Papers
Topics
Authors
Recent
Search
2000 character limit reached

Leakage-Abuse via Matching (LAMA)

Updated 8 July 2026
  • LAMA is a matching-based inference framework that aligns observable leakage signals with auxiliary information to recover private data such as queries, documents, or model inputs.
  • It employs statistical, distance-based, and combinatorial matching techniques across domains like encrypted search, dynamic SSE, substring extraction, gradient reconstruction, and multi-agent LLM systems.
  • Empirical evaluations show that LAMA leverages frequency analysis, volumetric inference, and topological factors to trigger sensitive data recovery, informing effective mitigation strategies.

Searching arXiv for the cited papers to ground the article in the current literature. Leakage-Abuse via Matching (LAMA) denotes a class of inference procedures in which an adversary aligns observed leakage with auxiliary plaintext-side statistics, structural priors, or a ground-truth secret inventory in order to recover hidden queries, documents, substrings, training examples, or memorized entities. In encrypted range search, LAMA is introduced explicitly as a generic framework that uses access-pattern leakage and a known query distribution; related work instantiates the same matching principle in dynamic searchable symmetric encryption (DSSE), substring-SSE, gradient leakage from deep networks, and topology-aware extraction of private information from multi-agent LLM systems (Moyer et al., 15 Aug 2025, Xu et al., 2023, Ba et al., 2 Nov 2025, Chen et al., 2022, Liu et al., 4 Dec 2025).

Domain Leakage matched Recovery target
Encrypted search access patterns, search patterns, volumes, file-access sets keywords, documents, database contents
Gradient leakage observed gradients, layer-wise linear constraints training images and labels
Multi-agent LLMs attacker outputs against ground-truth PII memorized PII entities

1. Core abstraction and matching mechanics

At its most general, LAMA treats leakage as an observable signal \ell and auxiliary knowledge as a family of candidate feature maps or secret sets. Matching then becomes either a statistical inference problem, a combinatorial consistency problem, or an optimization problem. In searchable encryption, the canonical forms are Bayesian matching,

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),

and distance-based matching,

S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),

where f(k)f(k) encodes expected leakage features such as result sizes, co-occurrence overlaps, or repetition rates for candidate keyword kk (Dimobi, 7 Mar 2026).

In the encrypted range-search formulation, LAMA is decomposed into a Selector, a Translator, and a Solver. The Selector chooses Boolean expressions over retrieval events derived from access-pattern leakage; the Translator computes empirical frequencies for those expressions and converts frequency matches into logical constraints over plaintext assignments; the Solver returns all satisfying reconstructions consistent with the observed leakage and a tolerance parameter determined by sampling noise (Moyer et al., 15 Aug 2025).

Other domains realize the same abstraction with different observables. In gradient leakage, the matching variable is the pair (x,y)(x,y), and the generic objective is

minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),

with prior works instantiating RR as $0$, label-first recovery, or cosine-similarity-plus-TV regularization (Chen et al., 2022). In multi-agent LLM evaluation, the observable is the attacker’s message Ai(t)A_i^{(t)}, the secret inventory is P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),0, and leakage is scored by exact matching,

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),1

with aggregate

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),2

The commonality is not the surface form of the leakage but the decision rule: infer hidden structure by matching what is observed to what would be expected under candidate hypotheses (Liu et al., 4 Dec 2025).

Taken together, these formulations suggest that LAMA is best understood as a matching layer over a leakage model rather than as a single domain-specific algorithm. The leakage may be probabilistic, structural, or optimization-derived; the match may be exact, approximate, or constrained; but the attack logic remains the same.

