Leakage-Abuse via Matching (LAMA)
- LAMA is a matching-based inference framework that aligns observable leakage signals with auxiliary information to recover private data such as queries, documents, or model inputs.
- It employs statistical, distance-based, and combinatorial matching techniques across domains like encrypted search, dynamic SSE, substring extraction, gradient reconstruction, and multi-agent LLM systems.
- Empirical evaluations show that LAMA leverages frequency analysis, volumetric inference, and topological factors to trigger sensitive data recovery, informing effective mitigation strategies.
Searching arXiv for the cited papers to ground the article in the current literature. Leakage-Abuse via Matching (LAMA) denotes a class of inference procedures in which an adversary aligns observed leakage with auxiliary plaintext-side statistics, structural priors, or a ground-truth secret inventory in order to recover hidden queries, documents, substrings, training examples, or memorized entities. In encrypted range search, LAMA is introduced explicitly as a generic framework that uses access-pattern leakage and a known query distribution; related work instantiates the same matching principle in dynamic searchable symmetric encryption (DSSE), substring-SSE, gradient leakage from deep networks, and topology-aware extraction of private information from multi-agent LLM systems (Moyer et al., 15 Aug 2025, Xu et al., 2023, Ba et al., 2 Nov 2025, Chen et al., 2022, Liu et al., 4 Dec 2025).
| Domain | Leakage matched | Recovery target |
|---|---|---|
| Encrypted search | access patterns, search patterns, volumes, file-access sets | keywords, documents, database contents |
| Gradient leakage | observed gradients, layer-wise linear constraints | training images and labels |
| Multi-agent LLMs | attacker outputs against ground-truth PII | memorized PII entities |
1. Core abstraction and matching mechanics
At its most general, LAMA treats leakage as an observable signal and auxiliary knowledge as a family of candidate feature maps or secret sets. Matching then becomes either a statistical inference problem, a combinatorial consistency problem, or an optimization problem. In searchable encryption, the canonical forms are Bayesian matching,
and distance-based matching,
where encodes expected leakage features such as result sizes, co-occurrence overlaps, or repetition rates for candidate keyword (Dimobi, 7 Mar 2026).
In the encrypted range-search formulation, LAMA is decomposed into a Selector, a Translator, and a Solver. The Selector chooses Boolean expressions over retrieval events derived from access-pattern leakage; the Translator computes empirical frequencies for those expressions and converts frequency matches into logical constraints over plaintext assignments; the Solver returns all satisfying reconstructions consistent with the observed leakage and a tolerance parameter determined by sampling noise (Moyer et al., 15 Aug 2025).
Other domains realize the same abstraction with different observables. In gradient leakage, the matching variable is the pair , and the generic objective is
with prior works instantiating as $0$, label-first recovery, or cosine-similarity-plus-TV regularization (Chen et al., 2022). In multi-agent LLM evaluation, the observable is the attacker’s message , the secret inventory is 0, and leakage is scored by exact matching,
1
with aggregate
2
The commonality is not the surface form of the leakage but the decision rule: infer hidden structure by matching what is observed to what would be expected under candidate hypotheses (Liu et al., 4 Dec 2025).
Taken together, these formulations suggest that LAMA is best understood as a matching layer over a leakage model rather than as a single domain-specific algorithm. The leakage may be probabilistic, structural, or optimization-derived; the match may be exact, approximate, or constrained; but the attack logic remains the same.
2. Access-pattern frequency analysis and its limits in encrypted range search
The most formalized version of LAMA appears in encrypted range search, where the adversary observes only access-pattern leakage 3 for a sequence of encrypted queries, knows the plaintext domain 4, the query class 5, the query distribution 6, and typically the numbers of records and queries. For a plaintext point 7, the single-record retrieval probability is
8
and for a set 9,
0
From observed responses, the adversary computes empirical frequencies
1
and controls sampling error via Hoeffding’s inequality. For fixed 2,
3
so it suffices to take
4
to guarantee uniform 5-accuracy over all 6 identifiers with probability at least 7 (Moyer et al., 15 Aug 2025).
