Large Language Models (LLMs) like GPT-2 have proven invaluable for tasks such as programming, content creation, and text analysis. However, their use raises significant privacy concerns, as user queries are processed by the model owner's servers, risking exposure of sensitive information. In fields like healthcare, finance, and law, this privacy risk is a major barrier to adoption.
One potential solution is on-premise deployment, where the LLM runs on the client's machine. But this approach is costly—training GPT-3 cost an estimated $4.6 million—and risks leaking the model's intellectual property (IP). Zama, a cryptography company, proposes a different approach: Fully Homomorphic Encryption (FHE). FHE allows computations to be performed on encrypted data, enabling the model to process user inputs without ever seeing them in plaintext. This protects both user privacy and the model owner's IP.
Zama's implementation adapts the GPT-2 model from Hugging Face's transformers library, using their Concrete-Python framework to convert parts of the inference pipeline into FHE equivalents. The core idea is to split the model: a client performs local inference up to a certain layer, then encrypts intermediate results and sends them to a server. The server applies attention mechanisms on the encrypted data and returns the encrypted output, which the client decrypts and continues processing.
To make FHE practical, the model must be quantized—weights and activations are converted to integers. Zama found that 4-bit quantization retains 96% of the original model's accuracy, based on tests with around 80 sentences. The quantized attention head is then compiled into FHE using a technique called Programmable Bootstrapping (PBS), which supports non-linear functions on encrypted data.
While FHE introduces computational overhead—PBS operations are slower than linear operations—the hybrid approach limits encryption to only the attention mechanism, keeping the rest of the model on the client side. This balances security and performance, offering a practical path toward privacy-preserving LLMs without sacrificing model quality.