{"id":"https://openalex.org/W4388858191","doi":"https://doi.org/10.1145/3576915.3616652","title":"Stealing the Decoding Algorithms of Language Models","display_name":"Stealing the Decoding Algorithms of Language Models","publication_year":2023,"publication_date":"2023-11-15","ids":{"openalex":"https://openalex.org/W4388858191","doi":"https://doi.org/10.1145/3576915.3616652"},"language":"en","primary_location":{"id":"doi:10.1145/3576915.3616652","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3576915.3616652","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5056428623","display_name":"Ali Naseh","orcid":"https://orcid.org/0009-0009-7423-6538"},"institutions":[{"id":"https://openalex.org/I24603500","display_name":"University of Massachusetts Amherst","ror":"https://ror.org/0072zz521","country_code":"US","type":"education","lineage":["https://openalex.org/I24603500"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ali Naseh","raw_affiliation_strings":["University of Massachusetts Amherst, Amherst, MA, USA"],"raw_orcid":"https://orcid.org/0009-0009-7423-6538","affiliations":[{"raw_affiliation_string":"University of Massachusetts Amherst, Amherst, MA, USA","institution_ids":["https://openalex.org/I24603500"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5078893115","display_name":"Kalpesh Krishna","orcid":"https://orcid.org/0000-0001-6574-0817"},"institutions":[{"id":"https://openalex.org/I24603500","display_name":"University of Massachusetts Amherst","ror":"https://ror.org/0072zz521","country_code":"US","type":"education","lineage":["https://openalex.org/I24603500"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Kalpesh Krishna","raw_affiliation_strings":["University of Massachusetts Amherst, Amherst, MA, USA"],"raw_orcid":"https://orcid.org/0000-0001-6574-0817","affiliations":[{"raw_affiliation_string":"University of Massachusetts Amherst, Amherst, MA, USA","institution_ids":["https://openalex.org/I24603500"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5082767919","display_name":"Mohit Iyyer","orcid":"https://orcid.org/0000-0001-7340-0804"},"institutions":[{"id":"https://openalex.org/I24603500","display_name":"University of Massachusetts Amherst","ror":"https://ror.org/0072zz521","country_code":"US","type":"education","lineage":["https://openalex.org/I24603500"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Mohit Iyyer","raw_affiliation_strings":["University of Massachusetts Amherst, Amherst, MA, USA"],"raw_orcid":"https://orcid.org/0000-0001-7340-0804","affiliations":[{"raw_affiliation_string":"University of Massachusetts Amherst, Amherst, MA, USA","institution_ids":["https://openalex.org/I24603500"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5018588864","display_name":"Amir Houmansadr","orcid":"https://orcid.org/0000-0002-7553-6657"},"institutions":[{"id":"https://openalex.org/I24603500","display_name":"University of Massachusetts Amherst","ror":"https://ror.org/0072zz521","country_code":"US","type":"education","lineage":["https://openalex.org/I24603500"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Amir Houmansadr","raw_affiliation_strings":["University of Massachusetts Amherst, Amherst, MA, USA"],"raw_orcid":"https://orcid.org/0000-0002-7553-6657","affiliations":[{"raw_affiliation_string":"University of Massachusetts Amherst, Amherst, MA, USA","institution_ids":["https://openalex.org/I24603500"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":1,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I24603500"],"apc_list":null,"apc_paid":null,"fwci":2.4196,"has_fulltext":false,"cited_by_count":15,"citation_normalized_percentile":{"value":0.91197078,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1835","last_page":"1849"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9980999827384949,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9980999827384949,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.9975000023841858,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.9969000220298767,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/decoding-methods","display_name":"Decoding methods","score":0.8685637712478638},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7924319505691528},{"id":"https://openalex.org/keywords/algorithm","display_name":"Algorithm","score":0.6179326176643372},{"id":"https://openalex.org/keywords/hyperparameter","display_name":"Hyperparameter","score":0.575478732585907},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.5444108843803406},{"id":"https://openalex.org/keywords/computation","display_name":"Computation","score":0.5145780444145203},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.510534405708313},{"id":"https://openalex.org/keywords/list-decoding","display_name":"List decoding","score":0.5049474835395813},{"id":"https://openalex.org/keywords/adversary-model","display_name":"Adversary model","score":0.49823999404907227},{"id":"https://openalex.org/keywords/sequential-decoding","display_name":"Sequential decoding","score":0.49631649255752563},{"id":"https://openalex.org/keywords/language-model","display_name":"Language model","score":0.4678885042667389},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.4149986505508423},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.24821996688842773},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.10932239890098572},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.09221470355987549}],"concepts":[{"id":"https://openalex.org/C57273362","wikidata":"https://www.wikidata.org/wiki/Q576722","display_name":"Decoding