Papers
Topics
Authors
Recent
Search
2000 character limit reached

Quantamination: Dynamic Quantization Leaks Your Data Across the Batch

Published 29 Apr 2026 in cs.CR and cs.LG | (2604.26505v1)

Abstract: Dynamic quantization emerged as a practical approach to increase the utilization and efficiency of the machine learning serving flow. Unlike static quantization, which applies quantization offline, dynamic quantization operates on tensors at run-time, adapting its parameters to the actual input data. Today's mainstream machine learning frameworks, including ML compilers and inference engines, frequently recommend dynamic quantization as an initial step for optimizing model serving. This is because dynamic quantization can significantly reduce memory usage and computational load, leading to faster token generation and improved model serving efficiency without substantial loss in model accuracy. In this paper, we reveal a critical vulnerability in dynamic quantization: an adversary can exploit such quantization strategy to steal sensitive user data placed in the same batch as the adversary's input. Our analysis demonstrates that dynamic quantization, when improperly implemented or configured, can create side channels that expose information about other inputs within the same batch. We call this phenomenon Quantamination, describing contamination from quantization. Specifically, we show that at least 4 of the most popular ML frameworks in use today either default to or can use configurations that leak data across the batch boundary. This data leakage, in theory, allows attackers to partially or even fully recover other users' batched input data, representing a serious privacy risk for existing ML serving frameworks.

Summary

  • The paper establishes that per-tensor dynamic quantization creates a cross-batch side-channel allowing adversaries to decode sensitive input data.
  • It quantitatively analyzes attacks achieving up to 100% token recovery in autoregressive models by exploiting batch quantization statistics.
  • Mitigation is achievable through per-token quantization and output restrictions, highlighting crucial trade-offs in secure ML deployment.

Quantamination: Dynamic Quantization as a Cross-Batch Privacy Vulnerability

Introduction

The paper "Quantamination: Dynamic Quantization Leaks Your Data Across the Batch" (2604.26505) investigates a latent privacy vulnerability in machine learning serving frameworks employing dynamic activation quantization. In multi-tenant environments, concurrent user inputs are batched for inference, often leveraging dynamic quantization to optimize memory and computational overhead. The authors reveal that per-tensor dynamic quantization transforms a runtime across-batch numerical artifact into a potent side-channel, which adversarial actors can exploit to infer or recover sensitive batched user data.

Vulnerability: Mechanism and Scope

Dynamic quantization parameters (scale and zero-point) are computed at runtime based on the aggregated activation statistics (min/max) of the entire batch. If the batch contains samples from both a victim and an adversary, the victim's input directly affects the quantization applied to the adversary's activation, modifying output logits in ways that encode information about the victim's data. Figure 1

Figure 1: Overview of the per-tensor dynamic activation quantization side channel. The victim’s input contaminates the adversary’s quantization, enabling sensitive data inference.

This cross-user leakage, referred to as "Quantamination," is most pronounced in mainstream ML frameworks (vLLM, SGLang, ONNX Runtime, PyTorch) whenever per-tensor dynamic quantization is performed. The authors systematically survey the framework landscape, exposing that vulnerable configurations are either default (vLLM FP8) or easily accessible, and show that per-token quantization—now standard for INT8 in LLM-serving—eliminates the side channel entirely.

Threat Model and Attack Methodologies

Adversary Setup

  • Batch co-location: Adversary can inject input into a batch alongside the victim.
  • Output observation: Adversary observes its own logits or predictions.
  • Candidate access: Full vocabulary for LLMs or dataset for classification tasks.
  • Model knowledge: Adversary knows the target architecture and quantization configuration.
  • Model access: Locally in white-box (open-source) scenario; via API in black-box scenario.

Quantization Mechanics

Let X\mathbf{X} represent the batch activation matrix. Scale α\alpha and zero-point β\beta are computed via:

α=max(X)min(X)255,β=round(min(X)α)\alpha = \frac{\max(\mathbf{X}) - \min(\mathbf{X})}{255}, \quad \beta = -\mathrm{round}\left(\frac{\min(\mathbf{X})}{\alpha}\right)

Quantized activations:

Xq=clip(round(Xα+β),0,255)\mathbf{X}_q = \mathrm{clip}\left(\mathrm{round}\left(\frac{\mathbf{X}}{\alpha} + \beta\right), 0, 255\right)

The adversary crafts probes that accentuate or isolate the victim's statistical influence in quantization, and measures logit perturbations as the information carrier.