The most formalized version of LAMA appears in encrypted range search, where the adversary observes only access-pattern leakage P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),3 for a sequence of encrypted queries, knows the plaintext domain P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),4, the query class P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),5, the query distribution P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),6, and typically the numbers of records and queries. For a plaintext point P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),7, the single-record retrieval probability is

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),8

and for a set P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),9,

S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),0

From observed responses, the adversary computes empirical frequencies

S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),1

and controls sampling error via Hoeffding’s inequality. For fixed S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),2,

S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),3

so it suffices to take

S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),4

to guarantee uniform S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),5-accuracy over all S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),6 identifiers with probability at least S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),7 (Moyer et al., 15 Aug 2025).

A central result is that frequency analysis has a precise limit. For axis-aligned rectangles in S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),8 dimensions, the parameterization S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),9 that uses all intersections up to size f(k)f(k)0 is sufficient: if two databases agree on all intersection frequencies of size at most f(k)f(k)1, then they induce the same response distribution f(k)f(k)2. The proof relies on a covering lemma stating that any finite point set in f(k)f(k)3 has a certificate subset of size at most f(k)f(k)4 formed by coordinate-wise minima and maxima; any rectangle covering that subset covers the whole set. The bound is tight: using only intersections up to size f(k)f(k)5 can fail to determine f(k)f(k)6 (Moyer et al., 15 Aug 2025).

The framework extends beyond rectangles. For Euclidean balls and strictly convex norms, the smallest enclosing ball is determined by at most f(k)f(k)7 support points, so intersections up to size f(k)f(k)8 suffice under the analogous argument. More generally, the range-search paper frames LAMA for arbitrary convex query classes whenever a bounded-size certificate set exists (Moyer et al., 15 Aug 2025).

Mitigation is expressed directly at the level of the query distribution. The paper describes singleton flattening by reweighting singleton queries f(k)f(k)9 to equalize all kk0, and pair flattening by adjusting minimum bounding rectangles so that all pairs at the same kk1 distance have equal coverage probability. This reduces distinguishability by enlarging frequency-equivalence classes, although full flattening across all pairwise distances is infeasible in expressive rectangle distributions (Moyer et al., 15 Aug 2025).

The implementation uses CP-SAT as Solver and evaluates on HCUP Nationwide Inpatient Sample (2009) with dimensionalities kk2 (kk3), kk4 (kk5), kk6 (kk7), and kk8 (kk9). For (x,y)(x,y)0 records in (x,y)(x,y)1, the number of reconstructions drops to about (x,y)(x,y)2 after (x,y)(x,y)3 under Uniform and remains constant through (x,y)(x,y)4; under Random it stabilizes around (x,y)(x,y)5 by (x,y)(x,y)6; under Flattened it remains much larger, for example (x,y)(x,y)7 after (x,y)(x,y)8. The paper reports plaintext reconstruction from encrypted range queries spanning up to four dimensions (Moyer et al., 15 Aug 2025).

3. Dynamic SSE, refined volumetric leakage, and system-level amplification

In DSSE, LAMA operates over search and update transcripts rather than static query traces. A DSSE scheme is written as (x,y)(x,y)9, with core leakage objects

minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),0

and with forward privacy and three types of backward privacy controlling what remains linkable across time. Type-I leaks minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),1 and total update count minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),2, Type-II leaks minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),3 and minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),4, and Type-III leaks minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),5 and minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),6 (Xu et al., 2023).

The key observation is that refreshed tokens do not eliminate all matchable structure. The paper distinguishes token relations that are exactly same minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),7, partially same minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),8, computationally same minx,y  J(x,y)=θL(f(x;θ),y)g22+R(x,y),\min_{x,y} \; \mathcal{J}(x,y) = \big\| \nabla_{\theta} L\big(f(x;\theta), y\big) - g \big\|_2^2 + R(x,y),9, or irrelevant RR0, and shows that these relations can reveal query equality RR1 deterministically or through response similarity. It then refines volumetric leakage into

RR2

with identities

RR3

hence

RR4

The consequence is that Type-I, Type-II, and Type-III backward privacy leak the same volumetric information in essence, because any two of RR5 determine the other two (Xu et al., 2023).

