Table of Contents
Fetching ...

From Similarity to Vulnerability: Key Collision Attack on LLM Semantic Caching

Zhixiang Zhang, Zesen Liu, Yuchong Xie, Quanfeng Huang, Dongdong She

TL;DR

This work shows that semantic caching in LLM systems behaves like a fuzzy hash, where locality-driven reuse (Distance$(h(p_1),h(p_2))\to 0$ for similar prompts) clashes with the cryptographic avalanche required for collision resistance. It introduces CacheAttack, a generator–validator framework that learns adversarial promptSuffixes to induce false-positive cache hits, enabling LLM response hijacking and cascading tool-invocation failures across multi-tenant pipelines. Empirical results demonstrate high hit rates and significant downstream impact, including a case where a malicious cache entry triggers a harmful financial trade, highlighting real-world risk. The paper also proposes defenses—key salting, perplexity screening, and per-user cache isolation—and discusses the inherent performance–security trade-offs that motivate the need for collision-resistant caching architectures in production.

Abstract

Semantic caching has emerged as a pivotal technique for scaling LLM applications, widely adopted by major providers including AWS and Microsoft. By utilizing semantic embedding vectors as cache keys, this mechanism effectively minimizes latency and redundant computation for semantically similar queries. In this work, we conceptualize semantic cache keys as a form of fuzzy hashes. We demonstrate that the locality required to maximize cache hit rates fundamentally conflicts with the cryptographic avalanche effect necessary for collision resistance. Our conceptual analysis formalizes this inherent trade-off between performance (locality) and security (collision resilience), revealing that semantic caching is naturally vulnerable to key collision attacks. While prior research has focused on side-channel and privacy risks, we present the first systematic study of integrity risks arising from cache collisions. We introduce CacheAttack, an automated framework for launching black-box collision attacks. We evaluate CacheAttack in security-critical tasks and agentic workflows. It achieves a hit rate of 86\% in LLM response hijacking and can induce malicious behaviors in LLM agent, while preserving strong transferability across different embedding models. A case study on a financial agent further illustrates the real-world impact of these vulnerabilities. Finally, we discuss mitigation strategies.

From Similarity to Vulnerability: Key Collision Attack on LLM Semantic Caching

TL;DR

This work shows that semantic caching in LLM systems behaves like a fuzzy hash, where locality-driven reuse (Distance for similar prompts) clashes with the cryptographic avalanche required for collision resistance. It introduces CacheAttack, a generator–validator framework that learns adversarial promptSuffixes to induce false-positive cache hits, enabling LLM response hijacking and cascading tool-invocation failures across multi-tenant pipelines. Empirical results demonstrate high hit rates and significant downstream impact, including a case where a malicious cache entry triggers a harmful financial trade, highlighting real-world risk. The paper also proposes defenses—key salting, perplexity screening, and per-user cache isolation—and discusses the inherent performance–security trade-offs that motivate the need for collision-resistant caching architectures in production.

Abstract

Semantic caching has emerged as a pivotal technique for scaling LLM applications, widely adopted by major providers including AWS and Microsoft. By utilizing semantic embedding vectors as cache keys, this mechanism effectively minimizes latency and redundant computation for semantically similar queries. In this work, we conceptualize semantic cache keys as a form of fuzzy hashes. We demonstrate that the locality required to maximize cache hit rates fundamentally conflicts with the cryptographic avalanche effect necessary for collision resistance. Our conceptual analysis formalizes this inherent trade-off between performance (locality) and security (collision resilience), revealing that semantic caching is naturally vulnerable to key collision attacks. While prior research has focused on side-channel and privacy risks, we present the first systematic study of integrity risks arising from cache collisions. We introduce CacheAttack, an automated framework for launching black-box collision attacks. We evaluate CacheAttack in security-critical tasks and agentic workflows. It achieves a hit rate of 86\% in LLM response hijacking and can induce malicious behaviors in LLM agent, while preserving strong transferability across different embedding models. A case study on a financial agent further illustrates the real-world impact of these vulnerabilities. Finally, we discuss mitigation strategies.
Paper Structure (29 sections, 5 equations, 4 figures, 5 tables)

This paper contains 29 sections, 5 equations, 4 figures, 5 tables.

Figures (4)

  • Figure 1: A brief overview of key collision in semantic caching. Semantically different $A_1$ (attacker) and $P_1$ (victim) unexpectedly maps to the same semantic key $K_1$. As a result, victim response is hijacked by the attacker. We show collision in red lines.
  • Figure 2: Case study of a financial agent under cache collision, leading to financial harm.
  • Figure 3: Perplexity Comparison on Natural Questions(NQ) Dataset. Standard PPL and window PPL (size=5) for baseline, Semantic Cache, and Semantic KV Cache.
  • Figure 4: Sensitivity analysis of CacheAttack performance under varying similarity thresholds $\tau$, demonstrating the trade-off between efficiency and robustness.