Multi-tenant RAG services often treat the account as the privacy boundary: each account receives an $(\varepsilon_{\text{acc}},\delta_{\text{acc}})$-DP retrieval guarantee against the tenant index. We show that this framing understates leakage under same-index account collusion. For Gaussian noise-then-select retrieval, $k$ coordinated same-tenant accounts compose to joint leakage $\Theta(\sqrt{k}\,\varepsilon_{\text{acc}})$, not $\varepsilon_{\text{acc}}$; we give a matching membership-inference attack and validate the predicted $\sqrt{k}$ AUC trend in scalar, top-K, trained-embedder, and production-scale HNSW settings. We then give a verifier-runnable audit protocol that attests noise-then-select retrieval and reports $(\text{PASS},\varepsilon_{\text{audit}})$ for coalitions up to a declared cap $k_{\max}$, without disclosing the index or changing the retrieval decision rule. The claim is retrieval-channel only: generation-channel leakage and adversarially robust coalition-size estimation are complementary audit predicates.
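The $\sqrt{k}$ scaling in the simplest scalar case, as an added illustration that is not code from the paper. It assumes a single retrieval score with sensitivity `sens`, independent Gaussian noise of scale `sigma` per account, and uses the Gaussian-DP parameter `mu = sens / sigma` as a stand-in for $\varepsilon_{\text{acc}}$; all names and values are constructed.

```python
import bisect
import math
import random
from statistics import NormalDist

def predicted_auc(k, sens, sigma):
    """AUC of the optimal test on k pooled views: Phi(sqrt(k) * mu / sqrt(2))."""
    mu = sens / sigma  # per-account Gaussian-DP parameter (assumed stand-in for eps_acc)
    return NormalDist().cdf(math.sqrt(k) * mu / math.sqrt(2))

def empirical_auc(k, sens, sigma, trials=4000, seed=0):
    """Simulate k accounts that each see the same score under fresh noise."""
    rng = random.Random(seed)

    def pooled(shift):
        # Averaging k independent N(shift, sigma^2) views leaves noise sigma/sqrt(k).
        return sum(shift + rng.gauss(0.0, sigma) for _ in range(k)) / k

    absent = sorted(pooled(0.0) for _ in range(trials))
    present = [pooled(sens) for _ in range(trials)]
    # AUC = P(present > absent), counted by rank against the sorted absent scores.
    wins = sum(bisect.bisect_left(absent, s) for s in present)
    return wins / (trials * trials)

def max_coalition_within(mu_budget, sens, sigma):
    """Largest k whose composed parameter sqrt(k) * mu stays within mu_budget."""
    mu = sens / sigma
    return math.floor((mu_budget / mu) ** 2)

if __name__ == "__main__":
    SENS, SIGMA = 1.0, 4.0  # constructed values: mu = 0.25 per account
    for k in (1, 4, 16):
        print(k, round(predicted_auc(k, SENS, SIGMA), 3),
              round(empirical_auc(k, SENS, SIGMA), 3))
    print("k_max for mu_budget=1.0:", max_coalition_within(1.0, SENS, SIGMA))
```

Read `max_coalition_within` as the budgeting question a declared cap $k_{\max}$ answers in this toy model: a per-account parameter that looks small is exhausted once the coalition reaches that size.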
Auditing Privacy in Multi-Tenant RAG under Account Collusion
- Year: 2026
- Hosting: Full text hosted, CC-BY-4.0
Attribution
- Abstract & full text: arxiv.org/abs/2605.19847 (CC-BY-4.0)