Kejia Chen, Jiawen Zhang, Jiacong Hu, Yu Wang, Jian Lou, Zunlei Feng, Mingli Song: Assessing Safety Risks and Quantization-aware Safety Patching for Quantized Large Language Models, ICML 2025 (PMLR; OpenReview jywq7qJLt5; code).
Core Contribution
The paper runs a systematic English safety assessment on quantized chat models: Llama-2-7B-Chat and Gemma-7B-Instruct under AWQ, AQLM, LLM-QAT, and QLoRA at INT4 and INT8, with calibration sets that are benign, indirectly harmful, or directly harmful. It then proposes Q-resafe, a quantization-aware safety patch that builds a preference set under guidance from the full-precision model and updates only safety-critical weights so ASR returns toward the pre-quant baseline without a full retrain.
Part 1: Safety assessment (Section 3)
Models. Two well-aligned open chat models as pre-quant baselines: Llama-2-7B-Chat (ASR 0.3, MT-bench 6.65, AlpacaEval 71.37) and Gemma-7B-Instruct (ASR 9.2, MT-bench 6.25, AlpacaEval 66.53). Gemma’s higher base ASR is attributed to weaker pre-quant safety.
Quantization methods (Table 1), one representative per category.
| Method | Category | Uses assisting dataset? |
|---|---|---|
| AWQ | PTQ without fine-tuning | No |
| AQLM | PTQ with fine-tuning | Yes |
| LLM-QAT | QAT with full fine-tuning | Yes |
| QLoRA | QAT with LoRA fine-tuning | Yes |
Bit-widths INT4 and INT8 in the main tables; 3-bit and 2-bit in the ablation.
Quantization-assisting (calibration) datasets, 10 examples each, three risk levels. Because the FT-based methods consume a calibration set, the authors vary its safety character:
- Risk-I (Benign): 10 utility-oriented samples from UltraChat, not harmful.
- Risk-II (Indirectly Harmful): 10 non-toxic instructions paired with responses crafted to subtly induce compliance (identity-shifting / role-play style).
- Risk-III (Directly Harmful): 10 harmful instructions + harmful responses drawn from AdvBench.
Metrics. Safety = ASR on harmful instructions (Zou et al. / AdvBench protocol). Utility = MT-bench and AlpacaEval. AWQ has no assisting dataset, so it is stressed with a decoding attack (sweeping temperature τ, top-k, top-p) per Huang et al. instead.
Assessment findings (Table 3, Llama INT4 unless noted).
- AWQ (PTQ, no FT): decoding attack raises Llama ASR from 29.8 (FP16, τ=0.95) to 42.4 (INT4) / 39.1 (INT8); utility barely moves (0.1-3.0 pt).
- FT-based methods track the calibration data’s safety. Llama INT4 ASR by risk level: AQLM 18.5 / 75.5 / 77.4, LLM-QAT 16.9 / 82.9 / 71.2, QLoRA 42.3 / 83.4 / 85.3 (Risk-I / II / III). Even a benign calibration set degrades safety; a harmful one is catastrophic.
- QLoRA is the worst (fewest tuned params → biggest safety trade-off); INT8 < INT4 ASR (more bits, more safety retained); indirect Risk-II often hurts as much as direct Risk-III.
- Utility degradation stays small throughout (e.g. LLM-QAT <2% vs FP16), which is the point: these methods preserve capability while quietly shedding safety.
Part 2: Q-resafe patching method (Section 4)
Goal: restore safety by editing only the most safety-critical weights, leaving the rest of the quantized model (and thus its utility) intact. Three ingredients:
1. Safety-patching dataset via full-precision guidance (no human labels). For each prompt \(x\) in a calibration set, generate a response from both the pre-quant model \(\pi_W\) and the quantized model \(\pi_{Q^0}\). Label the pre-quant response the winner \(y_w\), the quantized response the loser \(y_l\), forming a preference triplet \((x, y_w, y_l)\). This is a knowledge-distillation framing: the strong FP model teaches its refusal behavior to the quantized one, no manual preference annotation.
