In the realm of deep learning, transformers have emerged as a dominant architecture, particularly in natural language processing tasks. However, with their widespread adoption, concerns regarding the security and privacy of the data processed by these models have arisen. In this paper, we address a pivotal question: Can the data fed into transformers be recovered using their attention weights and outputs? We introduce a theoretical framework to tackle this problem. Specifically, we present an algorithm that aims to recover the input data $X \in \mathbb{R}^{d \times n}$ from given attention weights $W = QK^\top \in \mathbb{R}^{d \times d}$ and output $B \in \mathbb{R}^{n \times n}$ by minimizing the loss function $L(X)$. This loss function captures the discrepancy between the expected output and the actual output of the transformer. Our findings have significant implications for the Localized Layer-wise Mechanism (LLM), suggesting potential vulnerabilities in the model's design from a security and privacy perspective. This work underscores the importance of understanding and safeguarding the internal workings of transformers to ensure the confidentiality of processed data.

翻译：在深度学习领域，Transformer已成为主导架构，尤其在自然语言处理任务中表现突出。然而，随着其广泛应用，这些模型处理数据时的安全性和隐私问题日益受到关注。本文针对一个关键问题展开研究：能否利用Transformer的注意力权重和输出恢复其输入数据？我们提出了一个理论框架来解决该问题。具体而言，我们设计了一种算法，通过最小化损失函数$L(X)$，从给定的注意力权重$W = QK^\top \in \mathbb{R}^{d \times d}$和输出$B \in \mathbb{R}^{n \times n}$中恢复输入数据$X \in \mathbb{R}^{d \times n}$。该损失函数刻画了Transformer预期输出与实际输出之间的差异。研究结果表明，这一发现对局部逐层机制（Localized Layer-wise Mechanism, LLM）具有重要启示，揭示了该模型设计在安全和隐私方面存在的潜在脆弱性。本工作强调了理解并保护Transformer内部工作机制以确保处理数据机密性的重要性。