On top of this leakage model, the paper realizes two generic attacks. The Frequency Matching Attack groups linked queries into equality classes and matches class sizes to dynamic keyword distributions across time intervals,

RR6

then intersects candidate sets across linked intervals. The Volumetric Inference Attack uses response and update lengths, inserted-file knowledge, and file-volume differences to recover per-keyword operations and query identities. Empirically, with a single interval RR7 FMA recovery can be as low as RR8, whereas with RR9 it rises to $0$0–$0$1; for T1 schemes and $0$2, accuracy commonly lies in the $0$3–$0$4 range; with more observed queries, accuracy improves from $0$5 to $0$6 as $0$7 increases from $0$8 to $0$9; and with noisy auxiliary distributions, Enron-500 with Ai(t)A_i^{(t)}0 noise still achieves about Ai(t)A_i^{(t)}1 recovery. PVIA reaches up to about Ai(t)A_i^{(t)}2 at Ai(t)A_i^{(t)}3 and Ai(t)A_i^{(t)}4, and remains substantial even at Ai(t)A_i^{(t)}5 and Ai(t)A_i^{(t)}6 (Xu et al., 2023).

A separate line of work strengthens SSE-style LAMA with system-level observability. Using bpftrace on openat and read in a Dockerized DSSE deployment, the attacker collects

Ai(t)A_i^{(t)}7

the set of ciphertext filenames accessed for query token Ai(t)A_i^{(t)}8, and combines it with classical leakage in an integrative model

Ai(t)A_i^{(t)}9

A weighted similarity version uses a Jaccard term

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),00

On P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),01 Enron emails, baseline FMA reaches P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),02 top-1 query recovery accuracy, whereas enhanced eFMA using P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),03 reaches P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),04. Tokens such as T12, T13, T17, and T18 share the same frequency, for example P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),05, but become separable once exact file-access sets are observed (Dimobi, 7 Mar 2026).

The DSSE and eBPF results jointly show that LAMA is sensitive to any leakage that stabilizes identity across observations: query equality, volumetric evolution, or file-level access sets all convert ambiguous matches into constrained or exact identifications.

4. Substring-SSE and matrix-based correlation under partial dataset knowledge

In substring-SSE, the outsourced database is a multiset of strings P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),06, and the server-side index is an encrypted suffix tree or array. The leakage model is substantially richer than in keyword SSE. During setup, the server can see the number of strings P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),07, per-string length P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),08, the number of distinct tokens P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),09, branching-factor distributions, edge-label-length distributions, and two structural matrices: a prefix intersection pattern P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),10 and a leaf-node intersection pattern P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),11. The details also introduce a ciphertext incidence matrix

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),12

which is the encrypted analogue of a plaintext character-string incidence matrix P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),13 (Ba et al., 2 Nov 2025).

The attacker is assumed to know a fraction P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),14 of the target dataset. This auxiliary knowledge is encoded as

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),15

where P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),16 extends P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),17 to the full alphabet size by padding unknown rows with zeros. The attack then constructs occurrence matrices

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),18

and matches ciphertext-side and plaintext-side structure using column sums, co-occurrence consistency, and unique row or column patterns (Ba et al., 2 Nov 2025).

The reported procedure is iterative and deterministic. Step 1 matches unique equal column sums between P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),19 and P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),20. Step 2 extends the mapping set P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),21 through occurrence-matrix consistency between P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),22 and P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),23. Step 3 restricts to mapped columns and matches unique row patterns, producing token-character mappings P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),24. Step 4 reorders rows using P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),25 and performs refined unique column mapping. Step 5 zeros matched columns, recomputes column sums, and repeats until no new mappings are found. The attack therefore instantiates LAMA as repeated matrix matching between ciphertext-side leakage and plaintext-side partial ground truth, and it requires only setup-phase leakage; no online queries are needed (Ba et al., 2 Nov 2025).

