Steganography Without Modification: Hidden Communication via LLM Seeds
Key Takeaways
- ▸LLM inference stacks contain an undiscovered steganographic channel exploiting PRNG seed properties in inverse-transform sampling without modifying model weights or code
- ▸Full 32-bit seed recovery achieves up to 100% accuracy from just 300 tokens in known-prompt scenarios and near-perfect accuracy at 600-800 tokens in unknown-prompt settings
- ▸The vulnerability affects at least six model families across five heterogeneous text domains, suggesting widespread impact on deployed LLM systems
Summary
A new research paper demonstrates that large language models contain a steganographic channel that enables hidden communication without requiring any modifications to model weights, sampling code, or output distributions. The vulnerability exploits pseudo-random number generators (PRNGs) used in inverse-transform sampling, allowing senders to encode secret messages in PRNG seeds before text generation, while receivers can recover these hidden payloads by reconstructing token-level probability intervals from the generated text.
The researchers tested their approach across six model families and five text domains, achieving up to 100% accuracy in recovering full 32-bit seeds in known-prompt settings with as few as 300 tokens. In the more challenging unknown-prompt setting—where only generated text is available—the technique achieves near-perfect accuracy at 600-800 tokens within approximately 12 seconds on a single GPU. The work highlights a previously unknown security property of widely deployed LLM inference stacks.
The findings have significant implications for LLM security and challenge the assumption that ignorance of prompts provides security. The researchers discuss how sampling hyperparameters, tokenization strategies, and prompting approaches influence the reliability of the steganographic channel, with potential applications extending beyond hidden communication to broader security and reliability analysis of LLM systems.
- Prompt ignorance is not a valid security assumption, as PRNG seeds and thus hidden payloads can be recovered from generated text alone
Editorial Opinion
This research exposes a subtle but potentially significant security vulnerability in a core component of modern LLM inference. While steganographic channels themselves have legitimate applications, the discovery highlights how foundational assumptions about LLM randomness and reproducibility can be exploited. The work underscores the need for formal security analysis of LLM systems beyond their generative capabilities, as implementation details in sampling algorithms can harbor unexpected information leakage that practitioners may not expect.
