- In large language models, techniques like Obliviate fine-tune post-training to reduce exact sequence reproduction while maintaining semantic understanding.
- In cryptography, oblivionis underpins protocols such as ORAM and oblivious transfer, ensuring privacy by concealing memory access and transfer details.
to=arxiv_search.search ,超碰്യമീറ്റർ ฝ่ายขายข่าว नहीं exist code? to=arxiv_search.search 重庆时时彩彩്യം 天天中彩票网? to=arxiv_search.search ฝ่ายขายรายการjson {"query":"id:(Russinovich et al., 20 Feb 2025) OR id:(Stefanov et al., 2012) OR id:(Souto et al., 2014) OR id:(Barreto et al., 2017) OR id:(Fernàndez-València, 2019) OR id:(Kundu et al., 2020)","max_results":10} to=arxiv_search 大发快三是国家json {"query":"(Russinovich et al., 20 Feb 2025, Stefanov et al., 2012, Souto et al., 2014, Barreto et al., 2017, Fernàndez-València, 2019, Kundu et al., 2020)","max_results":10} to=tool.arxiv_search 彩票开号json {"query":"(Russinovich et al., 20 Feb 2025)","max_results":5} Oblivionis is not a single standardized technical term. In the cited literature, it denotes either the capability of oblivion or forgetting very specific text within a LLM, or the cryptographic notion of being oblivious in primitives such as Oblivious RAM and oblivious transfer. This suggests a shared high-level theme—controlled limitation of what can be reproduced, inferred, or linked—implemented through materially different mechanisms in post-training unmemorization, access-pattern hiding, and two-party cryptographic protocol design (Russinovich et al., 20 Feb 2025, Stefanov et al., 2012, Souto et al., 2014, Barreto et al., 2017, Fernàndez-València, 2019, Kundu et al., 2020).
1. Terminological scope and disciplinary usage
In the large-language-model setting, Oblivionis is explicitly associated with selective forgetting: the capability of oblivion or forgetting very specific text within a model. The motivating distinction is between semantic memorization, which lets models “know” what a work or topic is about, and verbatim memorization, in which the model can reproduce specific sequences nearly exactly when prompted with part of the text. The relevant objective is not total erasure of knowledge, but suppression of exact sequence reproduction while preserving semantic understanding and downstream task performance (Russinovich et al., 20 Feb 2025).
In cryptography, by contrast, the term is read as oblivious. In Oblivious RAM, the client uses remote storage while hiding its memory access pattern, so that the physical locations accessed and their order reveal no information about which logical data item is accessed, how recent it is, whether two accesses touch the same item, whether the pattern is sequential or random, or whether each operation is a read or a write (Stefanov et al., 2012). In oblivious transfer, the sender transfers information in such a way that the sender remains oblivious to whether, or what, the receiver has learned; the literature cited here covers Rabin-style quantum OT, adaptively secure UC OT in the ROM, genus-2 supersingular isogeny OT, and device-independent XOR OT (Souto et al., 2014, Barreto et al., 2017, Fernàndez-València, 2019, Kundu et al., 2020).
The term therefore has domain-specific semantics. In machine learning it targets controlled forgetting of surface form; in cryptography it targets controlled ignorance of access patterns, choices, or transfer outcomes.
2. Controlled forgetting in LLMs
The formulation in "Obliviate: Efficient Unmemorization for Protecting Intellectual Property in LLMs" centers on verbatim memorization. For a token sequence , the model is defined to be -memorized if some prefix of length allows the model to generate the rest with high probability:
Operationally, the paper works with greedy decoding and measures the longest exact continuation:
This formalization isolates the copyright-relevant regime in which a deployed LLM can reproduce long exact excerpts rather than merely retain concepts, facts, or styles (Russinovich et al., 20 Feb 2025).
Obliviate is a post-training unmemorization technique. It scans a memorized passage with a stride , marks every -th token as a target token, excludes special tokens such as “start of text” and “end of text,” and excludes tokens whose predicted probability is already 100%. For each target token, it operates on the top-10 logits and minimizes a KL divergence between the original next-token distribution and a modified distribution with the target token removed:
For non-target tokens it applies a maintain (consistency) loss, again using KL divergence, between the original model and the modified model. The combined objective is written as
with 0 weighting the forget loss on target tokens and 1 weighting the maintain loss on non-target tokens. Fine-tuning is done post-training, starting from a pretrained checkpoint, with top-k = 10 in most experiments and early stopping once target token probabilities have fallen sufficiently (Russinovich et al., 20 Feb 2025).
