🤖 AI Summary
This work addresses a critical security vulnerability in multi-agent large language model systems that leverage shared key-value (KV) caches for implicit collaboration: malicious actors can tamper with hidden states in the KV cache without altering visible output tokens, thereby evading detection. The study is the first to expose the security sensitivity of KV caches and proposes an integrity protection mechanism based on HMAC-SHA256. This approach constructs cryptographic digests incorporating agent identities, session context, model metadata, and tensor-level information to ensure end-to-end integrity of KV cache transmissions. Experimental results demonstrate that the method effectively preserves collaborative performance—achieving EM/F1 scores of 0.338/0.486 on Qwen3-4B over HiddenBench and HotPotQA—while detecting all 295 simulated tampering attempts with 100% accuracy and imposing no overhead on 774 honest transmissions.
📝 Abstract
LLM agents can share more than text. In some systems, an agent can send a short visible message while also passing its full KV-cache state to another model. This hidden state can help the final model combine evidence from several agents, but it is also hard to inspect. A visible message may look harmless even if the hidden state has been changed.
We study this problem in a multi-agent question-answering setup. Specialists each see part of the evidence, send a short commitment, and pass full KV-cache state to a coordinator. In clean runs, this latent collaboration improves over a matched text-only version. On transformed HiddenBench with Qwen3-4B, it reaches EM/F1 of 0.338/0.486, compared with 0.231/0.369 for text collaboration. Qwen3-8B and HotPotQA runs show the same direction of improvement.
The problem appears when one specialist is malicious. Some false visible commitments can steer answers. More seriously, changing the hidden KV state can collapse performance even when the visible commitment still looks plausible. A verifier that checks only text misses this failure mode. Simple magnitude checks catch some obvious corruptions, but adaptive attacks can evade them while still damaging the final answer.
The most reliable fix we find is not to guess whether hidden state looks normal, but to protect it in transport. We implement an HMAC-SHA256 manifest that binds the specialist, session, model, visible commitment, tensor metadata, and payload digest. It accepts all 774 honest replayed payloads and rejects all 295 recorded tampered payloads. The main lesson is that full-KV latent memory can be useful, but it should be treated as a security-sensitive object, not as ordinary internal model state.