Kejia Chen, Jiawen Zhang, Jiacong Hu, Yu Wang, Jian Lou, Zunlei Feng, Mingli Song: Assessing Safety Risks and Quantization-aware Safety Patching for Quantized Large Language Models, ICML 2025 (PMLR; OpenReview jywq7qJLt5; code).

Core Contribution

The paper runs a systematic English safety assessment on quantized chat models: Llama-2-7B-Chat and Gemma-7B-Instruct under AWQ, AQLM, LLM-QAT, and QLoRA at INT4 and INT8, with calibration sets that are benign, indirectly harmful, or directly harmful. It then proposes Q-resafe, a quantization-aware safety patch that builds a preference set under guidance from the full-precision model and updates only safety-critical weights so ASR returns toward the pre-quant baseline without a full retrain.

Part 1: Safety assessment (Section 3)

Models. Two well-aligned open chat models as pre-quant baselines: Llama-2-7B-Chat (ASR 0.3, MT-bench 6.65, AlpacaEval 71.37) and Gemma-7B-Instruct (ASR 9.2, MT-bench 6.25, AlpacaEval 66.53). Gemma’s higher base ASR is attributed to weaker pre-quant safety.

Quantization methods (Table 1), one representative per category.

MethodCategoryUses assisting dataset?
AWQPTQ without fine-tuningNo
AQLMPTQ with fine-tuningYes
LLM-QATQAT with full fine-tuningYes
QLoRAQAT with LoRA fine-tuningYes

Bit-widths INT4 and INT8 in the main tables; 3-bit and 2-bit in the ablation.

Quantization-assisting (calibration) datasets, 10 examples each, three risk levels. Because the FT-based methods consume a calibration set, the authors vary its safety character:

  • Risk-I (Benign): 10 utility-oriented samples from UltraChat, not harmful.
  • Risk-II (Indirectly Harmful): 10 non-toxic instructions paired with responses crafted to subtly induce compliance (identity-shifting / role-play style).
  • Risk-III (Directly Harmful): 10 harmful instructions + harmful responses drawn from AdvBench.

Metrics. Safety = ASR on harmful instructions (Zou et al. / AdvBench protocol). Utility = MT-bench and AlpacaEval. AWQ has no assisting dataset, so it is stressed with a decoding attack (sweeping temperature τ, top-k, top-p) per Huang et al. instead.

Assessment findings (Table 3, Llama INT4 unless noted).

  • AWQ (PTQ, no FT): decoding attack raises Llama ASR from 29.8 (FP16, τ=0.95) to 42.4 (INT4) / 39.1 (INT8); utility barely moves (0.1-3.0 pt).
  • FT-based methods track the calibration data’s safety. Llama INT4 ASR by risk level: AQLM 18.5 / 75.5 / 77.4, LLM-QAT 16.9 / 82.9 / 71.2, QLoRA 42.3 / 83.4 / 85.3 (Risk-I / II / III). Even a benign calibration set degrades safety; a harmful one is catastrophic.
  • QLoRA is the worst (fewest tuned params → biggest safety trade-off); INT8 < INT4 ASR (more bits, more safety retained); indirect Risk-II often hurts as much as direct Risk-III.
  • Utility degradation stays small throughout (e.g. LLM-QAT <2% vs FP16), which is the point: these methods preserve capability while quietly shedding safety.

Part 2: Q-resafe patching method (Section 4)

Goal: restore safety by editing only the most safety-critical weights, leaving the rest of the quantized model (and thus its utility) intact. Three ingredients:

1. Safety-patching dataset via full-precision guidance (no human labels). For each prompt \(x\) in a calibration set, generate a response from both the pre-quant model \(\pi_W\) and the quantized model \(\pi_{Q^0}\). Label the pre-quant response the winner \(y_w\), the quantized response the loser \(y_l\), forming a preference triplet \((x, y_w, y_l)\). This is a knowledge-distillation framing: the strong FP model teaches its refusal behavior to the quantized one, no manual preference annotation.