A central result is that frequency analysis has a precise limit. For axis-aligned rectangles in 8 dimensions, the parameterization 9 that uses all intersections up to size 0 is sufficient: if two databases agree on all intersection frequencies of size at most 1, then they induce the same response distribution 2. The proof relies on a covering lemma stating that any finite point set in 3 has a certificate subset of size at most 4 formed by coordinate-wise minima and maxima; any rectangle covering that subset covers the whole set. The bound is tight: using only intersections up to size 5 can fail to determine 6 (Moyer et al., 15 Aug 2025).
The framework extends beyond rectangles. For Euclidean balls and strictly convex norms, the smallest enclosing ball is determined by at most 7 support points, so intersections up to size 8 suffice under the analogous argument. More generally, the range-search paper frames LAMA for arbitrary convex query classes whenever a bounded-size certificate set exists (Moyer et al., 15 Aug 2025).
Mitigation is expressed directly at the level of the query distribution. The paper describes singleton flattening by reweighting singleton queries 9 to equalize all 0, and pair flattening by adjusting minimum bounding rectangles so that all pairs at the same 1 distance have equal coverage probability. This reduces distinguishability by enlarging frequency-equivalence classes, although full flattening across all pairwise distances is infeasible in expressive rectangle distributions (Moyer et al., 15 Aug 2025).
The implementation uses CP-SAT as Solver and evaluates on HCUP Nationwide Inpatient Sample (2009) with dimensionalities 2 (3), 4 (5), 6 (7), and 8 (9). For 0 records in 1, the number of reconstructions drops to about 2 after 3 under Uniform and remains constant through 4; under Random it stabilizes around 5 by 6; under Flattened it remains much larger, for example 7 after 8. The paper reports plaintext reconstruction from encrypted range queries spanning up to four dimensions (Moyer et al., 15 Aug 2025).
3. Dynamic SSE, refined volumetric leakage, and system-level amplification
In DSSE, LAMA operates over search and update transcripts rather than static query traces. A DSSE scheme is written as 9, with core leakage objects
0
and with forward privacy and three types of backward privacy controlling what remains linkable across time. Type-I leaks 1 and total update count 2, Type-II leaks 3 and 4, and Type-III leaks 5 and 6 (Xu et al., 2023).
The key observation is that refreshed tokens do not eliminate all matchable structure. The paper distinguishes token relations that are exactly same 7, partially same 8, computationally same 9, or irrelevant 0, and shows that these relations can reveal query equality 1 deterministically or through response similarity. It then refines volumetric leakage into
2
with identities
3
hence
4
The consequence is that Type-I, Type-II, and Type-III backward privacy leak the same volumetric information in essence, because any two of 5 determine the other two (Xu et al., 2023).
On top of this leakage model, the paper realizes two generic attacks. The Frequency Matching Attack groups linked queries into equality classes and matches class sizes to dynamic keyword distributions across time intervals,
6
then intersects candidate sets across linked intervals. The Volumetric Inference Attack uses response and update lengths, inserted-file knowledge, and file-volume differences to recover per-keyword operations and query identities. Empirically, with a single interval 7 FMA recovery can be as low as 8, whereas with 9 it rises to $0$0–$0$1; for T1 schemes and $0$2, accuracy commonly lies in the $0$3–$0$4 range; with more observed queries, accuracy improves from $0$5 to $0$6 as $0$7 increases from $0$8 to $0$9; and with noisy auxiliary distributions, Enron-500 with 0 noise still achieves about 1 recovery. PVIA reaches up to about 2 at 3 and 4, and remains substantial even at 5 and 6 (Xu et al., 2023).
A separate line of work strengthens SSE-style LAMA with system-level observability. Using bpftrace on openat and read in a Dockerized DSSE deployment, the attacker collects
7
the set of ciphertext filenames accessed for query token 8, and combines it with classical leakage in an integrative model
9
A weighted similarity version uses a Jaccard term
00
On 01 Enron emails, baseline FMA reaches 02 top-1 query recovery accuracy, whereas enhanced eFMA using 03 reaches 04. Tokens such as T12, T13, T17, and T18 share the same frequency, for example 05, but become separable once exact file-access sets are observed (Dimobi, 7 Mar 2026).
The DSSE and eBPF results jointly show that LAMA is sensitive to any leakage that stabilizes identity across observations: query equality, volumetric evolution, or file-level access sets all convert ambiguous matches into constrained or exact identifications.
