OptiLeak: Efficient Prompt Reconstruction via Reinforcement Learning in Multi-tenant LLM Services
#OptiLeak #Prompt Leakage #Reinforcement Learning #Multi-tenant LLM #Key-Value Cache #Privacy Risk #Side-channel Vulnerability #Direct Preference Optimization
📌 Key Takeaways
- OptiLeak achieves up to 12.48x reduction in average requests per token compared to baseline approaches
- The framework automatically identifies 'hard tokens' through likelihood ranking to construct preference pairs
- Evaluated on medical and financial domains with consistent results across 3B to 14B parameter models
- Research demonstrates cache-based prompt leakage is more severe than previously reported
📖 Full Retelling
Longxiang Wang and five colleagues introduced OptiLeak, a reinforcement learning-enhanced framework for efficient prompt reconstruction in multi-tenant LLM services, in a paper submitted to arXiv on February 24, 2026. The paper addresses security vulnerabilities in shared Key-Value caches that enable prompt leakage attacks, a risk that previous studies had underestimated because they reported impractically high attack costs.
Multi-tenant LLM serving frameworks widely adopt shared Key-Value caches to enhance efficiency, but this creates side-channel vulnerabilities that can be exploited to reconstruct sensitive prompts. Where prior approaches focused on expanding attack vectors, OptiLeak focuses on optimizing attack performance. The framework employs a two-stage fine-tuning process that automatically identifies domain-specific 'hard tokens' (terms that are difficult to predict yet contain sensitive information) through likelihood ranking. These tokens are then used to construct preference pairs for Direct Preference Optimization, which eliminates the need for manual annotation and avoids the overfitting issues associated with extended supervised fine-tuning.
Evaluated on three benchmarks spanning medical and financial domains, OptiLeak achieved up to a 12.48 times reduction in average requests per token compared to baseline approaches, with consistent results across model scales from 3B to 14B parameters. The findings show that cache-based prompt leakage poses a more severe threat to privacy than previously reported, and they highlight an urgent need for robust cache isolation mechanisms in production deployments of multi-tenant LLM services.
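The cache isolation called for above can be illustrated with a toy prefix cache (an added example, not code from the paper or from any serving framework): block keys are chained hashes over the prompt prefix, and mixing a per-tenant secret into the key keeps one tenant's request from reusing blocks cached for another. The class and function names, block size, secrets and sample prompt are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 4  # tokens per cache block (constructed; real servers use larger blocks)
SECRETS = {"tenant_a": b"constructed-secret-a", "tenant_b": b"constructed-secret-b"}
PROMPT = "patient reports chest pain radiating to left arm since Monday"  # constructed

def block_keys(tokens, salt=b""):
    """One chained hash per full block; each key commits to the whole prefix before it."""
    keys, prev = [], salt
    for i in range(0, len(tokens) - len(tokens) % BLOCK, BLOCK):
        chunk = " ".join(tokens[i:i + BLOCK]).encode()
        prev = hashlib.sha256(prev + b"|" + chunk).digest()
        keys.append(prev)
    return keys

class PrefixCache:
    """Toy prefix cache. isolate=True mixes a per-tenant secret into every block key."""
    def __init__(self, isolate, tenant_secrets):
        self.isolate = isolate
        self.secrets = tenant_secrets
        self.blocks = set()

    def serve(self, tenant, prompt):
        """Return the number of leading blocks reused, then cache this prompt's blocks."""
        salt = self.secrets[tenant] if self.isolate else b""
        keys = block_keys(prompt.split(), salt)
        hits = 0
        for key in keys:
            if key not in self.blocks:
                break
            hits += 1
        self.blocks.update(keys)
        return hits

def cross_tenant_hits(isolate):
    """Isolation check: (blocks reused across tenants, blocks reused by the owner)."""
    cache = PrefixCache(isolate, SECRETS)
    cache.serve("tenant_a", PROMPT)          # tenant A's request warms the cache
    other = cache.serve("tenant_b", PROMPT)  # identical text arriving from tenant B
    own = cache.serve("tenant_a", PROMPT)    # tenant A repeating its own prompt
    return other, own

if __name__ == "__main__":
    print("shared cache   :", cross_tenant_hits(False))
    print("isolated cache :", cross_tenant_hits(True))
```

A non-zero first value means cache state is observable across the tenant boundary; with tenant-scoped keys it drops to zero while each tenant keeps the reuse benefit for its own prompts.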
🏷️ Themes
AI Security, Privacy Protection, Reinforcement Learning
Original Source
arXiv:2602.20595 [Submitted on 24 Feb 2026]
Title: OptiLeak: Efficient Prompt Reconstruction via Reinforcement Learning in Multi-tenant LLM Services
Authors: Longxiang Wang, Xiang Zheng, Xuhao Zhang, Yao Zhang, Ye Wu, Cong Wang
Abstract: Multi-tenant LLM serving frameworks widely adopt shared Key-Value caches to enhance efficiency. However, this creates side-channel vulnerabilities enabling prompt leakage attacks. Prior studies identified these attack surfaces yet focused on expanding attack vectors rather than optimizing attack performance, reporting impractically high attack costs that underestimate the true privacy risk. We propose OptiLeak, a reinforcement learning-enhanced framework that maximizes prompt reconstruction efficiency through two-stage fine-tuning. Our key insight is that domain-specific "hard tokens" -- terms difficult to predict yet carrying sensitive information -- can be automatically identified via likelihood ranking and used to construct preference pairs for Direct Preference Optimization, eliminating manual annotation. This enables effective preference alignment while avoiding the overfitting issues of extended supervised fine-tuning. Evaluated on three benchmarks spanning medical and financial domains, OptiLeak achieves up to $12.48\times$ reduction in average requests per token compared to baseline approaches, with consistent improvements across model scales from 3B to 14B parameters. Our findings demonstrate that cache-based prompt leakage poses a more severe threat than previously reported, underscoring the need for robust cache isolation in production deployments.
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
Cite as: arXiv:2602.20595 [cs.CR] (or arXiv:2602.20595v1 [cs.CR]...