{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:LHSLZP6XIAYLJU6KVQ6EETY5MF","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"60e9731e179d5aed76eff359ffe3abd898eae530fff5cdaaf0674c73ef8e585d","cross_cats_sorted":["cs.IR","cs.LG"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T16:44:20Z","title_canon_sha256":"c033338fc04f82194cb46916a77aa08361538296afc980f637628238b14ca8f4"},"schema_version":"1.0","source":{"id":"2605.13764","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.13764","created_at":"2026-05-18T02:44:16Z"},{"alias_kind":"arxiv_version","alias_value":"2605.13764v1","created_at":"2026-05-18T02:44:16Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13764","created_at":"2026-05-18T02:44:16Z"},{"alias_kind":"pith_short_12","alias_value":"LHSLZP6XIAYL","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"LHSLZP6XIAYLJU6K","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"LHSLZP6X","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:db680c9a3f95cd60384680872ed8ca1f3a1d476a3f8c21e01de1a14656b38ad9","target":"graph","created_at":"2026-05-18T02:44:16Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. ... VectorPin ... closes this attack class."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"that post-embedding perturbations can be chosen to preserve surface-level retrieval behavior while still carrying hidden payload data across the tested models and corpora."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes."}],"snapshot_sha256":"e4a37abb0c8abe48e9c8f6dd99a0571651bac7d70ea1b1d161ae97a7cd1726ee"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Modern retrieval-augmented generation (RAG) systems convert sensitive content into high-dimensional embeddings and store them in vector databases that treat the resulting numerical artifacts as opaque. Major vector-store products do not provide native controls for embedding integrity, ingestion-time distributional anomaly detection, or cryptographic provenance attestation. We show this opens a class of steganographic exfiltration attacks: an attacker with write access to the ingestion pipeline can hide payload data inside embeddings using simple post-embedding perturbations (noise injection, r","authors_text":"Jascha Wanger","cross_cats":["cs.IR","cs.LG"],"headline":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T16:44:20Z","title":"VectorSmuggle: Steganographic Exfiltration in Embedding Stores and a Cryptographic Provenance Defense"},"references":{"count":42,"internal_anchors":2,"resolved_work":42,"sample":[{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":1,"title":"Turning your weakness into a strength: Watermarking deep neural networks by backdooring","work_id":"85a7c69e-02ca-4938-8cdd-c04e6c1ac42a","year":2018},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":2,"title":"Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang","work_id":"6a1c668e-59b4-4a1e-84a3-90a3f6a3e5c2","year":2012},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":3,"title":"Extracting training data from large language models","work_id":"2c567874-ed57-4593-8e8b-d03ed9d5f33c","year":2021},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"C2PA technical specification, version 2.0","work_id":"9a9964ee-dfb8-4120-956b-1929984bd23f","year":2024},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"Cox, Joe Kilian, F","work_id":"ea083d40-72f1-4e24-9b56-645edaa70c99","year":1997}],"snapshot_sha256":"ae28a49122c1b54df2409b9e330d70624029927506d2450e0868c7ad1e5b0927"},"source":{"id":"2605.13764","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-14T17:42:35.641055Z","id":"35f26228-c073-46bf-b3d0-9235b338a4f9","model_set":{"reader":"grok-4.3"},"one_line_summary":"Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"Embeddings can hide stolen data via small rotations that evade detectors, but signatures block the changes.","strongest_claim":"small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. ... VectorPin ... closes this attack class.","weakest_assumption":"that post-embedding perturbations can be chosen to preserve surface-level retrieval behavior while still carrying hidden payload data across the tested models and corpora."}},"verdict_id":"35f26228-c073-46bf-b3d0-9235b338a4f9"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:fab085af9c4053d14e8fd038355a74df8853ae79c4b23293827017a8456e76bf","target":"record","created_at":"2026-05-18T02:44:16Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"60e9731e179d5aed76eff359ffe3abd898eae530fff5cdaaf0674c73ef8e585d","cross_cats_sorted":["cs.IR","cs.LG"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T16:44:20Z","title_canon_sha256":"c033338fc04f82194cb46916a77aa08361538296afc980f637628238b14ca8f4"},"schema_version":"1.0","source":{"id":"2605.13764","kind":"arxiv","version":1}},"canonical_sha256":"59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"59e4bcbfd74030b4d3caac3c424f1d61599e69bd980883913a0b3ca43dd250f7","first_computed_at":"2026-05-18T02:44:16.120999Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T02:44:16.120999Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"gC4xcl+rOnVutxa2s8NVL0kfobuoVoIIAiWxtnVDY7dPHK3IDemYSz6VuOIUYutZuRWJ50hXC4p97NMjZddwBQ==","signature_status":"signed_v1","signed_at":"2026-05-18T02:44:16.121538Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.13764","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:fab085af9c4053d14e8fd038355a74df8853ae79c4b23293827017a8456e76bf","sha256:db680c9a3f95cd60384680872ed8ca1f3a1d476a3f8c21e01de1a14656b38ad9"],"state_sha256":"c1b1c2ad08da61336fdb3178dc3f6ab3f1cc22c7f69017114a93d42ad9bc0baf"}