2. Safety-critical weight identification via SNIP. For weight entry \(W_{ij}\), importance is \(I(W_{ij}, x) = |W_{ij}\cdot\nabla_{Q_{ij}}\mathcal{L}(x)|\) (Eq. 3), where \(\mathcal{L}\) is the conditional NLL \(-\log p(y|x)\). Averaged over the calibration set → \(\mathrm{SafeScore}(Q)\); the top-τ percentile are deemed safety-critical and form the mask \(M_Q\). Since the critical subset drifts as training proceeds, it is re-identified periodically every \(K\) iterations.
3. Masked-LoRA DPO update. Optimize a DPO loss (Eq. 1) over the patching triplets, but constrain the edit to a masked low-rank update: \(Q = Q^0 + \mathrm{Quant}(M_Q \odot AB)\) (Eq. 2), so only safety-critical positions move and the result stays in the quantized format. Algorithm 1: build \(\mathcal{D}_{patch}\) from calibration generations, then loop for \(T\) iterations, recomputing \(M_Q\) every \(K\) steps and taking masked SGD steps on the LoRA factors \(A, B\).
Hyperparameters: τ = 0.6, LoRA rank r = 2048, re-eval interval K = 1000; harmful eval set = 100 examples.
Part 3: Q-resafe results (Section 5)
Increase in ASR vs the pre-quant model (lower is better), baseline quant methods vs Q-resafe:
| Calibration | Baselines (Llama / Gemma) | Q-resafe (Llama / Gemma) |
|---|---|---|
| Risk-I (benign) | +16.6 / +11.5 | +1.5 / +0.9 |
| Risk-II (indirect) | +82.6 / +59.2 | +13.3 / +5.5 |
| Risk-III (direct) | +92.3 / +66.7 | +13.6 / +1.8 |
| AWQ (no-FT, decoding attack) | +7.3 / +5.8 | +0.8 / +0.4 |
Utility (MT-bench / AlpacaEval) stays essentially at the pre-quant level. Benign-set patching converges in one epoch.
Ablations.
- Safety-critical identification matters (Table 5, Llama INT4 benign). τ=1 (patch all weights) → ASR 1.6% in 2.1 GPU-h; τ=0.6 → ASR 1.8% in 1.2 GPU-h; τ=0 (no identification) → ASR 42.2%. Selecting the right ~40% of weights is what makes the patch both effective and cheap.
- Vs SFT / plain DPO (Table 6, 4-bit). LLM-QAT+SFT 12.4% ASR (8.4 GPU-h); LLM-QAT+DPO 1.5% (9.6 h); LLM-QAT+Q-resafe 1.6% (1.2 h); QLoRA+SFT 26.9% vs QLoRA+Q-resafe 2.4%. Q-resafe matches DPO’s safety at a fraction of the compute.
- Across bit-widths (Table 7, Llama, UltraChat calibration). ASR at 8/4/3/2-bit: AWQ 10.5/17.4/29.5/38.6, QLoRA 41.7/42.3/67.3/82.0, Q-resafe 1.6/1.8/5.9/12.4 (lowest at every bit-width; steepest degradation between 4- and 3-bit).
Limitations / gaps for my niche
- English-only AdvBench-style ASR. No MultiJail, CSRT, or resource-tier language split. This is quant × safety, not quant × multilingual jailbreak.
- Not a supply-chain “benign FP → malicious after GGUF” attack (contrast Egashira / Mind the Gap). Threat model is accidental / calibration-induced safety loss plus a patch.
- Does not test localized safety training (Safety Layers / ESI / Zhang GRPO) then remeasure under Multilingual PTQ.
Relevance
Main Tier-1 published neighbor for English “does quantization raise jailbreak ASR,” alongside Decoding Compressed Trust. For Multilingual, cite Al Hakim / Critical Weight Protection first. If I run MultiJail × GGUF, Q-resafe is still the English patch baseline reviewers will ask about.