This work identifies and systematically exploits a novel timing side channel in large language model (LLM) services, arising from shared GPU caches—specifically KV caches and semantic caches—that enables inference of system prompts and other users’ prompts in multi-tenant settings. We propose a token-level prefix search algorithm that integrates cache hit classification with fine-grained timing measurements to recover private prompts with high accuracy under black-box conditions. We empirically validate the attack across multiple mainstream online LLM services, successfully reconstructing both system and user prompts, thereby demonstrating practical threat relevance. To our knowledge, this is the first work to formally model cache-induced timing leakage as an exploitable side channel in LLM inference systems. Our findings catalyze a paradigm shift in LLM infrastructure security, urging prompt-privacy-aware defenses against cache-based side-channel threats.

The wide deployment of Large Language Models (LLMs) has given rise to strong demands for optimizing their inference performance. Today's techniques serving this purpose primarily focus on reducing latency and improving throughput through algorithmic and hardware enhancements, while largely overlooking their privacy side effects, particularly in a multi-user environment. In our research, for the first time, we discovered a set of new timing side channels in LLM systems, arising from shared caches and GPU memory allocations, which can be exploited to infer both confidential system prompts and those issued by other users. These vulnerabilities echo security challenges observed in traditional computing systems, highlighting an urgent need to address potential information leakage in LLM serving infrastructures. In this paper, we report novel attack strategies designed to exploit such timing side channels inherent in LLM deployments, specifically targeting the Key-Value (KV) cache and semantic cache widely used to enhance LLM inference performance. Our approach leverages timing measurements and classification models to detect cache hits, allowing an adversary to infer private prompts with high accuracy. We also propose a token-by-token search algorithm to efficiently recover shared prompt prefixes in the caches, showing the feasibility of stealing system prompts and those produced by peer users. Our experimental studies on black-box testing of popular online LLM services demonstrate that such privacy risks are completely realistic, with significant consequences. Our findings underscore the need for robust mitigation to protect LLM systems against such emerging threats.