{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:LHSLZP6XIAYLJU6KVQ6EETY5MF","short_pith_number":"pith:LHSLZP6X","canonical_record":{"source":{"id":"2605.13764","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T16:44:20Z","cross_cats_sorted":["cs.IR","cs.LG"],"title_canon_sha256":"c033338fc04f82194cb46916a77aa08361538296afc980f637628238b14ca8f4","abstract_canon_sha256":"60e9731e179d5aed76eff359ffe3abd898eae530fff5cdaaf0674c73ef8e585d"},"schema_version":"1.0"},"canonical_sha256":"59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7","source":{"kind":"arxiv","id":"2605.13764","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.13764","created_at":"2026-05-18T02:44:16Z"},{"alias_kind":"arxiv_version","alias_value":"2605.13764v1","created_at":"2026-05-18T02:44:16Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13764","created_at":"2026-05-18T02:44:16Z"},{"alias_kind":"pith_short_12","alias_value":"LHSLZP6XIAYL","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"LHSLZP6XIAYLJU6K","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"LHSLZP6X","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:LHSLZP6XIAYLJU6KVQ6EETY5MF","target":"record","payload":{"canonical_record":{"source":{"id":"2605.13764","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T16:44:20Z","cross_cats_sorted":["cs.IR","cs.LG"],"title_canon_sha256":"c033338fc04f82194cb46916a77aa08361538296afc980f637628238b14ca8f4","abstract_canon_sha256":"60e9731e179d5aed76eff359ffe3abd898eae530fff5cdaaf0674c73ef8e585d"},"schema_version":"1.0"},"canonical_sha256":"59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7","receipt":
{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T02:44:16.121538Z","signature_b64":"gC4xcl+rOnVutxa2s8NVL0kfobuoVoIIAiWxtnVDY7dPHK3IDemYSz6VuOIUYutZuRWJ50hXC4p97NMjZddwBQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7","last_reissued_at":"2026-05-18T02:44:16.120999Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T02:44:16.120999Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2605.13764","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T02:44:16Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"EsINbL1e09NJLSu2mO4CaijCKg2ZSyC1tjeNyEufaAaPeUavRVLtHWewUIvGBgArtkWJmIwAQgugTbHQc2OUDQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-02T02:48:05.870300Z"},"content_sha256":"fab085af9c4053d14e8fd038355a74df8853ae79c4b23293827017a8456e76bf","schema_version":"1.0","event_id":"sha256:fab085af9c4053d14e8fd038355a74df8853ae79c4b23293827017a8456e76bf"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:LHSLZP6XIAYLJU6KVQ6EETY5MF","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"VectorSmuggle: Steganographic Exfiltration in Embedding Stores and a Cryptographic Provenance Defense","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes.","cross_cats":["cs.IR","cs.LG"],"primary_cat":"cs.CR","authors_text":"Jascha 
Wanger","submitted_at":"2026-05-13T16:44:20Z","abstract_excerpt":"Modern retrieval-augmented generation (RAG) systems convert sensitive content into high-dimensional embeddings and store them in vector databases that treat the resulting numerical artifacts as opaque. Major vector-store products do not provide native controls for embedding integrity, ingestion-time distributional anomaly detection, or cryptographic provenance attestation. We show this opens a class of steganographic exfiltration attacks: an attacker with write access to the ingestion pipeline can hide payload data inside embeddings using simple post-embedding perturbations (noise injection, r"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. ... VectorPin ... closes this attack class.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"that post-embedding perturbations can be chosen to preserve surface-level retrieval behavior while still carrying hidden payload data across the tested models and corpora.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the 