methods","level":2,"score":0.8685637712478638},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7924319505691528},{"id":"https://openalex.org/C11413529","wikidata":"https://www.wikidata.org/wiki/Q8366","display_name":"Algorithm","level":1,"score":0.6179326176643372},{"id":"https://openalex.org/C8642999","wikidata":"https://www.wikidata.org/wiki/Q4171168","display_name":"Hyperparameter","level":2,"score":0.575478732585907},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.5444108843803406},{"id":"https://openalex.org/C45374587","wikidata":"https://www.wikidata.org/wiki/Q12525525","display_name":"Computation","level":2,"score":0.5145780444145203},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.510534405708313},{"id":"https://openalex.org/C204397858","wikidata":"https://www.wikidata.org/wiki/Q4437907","display_name":"List decoding","level":5,"score":0.5049474835395813},{"id":"https://openalex.org/C7606001","wikidata":"https://www.wikidata.org/wiki/Q4686702","display_name":"Adversary model","level":3,"score":0.49823999404907227},{"id":"https://openalex.org/C193969084","wikidata":"https://www.wikidata.org/wiki/Q7452500","display_name":"Sequential decoding","level":4,"score":0.49631649255752563},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.4678885042667389},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.4149986505508423},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.24821996688842773},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.10932239890098572},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.09221470355987549},{"id":"https://openalex.org/C78944582","wikidata":"https://www.wikidata.org/wiki/Q5158264","display_name":"Concatenated error correction code","level":4,"score":0.0},{"id":"https://openalex.org/C157125643","wikidata":"https://www.wikidata.org/wiki/Q884707","display_name":"Block code","level":3,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3576915.3616652","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3576915.3616652","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1802365980","display_name":"Collaborative Research: SaTC: CORE: Medium: Towards Secure Federated Learning","funder_award_id":"2131910","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":30,"referenced_works":["https://openalex.org/W1965555277","https://openalex.org/W2051267297","https://openalex.org/W2535690855","https://openalex.org/W2734443755","https://openalex.org/W2747329762","https://openalex.org/W2803267010","https://openalex.org/W2962788902","https://openalex.org/W2963283805","https://openalex.org/W2963303354","https://openalex.org/W2963466651","https://openalex.org/W2963560987","https://openalex.org/W2963844355","https://openalex.org/W2963929190","https://openalex.org/W2981852735","https://openalex.org/W3035050380","https://openalex.org/W3099729825","https://openalex.org/W3196832521","https://openalex.org/W3206880386","https://openalex.org/W3210951978","https://openalex.org/W3212136196","https://openalex.org/W3212496002","https://openalex.org/W3213508244","https://openalex.org/W4255375128","https://openalex.org/W4255825300","https://openalex.org/W4287332927","https://openalex.org/W4288076474","https://openalex.org/W4288089799","https://openalex.org/W4378908626","https://openalex.org/W4385572722","https://openalex.org/W4388858191"],"related_works":["https://openalex.org/W1599365967","https://openalex.org/W4205451769","https://openalex.org/W4391272432","https://openalex.org/W2052976169","https://openalex.org/W3102491039","https://openalex.org/W2028976748","https://openalex.org/W3017203753","https://openalex.org/W2089275957","https://openalex.org/W2348545647","https://openalex.org/W2385322349"],"abstract_inverted_index":{"A":[0],"key":[1],"component":[2],"of":[3,16,37,65,103,133,152],"generating":[4],"text":[5,25,121],"from":[6,26],"modern":[7],"language":[8],"models":[9],"(LM)":[10],"is":[11,114],"the":[12,27,33,61,84,99,131,149],"selection":[13],"and":[14,42,51,53,63,101,127,146],"tuning":[15,43],"decoding":[17,40,67,105],"algorithms.":[18],"These":[19],"algorithms":[20,68,106],"determine":[21],"how":[22],"to":[23,71,75,94],"generate":[24],"internal":[28],"probability":[29],"distribution":[30],"generated":[31],"by":[32],"LM.":[34],"The":[35],"process":[36],"choosing":[38],"a":[39,139],"algorithm":[41],"its":[44,104],"hyperparameters":[45,64,102],"takes":[46],"significant":[47],"time,":[48,86],"manual":[49],"effort,":[50],"computation,":[52],"it":[54],"also":[55],"requires":[56],"extensive":[57],"human":[58],"evaluation.":[59],"Therefore,":[60],"identity":[62],"such":[66,135],"are":[69],"considered":[70],"be":[72],"extremely":[73],"valuable":[74],"their":[76],"owners.":[77],"In":[78],"this":[79],"work,":[80],"we":[81],"show,":[82],"for":[83,148],"first":[85],"that":[87],"an":[88,95],"adversary":[89],"with":[90,137],"typical":[91],"API":[92],"access":[93],"LM":[96],"can":[97],"steal":[98],"type":[100],"at":[107],"very":[108],"low":[109],"monetary":[110],"costs.":[111],"Our":[112],"attack":[113],"effective":[115],"against":[116],"popular":[117],"LMs":[118],"used":[119],"in":[120],"generation":[122],"APIs,":[123],"including":[124],"GPT-2,":[125],"GPT-3":[126],"GPT-Neo.":[128],"We":[129],"demonstrate":[130],"feasibility":[132],"stealing":[134],"information":[136],"only":[138],"few":[140],"dollars,":[141],"e.g.,":[142],"0.8,":[143],"1,":[144],"4,":[145],"40":[147],"four":[150],"versions":[151],"GPT-3.":[153]},"counts_by_year":[{"year":2026,"cited_by_count":4},{"year":2025,"cited_by_count":4},{"year":2024,"cited_by_count":6},{"year":2023,"cited_by_count":1}],"updated_date":"2026-06-26T08:34:08.712188","created_date":"2025-10-10T00:00:00"}