The evaluation covers four open-source LLMs—LLaMA-3.1 8B, LLaMA-3.1-Instruct 8B, Qwen-2.5 7B, and Yi-1.5 6B—on a synthetic memorization benchmark and on organic copyrighted excerpts including Harry Potter and the Philosopher’s Stone, Moby Dick, Frankenstein, Adventures of Huckleberry Finn, Alice in Wonderland, Sherlock Holmes, A Tale of Two Cities, Treasure Island, Les Misérables, and Great Expectations. Memorization is measured with Longest Common Subsequence (LCS), Edit Distance (ED), and ROUGE-2 under varying prefix offsets, prefix lengths, greedy decoding, and sampling at temperature 0.6 (Russinovich et al., 20 Feb 2025).
The reported effect is highly localized suppression of verbatim recall. On synthetic articles, before Obliviate the “Memorized” models have LCS ~360+ words and ED ~5–6 words difference; after Obliviate with stride = 5, top-10 KL, early stopping, LCS drops to ~4–5 words and ED rises to >60 words. On organic copyrighted text, post-Obliviate LCS is reduced to ~2–5 words. Across all models and both synthetic and organic settings, downstream benchmark differences on HellaSwag, MMLU, TruthfulQA, and Winogrande are within ~1%, and some scores improve slightly. The scope, however, is explicit: Obliviate removes verbatim memorization, not semantic knowledge, and the threat model is non-adversarial rather than jailbreak-centric (Russinovich et al., 20 Feb 2025).
3. Oblivious access and Path ORAM
In "Path ORAM: An Extremely Simple Oblivious RAM Protocol," oblivionis refers to obliviousness of access patterns rather than forgetting. ORAM is a cryptographic primitive that lets a trusted client use untrusted remote storage while hiding the memory access pattern. The adopted security definition requires that for any two logical request sequences 2 and 3 of the same length, their physical access patterns 4 and 5 are computationally indistinguishable, and that the ORAM is correct with probability at least 6 (Stefanov et al., 2012).
Path ORAM is a tree-based ORAM in which every access is a read and write of a single root-to-leaf path in a complete binary tree stored on the server. Each node is a bucket of capacity 7, padded with dummy blocks when necessary; the client stores a position map and a stash. The main invariant is that each logical block is mapped to a uniformly random leaf, and any unstashed copy of the block must reside in a bucket along the path from the root to that mapped leaf. The access protocol remaps the addressed block to a fresh random leaf, reads the entire old path into the stash, updates the block, and greedily writes eligible blocks back down the path while padding with dummies and re-encrypting (Stefanov et al., 2012).
The asymptotic claim is that Path ORAM has 8 bandwidth cost for blocks of size 9 bits. In the non-recursive scheme each access reads and writes one path of 0 buckets, each of size 1, for total bandwidth 2 blocks per logical access. Recursion stores the position map itself in smaller ORAMs; with non-uniform block sizes the main result yields client storage 3 blocks, bandwidth 4 blocks per logical access, and failure probability 5 (Stefanov et al., 2012).
Correctness depends on bounding stash overflow. For bucket size 6, the paper proves
7
so overflow probability decays exponentially in the stash size 8. The construction is also statistically oblivious at the access-pattern level, modulo encryption, because each revealed leaf label is a fresh independent uniform element in 9 and every access has the same physical shape: a single encrypted path (Stefanov et al., 2012).
This use of oblivionis is structurally different from LLM unmemorization. The objective is not to alter stored semantic content, but to make observation of physical access sequences uninformative.
4. Oblivious transfer as controlled ignorance
In the OT literature cited here, oblivionis denotes the sender’s or receiver’s enforced ignorance under a prescribed transfer functionality. The variants include Rabin OT, 1-out-of-2 OT, 1-out-of-0 OT, and XOR oblivious transfer. The common property is that one party learns exactly what the functionality allows, and remains oblivious to everything else (Souto et al., 2014, Barreto et al., 2017, Kundu et al., 2020).
The quantum protocol in "Oblivious transfer based on quantum state computational distinguishability" implements Rabin-style OT of a single classical message. Alice encodes a classical message 1 into a tensor product of states 2 and 3 indexed by a secret permutation 4, sends the quantum state and a classical hash 5, and later participates in a randomized opening phase in which Bob reconstructs the correct trapdoor with probability 6 and a wrong one otherwise. The correctness theorem states: Bob cannot infer 7 before the opening phase except with negligible probability; Bob receives 8 with probability
9
where 0 is negligible; and Alice remains oblivious to the fact that Bob received the message. The security assumption is the quantum hardness of QSCD1, i.e. computational indistinguishability of 2 and 3 for any QPT adversary (Souto et al., 2014).