2. Safety-critical weight identification via SNIP. For weight entry \(W_{ij}\), importance is \(I(W_{ij}, x) = |W_{ij}\cdot\nabla_{Q_{ij}}\mathcal{L}(x)|\) (Eq. 3), where \(\mathcal{L}\) is the conditional NLL \(-\log p(y|x)\). Averaged over the calibration set → \(\mathrm{SafeScore}(Q)\); the top-τ percentile are deemed safety-critical and form the mask \(M_Q\). Since the critical subset drifts as training proceeds, it is re-identified periodically every \(K\) iterations.

3. Masked-LoRA DPO update. Optimize a DPO loss (Eq. 1) over the patching triplets, but constrain the edit to a masked low-rank update: \(Q = Q^0 + \mathrm{Quant}(M_Q \odot AB)\) (Eq. 2), so only safety-critical positions move and the result stays in the quantized format. Algorithm 1: build \(\mathcal{D}_{patch}\) from calibration generations, then loop for \(T\) iterations, recomputing \(M_Q\) every \(K\) steps and taking masked SGD steps on the LoRA factors \(A, B\).

Hyperparameters: τ = 0.6, LoRA rank r = 2048, re-eval interval K = 1000; harmful eval set = 100 examples.

Part 3: Q-resafe results (Section 5)

Increase in ASR vs the pre-quant model (lower is better), baseline quant methods vs Q-resafe:

CalibrationBaselines (Llama / Gemma)Q-resafe (Llama / Gemma)
Risk-I (benign)+16.6 / +11.5+1.5 / +0.9
Risk-II (indirect)+82.6 / +59.2+13.3 / +5.5
Risk-III (direct)+92.3 / +66.7+13.6 / +1.8
AWQ (no-FT, decoding attack)+7.3 / +5.8+0.8 / +0.4

Utility (MT-bench / AlpacaEval) stays essentially at the pre-quant level. Benign-set patching converges in one epoch.

Ablations.

  • Safety-critical identification matters (Table 5, Llama INT4 benign). τ=1 (patch all weights) → ASR 1.6% in 2.1 GPU-h; τ=0.6 → ASR 1.8% in 1.2 GPU-h; τ=0 (no identification) → ASR 42.2%. Selecting the right ~40% of weights is what makes the patch both effective and cheap.
  • Vs SFT / plain DPO (Table 6, 4-bit). LLM-QAT+SFT 12.4% ASR (8.4 GPU-h); LLM-QAT+DPO 1.5% (9.6 h); LLM-QAT+Q-resafe 1.6% (1.2 h); QLoRA+SFT 26.9% vs QLoRA+Q-resafe 2.4%. Q-resafe matches DPO’s safety at a fraction of the compute.
  • Across bit-widths (Table 7, Llama, UltraChat calibration). ASR at 8/4/3/2-bit: AWQ 10.5/17.4/29.5/38.6, QLoRA 41.7/42.3/67.3/82.0, Q-resafe 1.6/1.8/5.9/12.4 (lowest at every bit-width; steepest degradation between 4- and 3-bit).

Limitations / gaps for my niche

  • English-only AdvBench-style ASR. No MultiJail, CSRT, or resource-tier language split. This is quant × safety, not quant × multilingual jailbreak.
  • Not a supply-chain “benign FP → malicious after GGUF” attack (contrast Egashira / Mind the Gap). Threat model is accidental / calibration-induced safety loss plus a patch.
  • Does not test localized safety training (Safety Layers / ESI / Zhang GRPO) then remeasure under Multilingual PTQ.

Relevance

Main Tier-1 published neighbor for English “does quantization raise jailbreak ASR,” alongside Decoding Compressed Trust. For Multilingual, cite Al Hakim / Critical Weight Protection first. If I run MultiJail × GGUF, Q-resafe is still the English patch baseline reviewers will ask about.