Quantamination: Privacy Attack in Dynamic Quantization
- Quantamination is a privacy attack where one user’s input contaminates shared dynamic quantization parameters in batched inference, leading to data leakage.
- It leverages batch-level computation of activation statistics—like global minimum, maximum, scale, and zero-point—to indirectly reveal sensitive information.
- Mitigations such as per-token quantization, static calibration, and tenant isolation are proposed to prevent cross-user leakage in multi-tenant systems.
Searching arXiv for the Quantamination paper and closely related work on dynamic quantization side channels. Quantamination is a privacy attack against dynamic activation quantization in batched inference, introduced to describe contamination from quantization when one user’s input influences the quantization parameters applied to another user’s input in the same batch. In the formulation of "Quantamination: Dynamic Quantization Leaks Your Data Across the Batch" (Foerster et al., 29 Apr 2026), the vulnerability arises specifically when an inference system computes quantization parameters jointly across all examples in a batch. Under that design, one user’s activations can affect shared values such as the global minimum, global maximum, scale, and zero-point, thereby subtly altering the numerical processing of co-batched requests. Those perturbations can then be observed through the attacker’s own outputs and exploited to infer private information about another user’s input. The paper situates the attack as an inference-time side channel rather than a training-time issue, cache-sharing problem, or model-modification attack, and emphasizes that the phenomenon is especially consequential in multi-tenant LLM serving during decode (Foerster et al., 29 Apr 2026).
1. Definition and threat model
Quantamination denotes a privacy leak caused when one user’s input contaminates the shared dynamic quantization parameters used for another user’s input in the same batch (Foerster et al., 29 Apr 2026). The attack targets dynamic activation quantization, not static quantization. Static quantization calibrates quantization parameters ahead of deployment and keeps them fixed at inference time, so one user’s request does not affect another’s quantizer. Dynamic activation quantization instead computes quantization parameters at runtime from current activations; if those parameters are computed over the whole batch tensor, all co-batched examples influence the same quantizer (Foerster et al., 29 Apr 2026).
The threat model in (Foerster et al., 29 Apr 2026) is defined by batch co-location, output observation, and knowledge of the model and quantization setup. The attacker places a request in the same batch as a victim, observes only the attacker’s own logits, predictions, or limited API outputs such as top-1 log probabilities, and knows that dynamic quantization is used. In language-model settings, the public vocabulary supplies the candidate space; in classification settings, the attacker is assumed to have access to a public dataset from the same distribution. The paper distinguishes white-box access, in which the attacker can run the model locally for candidate testing, from black-box access, in which the attacker only has API access (Foerster et al., 29 Apr 2026).
The victim is simply another user whose request is co-batched with the attacker in a multi-tenant inference setting. The paper states that the secret may be prompt tokens, generated tokens, image identity, class label, or similarity information about the input. The leakage can therefore range from partial semantic information to full sequence recovery, depending on the task and observability (Foerster et al., 29 Apr 2026).
2. Leakage mechanism in batch-shared dynamic quantization
The central mechanism is batch-shared computation of quantization statistics. For a batch activation tensor
where is batch size and is hidden dimension, the vulnerable configuration computes a single set of quantization parameters from the entire tensor. In the paper’s dynamic INT8 formulation, these are
followed by
Here is the scale and is the zero-point. In the vulnerable setting, and are computed over the entire batch tensor rather than per sample (Foerster et al., 29 Apr 2026).
This makes the quantizer a function of all co-batched examples jointly. If the batch contains attacker and victim 0, then changing the victim can change the global 1 or 2, which changes 3 and 4, which in turn changes the quantized representation of the attacker’s own activations even though the attacker’s input is unchanged. That perturbation propagates through the network and becomes visible in the attacker’s outputs (Foerster et al., 29 Apr 2026).
The observable difference is formalized as
5
This does not expose the victim’s activations directly. Rather, it reveals the victim through the victim’s effect on global minimum and maximum values, resulting quantization parameters, layerwise quantization behavior, and ultimately the attacker’s own logits or log-probabilities. The paper therefore characterizes Quantamination as an indirect numerical side channel (Foerster et al., 29 Apr 2026).
A crucial distinction is granularity. The vulnerability is associated with dynamic quantization whose parameters are shared across multiple users’ data, especially per-tensor dynamic activation quantization in batched inference. By contrast, per-token or per-row dynamic quantization computes separate parameters for each token or row, so one user’s token does not affect another user’s quantizer. The paper treats such per-token configurations as safe against this specific attack (Foerster et al., 29 Apr 2026).