changes.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"e4a37abb0c8abe48e9c8f6dd99a0571651bac7d70ea1b1d161ae97a7cd1726ee"},"source":{"id":"2605.13764","kind":"arxiv","version":1},"verdict":{"id":"35f26228-c073-46bf-b3d0-9235b338a4f9","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T17:42:35.641055Z","strongest_claim":"small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. ... VectorPin ... closes this attack class.","one_line_summary":"Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"that post-embedding perturbations can be chosen to preserve surface-level retrieval behavior while still carrying hidden payload data across the tested models and corpora.","pith_extraction_headline":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes."},"references":{"count":42,"sample":[{"doi":"","year":2018,"title":"Turning your weakness into a strength: Watermarking deep neural networks by backdooring","work_id":"85a7c69e-02ca-4938-8cdd-c04e6c1ac42a","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2012,"title":"Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang","work_id":"6a1c668e-59b4-4a1e-84a3-90a3f6a3e5c2","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2021,"title":"Extracting training data from large language models","work_id":"2c567874-ed57-4593-8e8b-d03ed9d5f33c","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"C2PA technical specification, version 
2.0","work_id":"9a9964ee-dfb8-4120-956b-1929984bd23f","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":1997,"title":"Cox, Joe Kilian, F","work_id":"ea083d40-72f1-4e24-9b56-645edaa70c99","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":42,"snapshot_sha256":"ae28a49122c1b54df2409b9e330d70624029927506d2450e0868c7ad1e5b0927","internal_anchors":2},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"35f26228-c073-46bf-b3d0-9235b338a4f9"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T02:44:16Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"vjUtozt7SQQ6fWpyd2EudyLkdGXUGKasTuFRk2yhQFIl1OTRnrbh9sgARcQb0tX1ycM9yXBRVVNCfqk36a+LAg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-02T02:48:05.870833Z"},"content_sha256":"db680c9a3f95cd60384680872ed8ca1f3a1d476a3f8c21e01de1a14656b38ad9","schema_version":"1.0","event_id":"sha256:db680c9a3f95cd60384680872ed8ca1f3a1d476a3f8c21e01de1a14656b38ad9"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith 
Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/bundle.json","state_url":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64)). Event and bundle signatures made with this key name a different signed_message (open_graph_event_sha256_bytes, bundle_sha256_bytes); verify each signature against the message its signed_message field names. Confirm the key fingerprint against a copy obtained independently of this bundle, because a key carried inside the bundle cannot authenticate the bundle by itself."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-02T02:48:05Z","links":{"resolver":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF","bundle":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/bundle.json","state":"https://pith.science/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/state.json","well_known_bundle":"https://pith.science/.well-known/pith/LHSLZP6XIAYLJU6KVQ6EETY5MF/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:LHSLZP6XIAYLJU6KVQ6EETY5MF","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"60e9731e179d5aed76eff359ffe3abd898eae530fff5cdaaf0674c73ef8e585d","cross_cats_sorted":["cs.IR","cs.LG"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T16:44:20Z","title_canon_sha256":"c033338fc04f82194cb46916a77aa08361538296afc980f637628238b14ca8f4"},"schema_version":"1.0","sourc
e":{"id":"2605.13764","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.13764","created_at":"2026-05-18T02:44:16Z"},{"alias_kind":"arxiv_version","alias_value":"2605.13764v1","created_at":"2026-05-18T02:44:16Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13764","created_at":"2026-05-18T02:44:16Z"},{"alias_kind":"pith_short_12","alias_value":"LHSLZP6XIAYL","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"LHSLZP6XIAYLJU6K","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"LHSLZP6X","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:db680c9a3f95cd60384680872ed8ca1f3a1d476a3f8c21e01de1a14656b38ad9","target":"graph","created_at":"2026-05-18T02:44:16Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. ... VectorPin ... 
closes this attack class."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"that post-embedding perturbations can be chosen to preserve surface-level retrieval behavior while still carrying hidden payload data across the tested models and corpora."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes."}],"snapshot_sha256":"e4a37abb0c8abe48e9c8f6dd99a0571651bac7d70ea1b1d161ae97a7cd1726ee"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Modern retrieval-augmented generation (RAG) systems convert sensitive content into high-dimensional embeddings and store them in vector databases that treat the resulting numerical artifacts as opaque. Major vector-store products do not provide native controls for embedding integrity, ingestion-time distributional anomaly detection, or cryptographic provenance attestation. 
