OptiLeak: Efficient Prompt Reconstruction via Reinforcement Learning in Multi-tenant LLM Services

TL;DR

OptiLeak leverages reinforcement learning to significantly improve prompt reconstruction efficiency in multi-tenant LLM services, revealing a heightened privacy risk due to cache-based leakage vulnerabilities.

Contribution

The paper introduces OptiLeak, a reinforcement learning framework that automatically identifies sensitive tokens and optimizes prompt reconstruction without manual annotation, outperforming baseline methods.

Findings

Up to 12.48x reduction in requests per token

Effective across models from 3B to 14B parameters

Highlights severe privacy risks in cache-based LLM serving

Abstract

Multi-tenant LLM serving frameworks widely adopt shared Key-Value caches to enhance efficiency. However, this creates side-channel vulnerabilities enabling prompt leakage attacks. Prior studies identified these attack surfaces yet focused on expanding attack vectors rather than optimizing attack performance, reporting impractically high attack costs that underestimate the true privacy risk. We propose OptiLeak, a reinforcement learning-enhanced framework that maximizes prompt reconstruction efficiency through two-stage fine-tuning. Our key insight is that domain-specific ``hard tokens'' -- terms difficult to predict yet carrying sensitive information -- can be automatically identified via likelihood ranking and used to construct preference pairs for Direct Preference Optimization, eliminating manual annotation. This enables effective preference alignment while avoiding the overfitting issues of extended supervised fine-tuning. Evaluated on three benchmarks spanning medical and financial domains, OptiLeak achieves up to $12.48\times$ reduction in average requests per token compared to baseline approaches, with consistent improvements across model scales from 3B to 14B parameters. Our findings demonstrate that cache-based prompt leakage poses a more severe threat than previously reported, underscoring the need for robust cache isolation in production deployments.