4. Substring-SSE and matrix-based correlation under partial dataset knowledge
In substring-SSE, the outsourced database is a multiset of strings 06, and the server-side index is an encrypted suffix tree or array. The leakage model is substantially richer than in keyword SSE. During setup, the server can see the number of strings 07, per-string length 08, the number of distinct tokens 09, branching-factor distributions, edge-label-length distributions, and two structural matrices: a prefix intersection pattern 10 and a leaf-node intersection pattern 11. The details also introduce a ciphertext incidence matrix
12
which is the encrypted analogue of a plaintext character-string incidence matrix 13 (Ba et al., 2 Nov 2025).
The attacker is assumed to know a fraction 14 of the target dataset. This auxiliary knowledge is encoded as
15
where 16 extends 17 to the full alphabet size by padding unknown rows with zeros. The attack then constructs occurrence matrices
18
and matches ciphertext-side and plaintext-side structure using column sums, co-occurrence consistency, and unique row or column patterns (Ba et al., 2 Nov 2025).
The reported procedure is iterative and deterministic. Step 1 matches unique equal column sums between 19 and 20. Step 2 extends the mapping set 21 through occurrence-matrix consistency between 22 and 23. Step 3 restricts to mapped columns and matches unique row patterns, producing token-character mappings 24. Step 4 reorders rows using 25 and performs refined unique column mapping. Step 5 zeros matched columns, recomputes column sums, and repeats until no new mappings are found. The attack therefore instantiates LAMA as repeated matrix matching between ciphertext-side leakage and plaintext-side partial ground truth, and it requires only setup-phase leakage; no online queries are needed (Ba et al., 2 Nov 2025).
The experimental evaluation uses Enron emails with alphabet size 26, random 27-digit integers per character, and sampled sets of 28 strings. At 29, alphabet recovery reaches 30, string recovery reaches 31, and initial path recovery reaches 32. At 33, alphabet recovery is 34, string recovery is 35, and initial path recovery is 36. Full recovery is reported at 37. Under a robustness protocol with 38 known strings and target size increasing from 39 to 40, alphabet recovery declines from 41 to 42, string recovery from 43 to 44, and initial path recovery from 45 to 46. The recovery curves are described as S-shaped, with logistic fits giving midpoint estimates of 47 knowledge for 48 alphabet recovery, 49 for string recovery, and 50 for initial path recovery (Ba et al., 2 Nov 2025).
This case broadens the notion of LAMA beyond search traces. The object being matched is not merely a frequency vector or access pattern, but a leakage-induced structural representation of an encrypted suffix tree. A plausible implication is that LAMA becomes stronger as leakage reveals stable algebraic objects—here, incidence and co-occurrence matrices—rather than only scalar summaries.
5. Gradient leakage, layer-wise linear systems, and constrained matching
In deep learning, LAMA appears as gradient matching against observed one-step gradients of an image-classification model with known architecture, known weights 51, batch size 52, and cross-entropy loss. The paper studies CNNs with a stack of convolutional layers followed by a fully connected classifier, assumes piecewise invertible and piecewise differentiable nonlinearities, and reconstructs the hidden input by combining analytic inversion with optimization-based gradient matching (Chen et al., 2022).
The central formal move is to express reconstruction at each layer as a linear system
53
where 54 stacks forward constraints and gradient constraints. For fully connected layers,
55
so inputs can be recovered in closed form under nondegeneracy. For convolutional layers, im2col or Toeplitz/circulant representations convert weight gradients into a linear map over input patches, but weight sharing and downsampling can make 56 rank-deficient. The hybrid attack solves each layer first by least squares and then applies a constrained LAMA-style correction,
57
with cosine distance
58
Initialization is the least-squares solution, and the experiments use ADAM (Chen et al., 2022).
The framework ties leakage directly to solvability. If 59, the layer has a unique solution up to conditioning; if 60, there is a nontrivial null space and ambiguity remains. Weight sharing, stride, and downsampling reduce rank; larger kernels, more channels, and bias terms add constraints; non-invertible regions of activations impede propagation. The paper summarizes architecture-level vulnerability through the security metric
61
where 62 and larger values, closer to 63, indicate less rank deficiency and higher leakage risk (Chen et al., 2022).
Label leakage is handled analytically for the final softmax-cross-entropy layer. With
64
the correct class is typically the most negative coordinate, so 65 can be inferred at batch size 66 by taking the index of the most negative entry in 67 (Chen et al., 2022).