We show this opens a class of steganographic exfiltration attacks: an attacker with write access to the ingestion pipeline can hide payload data inside embeddings using simple post-embedding perturbations (noise injection, r","authors_text":"Jascha Wanger","cross_cats":["cs.IR","cs.LG"],"headline":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T16:44:20Z","title":"VectorSmuggle: Steganographic Exfiltration in Embedding Stores and a Cryptographic Provenance Defense"},"references":{"count":42,"internal_anchors":2,"resolved_work":42,"sample":[{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":1,"title":"Turning your weakness into a strength: Watermarking deep neural networks by backdooring","work_id":"85a7c69e-02ca-4938-8cdd-c04e6c1ac42a","year":2018},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":2,"title":"Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang","work_id":"6a1c668e-59b4-4a1e-84a3-90a3f6a3e5c2","year":2012},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":3,"title":"Extracting training data from large language models","work_id":"2c567874-ed57-4593-8e8b-d03ed9d5f33c","year":2021},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"C2PA technical specification, version 2.0","work_id":"9a9964ee-dfb8-4120-956b-1929984bd23f","year":2024},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"Cox, Joe Kilian, 
F","work_id":"ea083d40-72f1-4e24-9b56-645edaa70c99","year":1997}],"snapshot_sha256":"ae28a49122c1b54df2409b9e330d70624029927506d2450e0868c7ad1e5b0927"},"source":{"id":"2605.13764","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-14T17:42:35.641055Z","id":"35f26228-c073-46bf-b3d0-9235b338a4f9","model_set":{"reader":"grok-4.3"},"one_line_summary":"Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes.","strongest_claim":"small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. ... VectorPin ... closes this attack class.","weakest_assumption":"that post-embedding perturbations can be chosen to preserve surface-level retrieval behavior while still carrying hidden payload data across the tested models and 
corpora."}},"verdict_id":"35f26228-c073-46bf-b3d0-9235b338a4f9"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:fab085af9c4053d14e8fd038355a74df8853ae79c4b23293827017a8456e76bf","target":"record","created_at":"2026-05-18T02:44:16Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"60e9731e179d5aed76eff359ffe3abd898eae530fff5cdaaf0674c73ef8e585d","cross_cats_sorted":["cs.IR","cs.LG"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T16:44:20Z","title_canon_sha256":"c033338fc04f82194cb46916a77aa08361538296afc980f637628238b14ca8f4"},"schema_version":"1.0","source":{"id":"2605.13764","kind":"arxiv","version":1}},"canonical_sha256":"59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7","first_computed_at":"2026-05-18T02:44:16.120999Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T02:44:16.120999Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"gC4xcl+rOnVutxa2s8NVL0kfobuoVoIIAiWxtnVDY7dPHK3IDemYSz6VuOIUYutZuRWJ50hXC4p97NMjZddwBQ==","signature_status":"signed_v1","signed_at":"2026-05-18T02:44:16.121538Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.13764","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:fab085af9c4053d14e8fd038355a74df8853ae79c4b23293827017a8456e76bf","sha256:db680c9a3f95cd60384680872ed8ca1f3a1d476a3f8c21e01
de1a14656b38ad9"],"state_sha256":"c1b1c2ad08da61336fdb3178dc3f6ab3f1cc22c7f69017114a93d42ad9bc0baf"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"MpabV8mO2oD9KK+K8nQcjU1nwg1AROVozSAHsuuKKmhYMsfB+INLFXRKzDMxIYgANXd9MSxvN4GRwsphCAahCw==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-02T02:48:05.873165Z","bundle_sha256":"3aef1e19babf2913d0daf1b73ea025d705442934ef7d4ce8d292f1c3d266cb57"}}