NightVision, an attack described in a Carnegie Mellon University paper, recovers a transformer’s hidden dimension to within 23% average relative error and its depth and parameter count to within 53% on models above three billion parameters, using nothing more than the single logprob that modern APIs return plus the wall-clock latency of each request. The premise behind restricted APIs is that they protect architecture. The NightVision preprint is the latest evidence that they do not, at least not fully.
What did providers actually restrict, and why?
Prior work showed that with limited API access, specifically top-k logits or a logit-bias function, an attacker could recover architectural details such as the feed-forward network’s hidden dimension. In response, most commercial providers restricted their APIs to expose only the single logprob of each decoded token and removed the ability to bias logits, the NightVision paper notes. That is the minimum probabilistic information an API can return and still call itself probabilistic. The resulting threat model is strictly weaker than what earlier attacks assumed, which is exactly the point. Providers reasoned that if attackers needed either logit bias or top-k to invert the softmax bottleneck, removing both should close the channel.
It closed one channel and opened another. The same restriction also removed the easy way to assemble a dense logit matrix, so the attack had to be rebuilt around whatever sparse signal the API still leaks. Two signals survive: the realized logprob of the sampled token, and the time the server takes to return it. Neither is easy to suppress without breaking the API’s usefulness.
How does NightVision read hidden dimension from one logprob at a time?
Without logit bias, a token’s probability is only visible when the model actually decodes it. NightVision’s workaround is what the authors call common-set prompting, a technique in which multiple prompts are chosen to expose log probabilities for the same set of output tokens. The intersection of those prompts’ decoded vocabularies forms a “common set” large enough that the attacker can assemble a log-probability matrix and run spectral analysis on it to read off the hidden dimension.
The sampling makes the spectrum harder to interpret than in the logit-bias setting, where prior work could lean on a sharp eigengap from a nearly complete matrix. The authors run extensive ablations on how recovery accuracy scales with token budget and model properties.
How does timing recover depth and parameter count?
The second prong treats inference latency as a side channel. Transformer inference splits into prefill, where the prompt is processed and the KV cache is built, and decode, where tokens stream out reusing that cache. In the long-context regime, prefill cost is dominated by attention and grows with both sequence length and the model’s hidden dimension, so end-to-end time to first token carries structural information. NightVision combines TTFT measurements with the hidden-dimension estimate from phase one to infer depth and parameter count.
The fit is only as good as its architecture assumptions. A model whose attention or feed-forward structure departs from the template the fit assumes would be expected to land less cleanly, which is the usual failure mode for any black-box timing attack that has to commit to a single cost model.
How accurate is it, and where does it break?
Across 32 open-source LLMs, NightVision recovers hidden dimension to within 23% average relative error overall and 9% on MoE models, and recovers depth and parameter count to within 53% for models exceeding three billion parameters. The depth and parameter-count figure is qualified to models above three billion parameters; smaller models sit outside the regime where the timing fit is claimed to hold. What matters is that three architectural properties fall out of two signals a current API cannot easily stop emitting; the exactness of any single estimate is secondary.
Cost is the real headline for defenders. The single-logprob threat model that current APIs enforce narrows the channel but does not close it. Recovery accuracy scales with the attacker’s token budget, which is the lever that survives the restriction.
What can vendors actually do, and what does it costs them?
The paper’s conclusion is blunt about mitigation: closing this channel requires defending against timing side channels in addition to logit access. Timing is the hard one. A provider cannot hide time-to-first-token without either padding every response to a fixed latency, which wrecks throughput and UX, or randomizing it enough to destroy the signal, which has its own costs and tends to introduce other leaks. The logprob channel is more tractable to suppress, but as the history here shows, suppressing one channel tends to relocate the attack rather than eliminate it.
There is also an awkward strategic bind. The more a provider restricts the API to defend IP, the more those restrictions themselves become discriminators. A vendor that returns only the single decoded logprob, caps temperature aggressively, and pads latency is announcing a specific threat model, and NightVision is calibrated to exactly that threat model. Defense by restriction narrows the hypothesis space the attacker has to search.
Where does this leave closed versus open models?
The transparency asymmetry is now sharper. Open-weight models publish their config.json, so d, L, and parameter count are public by definition; the audit interest there is fingerprinting and copyright, which is a different problem. Closed models have historically relied on API restriction as a substitute for disclosure, and NightVision shows that substitute leaks the very numbers it is meant to hide, noisily and at cost, but leak them.
Concurrent work points in two directions. The Safety Game formulation at ICML 2026 does black-box inference-time alignment via a two-player zero-sum game without touching model internals, treating the closed model as a pure input-output oracle and sidestepping the architecture question entirely. The Wiola architecture illustrates the opposite bet: publish the novelty, including components like Spiral Rotary Positional Encoding and Gated Cross-Layer Attention, and let the community audit it. Whether NightVision’s spectral and timing methods transfer cleanly to state-space or hybrid architectures is an open question; the evaluation covers transformer-family models.
For auditors and regulators, the practical upshot is that “we do not disclose architecture” is no longer the same claim as “you cannot recover it.” The recovery is approximate, expensive, and bounded by model size. It is also reproducible, calibrated against 32 published models, and built from signals that current APIs cannot easily stop emitting. The next round of API hardening, if vendors bother, will have to argue with the timing channel. And timing is the one signal you cannot remove from a system that still has to answer.
Frequently Asked Questions
When does NightVision recover exact dimension versus just an approximation?
Exact recovery occurred in 4 of the 32 evaluated models, while 12 models landed within 10% error. The remaining cases showed wider variance. Exact hits are the exception, not the rule, even under favorable conditions.
Why does NightVision perform better on MoE models than dense transformers?
MoE architectures achieved 9% error on hidden dimension inference versus the 23% overall average. The spectral signature of expert routing produces a cleaner signal for common-set prompting to read, likely because active expert parameters concentrate the rank structure that the attack measures.
Does this work on state-space models like Mamba or hybrid architectures?
The NightVision evaluation covered transformer-family models only. Its timing fit assumes prefill costs are dominated by attention, which state-space models replace. Whether the spectral analysis transfers to architectures without softmax bottlenecks is an open question the authors do not claim.
What is the minimum token budget needed for a reliable estimate?
The paper does not specify a single token floor. Recovery accuracy scales with budget, so the cost depends on the target model and the attacker’s tolerance for error. Larger budgets tighten the estimate; smaller ones widen the confidence interval. The tradeoff is purely economic, not technical.
How is this different from the logit-bias attacks that prompted API restrictions in the first place?
Carlini et al. 2024 and Finlayson et al. 2024 required logit bias or top-k logits to probe the softmax bottleneck directly. NightVision works under the stricter threat model that providers adopted in response: single decoded logprob per step and no bias control. The signal is sparser, the attack is more expensive, but the channel remains open.