Pith Number

pith:LHSLZP6X

pith:2026:LHSLZP6XIAYLJU6KVQ6EETY5MF
not attested · not anchored · not stored · refs resolved

VectorSmuggle: Steganographic Exfiltration in Embedding Stores and a Cryptographic Provenance Defense

Jascha Wanger

Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes.

arxiv:2605.13764 v1 · 2026-05-13 · cs.CR · cs.IR · cs.LG

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{LHSLZP6XIAYLJU6KVQ6EETY5MF}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 strongest claim

small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. ... VectorPin ... closes this attack class.

C2 weakest assumption

that post-embedding perturbations can be chosen to preserve surface-level retrieval behavior while still carrying hidden payload data across the tested models and corpora.

C3 one line summary

Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class.

References

42 extracted · 42 resolved · 2 Pith anchors

Receipt and verification
First computed 2026-05-18T02:44:16.120999Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7

Aliases

arxiv: 2605.13764 · arxiv_version: 2605.13764v1 · doi: 10.48550/arxiv.2605.13764 · pith_short_12: LHSLZP6XIAYL · pith_short_16: LHSLZP6XIAYLJU6K · pith_short_8: LHSLZP6X
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "60e9731e179d5aed76eff359ffe3abd898eae530fff5cdaaf0674c73ef8e585d",
    "cross_cats_sorted": [
      "cs.IR",
      "cs.LG"
    ],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-13T16:44:20Z",
    "title_canon_sha256": "c033338fc04f82194cb46916a77aa08361538296afc980f637628238b14ca8f4"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.13764",
    "kind": "arxiv",
    "version": 1
  }
}