The evaluation uses CIFAR-10 and compares DLG, CosineTV, R-GAP, and the Hybrid attack on 68–69 layer CNNs. Architectures with 70, such as CNN2 Variant 1 and CNN3 Variant 3, give the best reconstructions. DLG often fails for CNN2 variants and CNN4 Variant 1; CosineTV is more stable but still inferior to R-GAP or Hybrid on several variants; R-GAP is consistent but exhibits checkerboard artifacts; Hybrid improves over R-GAP by reducing artifacts and smoothing. Reported quantitative examples include CNN2 V1, where R-GAP achieves near-perfect 71, Hybrid gives 72, and CosineTV gives 73; CNN4 V2, where Hybrid gives 74 against R-GAP 75; and pretrained CNN4 V2, where Hybrid gives 76 against R-GAP 77. The paper also notes that all methods deteriorate on pretrained models, although R-GAP and Hybrid remain recognizable (Chen et al., 2022).
Within this framework, LAMA-style matching does not replace analytic inversion; it refines it. That division of labor is distinctive: the linear system explains identifiability, while gradient matching selects a plausible solution within or near the feasible set.
6. Topology-aware memory leakage in multi-agent LLMs
In multi-agent LLM systems, LAMA is operationalized through the MAMA framework, which injects a ground-truth set of PII entities into a target agent’s private memory and measures leakage by exact matching of attacker outputs against that inventory. The protocol has two phases. Engram constructs a private document 78 with annotated PII set 79 and a sanitized public context 80 satisfying
81
Resonance runs synchronous multi-round message passing over a directed graph 82 for up to 83 rounds, with attacker messages scored each round by exact match and early stopping when all entities are recovered. Time-to-first leak is
84
The topologies evaluated are chain, circle, star-pure, star-ring, tree, and complete (Liu et al., 4 Dec 2025).
The measurements show that topology is the dominant driver of leakage. Across 85 and two base models, fully connected graphs consistently exhibit the highest leakage and chains the lowest. For Llama3.1-70b, at 86 the complete topology yields 87 leakage versus 88 for chain; at 89, complete yields 90 versus 91 for chain. DeepSeek-v3.1 preserves the same ordering with lower absolute rates, for example 92 versus 93 at 94. Distance is strongly predictive: on a 95-node circle, Llama3.1-70b gives 96 for adjacent 97–98, 99 for distance-00 01–02, and 03 for antipodal 04–05; on a 06-node chain, 07–08 gives 09, 10–11 gives 12, and 13–14 gives 15. Centrality matters as well: in star-pure with 16, hub–leaf pairs leak heavily, with 17–18 at 19 and 20–21 at 22, whereas leaf–leaf 23–24 is 25; adding shortcuts in star-ring raises comparable leaf–leaf leakage to 26 (Liu et al., 4 Dec 2025).
Leakage rises sharply in early rounds and plateaus by rounds 27–28, which the paper summarizes with the saturating model
29
The recoverability of PII categories is not uniform: the reported ordering is
30
The implementation uses synthetic domain-specific documents in the SPIRIT dataset, three seeds per cell, exact string matching with simple normalization, and strict access control at initialization (Liu et al., 4 Dec 2025).
These findings shift LAMA from pure reconstruction into leakage measurement. MAMA does not merely infer a hidden keyword or record; it quantifies how graph radius, shortest-path distance, degree, and centrality shape the rate at which memorized secrets diffuse through a communication topology. A plausible implication is that LAMA, in this setting, functions as both an attack methodology and an experimental lens for privacy-risk characterization.
Across the domains surveyed here, the recurring design lesson is structural rather than application-specific. Leakage grows when the system exposes stable matching surfaces: unique retrieval frequencies, equality-linked refreshed tokens, file-access sets, suffix-tree incidence patterns, high-rank layer-wise linear systems, or short graph paths to a memory-bearing agent. Conversely, the effective mitigations reported across these works—query-distribution flattening, suppression of equality and volume leakage, ORAM-like hiding of access patterns, opaque storage abstractions, architecture choices that make 31 more negative, sparse or hierarchical communication topologies, larger graph distance, and topology-aware access control—operate by eroding that matchability (Moyer et al., 15 Aug 2025, Xu et al., 2023, Dimobi, 7 Mar 2026, Chen et al., 2022, Liu et al., 4 Dec 2025).