Breaking Diffusion with Cache: Exploiting Approximate Caches in Diffusion Models
Desen Sun, Shuncheng Jie, Sihang Liu
TL;DR
This work reveals security vulnerabilities introduced by approximate caching in diffusion-model serving, examining how reusing intermediate states can create novel attack surfaces. It introduces three attacks—remote covert channel, CacheTransparency prompt stealing, and CachePollution image poisoning—and demonstrates them on state-of-the-art models (FLUX, SD3) using real-world datasets (DiffusionDB, Lexica) on cloud GPUs. The results show high covert-channel accuracy, effective prompt recovery, and meaningful logo poisoning capabilities, underscoring the need for defenses like random cache selection and content filters. Overall, the paper highlights a critical tension between performance gains from approximate caching and the elevated risk of user-data and prompt leakage in diffusion-model infrastructures.
Abstract
Diffusion models are a powerful class of generative models that produce content, such as images, from user prompts, but they are computationally intensive. To mitigate this cost, recent academic and industry work has adopted approximate caching, which reuses intermediate states from similar prompts in a cache. While efficient, this optimization introduces new security risks by breaking isolation among users. This work aims to comprehensively assess new security vulnerabilities arising from approximate caching. First, we demonstrate a remote covert channel established through the cache, where a sender injects prompts with special keywords into the cache and a receiver can recover them even after days, allowing the two to exchange information. Second, we introduce a prompt stealing attack using the cache, where an attacker can recover existing cached prompts based on prompts that hit the cache. Finally, we introduce a poisoning attack that embeds the attacker's logos into the previously stolen prompt, so that they are rendered for future user prompts that hit the cache. These attacks are all performed remotely through the serving system, which indicates severe security vulnerabilities in approximate caching.