The experimental evaluation uses Enron emails with alphabet size P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),26, random P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),27-digit integers per character, and sampled sets of P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),28 strings. At P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),29, alphabet recovery reaches P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),30, string recovery reaches P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),31, and initial path recovery reaches P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),32. At P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),33, alphabet recovery is P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),34, string recovery is P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),35, and initial path recovery is P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),36. Full recovery is reported at P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),37. Under a robustness protocol with P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),38 known strings and target size increasing from P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),39 to P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),40, alphabet recovery declines from P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),41 to P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),42, string recovery from P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),43 to P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),44, and initial path recovery from P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),45 to P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),46. The recovery curves are described as S-shaped, with logistic fits giving midpoint estimates of P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),47 knowledge for P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),48 alphabet recovery, P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),49 for string recovery, and P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),50 for initial path recovery (Ba et al., 2 Nov 2025).

This case broadens the notion of LAMA beyond search traces. The object being matched is not merely a frequency vector or access pattern, but a leakage-induced structural representation of an encrypted suffix tree. A plausible implication is that LAMA becomes stronger as leakage reveals stable algebraic objects—here, incidence and co-occurrence matrices—rather than only scalar summaries.

5. Gradient leakage, layer-wise linear systems, and constrained matching

In deep learning, LAMA appears as gradient matching against observed one-step gradients of an image-classification model with known architecture, known weights P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),51, batch size P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),52, and cross-entropy loss. The paper studies CNNs with a stack of convolutional layers followed by a fully connected classifier, assumes piecewise invertible and piecewise differentiable nonlinearities, and reconstructs the hidden input by combining analytic inversion with optimization-based gradient matching (Chen et al., 2022).

The central formal move is to express reconstruction at each layer as a linear system

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),53

where P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),54 stacks forward constraints and gradient constraints. For fully connected layers,

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),55

so inputs can be recovered in closed form under nondegeneracy. For convolutional layers, im2col or Toeplitz/circulant representations convert weight gradients into a linear map over input patches, but weight sharing and downsampling can make P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),56 rank-deficient. The hybrid attack solves each layer first by least squares and then applies a constrained LAMA-style correction,

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),57

with cosine distance

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),58

Initialization is the least-squares solution, and the experiments use ADAM (Chen et al., 2022).

The framework ties leakage directly to solvability. If P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),59, the layer has a unique solution up to conditioning; if P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),60, there is a nontrivial null space and ambiguity remains. Weight sharing, stride, and downsampling reduce rank; larger kernels, more channels, and bias terms add constraints; non-invertible regions of activations impede propagation. The paper summarizes architecture-level vulnerability through the security metric

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),61

where P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),62 and larger values, closer to P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),63, indicate less rank deficiency and higher leakage risk (Chen et al., 2022).

Label leakage is handled analytically for the final softmax-cross-entropy layer. With

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),64

the correct class is typically the most negative coordinate, so P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),65 can be inferred at batch size P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),66 by taking the index of the most negative entry in P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),67 (Chen et al., 2022).

The evaluation uses CIFAR-10 and compares DLG, CosineTV, R-GAP, and the Hybrid attack on P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),68–P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),69 layer CNNs. Architectures with P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),70, such as CNN2 Variant 1 and CNN3 Variant 3, give the best reconstructions. DLG often fails for CNN2 variants and CNN4 Variant 1; CosineTV is more stable but still inferior to R-GAP or Hybrid on several variants; R-GAP is consistent but exhibits checkerboard artifacts; Hybrid improves over R-GAP by reducing artifacts and smoothing. Reported quantitative examples include CNN2 V1, where R-GAP achieves near-perfect P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),71, Hybrid gives P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),72, and CosineTV gives P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),73; CNN4 V2, where Hybrid gives P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),74 against R-GAP P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),75; and pretrained CNN4 V2, where Hybrid gives P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),76 against R-GAP P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),77. The paper also notes that all methods deteriorate on pretrained models, although R-GAP and Hybrid remain recognizable (Chen et al., 2022).

