{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:LHSLZP6XIAYLJU6KVQ6EETY5MF","short_pith_number":"pith:LHSLZP6X","schema_version":"1.0","canonical_sha256":"59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7","source":{"kind":"arxiv","id":"2605.13764","version":1},"attestation_state":"computed","paper":{"title":"VectorSmuggle: Steganographic Exfiltration in Embedding Stores and a Cryptographic Provenance Defense","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes.","cross_cats":["cs.IR","cs.LG"],"primary_cat":"cs.CR","authors_text":"Jascha Wanger","submitted_at":"2026-05-13T16:44:20Z","abstract_excerpt":"Modern retrieval-augmented generation (RAG) systems convert sensitive content into high-dimensional embeddings and store them in vector databases that treat the resulting numerical artifacts as opaque. Major vector-store products do not provide native controls for embedding integrity, ingestion-time distributional anomaly detection, or cryptographic provenance attestation. We show this opens a class of steganographic exfiltration attacks: an attacker with write access to the ingestion pipeline can hide payload data inside embeddings using simple post-embedding perturbations (noise injection, r"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":false},"canonical_record":{"source":{"id":"2605.13764","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T16:44:20Z","cross_cats_sorted":["cs.IR","cs.LG"],"title_canon_sha256":"c033338fc04f82194cb46916a77aa08361538296afc980f637628238b14ca8f4","abstract_canon_sha256":"60e9731e179d5aed76eff359ffe3abd898eae530fff5cdaaf0674c73ef8e585d"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T02:44:16.121538Z","signature_b64":"gC4xcl+rOnVutxa2s8NVL0kfobuoVoIIAiWxtnVDY7dPHK3IDemYSz6VuOIUYutZuRWJ50hXC4p97NMjZddwBQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7","last_reissued_at":"2026-05-18T02:44:16.120999Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T02:44:16.120999Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"VectorSmuggle: Steganographic Exfiltration in Embedding Stores and a Cryptographic Provenance Defense","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes.","cross_cats":["cs.IR","cs.LG"],"primary_cat":"cs.CR","authors_text":"Jascha Wanger","submitted_at":"2026-05-13T16:44:20Z","abstract_excerpt":"Modern retrieval-augmented generation (RAG) systems convert sensitive content into high-dimensional embeddings and store them in vector databases that treat the resulting numerical artifacts as opaque. Major vector-store products do not provide native controls for embedding integrity, ingestion-time distributional anomaly detection, or cryptographic provenance attestation. We show this opens a class of steganographic exfiltration attacks: an attacker with write access to the ingestion pipeline can hide payload data inside embeddings using simple post-embedding perturbations (noise injection, r"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. ... VectorPin ... closes this attack class.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"that post-embedding perturbations can be chosen to preserve surface-level retrieval behavior while still carrying hidden payload data across the tested models and corpora.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"e4a37abb0c8abe48e9c8f6dd99a0571651bac7d70ea1b1d161ae97a7cd1726ee"},"source":{"id":"2605.13764","kind":"arxiv","version":1},"verdict":{"id":"35f26228-c073-46bf-b3d0-9235b338a4f9","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T17:42:35.641055Z","strongest_claim":"small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. ... VectorPin ... closes this attack class.","one_line_summary":"Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"that post-embedding perturbations can be chosen to preserve surface-level retrieval behavior while still carrying hidden payload data across the tested models and corpora.","pith_extraction_headline":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes."},"references":{"count":42,"sample":[{"doi":"","year":2018,"title":"Turning your weakness into a strength: Watermarking deep neural networks by backdooring","work_id":"85a7c69e-02ca-4938-8cdd-c04e6c1ac42a","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2012,"title":"Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang","work_id":"6a1c668e-59b4-4a1e-84a3-90a3f6a3e5c2","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2021,"title":"Extracting training data from large language models","work_id":"2c567874-ed57-4593-8e8b-d03ed9d5f33c","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"C2PA technical specification, version 2.0","work_id":"9a9964ee-dfb8-4120-956b-1929984bd23f","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":1997,"title":"Cox, Joe Kilian, F","work_id":"ea083d40-72f1-4e24-9b56-645edaa70c99","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":42,"snapshot_sha256":"ae28a49122c1b54df2409b9e330d70624029927506d2450e0868c7ad1e5b0927","internal_anchors":2},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2605.13764","created_at":"2026-05-18T02:44:16.121070+00:00"},{"alias_kind":"arxiv_version","alias_value":"2605.13764v1","created_at":"2026-05-18T02:44:16.121070+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13764","created_at":"2026-05-18T02:44:16.121070+00:00"},{"alias_kind":"pith_short_12","alias_value":"LHSLZP6XIAYL","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"LHSLZP6XIAYLJU6K","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"LHSLZP6X","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF","json":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF.json","graph_json":"https://pith.science/api/pith-number/LHSLZP6XIAYLJU6KVQ6EETY5MF/graph.json","events_json":"https://pith.science/api/pith-number/LHSLZP6XIAYLJU6KVQ6EETY5MF/events.json","paper":"https://pith.science/paper/LHSLZP6X"},"agent_actions":{"view_html":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF","download_json":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF.json","view_paper":"https://pith.science/paper/LHSLZP6X","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2605.13764&json=true","fetch_graph":"https://pith.science/api/pith-number/LHSLZP6XIAYLJU6KVQ6EETY5MF/graph.json","fetch_events":"https://pith.science/api/pith-number/LHSLZP6XIAYLJU6KVQ6EETY5MF/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/action/timestamp_anchor","attest_storage":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/action/storage_attestation","attest_author":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/action/author_attestation","sign_citation":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/action/citation_signature","submit_replication":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/action/replication_record"}},"created_at":"2026-05-18T02:44:16.121070+00:00","updated_at":"2026-05-18T02:44:16.121070+00:00"}