Empirical Evaluation: LLM Token Recovery

The attack is especially effective in autoregressive LLMs, where the vocabulary is known, and token-by-token recovery can exploit strong language priors. During batched decoding, quantization parameters are shared per token batch.

Experimental results across TinyStories-1M, Pythia-70M, and SmolLM2-135M demonstrate 99.6–100% token recovery accuracy for in-distribution secrets with only top-1 log probability exposure, vastly reducing the search space versus random baseline (from \sim25,000 to \sim400–1,343 queries/token, depending on model/data alignment). Figure 2

Figure 2: Llama log probability variability in production APIs, evidencing practical limitations for deterministic exploitation.

Query efficiency dramatically improves after the first token due to context accumulation. Out-of-distribution recovery is less efficient but remains practical. Precision in threshold selection (ϵ\epsilon) is critical; strict matching eliminates false positives.

Empirical Evaluation: Classification Model Recovery

In image classification, per-layer dynamic quantization effects propagate through the network, with domination or split control of scale parameters affecting adversary logit outcomes. Experiments on MNIST with models of increasing depth (Simple CNN, ResNet18, ResNet50) show:

  • Exact secret recovery: For deep networks, random/optimized probes achieve 100% success when the secret exists in the candidate set.
  • Class-level recovery: Cluster analysis of per-layer scales reveals strong class-separable signatures, especially in deeper models. Figure 3

Figure 3

Figure 3

Figure 3

Figure 3

Figure 3

Figure 3: t-SNE projections of per-layer dynamic quantization profiles illustrate class-level clustering in deep networks.

Yet class inference via logit-based side channel is only marginally above random baseline (10–16%), indicating limited effectiveness. This is attributed to an information bottleneck: the adversary can only observe aggregate perturbation, not direct quantization scale profiles.

Discussion and Real-World Limitations

Several practical deployment challenges complicate exploitation:

  • Inference non-determinism: Production APIs exhibit logit variability even at temperature zero, arising from hardware/software heterogeneity and dynamic sampling pipelines (see Figure 2).
  • Batch size and noise: Larger batches introduce more noise, potentially masking quantization artifacts but not eliminating the underlying vulnerability.

The authors also note that provider-side adaptations—such as non-greedy decoding, custom logits processors, or novel sampling strategies—may further obscure the deterministic relationship necessary for precise attacks.

Implications and Future Directions

Theoretical:

  • Quantamination exposes the non-obvious privacy risk inherent in numerical computation sharing. Prior research focused on architectural deviations, routing-based leaks, or cache-based side channels; this work demonstrates that pure numerical artifacts—activated at runtime—can suffice for cross-user inference.
  • As model compression and efficient serving proliferate, numerical side-channels become a core concern for privacy and security research.

Practical:

  • Serving frameworks must default to per-token quantization in multi-tenant settings and audit for cross-batch contamination in all runtime statistical computations.
  • API designers should restrict output granularity (e.g., top-k prediction exposure) and consider incorporating inference-time noise or stochastic quantization.

Future development will likely involve:

  • Safe quantization primitives for model serving.
  • Robust side-channel detection tools integrated into ML serving stacks.
  • Broader surveys of numerical side-channels beyond quantization, encompassing all post-training optimizations.

Conclusion

This paper formally establishes that dynamic per-tensor activation quantization, as implemented in prevalent machine learning frameworks, forms an actionable cross-batch side-channel that adversarial actors can exploit with minimal capabilities, enabling systematic recovery of sensitive user input. The vulnerability is mitigated by per-token quantization, which should be adopted as a universal standard for secure inference. Consideration of numerical artifacts, both at the operator and architectural level, is crucial for future secure and privacy-preserving AI deployment.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 7 likes about this paper.