Multi-tenant retrieval-augmented generation (RAG) services advertise per-account differential privacy as the operative leakage boundary: each account's queries are guaranteed to satisfy $(\varepsilon_{\text{acc}}, δ_{\text{acc}})$-DP with respect to the index. We identify same-index multi-account collusion as a privacy-boundary failure: for $k$ same-tenant accounts coordinating against the tenant's index -- the operative regime -- known DP composition theory implies joint leakage degrades unconditionally at rate $Θ(\sqrt{k} \cdot \varepsilon_{\text{acc}})$ for Gaussian-noised retrieval. Cross-tenant and external collusion match the rate only under explicit access-control failure (M4); without M4 these regimes have zero leakage by design and reduce to an architectural audit, not a DP audit. We exhibit an attack realizing the rate and derive a RAG-specific MIA prediction we test empirically. To make this per-account/joint gap auditable, we design the first audit protocol that operates against unmodified RAG deployments and issues a quantitative $(\textsf{PASS}, \varepsilon_{\text{audit}})$ verdict for the retrieval-score channel -- the noise-then-select step the per-account DP guarantee actually covers -- without index disclosure, pipeline redesign, or model-weight exposure. Generation-channel privacy (LLM output conditioned on selected documents) is a separate audit predicate that should compose with ours; we explicitly scope it out. The protocol composes generic cryptographic primitives (Merkle ledgers, ZK function-application proofs, Gaussian noise attestations) with six RAG-specific primitives (embedder commitment, index-content vector commitment, per-account query ledger, noise-then-select attestation, cross-tenant containment proof, coalition-size estimator) and supports both closed-form audit bounds and Rényi-DP moments-accountant tracking.

翻译：多租户检索增强生成（RAG）服务以每个账户的差分隐私作为操作泄露边界：即每个账户的查询相对于索引满足$(\varepsilon_{\text{acc}}, δ_{\text{acc}})$-差分隐私保证。我们发现同索引多账户串通是一种隐私边界失效：对于协调对抗租户索引的$k$个同租户账户（即操作场景），已知的差分隐私组合理论表明，在高斯噪声检索下，联合泄露以$Θ(\sqrt{k} \cdot \varepsilon_{\text{acc}})$速率无条件恶化。跨租户和外部串通仅在显式访问控制失效（M4）时达到该速率；若无M4，这些场景的设计泄露为零，并退化为架构审计而非差分隐私审计。我们展示了一种实现该速率的攻击，并推导出RAG特异的成员推断攻击预测，通过实验验证。为使该单账户/联合隐私差距可审计，我们设计了首个针对未修改RAG部署的审计协议，对检索得分通道（即单账户差分隐私保证实际覆盖的噪声筛选步骤）输出定量$(\textsf{PASS}, \varepsilon_{\text{audit}})$判定，且无需索引披露、流水线重构或模型权重暴露。生成通道隐私（基于选定文档的LLM输出条件）是独立的审计谓词，应与我们的审计组合使用；我们明确将其排除在范围外。该协议将通用密码学原语（默克尔账本、零知识函数应用证明、高斯噪声证明）与六种RAG特定原语（嵌入器承诺、索引内容向量承诺、单账户查询账本、噪声筛选证明、跨租户包含证明、联盟规模估计器）组合，并支持闭式审计界限和Rényi差分隐私矩会计追踪。