A different line appears in "A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM." That work constructs a round-optimal (2 rounds) universally composable (UC) protocol secure against active adaptive adversaries in the Random Oracle Model. The protocol is built generically from a public-key encryption scheme satisfying OW-CPA security, Property 2.2 and Property 2.3. Operationally it requires only the generation of a public/secret-key pair, two encryption operations and one decryption operation, plus a few random oracle calls; communication requires one public-key, two ciphertexts, and three binary strings of roughly the same size as the message. The framework is instantiated under low noise LPN, McEliece, QC-MDPC, LWE, and CDH assumptions, and the main theorems state UC realization of 4 against static and adaptive adversaries in the 5-hybrid model (Barreto et al., 2017).
These OT constructions make the cryptographic meaning of oblivionis precise: it is not forgetting, but a provable asymmetry of knowledge enforced by hardness assumptions, simulation arguments, and, in the quantum case, trapdoor-only distinguishability.
5. Specialized OT realizations: isogenies and device independence
"Genus 2 Supersingular Isogeny Oblivious Transfer" extends supersingular elliptic-curve isogeny OT to principally polarized supersingular abelian surfaces. The protocol, denoted 2-SIOT, is a two-message (two rounds) 1-out-of-2 OT in which Alice holds 6 and Bob holds a choice bit 7. The setup fixes a prime
8
a supersingular genus-2 curve obtained from 9, bases for 0 and 1, and SIDH-like isogenies 2 and 3. Bob encodes his choice via hidden shifts 4 in
5
Alice computes two candidate shared secrets 6 and 7 from two candidate kernels, encrypts 8 and 9 under those secrets, and Bob can decrypt only 0. The security discussion relies on CSSI, SSCDH, and a decisional Diffie–Hellman type hardness in Weil pairings on torsion subgroups. The paper is explicit that the protocol is implementable, but too slow to be practical, and that the analysis of the situation preventing possible decryptions from a malicious receiver remains open (Fernàndez-València, 2019).
"A device-independent protocol for XOR oblivious transfer" treats oblivionis as device-independent oblivious transfer. In XOR oblivious transfer (XOT), Alice outputs two uniformly random bits 1, Bob outputs a uniformly random trit 2 and a bit 3, where 4. The protocol is built from the Mermin–Peres magic square game and uses test branches plus classical fallback subprotocols. In the fully device-independent protocol, if either party calls a test and the test passes, the continuation is a classical XOT subroutine; if no test is called, the parties run a magic-square-based XOT subprotocol. For parameters 5, the numerical bounds are
6
and analytically, for any 7, there exists some 8 such that
9
The proof uses rigidity of near-optimal magic square strategies under local isometries and SDP relaxations based on the NPA hierarchy (Kundu et al., 2020).
These specialized realizations show that the cryptographic meaning of oblivionis is not tied to one algebraic substrate. It appears in symmetric-group trapdoor states, public-key frameworks in the ROM, supersingular genus-2 Jacobians, and black-box nonlocal quantum devices.
6. Common structure, distinctions, and limitations
A common misconception would be to collapse these usages into a single mechanism. The cited works do not do so. In the LLM setting, the goal is fine-grained control over exact sequence reproduction while preserving semantic understanding and downstream utility; the method is explicitly weaker than full unlearning and is designed for verbatim memorization, not semantic removal (Russinovich et al., 20 Feb 2025). In ORAM, the goal is indistinguishability of physical access patterns for logical request sequences of the same length; timing channels are not considered in the main security definition (Stefanov et al., 2012). In OT, the goal is knowledge asymmetry: sender privacy, receiver privacy, probabilistic transfer, adaptive composability, or device-independent soundness, depending on the model (Souto et al., 2014, Barreto et al., 2017, Kundu et al., 2020).
The limitations are likewise domain-specific. Obliviate does not prevent semantic extraction, and the threat model is non-adversarial; carefully constructed prompts may still elicit paraphrases or partial sequences, and scaling to thousands or millions of sequences may raise computational cost and interaction effects (Russinovich et al., 20 Feb 2025). Path ORAM achieves strong asymptotics and practical simplicity, but the optimal bandwidth with small client storage requires block size 0 bits, recursive position maps increase latency, and side channels beyond access patterns require additional mechanisms (Stefanov et al., 2012). Quantum OT remains computational rather than unconditional because fully secure quantum OT is impossible; the cited protocol relies on the presumed hardness of QSCD1 (Souto et al., 2014). The UC OT framework is in the ROM, not the standard model (Barreto et al., 2017). The genus-2 isogeny OT is currently too slow to be practical and leaves part of the malicious-receiver analysis open (Fernàndez-València, 2019). Device-independent XOT proves non-trivial security, but the paper works with operational cheating probabilities rather than full composable security (Kundu et al., 2020).
Taken together, these works suggest that Oblivionis is best understood as a family resemblance rather than a single object. In one branch it is selective induced oblivion of exact text inside LLMs; in the other it is obliviousness as a cryptographic design principle, ensuring that memory traces, access trajectories, receiver choices, or transfer outcomes remain hidden except where disclosure is explicitly authorized by the functionality.