LCGuard: A Latent Space Communication Protection Framework for Secure KV Cache Sharing in Multi-Agent Systems

This article proposes the LCGuard framework, which addresses the sensitive information leakage issue in KV cache sharing within multi-agent LLM systems. By learning representation layer transformation through adversarial training, it effectively protects sensitive data while retaining task-related semantics, enabling efficient and secure KV cache sharing.

Research Background and Motivation

With the improvement of LLM capabilities, multi-agent systems have become a solution for complex tasks. Natural language communication has limitations in efficiency and expression, while latent space communication (KV cache) is more compact and efficient. However, KV cache contains sensitive information (original input, reasoning process, etc.), which is prone to leakage when shared. Moreover, due to its opacity, agents may leak information unknowingly.

Core Design of the LCGuard Framework

Formal Security Definition

Sensitive information leakage is defined as a reconstruction problem: if an adversary can recover sensitive input from the shared cache, the cache is unsafe. The goal is to minimize the adversary's reconstruction ability while retaining task semantics.

Adversarial Training Mechanism

• Adversary Network: Reconstructs sensitive input from the transformed KV cache and learns correlation patterns.
• Protection Transformer: Transforms the KV cache to interfere with the adversary's reconstruction while retaining task semantics. The two are optimized alternately to form a game, and the transformer eventually achieves "selective forgetting".

Technical Implementation Details

Representation Layer Transformation Architecture

Layered processing of KV cache: Shallow layers (with more surface features) require strong protection, while deep layers (with more abstract semantics) balance privacy and utility to achieve fine-grained trade-offs.

Training Objective Design

• Privacy Protection Objective: Minimize the adversary's reconstruction success rate (adversarial loss).
• Task Utility Objective: Maintain downstream task performance (task loss). The two are balanced through weight parameters to adapt to different scenario requirements.

Experimental Evaluation Results

Experimental Setup

Evaluated on multiple model families and multi-agent benchmark tasks (collaborative reasoning, information integration, etc.).

Privacy Protection Effect

Significantly reduces the adversary's success rate in reconstructing sensitive input, and the quality of recovered information decreases.

Task Performance Retention

Performance degradation is controllable and negligible for most tasks, achieving "selective protection".

Cross-Model Generalization Ability

The trained transformer can be transferred to models with similar architectures without retraining.

Application Value and Limitations

Application Value

• Enterprise-level multi-agent systems: Isolate sensitive data during cross-department collaboration.
• Privacy AI services: Prevent user information leakage between agents.
• Federated learning collaboration: Serve as a secure communication infrastructure.

Limitations

• Increased computational overhead limits application in resource-constrained environments.
• Manual adjustment of privacy-utility trade-off parameters is required.
• Need to address evolving adversarial attacks.

Research Significance and Future Directions

Research Significance

First to systematically solve the privacy problem of KV cache sharing, laying the foundation for secure multi-agent systems.

Future Directions

• Finer-grained privacy control: Protect intermediate reasoning and internal states.
• Dynamic security strategy: Adjust protection intensity in real time.
• Standardization and ecosystem: Promote secure communication standards and facilitate interoperability.