
arxiv: 2605.19847 · v2 · pith:M66OQ4ITnew · submitted 2026-05-19 · 💻 cs.CR · cs.IR· cs.LG

Auditing Privacy in Multi-Tenant RAG under Account Collusion

Pith reviewed 2026-05-20 04:05 UTC · model grok-4.3

classification 💻 cs.CR · cs.IR · cs.LG
keywords multi-tenant RAG · differential privacy · account collusion · privacy auditing · Gaussian noise · membership inference · retrieval augmented generation

The pith

Same-tenant account collusion degrades per-account DP in multi-tenant RAG to Θ(√k · ε) under Gaussian noise.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Multi-tenant RAG services claim differential privacy for each account relative to the shared index. When k accounts from the same tenant coordinate their queries against that index, standard DP composition for Gaussian noise shows the joint privacy loss grows as the square root of k multiplied by the per-account epsilon. This matters because multi-tenancy is the common operating mode, yet the advertised per-account bound does not automatically protect against this form of collusion. The paper shows an attack that achieves the predicted degradation and supplies an audit protocol that can test the actual retrieval channel in an unmodified deployment.

Core claim

For k same-tenant accounts coordinating against the tenant's index, known DP composition theory implies joint leakage degrades unconditionally at rate Θ(√k · ε_acc) for Gaussian-noised retrieval. The authors exhibit an attack realizing this rate and derive a RAG-specific membership inference attack prediction that is tested empirically. They then present an audit protocol that issues a quantitative (PASS, ε_audit) verdict for the noise-then-select retrieval channel using Merkle ledgers, zero-knowledge proofs, and RAG-specific primitives, without disclosing the index or altering the pipeline.

What carries the argument

The retrieval-score channel, defined as the noise-then-select step whose per-account DP guarantee is verified by a protocol that combines generic cryptographic primitives with six RAG-specific attestations including embedder commitment and coalition-size estimation.

If this is right

  • Joint leakage for k colluding same-tenant accounts scales as Θ(√k · ε_acc).
  • Cross-tenant and external collusion produce zero leakage unless an explicit access-control failure occurs.
  • A membership inference attack can be derived and tested to match the composition-predicted degradation.
  • The audit protocol yields a concrete quantitative verdict for the retrieval channel on live unmodified systems.
  • Generation-channel privacy is treated as a separate predicate that must be composed afterward.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Providers could run the protocol periodically to publish collusion-resilient privacy bounds to users.
  • System designers may need to adjust per-account budgets in advance once realistic coalition sizes are estimated.
  • The same ledger-and-attestation approach could be reused to audit other shared retrieval services.

Load-bearing premise

The retrieval mechanism applies Gaussian noise before selection so that standard DP composition directly gives the joint leakage rate.
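To make the composition rate concrete, here is an added example (not the paper's code) of the scalar noisy-score channel behind this premise: each of k colluding accounts observes the Gaussian-noised score once, the coalition averages its k observations, and the effective noise shrinks to σ/√k, which is exactly an ε that has grown by √k. It assumes the classical Gaussian-mechanism calibration, sensitivity Δ = 1, a constructed δ = 1e-5, and a membership signal of score 1 for an indexed document versus 0 otherwise; top-K selection is not modelled.

```python
import math
import random
import statistics

DELTA = 1e-5  # constructed delta_acc for the per-account guarantee; not a value from the paper


def gaussian_sigma(eps, sensitivity=1.0, delta=DELTA):
    """Classical Gaussian-mechanism calibration: sigma = D * sqrt(2 ln(1.25/delta)) / eps."""
    return sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / eps


def joint_epsilon(eps_acc, k, sensitivity=1.0, delta=DELTA):
    """Epsilon implied once k pooled draws are averaged: the effective noise is sigma/sqrt(k),
    so re-solving the calibration gives sqrt(k) * eps_acc, the rate the paper states."""
    sigma_eff = gaussian_sigma(eps_acc, sensitivity, delta) / math.sqrt(k)
    return sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / sigma_eff


def predicted_auc(eps_acc, k, sensitivity=1.0):
    """Analytic membership-inference AUC for the scalar channel: member score = D,
    non-member = 0, each seen through N(0, sigma^2/k) after pooling, so
    AUC = Phi(D * sqrt(k) / (sigma * sqrt(2)))."""
    sigma = gaussian_sigma(eps_acc, sensitivity)
    z = sensitivity * math.sqrt(k) / (sigma * math.sqrt(2.0))
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def simulated_auc(eps_acc, k, trials=1000, seed=7):
    """Monte Carlo of the same channel: k accounts each observe the noised score once
    and the coalition averages its k observations before deciding membership."""
    rng = random.Random(seed)
    sigma = gaussian_sigma(eps_acc)

    def pooled(true_score):
        return statistics.fmean(true_score + rng.gauss(0.0, sigma) for _ in range(k))

    members = [pooled(1.0) for _ in range(trials)]
    others = [pooled(0.0) for _ in range(trials)]
    # Empirical AUC = P(pooled member score > pooled non-member score) over all pairs.
    wins = sum(1 for m in members for o in others if m > o)
    return wins / (trials * trials)


if __name__ == "__main__":
    for k in (1, 2, 5, 10, 20):  # the coalition sizes used in the paper's Figure 3
        print(f"k={k:2d}  joint eps={joint_epsilon(4.0, k):5.2f}  "
              f"AUC predicted={predicted_auc(4.0, k):.3f}  simulated={simulated_auc(4.0, k):.3f}")
```

The printed joint ε at ε_acc = 4 runs 4, 5.66, 8.94, 12.65, 17.89 for k = 1, 2, 5, 10, 20, and the simulated AUC tracks the analytic curve, which is the monotone-in-k behaviour the paper reports for its scalar mechanism.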

What would settle it

An empirical run with increasing numbers of colluding same-tenant accounts in which the observed membership inference success rate fails to rise proportionally to sqrt(k) times the individual epsilon.

Figures

Figures reproduced from arXiv: 2605.19847 by Brittany I. Davidson, Florian A. D. Burnat.

Figure 1: Multi-tenant RAG with a k-account coalition. The service applies the rate limit per account and adds DP noise before top-K; coalitions evade both bounds by pooling outputs after retrieval (red dashed link). k-coalition (red dashed link) is a subset of accounts that pool their responses through a shared output channel after the LLM has returned them, which the service cannot observe and the per-account rate…

Figure 2: Empirical membership-inference AUC against coalition size.

Figure 3: Real-embedder rate transfer (bge-small-en-v1.5, 384-dim, n = 200, T = 2 000). At realized ∆ = 0.41, the empirical advantage grows 4.84× across k ∈ {1, 2, 5, 10, 20} against a predicted √20 ≈ 4.47; the √k rate is preserved. Absolute advantages sit below the ∆ = 1 random-embedder baseline (grey squares) by a constant factor consistent with the ratio of realized ∆ … finite-sample noise.

Figure 4: Alternative-adversary AUC vs. k at ε_acc = 4, n = 10^4, T = 5 000 trials per cell, on the scalar mechanism of Theorem 3.5. Baseline (blue circles) and Bayes LR (green squares) coincide trial-by-trial (monotonicity identity). Diversified split adversaries at ρ = 0.50 (orange triangles) and ρ = 0.25 (red triangles) trail baseline at every k > 1. No alternative adversary tested exceeds the baseline √k rate. A…

Figure 5: External vs same-tenant collusion against the top-…

Figure 6: Production-scale HNSW on 10^6 MS MARCO passages, bge-small-en-v1.5 embedder, HNSW (M=64, efcstr=200, efq=128), ∆ = 0.133, T = 2,000. (a) User-observable hit-indicator AUC: chance at scale (curves flat across k). (b) Auditor-observable pooled noisy-score at the planted slot: monotone curve preserved at ε_acc ∈ {8, 16}. The two panels show different observation surfaces: (a) is what an attacker account sees; …

Figure 7: Coalition-size estimator calibration on the toy harness (…
Original abstract

Multi-tenant RAG services often treat the account as the privacy boundary: each account receives an $(\varepsilon_{\text{acc}},\delta_{\text{acc}})$-DP retrieval guarantee against the tenant index. We show that this framing understates leakage under same-index account collusion. For Gaussian noise-then-select retrieval, $k$ coordinated same-tenant accounts compose to joint leakage $\Theta(\sqrt{k}\,\varepsilon_{\text{acc}})$, not $\varepsilon_{\text{acc}}$; we give a matching membership-inference attack and validate the predicted $\sqrt{k}$ AUC trend in scalar, top-$K$, trained-embedder, and production-scale HNSW settings. We then give a verifier-runnable audit protocol that attests noise-then-select retrieval and reports $(\textsf{PASS},\varepsilon_{\text{audit}})$ for coalitions up to a declared cap $k_{\max}$, without disclosing the index or changing the retrieval decision rule. The claim is retrieval-channel only: generation-channel leakage and adversarially robust coalition-size estimation are complementary audit predicates.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript identifies same-index multi-account collusion as a privacy-boundary failure in multi-tenant RAG: for k coordinating accounts against a shared tenant index, standard Gaussian DP composition implies joint leakage scales as Θ(√k · ε_acc). It exhibits an attack realizing this rate, derives a RAG-specific MIA prediction tested empirically, and presents the first audit protocol for unmodified deployments that issues a quantitative (PASS, ε_audit) verdict on the retrieval-score (noise-then-select) channel using Merkle ledgers, ZK proofs, Gaussian attestations, and six RAG-specific primitives (embedder commitment, index vector commitment, query ledger, noise-then-select attestation, cross-tenant containment, coalition-size estimator). Generation-channel privacy is explicitly scoped out.

Significance. If the empirical MIA results and audit-protocol soundness hold, the work is significant for bridging theoretical DP composition with a deployable, index-disclosure-free audit for production RAG systems. It correctly leverages external Gaussian DP theorems without circularity, provides an empirical test of the derived MIA prediction, and introduces novel RAG-specific audit primitives that enable quantitative verdicts on the exact channel covered by per-account guarantees.

major comments (2)
  1. [§4] §4 (Threat Model and Collusion Regimes): the distinction between same-index (operative) and cross-tenant regimes is load-bearing for the Θ(√k · ε_acc) claim; the manuscript should add an explicit reduction showing that M4 access-control failure is the only way cross-tenant collusion can match the rate, with a concrete counter-example when M4 holds.
  2. [§6.3] §6.3 (Audit Protocol Soundness): the noise-then-select attestation is central to the (PASS, ε_audit) verdict, yet the reduction from the RAG-specific primitive to the Gaussian mechanism's (ε,δ)-DP guarantee lacks a theorem statement or proof sketch; without it the quantitative output rests on an unverified composition.
minor comments (2)
  1. [Abstract] Abstract: the phrase 'RAG-specific MIA prediction' is introduced without a one-sentence gloss; a parenthetical definition would improve readability for readers outside the sub-area.
  2. [Notation] Notation: ε_audit is used before its formal definition in the protocol section; a forward reference or early definition box would prevent confusion.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the positive assessment of our work's significance and for the detailed comments that help improve the manuscript. We address the major comments point-by-point below, agreeing to incorporate revisions where appropriate to strengthen the presentation.

Point-by-point responses
  1. Referee: [§4] §4 (Threat Model and Collusion Regimes): the distinction between same-index (operative) and cross-tenant regimes is load-bearing for the Θ(√k · ε_acc) claim; the manuscript should add an explicit reduction showing that M4 access-control failure is the only way cross-tenant collusion can match the rate, with a concrete counter-example when M4 holds.

    Authors: We concur that an explicit reduction is necessary to make the load-bearing distinction fully rigorous. The current manuscript discusses that cross-tenant collusion requires M4 failure to match the same-index rate, but we will expand §4 with a formal reduction. This reduction will demonstrate that M4 access-control failure is the sole mechanism allowing cross-tenant collusion to achieve Θ(√k · ε_acc) degradation. For a concrete counter-example when M4 holds, we will describe a scenario involving a shared vector store misconfiguration that permits cross-tenant index access, enabling the collusion attack to proceed as in the same-index case. When M4 is enforced, cross-tenant regimes yield zero leakage, confirming they reduce to an architectural rather than DP audit. revision: yes

  2. Referee: [§6.3] §6.3 (Audit Protocol Soundness): the noise-then-select attestation is central to the (PASS, ε_audit) verdict, yet the reduction from the RAG-specific primitive to the Gaussian mechanism's (ε,δ)-DP guarantee lacks a theorem statement or proof sketch; without it the quantitative output rests on an unverified composition.

    Authors: We appreciate this observation regarding the audit protocol soundness. The noise-then-select attestation is indeed pivotal, and while we rely on established Gaussian DP theorems, the manuscript would benefit from an explicit theorem and proof sketch. In the revised version, we will insert a theorem in §6.3 that formally reduces the RAG-specific noise-then-select attestation to the (ε,δ)-DP guarantee of the Gaussian mechanism. The proof sketch will outline the composition steps, ensuring the quantitative (PASS, ε_audit) verdict is rigorously supported without unverified assumptions. revision: yes

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The paper's core claim on joint leakage degrading at Θ(√k · ε_acc) under same-index collusion is explicitly derived from known external DP composition theorems applied to the Gaussian mechanism in the noise-then-select retrieval step, rather than from any internal fit, self-definition, or self-citation chain. The audit protocol is introduced as a fresh construction composing standard cryptographic primitives with RAG-specific ones, without reducing any prediction or bound to its own inputs by construction. No load-bearing step equates a derived quantity to a fitted parameter or prior self-result; the argument remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The paper rests on standard differential privacy composition theorems for Gaussian mechanisms and introduces new protocol components whose security is not independently evidenced outside the design itself.

axioms (1)
  • [standard math] Differential privacy composition theorems for Gaussian mechanisms
    Invoked to obtain the unconditional joint leakage rate Θ(√k · ε_acc) under same-index collusion.
invented entities (1)
  • RAG-specific audit primitives (embedder commitment, noise-then-select attestation, coalition-size estimator, etc.) [no independent evidence]
    purpose: Enable quantitative auditing of the retrieval-score channel without index disclosure or pipeline changes
    Newly postulated components required for the audit protocol; no independent evidence (e.g., formal verification or external test) is supplied in the abstract.

pith-pipeline@v0.9.0 · 5869 in / 1447 out tokens · 71373 ms · 2026-05-20T04:05:40.043186+00:00 · methodology
