Cool stuff. I think there have been projects recently that use LLMs to encode messages in plain text by manipulating the choice of output tokens. Someone with the same version of the LLM can decode. Not sure where to find these projects, though.
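A minimal sketch of the idea (my reconstruction, not any specific project): both sides share the same deterministic next-word ranking — here a hash-based toy stand-in for an LLM — and each generation step hides one bit by picking the rank-0 or rank-1 candidate. Anyone with the same "model" and the same seed context can recover the bits.

```python
# Toy sketch of encoding bits in token choice. The hash-based ranking is a
# deterministic stand-in for an LLM's ranked next-token list; with a real
# model you would rank by probability instead.
import hashlib

VOCAB = ["the", "a", "cat", "dog", "sat", "ran", "on", "under", "mat", "tree"]

def ranked_candidates(context):
    """Deterministic ranking of next words given the context window."""
    key = " ".join(context).encode()
    return sorted(VOCAB, key=lambda w: hashlib.sha256(key + w.encode()).digest())

def encode(bits):
    context, out = ["the", "cat"], []   # shared seed context
    for bit in bits:
        word = ranked_candidates(context)[bit]  # rank 0 or 1 carries the bit
        out.append(word)
        context = (context + [word])[-2:]
    return out

def decode(words):
    context, bits = ["the", "cat"], []  # same shared seed context
    for word in words:
        bits.append(ranked_candidates(context).index(word))
        context = (context + [word])[-2:]
    return bits
```

The output reads as word salad here; with a real language model the same rank-selection trick yields fluent text, which is the whole point.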
This is a really interesting space, and one that I've been playing with since the first GPTs landed. But it's even cooler than simply using completion choice to encode data. It has been mathematically proven that you can use LLMs to do stego that cannot be detected[0]. I'm more than positive that comments on social media are being used to build stego dead drops.
What I find really interesting about this approach is that it's one of the less obvious ways LLMs might be used by the general public to defend themselves against LLM capabilities used by bad actors, i.e. semantic search (much as LLMs making bug-finding easier is good for blackhats, but maybe better for whitehats).
The reasoning in my head is that it creates a statistical firewall, precluding eavesdroppers with privileged access from using cheap statistical methods to detect a hidden message (which is effectively what crypto _is_; ipso facto, this is undetectable crypto).
ETA, the abstract for a paper I've been working on related to this:
Mass surveillance systems have systematically eroded the practical security of private communication by eliminating channel entropy through universal collection and collapsing linguistic entropy through semantic indexing. We propose a protocol that reclaims these lost "bits of security" by using steganographic text generation as a transport layer for encrypted communication. Building on provably secure generative linguistic steganography (ADG), we introduce conversation context as implicit key material, per-message state ratcheting, and automated heartbeat exchanges to create a system where the security properties strengthen over time and legitimate users enjoy constant-cost communication while adversaries face costs that scale with the entire volume of global public text. We further describe how state-derived proofs can establish a novel form of Web of Trust where relationship depth is cryptographically verifiable. The result is a communication architecture that is structurally resistant to mass surveillance rather than merely computationally resistant.
0. https://arxiv.org/abs/2106.02011
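To make the "per-message state ratcheting" in the abstract concrete, here is a minimal illustrative hash ratchet (my sketch, not the paper's actual construction): each message derives a one-time key from the shared state, then advances the state by hashing the message in, so keys evolve over the conversation and old keys can't be recovered from the current state.

```python
# Minimal per-message hash ratchet sketch. The initial state stands in for
# "conversation context as implicit key material"; the domain-separation
# tags (b"msg", b"ratchet") are illustrative choices, not a spec.
import hashlib

def ratchet(state: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Derive a one-time message key, then advance the shared state."""
    msg_key = hashlib.sha256(state + b"msg").digest()
    next_state = hashlib.sha256(state + b"ratchet" + message).digest()
    return msg_key, next_state

state = hashlib.sha256(b"shared conversation context").digest()
k1, state = ratchet(state, b"first message")
k2, state = ratchet(state, b"second message")
```

A real design would use a proper KDF (e.g. HKDF) rather than raw SHA-256, but the one-way state evolution is what makes the security properties "strengthen over time."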
Wow, just found it: https://news.ycombinator.com/item?id=43030436 thanks for bringing this up, gave me some good reading material for tonight!
I created something similar a long, long time ago, but much simpler, using Markov chains: basically encoding data via the choice of the next word tuple given the current word tuple. It generated gibberish mostly, but it was fun 25 years ago.
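A rough reconstruction of that Markov-chain version (my guess at the scheme, using single words rather than tuples for brevity): build a chain from a shared corpus, and wherever the current word has more than one observed successor, let a data bit pick which one comes next; forced steps carry no data.

```python
# Sketch of Markov-chain steganography: bits steer the walk at branch
# points. Both sides must share the same corpus (and hence the same chain).
from collections import defaultdict

CORPUS = ("the cat sat on the mat the dog sat on the log "
          "the cat ran under the tree the dog ran on the mat").split()

chain = defaultdict(list)
for cur, nxt in zip(CORPUS, CORPUS[1:]):
    if nxt not in chain[cur]:
        chain[cur].append(nxt)

def encode(bits, start="the"):
    words, word, queue = [start], start, list(bits)
    while queue:
        succ = chain[word]
        if len(succ) >= 2:
            word = succ[queue.pop(0)]  # bit selects among first two successors
        else:
            word = succ[0]             # forced step, carries no data
        words.append(word)
    return words

def decode(words):
    bits = []
    for cur, nxt in zip(words, words[1:]):
        succ = chain[cur]
        if len(succ) >= 2:
            bits.append(succ.index(nxt))
    return bits
```

With a tiny corpus like this the output is exactly the gibberish described; a bigger corpus and longer tuples make it read more like real text at the cost of fewer branch points per word.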
If I understand correctly, this is like the WWII Enigma machines: a single black box used both to encode and decode?
You can actually do better. Hint: variation selectors, low bytes.
I went down the rabbit hole last night and found some great resources on variation selectors. Thanks for the inspiration — I added a demo of this to the site as well!
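For anyone else following the hint: here's a small sketch of the trick (my version, one of several encodings in use). Unicode variation selectors VS1–VS16 (U+FE00–U+FE0F) render as nothing on their own, so each payload byte can ride along as two invisible selectors — one per nibble — appended after a visible carrier character.

```python
# Hide bytes in Unicode variation selectors (U+FE00-U+FE0F).
# Each byte -> two selectors (high nibble, low nibble), appended invisibly.
VS_BASE = 0xFE00

def hide(carrier: str, payload: bytes) -> str:
    selectors = "".join(
        chr(VS_BASE + (b >> 4)) + chr(VS_BASE + (b & 0x0F)) for b in payload
    )
    return carrier + selectors

def reveal(text: str) -> bytes:
    nibbles = [ord(c) - VS_BASE for c in text if 0xFE00 <= ord(c) <= 0xFE0F]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))
```

`hide("A", b"secret")` still displays as a bare "A" in most renderers, though copy-paste and some sanitizers will strip or mangle the selectors, so it's fragile as a transport.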
There are a bunch of invisible characters that I used to build something similar a while back, pre-LLMs, to hide state info in Telegram messages to make bots more powerful.
https://github.com/sixhobbits/unisteg