To address the challenge of intellectual property (IP) protection for large language models (LLMs)—specifically, the lack of efficient, robust, and model-access-free ownership verification mechanisms—this paper proposes a black-box fingerprinting technique. Unlike prior approaches, our method requires neither training nor fine-tuning; instead, it is the first to empirically uncover and formally model the model-specific vector space structure intrinsically spanned by LLM outputs. We design a dual-path framework: (i) a fast infringement detection module leveraging subspace alignment and PCA, and (ii) a robust scheme against parameter-efficient fine-tuning (PEFT) attacks—e.g., LoRA—by jointly embedding output distributions and reconstructing the latent space. Evaluated across multiple mainstream LLMs, our method achieves high-accuracy ownership authentication, exhibits strong robustness against PEFT-based tampering, and maintains computational efficiency, cross-model generalizability, and practical feasibility in black-box deployment scenarios.

Recent advances show that scaling a pre-trained language model could achieve state-of-the-art performance on many downstream tasks, prompting large language models (LLMs) to become a hot research topic in the field of artificial intelligence. However, due to the resource-intensive nature of training LLMs from scratch, it is urgent and crucial to protect the intellectual property of LLMs against infringement. This has motivated the authors in this paper to propose a novel black-box fingerprinting technique for LLMs, which requires neither model training nor model fine-tuning. We first demonstrate that the outputs of LLMs span a unique vector space associated with each model. We model the problem of ownership authentication as the task of evaluating the similarity between the victim model's space and the output's space of the suspect model. To deal with this problem, we propose two solutions, where the first solution involves verifying whether the outputs of the suspected large model are in the same space as those of the victim model, enabling rapid identification of model infringement, and the second one reconstructs the union of the vector spaces for LLM outputs and the victim model to address situations where the victim model has undergone the Parameter-Efficient Fine-Tuning (PEFT) attacks. Experimental results indicate that the proposed technique achieves superior performance in ownership verification and robustness against PEFT attacks. This work reveals inherent characteristics of LLMs and provides a promising solution for ownership verification of LLMs in black-box scenarios, ensuring efficiency, generality and practicality.