Backbone Omniscience Attack: Measuring Information Leakage in Multi-Agent AI Negotiations

Overview When both sides of a negotiation are hosted on the same LLM provider, a backbone-level observer can passively reconstruct 100% of prompt-sourced negotiation parameters — no injection, no interception required. We formalize this as the Backbone Omniscience Attack (BOA) and introduce the Strategy Reconstruction Rate (SRR) as a standardized metric for A2A inference security. Key Findings (5 findings, 4 contributions) 100% same-backbone reconstruction: A proxy attacker with backbone-level access reconstructs all five prompt-sourced targets (450/450) under no-defense conditions. 84. 6pp defense delta: Deterministic pre-inference defense (MVQD+TRT) reduces same-backbone SRR from 100% to 15. 4% — below the 21. 3% blind guessing baseline. Entity leakage = 0/456: The lowest entity-leakage rate reported among comparable multi-agent privacy benchmarks (MAGPIE: 35–51%, AgentLeak: 68. 8%). Defense Boundary Taxonomy: Four tiers — Entity (0%, mathematical guarantee), Numeric (2–18%), Categorical (54%), Derived (84%) — tier membership determines achievable protection. Provider safety classifiers reject defense instructions: Claude's content moderation classifies MVQD wrapper instructions as prompt injection, forcing migration to pre-inference processing. Experimental Scale 1, 526 adversarial trials across 6 LLM providers (GPT-4o, Claude Sonnet 4, Grok-3, Gemini 2. 5 Flash, DeepSeek-R1, Mistral Medium), 36 directed model pairings, per-trial scenario randomization (D0b), Grok-3 as independent proxy attacker. Among the largest cross-provider A2A security experiments reported by trial count. Condition Same-Backbone Cross-Backbone Delta B0 (Blind) 21. 3% 20. 4% — D0 (No Defense) 100. 0% 62. 5% — D3 (MVQD+TRT) 15. 4% 21. 3% — Delta (D0 − D3) 84. 6pp 41. 2pp 48. 5pp Defense Boundary Taxonomy Tier Type D3 SRR Improvable? T1 Entity 0. 0% No (mathematical) T2 Numeric 2. 4–18% Yes (surrogates) T3 Categorical 54% Limited T4 Derived 84% No (behavioral) Reproducibility All experiments use per-trial unique seeds (D0b randomization). Semiconductor procurement scenario with randomized prices (70–120 buyer max, 40–80 seller min), 10 fictional companies, 3 urgency levels. Grok-3 (xAI) as independent proxy attacker. Tolerance thresholds: Numeric ±10%, Categorical exact match, Entity fragment match, Derived ±15%. Series Context Tenth paper in the OIA Lab series. First paper addressing multi-agent inference-layer security. Extends P8 (Chang, 2026b) — which validated MVQD/TRT under collaborative multi-model reconstruction (18, 232 API calls, entity+numeric = 0%) — to the inter-agent negotiation threat model. Introduces BOA as a novel attack class, SRR as a standardized metric, and the Defense Boundary Taxonomy as a governance framework. Series: OIA Lab — AI Decision Settlement Research | Paper ID: P10 v1. 0 | ORCID: 0009-0006-2124-564X Corresponding author: Y. C. Chang, OIA Lab (yc@oia-lab. com). This work involves pending U. S. provisional patent applications by the author; see Disclosure in paper.