From Similarity to Vulnerability: Key Collision Attack on LLM Semantic Caching

TL;DR

This paper reveals that semantic caching in large language models is vulnerable to key collision attacks due to an inherent trade-off between cache efficiency and security, demonstrating practical attack methods and potential mitigation strategies.

Contribution

It introduces CacheAttack, the first systematic framework for black-box collision attacks on semantic cache keys in LLMs, highlighting security vulnerabilities and proposing defenses.

Findings

CacheAttack achieves 86% hit rate in hijacking LLM responses.

Collision attacks can induce malicious behaviors in LLM agents.

Vulnerabilities transfer across different embedding models.

Abstract

Semantic caching has emerged as a pivotal technique for scaling LLM applications, widely adopted by major providers including AWS and Microsoft. By utilizing semantic embedding vectors as cache keys, this mechanism effectively minimizes latency and redundant computation for semantically similar queries. In this work, we conceptualize semantic cache keys as a form of fuzzy hashes. We demonstrate that the locality required to maximize cache hit rates fundamentally conflicts with the cryptographic avalanche effect necessary for collision resistance. Our conceptual analysis formalizes this inherent trade-off between performance (locality) and security (collision resilience), revealing that semantic caching is naturally vulnerable to key collision attacks. While prior research has focused on side-channel and privacy risks, we present the first systematic study of integrity risks arising from cache collisions. We introduce CacheAttack, an automated framework for launching black-box collision attacks. We evaluate CacheAttack in security-critical tasks and agentic workflows. It achieves a hit rate of 86\% in LLM response hijacking and can induce malicious behaviors in LLM agent, while preserving strong transferability across different embedding models. A case study on a financial agent further illustrates the real-world impact of these vulnerabilities. Finally, we discuss mitigation strategies.