3. Attack methodology in LLMs and classification
The strongest attack demonstrated in (Foerster et al., 29 Apr 2026) is token recovery during LLM decode. The paper targets the decode phase because one new token per sequence is processed at each step and co-batched sequences often persist together due to the cost of KV-cache rearrangement. In that setting, shared quantization creates a repeated cross-token side channel (Foerster et al., 29 Apr 2026).
For first-token recovery, the attacker compares the observed output when batched with the true secret token 6 against outputs obtained when batching the attacker token with each candidate token 7:
8
The recovered token is then
9
For later tokens,
0
and candidate ordering is guided by the language-model prior
1
where 2 is the already recovered context. This prior sharply reduces the number of tested candidates compared with brute-force vocabulary search (Foerster et al., 29 Apr 2026).
The paper states that, in the LLM experiments, the attacker does not even use full logits. Logits are converted to log probabilities and only the top-1 prediction value is retained, with threshold
3
This restricted observation channel is central to the paper’s security claim, because it suggests that the side channel can remain practical even when output exposure is narrow (Foerster et al., 29 Apr 2026).
The classification attack is structurally similar but less powerful. For each candidate image 4, the attacker computes
5
and selects
6
If the secret image exists in the candidate set, this can identify the exact victim input. If the exact image is absent, the attack becomes a class-inference problem and is substantially weaker (Foerster et al., 29 Apr 2026).
4. Empirical results and affected frameworks
The paper reports that at least four popular ML frameworks either default to or support vulnerable configurations (Foerster et al., 29 Apr 2026). The following summary reproduces the framework landscape described there.
| Framework | Configuration noted in the paper | Status in the paper |
|---|---|---|
| vLLM | --quantization fp8 online mode, W8A8 FP8, per-tensor dynamic activation quantization |
default vulnerable |
| SGLang | --torchao-config fp8dq-per_tensor, W8A8 FP8 |
optional vulnerable mode |
| ONNX Runtime | quantize_dynamic(), W8A8 INT8, per-tensor dynamic activation quantization |
default vulnerable |
| PyTorch | torch.ao.quantization...PerTensor, W8A8 FP8/INT8, per-tensor activation granularity |
default vulnerable |
The paper contrasts these with per-token or per-row dynamic quantization configurations, including SGLang fp8dq-per_row, SGLang int8dq, SGLang w8a8_fp8/int8, vLLM via LLM-compressor dynamic per-token FP8/INT8, DeepSpeed ZeroQuant W8A8, and static calibrated modes such as TensorRT-LLM defaults and LiteRT full-integer quantization, which it classifies as safe against this specific channel (Foerster et al., 29 Apr 2026).
The LLM evaluation uses three small LLMs: TinyStories-1M, Pythia-70M, and SmolLM2-135M. The experiments use secret sequences up to 20 tokens, batch size 2, CPU execution on Intel Xeon Ice Lake, a 4-hour timeout per sequence, top-1 log probability as the only attacker observation, and 7 (Foerster et al., 29 Apr 2026).
The headline result is 99.6–100% token recovery accuracy. The paper reports the following values: TinyStories-1M on TinyStories, 100 runs, 100.0% accuracy, 424 mean queries per token; TinyStories-1M on WikiText, 12 completed runs, 99.6% accuracy, 8,095 mean queries per token; TinyStories-1M on AG News, 8 completed runs, 100.0% accuracy, 7,489 mean queries per token; Pythia-70M on WikiText, 96 runs, 99.6% accuracy, 1,343 mean queries per token; SmolLM2-135M on WikiText, 88 runs, 100.0% accuracy, 985 mean queries per token (Foerster et al., 29 Apr 2026). The paper contrasts this with a theoretical random-search baseline of roughly 8 queries per token, indicating a large efficiency gain from autoregressive priors.
In classification, the experiments use MNIST, batch size 2, dynamic 8-bit quantization, and three models: a simple 3-layer CNN, ResNet18, and ResNet50. All exceed 98% test accuracy. When the secret image is in the candidate set, exact recovery is strong: the simple CNN reaches 8/10 (80%) with a random probe and 10/10 (100%) with a layer-diverse probe, while ResNet18 and ResNet50 achieve 10/10 (100%) in both probe settings (Foerster et al., 29 Apr 2026). When the secret is not in the candidate set, top-1 class inference is much weaker: 16% for the simple CNN, 14% for ResNet18, and 10% for ResNet50, against a 10% random baseline (Foerster et al., 29 Apr 2026).
