VectorSmuggle: Steganographic Exfiltration in Embedding Stores and a Cryptographic Provenance Defense
Description
Modern retrieval-augmented generation (RAG) systems convert sensitive content into high-dimensional embeddings and store them in vector databases that treat the resulting numerical artifacts as opaque. Major vector-store products do not appear to provide native or default controls for embedding integrity, ingestion-time distributional anomaly detection, or cryptographic provenance attestation. This paper shows that this opens a class of steganographic exfiltration attacks: an attacker with write access to the ingestion pipeline can hide payload data inside embeddings using simple post-embedding perturbations (noise injection, rotation, scaling, offset, fragmentation, and combinations thereof) while preserving the surface-level retrieval behavior the RAG system exposes to legitimate users.
The v1.2 evaluation spans a 68-chunk synthetic-PII corpus on OpenAI's text-embedding-3-large (3072-dim), four locally hosted open embedding models (Nomic, EmbeddingGemma, Snowflake Arctic, MXBai), a cross-corpus replication on BEIR NFCorpus and a Quora subset totalling over 26,000 chunks, a 35-point parameter sweep for rotation, seven vector-store configurations spanning the deployed category (FAISS-flat, FAISS-HNSW, FAISS IVF-PQ at two compression levels, Chroma, Qdrant float32, Qdrant scalar int8), an adaptive-attacker variant of the detector evaluation, and a paraphrased-query retrieval benchmark.
Distribution-shifting perturbations (noise, scaling, offset, combinations) are often caught by an off-the-shelf Isolation Forest or One-Class SVM trained on a clean baseline. Small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. A disjoint-Givens rotation encoder gives a closed-form per-vector capacity ceiling of ⌊d/2⌋·b bits, but real embedding manifolds impose a capacity-detectability trade-off at higher payloads, and the retrieval-preserving operating point sits well below the ceiling. Cross-backend, quantization, retrieval, and adaptive-evasion results together show that statistical detection is useful as a first filter but not a load-bearing integrity control.
The paper further proposes VectorPin, a cryptographic provenance protocol that pins each embedding to its source content and producing model via an Ed25519 signature over a canonical byte representation. Any post-embedding modification — including all studied techniques, both perturbation and architectural-smuggling variants — breaks signature verification. Open-source reference implementations in Python and Rust are available, locked together by cross-language test vectors that guarantee bit-for-bit compatibility.
What's new in v1.2:
- Cross-corpus replication on two BEIR-standard public corpora: NFCorpus (3,633 medical-domain documents that chunk into 16,763 chunks) and a 10,000-document subset of Quora (web Q&A, 10,002 chunks). With
nomic-embed-textheld fixed, rotation, noise, and offset AUCs are at chance on every corpus (IF range [0.497, 0.506], OC-SVM range [0.496, 0.522]); the directional finding is identical to the synthetic-corpus baseline despite a 245× corpus-size growth and a complete domain switch. The "small synthetic corpus" critique no longer holds. - Empirical payload-capacity demonstration for the rotation channel. A disjoint-Givens keyed-pair encoder reaches the closed-form ceiling of 1,920 B per vector at d=3072, b=10, with a working encoder/decoder that round-trips arbitrary payloads at zero BER under float64, float32, and float16 storage. The capacity ceiling is distinguished from the retrieval-preserving operating point (∼hundreds of bytes per vector at cos ≥ 0.7), and the AUC behaviour at high K is shown to be data-distribution-dependent: at chance on synthetic-Gaussian baselines but climbing on real
text-embedding-3-largecorpus vectors as random-angle rotations push samples off the trained-on local manifold. - Decoder access assumptions formalised. The capacity demonstration is explicitly mapped onto the attacker-controlled-corpus case (attacker authored the rows, possesses v by construction); three weaker access modes (known-cover, shared-key differential, metadata-assisted) are enumerated and recorded as open follow-up rather than tacitly assumed.
- Internal-consistency pass. The introduction, the rotation parameter sweep, the headline detection finding, and the conclusion are aligned with the new capacity section: rotation is the structural exception in the small-angle / few-rotation regime, and the cryptographic provenance defense is durable because it does not depend on training-set coverage assumptions a defender cannot guarantee out-of-band.
Companion artifacts:
- VectorSmuggle research framework: github.com/jaschadub/VectorSmuggle
- VectorPin reference implementation: github.com/ThirdKeyAI/VectorPin
Files
vectorsmuggle_v1_2.pdf
Files
(789.5 kB)
| Name | Size | Download all |
|---|---|---|
|
md5:16fa6c23443467874326b4607e339987
|
789.5 kB | Preview Download |
Additional details
Related works
- Is supplement to
- Software: https://github.com/ThirdKeyAI/VectorPin (Other)
Software
- Repository URL
- https://github.com/jaschadub/VectorSmuggle
- Programming language
- Python