Search papers, labs, and topics across Lattice.
This paper reveals a novel steganographic channel embedded within the inference processes of Large Language Models (LLMs) that operates without any modifications to model weights or sampling code. By leveraging the deterministic nature of pseudo-random number generators in token sampling, the authors demonstrate how a sender can encode a secret message in the PRNG seed, allowing a receiver to decode it through exhaustive search over the seed space. Experimental results show that in the known-prompt setting, the method achieves up to 100% accuracy in recovering a 32-bit seed from generated text, while near-perfect recovery is possible in the unknown-prompt setting with longer outputs.
Ignoring prompt knowledge is a critical security flaw, as LLMs can covertly transmit hidden messages through their deterministic sampling processes.
We demonstrate that widely deployed Large Language Model (LLM) inference stacks harbor a steganographic channel that requires no modification to model weights, sampling code, or output distributions. The channel exploits a structural property of deterministic decoding: pseudo-random number generators (PRNGs) used in inverse-transform sampling produce a seed-dependent sequence of token-level probability intervals that can be reconstructed from the generated text alone. A sender encodes a secret message in the PRNG seed before generation; a receiver reconstructs the intervals and recovers the seed, and thus the hidden payload, by exhaustive search over the seed space. We formalize two operational modes. In the known-prompt setting, sender and receiver share the prompt, enabling exact interval reconstruction and perfect seed recovery via forced alignment. In the unknown-prompt setting, only the generated text is available; approximate interval reconstruction combined with a maximum-hit-count scoring strategy still permits reliable recovery from sufficiently long outputs. Extensive experiments across six model families and five heterogeneous text domains show that, in the known-prompt setting, full 32-bit seed recovery from the complete 2^32 candidate space achieves up to 100% accuracy, depending on model and text domain, within 300 tokens and under 35 seconds on a single GPU. In the unknown-prompt setting, recovery reaches near-perfect accuracy at 600-800 tokens in about 12 seconds. We further analyze the influence of prompting strategies, tokenization ambiguities, and sampling hyperparameters on channel reliability. Moreover, we discuss several applications of our results: First, it allows for the steganographic transmission of 32 bits, but also shows that ignorance of the prompt is not a valid security assumption.
