
arxiv: 2605.19847 · v1 · pith:M66OQ4ITnew · submitted 2026-05-19 · cs.CR · cs.IR · cs.LG

Auditing Privacy in Multi-Tenant RAG under Account Collusion

Pith reviewed 2026-05-20 04:05 UTC · model grok-4.3

classification: cs.CR · cs.IR · cs.LG
keywords: multi-tenant RAG, differential privacy, account collusion, privacy auditing, Gaussian noise, membership inference, retrieval augmented generation

The pith

Same-tenant account collusion degrades per-account DP in multi-tenant RAG to Theta of sqrt(k) times epsilon under Gaussian noise.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Multi-tenant RAG services claim differential privacy for each account relative to the shared index. When k accounts from the same tenant coordinate their queries against that index, standard DP composition for Gaussian noise shows the joint privacy loss grows as the square root of k multiplied by the per-account epsilon. This matters because multi-tenancy is the common operating mode, yet the advertised per-account bound does not automatically protect against this form of collusion. The paper shows an attack that achieves the predicted degradation and supplies an audit protocol that can test the actual retrieval channel in an unmodified deployment.

Core claim

For k same-tenant accounts coordinating against the tenant's index, known DP composition theory implies joint leakage degrades unconditionally at rate Theta of sqrt(k) times epsilon_acc for Gaussian-noised retrieval. The authors exhibit an attack realizing this rate and derive a RAG-specific membership inference attack prediction tested empirically. They then present an audit protocol that issues a quantitative PASS or epsilon_audit verdict for the noise-then-select retrieval channel using Merkle ledgers, zero-knowledge proofs, and RAG-specific primitives without disclosing the index or altering the pipeline.

What carries the argument

The retrieval-score channel, defined as the noise-then-select step whose per-account DP guarantee is verified by a protocol that combines generic cryptographic primitives with six RAG-specific attestations including embedder commitment and coalition-size estimation.

If this is right

  • Joint leakage for k colluding same-tenant accounts scales as Theta of sqrt(k) times epsilon_acc.
  • Cross-tenant and external collusion produce zero leakage unless an explicit access-control failure occurs.
  • A membership inference attack can be derived and tested to match the composition-predicted degradation.
  • The audit protocol yields a concrete quantitative verdict for the retrieval channel on live unmodified systems.
  • Generation-channel privacy is treated as a separate predicate that must be composed afterward.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Providers could run the protocol periodically to publish collusion-resilient privacy bounds to users.
  • System designers may need to adjust per-account budgets in advance once realistic coalition sizes are estimated.
  • The same ledger-and-attestation approach could be reused to audit other shared retrieval services.

Load-bearing premise

The retrieval mechanism applies Gaussian noise before selection so that standard DP composition directly gives the joint leakage rate.
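To make that premise concrete, here is an added worked example (not code from the paper) that runs the standard Rényi-DP accountant for the Gaussian mechanism: each pooled account's noised query costs the same RDP, RDP costs add across the coalition, and converting the sum back to (ε, δ) gives ε_joint = k·c + 2·sqrt(k·c·ln(1/δ)) with c = Δ²/(2σ²), whose second term is the √k rate the pith describes. The sensitivity, σ and δ below are constructed toy values, not the paper's parameters.

```python
import math

# Constructed toy parameters (not from the paper): each account's query releases a
# retrieval-score vector of L2 sensitivity SENSITIVITY, perturbed by N(0, SIGMA^2)
# noise before top-K selection. DELTA is the per-account failure probability.
SENSITIVITY = 1.0
SIGMA = 50.0
DELTA = 1e-5


def gaussian_rdp(alpha: float, sensitivity: float, sigma: float) -> float:
    """Renyi-DP cost of the Gaussian mechanism at order alpha: alpha * D^2 / (2 sigma^2)."""
    return alpha * sensitivity ** 2 / (2 * sigma ** 2)


def rdp_to_dp(rdp_eps: float, alpha: float, delta: float) -> float:
    """Standard conversion: (alpha, rdp_eps)-RDP implies (rdp_eps + ln(1/delta)/(alpha-1), delta)-DP."""
    return rdp_eps + math.log(1 / delta) / (alpha - 1)


def joint_epsilon(k: int, sensitivity=SENSITIVITY, sigma=SIGMA, delta=DELTA) -> float:
    """(eps, delta)-DP bound for k pooled Gaussian queries, RDP order optimised in closed form.

    RDP composes additively, so k queries cost k*alpha*c with c = D^2/(2 sigma^2).
    Minimising k*alpha*c + ln(1/delta)/(alpha-1) over alpha > 1 (optimum at
    alpha-1 = sqrt(ln(1/delta)/(k*c))) gives k*c + 2*sqrt(k*c*ln(1/delta));
    the sqrt term dominates whenever the per-account budget is small.
    """
    c = sensitivity ** 2 / (2 * sigma ** 2)
    log_inv_delta = math.log(1 / delta)
    return k * c + 2 * math.sqrt(k * c * log_inv_delta)


def joint_epsilon_grid(k: int, sensitivity=SENSITIVITY, sigma=SIGMA, delta=DELTA) -> float:
    """Same bound by brute-force search over the RDP order; a cross-check on the closed form."""
    alphas = [1 + i / 10 for i in range(1, 5000)]  # alpha in 1.1 .. 500.9
    return min(rdp_to_dp(k * gaussian_rdp(a, sensitivity, sigma), a, delta) for a in alphas)


def coalition_table(ks, sensitivity=SENSITIVITY, sigma=SIGMA, delta=DELTA):
    """Rows of (k, eps_acc, eps_joint, eps_joint/eps_acc, sqrt(k), k*eps_acc).

    eps_acc is the advertised per-account budget (k = 1); the ratio column tracks
    sqrt(k), and the last column is the looser basic-composition bound for contrast.
    """
    eps_acc = joint_epsilon(1, sensitivity, sigma, delta)
    rows = []
    for k in ks:
        eps_k = joint_epsilon(k, sensitivity, sigma, delta)
        rows.append((k, eps_acc, eps_k, eps_k / eps_acc, math.sqrt(k), k * eps_acc))
    return rows


if __name__ == "__main__":
    print(f"{'k':>4} {'eps_acc':>8} {'eps_joint':>10} {'ratio':>7} {'sqrt(k)':>8} {'k*eps_acc':>10}")
    for k, e1, ek, ratio, root, basic in coalition_table([1, 2, 5, 10, 20, 100]):
        print(f"{k:>4} {e1:>8.4f} {ek:>10.4f} {ratio:>7.3f} {root:>8.3f} {basic:>10.4f}")
```

With these toy values a 100-account coalition reaches ε_joint ≈ 0.98 against a per-account ε_acc ≈ 0.096, a ratio of about 10.2 versus √100 = 10; the small excess is the linear k·c term.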

What would settle it

An empirical run with increasing numbers of colluding same-tenant accounts in which the observed membership inference success rate fails to rise proportionally to sqrt(k) times the individual epsilon.

Figures

Figures reproduced from arXiv: 2605.19847 by Brittany I. Davidson, Florian A. D. Burnat.

Figure 1. Multi-tenant RAG with a k-account coalition. The service applies the rate limit per account and adds DP noise before top-K; coalitions evade both bounds by pooling outputs after retrieval (red dashed link). The k-coalition (red dashed link) is a subset of accounts that pool their responses through a shared output channel after the LLM has returned them, which the service cannot observe and the per-account rate…

Figure 2. Empirical membership-inference AUC against coalition size.

Figure 3. Real-embedder rate transfer (bge-small-en-v1.5, 384-dim, n = 200, T = 2 000). At realized ∆ = 0.41, the empirical advantage grows 4.84× across k ∈ {1, 2, 5, 10, 20} against a predicted √20 ≈ 4.47; the √k rate is preserved. Absolute advantages sit below the ∆ = 1 random-embedder baseline (grey squares) by a constant factor consistent with the ratio of realized ∆. …

Figure 4. Alternative-adversary AUC vs. k at ε_acc = 4, n = 10^4, T = 5 000 trials per cell, on the scalar mechanism of Theorem 3.5. Baseline (blue circles) and Bayes LR (green squares) coincide trial-by-trial (monotonicity identity). Diversified split adversaries at ρ = 0.50 (orange triangles) and ρ = 0.25 (red triangles) trail baseline at every k > 1. No alternative adversary tested exceeds the baseline √k rate. …

Figure 5. External vs same-tenant collusion against the top-…

Figure 6. Production-scale HNSW on 10^6 MS MARCO passages, bge-small-en-v1.5 embedder, HNSW (M=64, efcstr=200, efq=128), ∆ = 0.133, T = 2,000. (a) User-observable hit-indicator AUC: chance at scale (curves flat across k). (b) Auditor-observable pooled noisy-score at the planted slot: monotone curve preserved at ε_acc ∈ {8, 16}. The two panels show different observation surfaces: (a) is what an attacker account sees; …

Figure 7. Coalition-size estimator calibration on the toy harness (…
Original abstract

Multi-tenant retrieval-augmented generation (RAG) services advertise per-account differential privacy as the operative leakage boundary: each account's queries are guaranteed to satisfy $(\varepsilon_{\text{acc}}, \delta_{\text{acc}})$-DP with respect to the index. We identify same-index multi-account collusion as a privacy-boundary failure: for $k$ same-tenant accounts coordinating against the tenant's index -- the operative regime -- known DP composition theory implies joint leakage degrades unconditionally at rate $\Theta(\sqrt{k} \cdot \varepsilon_{\text{acc}})$ for Gaussian-noised retrieval. Cross-tenant and external collusion match the rate only under explicit access-control failure (M4); without M4 these regimes have zero leakage by design and reduce to an architectural audit, not a DP audit. We exhibit an attack realizing the rate and derive a RAG-specific MIA prediction we test empirically. To make this per-account/joint gap auditable, we design the first audit protocol that operates against unmodified RAG deployments and issues a quantitative $(\textsf{PASS}, \varepsilon_{\text{audit}})$ verdict for the retrieval-score channel -- the noise-then-select step the per-account DP guarantee actually covers -- without index disclosure, pipeline redesign, or model-weight exposure. Generation-channel privacy (LLM output conditioned on selected documents) is a separate audit predicate that should compose with ours; we explicitly scope it out. The protocol composes generic cryptographic primitives (Merkle ledgers, ZK function-application proofs, Gaussian noise attestations) with six RAG-specific primitives (embedder commitment, index-content vector commitment, per-account query ledger, noise-then-select attestation, cross-tenant containment proof, coalition-size estimator) and supports both closed-form audit bounds and Rényi-DP moments-accountant tracking.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript identifies same-index multi-account collusion as a privacy-boundary failure in multi-tenant RAG: for k coordinating accounts against a shared tenant index, standard Gaussian DP composition implies joint leakage scales as Θ(√k · ε_acc). It exhibits an attack realizing this rate, derives a RAG-specific MIA prediction tested empirically, and presents the first audit protocol for unmodified deployments that issues a quantitative (PASS, ε_audit) verdict on the retrieval-score (noise-then-select) channel using Merkle ledgers, ZK proofs, Gaussian attestations, and six RAG-specific primitives (embedder commitment, index vector commitment, query ledger, noise-then-select attestation, cross-tenant containment, coalition-size estimator). Generation-channel privacy is explicitly scoped out.

Significance. If the empirical MIA results and audit-protocol soundness hold, the work is significant for bridging theoretical DP composition with a deployable, index-disclosure-free audit for production RAG systems. It correctly leverages external Gaussian DP theorems without circularity, provides an empirical test of the derived MIA prediction, and introduces novel RAG-specific audit primitives that enable quantitative verdicts on the exact channel covered by per-account guarantees.

major comments (2)
  1. [§4] Threat Model and Collusion Regimes: the distinction between same-index (operative) and cross-tenant regimes is load-bearing for the Θ(√k · ε_acc) claim; the manuscript should add an explicit reduction showing that M4 access-control failure is the only way cross-tenant collusion can match the rate, with a concrete counter-example when M4 holds.
  2. [§6.3] Audit Protocol Soundness: the noise-then-select attestation is central to the (PASS, ε_audit) verdict, yet the reduction from the RAG-specific primitive to the Gaussian mechanism's (ε,δ)-DP guarantee lacks a theorem statement or proof sketch; without it the quantitative output rests on an unverified composition.
minor comments (2)
  1. [Abstract] The phrase 'RAG-specific MIA prediction' is introduced without a one-sentence gloss; a parenthetical definition would improve readability for readers outside the sub-area.
  2. [Notation] ε_audit is used before its formal definition in the protocol section; a forward reference or early definition box would prevent confusion.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the positive assessment of our work's significance and for the detailed comments that help improve the manuscript. We address the major comments point-by-point below, agreeing to incorporate revisions where appropriate to strengthen the presentation.

Point-by-point responses
  1. Referee: [§4] Threat Model and Collusion Regimes: the distinction between same-index (operative) and cross-tenant regimes is load-bearing for the Θ(√k · ε_acc) claim; the manuscript should add an explicit reduction showing that M4 access-control failure is the only way cross-tenant collusion can match the rate, with a concrete counter-example when M4 holds.

    Authors: We concur that an explicit reduction is necessary to make the load-bearing distinction fully rigorous. The current manuscript discusses that cross-tenant collusion requires M4 failure to match the same-index rate, but we will expand §4 with a formal reduction. This reduction will demonstrate that M4 access-control failure is the sole mechanism allowing cross-tenant collusion to achieve Θ(√k · ε_acc) degradation. For a concrete counter-example when M4 holds, we will describe a scenario involving a shared vector store misconfiguration that permits cross-tenant index access, enabling the collusion attack to proceed as in the same-index case. When M4 is enforced, cross-tenant regimes yield zero leakage, confirming they reduce to an architectural rather than DP audit. (revision: yes)

  2. Referee: [§6.3] Audit Protocol Soundness: the noise-then-select attestation is central to the (PASS, ε_audit) verdict, yet the reduction from the RAG-specific primitive to the Gaussian mechanism's (ε,δ)-DP guarantee lacks a theorem statement or proof sketch; without it the quantitative output rests on an unverified composition.

    Authors: We appreciate this observation regarding the audit protocol soundness. The noise-then-select attestation is indeed pivotal, and while we rely on established Gaussian DP theorems, the manuscript would benefit from an explicit theorem and proof sketch. In the revised version, we will insert a theorem in §6.3 that formally reduces the RAG-specific noise-then-select attestation to the (ε,δ)-DP guarantee of the Gaussian mechanism. The proof sketch will outline the composition steps, ensuring the quantitative (PASS, ε_audit) verdict is rigorously supported without unverified assumptions. (revision: yes)

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The paper's core claim on joint leakage degrading at Θ(√k · ε_acc) under same-index collusion is explicitly derived from known external DP composition theorems applied to the Gaussian mechanism in the noise-then-select retrieval step, rather than from any internal fit, self-definition, or self-citation chain. The audit protocol is introduced as a fresh construction composing standard cryptographic primitives with RAG-specific ones, without reducing any prediction or bound to its own inputs by construction. No load-bearing step equates a derived quantity to a fitted parameter or prior self-result; the argument remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The paper rests on standard differential privacy composition theorems for Gaussian mechanisms and introduces new protocol components whose security is not independently evidenced outside the design itself.

axioms (1)
  • [standard math] Differential privacy composition theorems for Gaussian mechanisms
    Invoked to obtain the unconditional joint leakage rate Θ(√k · ε_acc) under same-index collusion.
invented entities (1)
  • [no independent evidence] RAG-specific audit primitives (embedder commitment, noise-then-select attestation, coalition-size estimator, etc.)
    purpose: Enable quantitative auditing of the retrieval-score channel without index disclosure or pipeline changes
    Newly postulated components required for the audit protocol; no independent evidence (e.g., formal verification or external test) is supplied in the abstract.

pith-pipeline@v0.9.0 · 5869 in / 1447 out tokens · 71373 ms · 2026-05-20T04:05:40.043186+00:00