Within this framework, LAMA-style matching does not replace analytic inversion; it refines it. That division of labor is distinctive: the linear system explains identifiability, while gradient matching selects a plausible solution within or near the feasible set.

6. Topology-aware memory leakage in multi-agent LLMs

In multi-agent LLM systems, LAMA is operationalized through the MAMA framework, which injects a ground-truth set of PII entities into a target agent’s private memory and measures leakage by exact matching of attacker outputs against that inventory. The protocol has two phases. Engram constructs a private document P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),78 with annotated PII set P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),79 and a sanitized public context P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),80 satisfying

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),81

Resonance runs synchronous multi-round message passing over a directed graph P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),82 for up to P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),83 rounds, with attacker messages scored each round by exact match and early stopping when all entities are recovered. Time-to-first leak is

P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),84

The topologies evaluated are chain, circle, star-pure, star-ring, tree, and complete (Liu et al., 4 Dec 2025).

The measurements show that topology is the dominant driver of leakage. Across P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),85 and two base models, fully connected graphs consistently exhibit the highest leakage and chains the lowest. For Llama3.1-70b, at P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),86 the complete topology yields P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),87 leakage versus P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),88 for chain; at P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),89, complete yields P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),90 versus P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),91 for chain. DeepSeek-v3.1 preserves the same ordering with lower absolute rates, for example P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),92 versus P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),93 at P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),94. Distance is strongly predictive: on a P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),95-node circle, Llama3.1-70b gives P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),96 for adjacent P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),97–P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),98, P(k)P(k)P(k),P(k \mid \ell) \propto P(\ell \mid k) P(k),99 for distance-S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),00 S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),01–S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),02, and S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),03 for antipodal S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),04–S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),05; on a S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),06-node chain, S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),07–S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),08 gives S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),09, S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),10–S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),11 gives S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),12, and S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),13–S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),14 gives S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),15. Centrality matters as well: in star-pure with S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),16, hub–leaf pairs leak heavily, with S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),17–S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),18 at S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),19 and S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),20–S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),21 at S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),22, whereas leaf–leaf S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),23–S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),24 is S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),25; adding shortcuts in star-ring raises comparable leaf–leaf leakage to S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),26 (Liu et al., 4 Dec 2025).

Leakage rises sharply in early rounds and plateaus by rounds S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),27–S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),28, which the paper summarizes with the saturating model

S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),29

The recoverability of PII categories is not uniform: the reported ordering is

S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),30

The implementation uses synthetic domain-specific documents in the SPIRIT dataset, three seeds per cell, exact string matching with simple normalization, and strict access control at initialization (Liu et al., 4 Dec 2025).

These findings shift LAMA from pure reconstruction into leakage measurement. MAMA does not merely infer a hidden keyword or record; it quantifies how graph radius, shortest-path distance, degree, and centrality shape the rate at which memorized secrets diffuse through a communication topology. A plausible implication is that LAMA, in this setting, functions as both an attack methodology and an experimental lens for privacy-risk characterization.

Across the domains surveyed here, the recurring design lesson is structural rather than application-specific. Leakage grows when the system exposes stable matching surfaces: unique retrieval frequencies, equality-linked refreshed tokens, file-access sets, suffix-tree incidence patterns, high-rank layer-wise linear systems, or short graph paths to a memory-bearing agent. Conversely, the effective mitigations reported across these works—query-distribution flattening, suppression of equality and volume leakage, ORAM-like hiding of access patterns, opaque storage abstractions, architecture choices that make S(k;)=dist(f(k),),S(k; \ell) = - \mathrm{dist}(f(k), \ell),31 more negative, sparse or hierarchical communication topologies, larger graph distance, and topology-aware access control—operate by eroding that matchability (Moyer et al., 15 Aug 2025, Xu et al., 2023, Dimobi, 7 Mar 2026, Chen et al., 2022, Liu et al., 4 Dec 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Leakage-Abuse via Matching (LAMA).