Search papers, labs, and topics across Lattice.
The paper introduces OptiLeak, a reinforcement learning-based framework to efficiently reconstruct prompts leaked through shared Key-Value caches in multi-tenant LLM services. OptiLeak identifies domain-specific "hard tokens" via likelihood ranking and uses them to construct preference pairs for Direct Preference Optimization (DPO), avoiding manual annotation and overfitting. Experiments on medical and financial benchmarks show OptiLeak achieves up to 12.48x reduction in average requests per token compared to baselines, demonstrating a more severe prompt leakage threat than previously estimated.
Prompt leakage attacks on multi-tenant LLMs are far more efficient than previously thought: a new RL-based method reconstructs prompts with over 12x fewer requests.
Multi-tenant LLM serving frameworks widely adopt shared Key-Value caches to enhance efficiency. However, this creates side-channel vulnerabilities enabling prompt leakage attacks. Prior studies identified these attack surfaces yet focused on expanding attack vectors rather than optimizing attack performance, reporting impractically high attack costs that underestimate the true privacy risk. We propose OptiLeak, a reinforcement learning-enhanced framework that maximizes prompt reconstruction efficiency through two-stage fine-tuning. Our key insight is that domain-specific ``hard tokens''-- terms difficult to predict yet carrying sensitive information -- can be automatically identified via likelihood ranking and used to construct preference pairs for Direct Preference Optimization, eliminating manual annotation. This enables effective preference alignment while avoiding the overfitting issues of extended supervised fine-tuning. Evaluated on three benchmarks spanning medical and financial domains, OptiLeak achieves up to $12.48\times$ reduction in average requests per token compared to baseline approaches, with consistent improvements across model scales from 3B to 14B parameters. Our findings demonstrate that cache-based prompt leakage poses a more severe threat than previously reported, underscoring the need for robust cache isolation in production deployments.