5. Interpretive significance and deployment implications
The paper’s core interpretive claim is that Quantamination is not merely an implementation bug in one framework, but a broader design-level vulnerability of batch-shared dynamic quantization (Foerster et al., 29 Apr 2026). The mechanism generalizes whenever dynamic quantization parameters are computed from a tensor containing multiple users’ samples. This suggests that the privacy risk is inherent to shared runtime adaptation, not solely to individual codebases.
LLM decode is presented as especially realistic and dangerous. Each active sequence contributes one token per decode step; batching is direct and repeated; the vocabulary is public; autoregressive priors reduce the search space; and many serving systems maintain batch persistence. Under those conditions, the side channel becomes strong enough to recover not just a bit of information but an entire token sequence with near-perfect accuracy in controlled experiments (Foerster et al., 29 Apr 2026).
The paper also argues that the vulnerable choice may be technically inferior even outside security. Per-tensor dynamic activation quantization is described as a “worst-case scenario” because it is bad for both accuracy and privacy/security, whereas per-token dynamic quantization is often safer, better for accuracy, and sometimes better for performance on GPUs because it avoids global synchronization (Foerster et al., 29 Apr 2026). This suggests that the privacy mitigation may align with systems optimization rather than oppose it.
A plausible implication is that Quantamination belongs to a broader class of cross-user side channels induced by runtime adaptation over shared batches. The paper itself frames this more general lesson explicitly: whenever an inference optimization computes data-dependent runtime parameters over a shared batch, it should be treated as a potential cross-user side channel (Foerster et al., 29 Apr 2026).
6. Mitigations, limitations, and unresolved questions
The principal mitigation proposed in (Foerster et al., 29 Apr 2026) is to use per-token or per-row dynamic quantization. If scales are computed per token or per row, one user’s data does not influence another’s quantization parameters, and the cross-batch side channel studied in the paper is eliminated. The paper presents this as already standard in many LLM-serving frameworks for INT8 and states that it eliminates this side channel entirely (Foerster et al., 29 Apr 2026).
A second mitigation is static activation quantization. Because calibration values are fixed offline and do not depend on current runtime inputs, there is no cross-user signal flow through quantization parameters. The trade-off, as the paper notes, is that static quantization may reduce accuracy relative to dynamic methods in some cases (Foerster et al., 29 Apr 2026).
A third mitigation is tenant isolation: if dynamic quantization must be used, providers can avoid sharing quantization parameters across multiple tenants by isolating batches by user or trust domain. The paper notes the throughput and utilization cost of this approach (Foerster et al., 29 Apr 2026). Framework-level safeguards are also recommended, such as making per-token the default, warning or blocking per-tensor dynamic activation quantization in multi-tenant mode, and documenting privacy consequences explicitly (Foerster et al., 29 Apr 2026). Limiting exposure of log probabilities may make black-box exploitation harder, but the paper treats this as only a partial mitigation because the attack already succeeds with top-1 log probabilities alone (Foerster et al., 29 Apr 2026).
The paper is explicit about limitations. Real-world nondeterminism can obscure the small output differences needed by the attack. An example with OpenRouter/Crusoe shows repeated calls to the same prompt at temperature 0 producing noticeable log-probability variation, possibly due to hardware and software heterogeneity, provider-side routing, or hidden decoding logic (Foerster et al., 29 Apr 2026). The strongest results are obtained in controlled settings with batch size 2, deterministic local execution, known vulnerable quantization, and often white-box candidate testing. Classification leakage is uneven: exact matching is strong when the secret candidate is present, but class inference without the exact secret remains weak. The LLM experiments are conducted on relatively small open models rather than frontier-scale hosted systems. Finally, the attacker must be co-batched with the victim, so scheduler behavior and traffic patterns matter (Foerster et al., 29 Apr 2026).
The paper leaves several open questions: robustness under noisy production APIs, averaging strategies to overcome nondeterminism, scaling with larger batch sizes, stronger black-box attacks without greedy decoding assumptions, formal leakage quantification in bits per token or mutual information, and detection of analogous channels in other runtime adaptations beyond quantization (Foerster et al., 29 Apr 2026). These open problems indicate that Quantamination is both a concrete attack and a broader research program on cross-sample isolation in optimized inference systems.