Search for a command to run...
Overview When both sides of a negotiation are hosted on the same LLM provider, a backbone-level observer can passively reconstruct 100% of prompt-sourced negotiation parameters — no injection, no interception required. We formalize this as the Backbone Omniscience Attack (BOA) and introduce the Strategy Reconstruction Rate (SRR) as a standardized metric for A2A inference security. Key Findings (5 findings, 4 contributions) 100% same-backbone reconstruction: A proxy attacker with backbone-level access reconstructs all five prompt-sourced targets (450/450) under no-defense conditions. 84.6pp defense delta: Deterministic pre-inference defense (MVQD+TRT) reduces same-backbone SRR from 100% to 15.4% — below the 21.3% blind guessing baseline. Entity leakage = 0/456: The lowest entity-leakage rate reported among comparable multi-agent privacy benchmarks (MAGPIE: 35–51%, AgentLeak: 68.8%). Defense Boundary Taxonomy: Four tiers — Entity (0%, mathematical guarantee), Numeric (2–18%), Categorical (54%), Derived (84%) — tier membership determines achievable protection. Provider safety classifiers reject defense instructions: Claude's content moderation classifies MVQD wrapper instructions as prompt injection, forcing migration to pre-inference processing. Experimental Scale 1,526 adversarial trials across 6 LLM providers (GPT-4o, Claude Sonnet 4, Grok-3, Gemini 2.5 Flash, DeepSeek-R1, Mistral Medium), 36 directed model pairings, per-trial scenario randomization (D0b), Grok-3 as independent proxy attacker. Among the largest cross-provider A2A security experiments reported by trial count. Condition Same-Backbone Cross-Backbone Delta B0 (Blind) 21.3% 20.4% — D0 (No Defense) 100.0% 62.5% — D3 (MVQD+TRT) 15.4% 21.3% — Delta (D0 − D3) 84.6pp 41.2pp 48.5pp Defense Boundary Taxonomy Tier Type D3 SRR Improvable? T1 Entity 0.0% No (mathematical) T2 Numeric 2.4–18% Yes (surrogates) T3 Categorical 54% Limited T4 Derived 84% No (behavioral) Reproducibility All experiments use per-trial unique seeds (D0b randomization). Semiconductor procurement scenario with randomized prices ($70–$120 buyer max, $40–$80 seller min), 10 fictional companies, 3 urgency levels. Grok-3 (xAI) as independent proxy attacker. Tolerance thresholds: Numeric ±10%, Categorical exact match, Entity fragment match, Derived ±15%. Series Context Tenth paper in the OIA Lab series. First paper addressing multi-agent inference-layer security. Extends P8 (Chang, 2026b) — which validated MVQD/TRT under collaborative multi-model reconstruction (18,232 API calls, entity+numeric = 0%) — to the inter-agent negotiation threat model. Introduces BOA as a novel attack class, SRR as a standardized metric, and the Defense Boundary Taxonomy as a governance framework. Series: OIA Lab — AI Decision Settlement Research | Paper ID: P10 v1.0 | ORCID: 0009-0006-2124-564X Corresponding author: Y.C. Chang, OIA Lab (yc@oia-lab.com). This work involves pending U.S. provisional patent applications by the author; see Disclosure in paper.