Attacks on Approximate Caches in Text-to-Image Diffusion Models
Desen Sun, Shuncheng Jie, Sihang Liu

TL;DR
This paper uncovers significant security vulnerabilities in approximate caching for diffusion models, demonstrating remote covert channels, prompt stealing, and poisoning attacks that compromise user isolation and prompt integrity.
Contribution
It provides the first comprehensive security assessment of approximate caching in diffusion models, revealing new remote attack vectors and vulnerabilities.
Findings
Remote covert channel established via approximate cache
Prompt stealing attack recovers cached prompts
Poisoning attack embeds logos into cached prompts
Abstract
Diffusion models are a powerful class of generative models that produce images and other content from user prompts, but they are computationally intensive. To mitigate this cost, recent academic and industry work has adopted approximate caching, which reuses intermediate states from similar prompts in a cache. While efficient, this optimization introduces new security risks by breaking isolation among users. This paper provides a comprehensive assessment of the security vulnerabilities introduced by approximate caching. First, we demonstrate a remote covert channel established with the approximate cache, where a sender injects prompts with special keywords into the cache system and a receiver can recover that even after days, to exchange information. Second, we introduce a prompt stealing attack using the approximate cache, where an attacker can recover existing cached prompts from…
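As an added illustration (not code from the paper or its authors), the toy model below shows why reusing intermediate states across similar prompts breaks isolation among users: in a shared cache, one user's request is served from state derived from another user's prompt, while a per-user scope turns the same request into a miss. The word-overlap similarity, the 0.6 threshold, the placeholder state string, the class and user names, and the per-user switch are all assumptions made for this sketch.

```python
# Toy model of an approximate cache (added illustration; all names are hypothetical).
from dataclasses import dataclass, field

def similarity(a: str, b: str) -> float:
    """Jaccard overlap of word sets; a stand-in for a real prompt-embedding distance."""
    ta, tb = set(a.lower().split()), set(b.lower().split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

@dataclass
class ApproxCache:
    threshold: float = 0.6          # assumed similarity cut-off for a hit
    per_user: bool = False          # False = one cache shared by all users
    entries: list = field(default_factory=list)  # (owner, prompt, state)

    def lookup(self, user: str, prompt: str):
        """Return (owner, state) of the best-matching entry, or None on a miss."""
        best, best_sim = None, self.threshold
        for owner, cached_prompt, state in self.entries:
            if self.per_user and owner != user:
                continue            # scoped mode: never match another user's entry
            sim = similarity(prompt, cached_prompt)
            if sim >= best_sim:
                best, best_sim = (owner, state), sim
        return best

    def generate(self, user: str, prompt: str) -> dict:
        hit = self.lookup(user, prompt)
        if hit:
            owner, state = hit
            return {"cache_hit": True, "state_from": owner, "state": state}
        state = f"intermediate-state({prompt})"   # placeholder for a denoising checkpoint
        self.entries.append((user, prompt, state))
        return {"cache_hit": False, "state_from": user, "state": state}

def demo(per_user: bool) -> dict:
    """Alice caches a prompt, then Bob sends a similar one; return Bob's result."""
    cache = ApproxCache(per_user=per_user)
    cache.generate("alice", "a red fox sitting in fresh snow")      # constructed prompts
    return cache.generate("bob", "a red fox sitting in deep snow")
```

Calling `demo(False)` returns a hit whose state was built from Alice's prompt; `demo(True)` returns a miss and a state built only from Bob's own prompt.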
Taxonomy
Topics: Distributed systems and fault tolerance
