Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Conversational Complexity for Assessing Risk in Large Language Models

John Burden, Manuel Cebrian, Jose Hernandez-Orallo

TL;DR

Framing the dual-use risk of large language model conversations, the paper introduces two information-theoretic metrics, Conversational Length (CL) and Conversational Complexity (CC), to quantify the minimal effort required to elicit harmful outputs. It operationalizes Minimum Conversational Complexity (MCC) through LM-based probability estimates and, where possible, compression-based approximations, validating the framework on the Kevin Roose–Bing episode and a large Anthropic red-teaming dataset. The findings show that harmful interactions are typically longer and more complex, with CC correlating with harm and offering a practical signal for safety auditing, though substantial overlap with harmless cases remains. The work also discusses limitations and proposes a conservative universal risk bound to guide future LLM safety research.

Abstract

Large Language Models (LLMs) present a dual-use dilemma: they enable beneficial applications while harboring potential for harm, particularly through conversational interactions. Despite various safeguards, advanced LLMs remain vulnerable. A watershed case in early 2023 involved journalist Kevin Roose's extended dialogue with Bing, an LLM-powered search engine, which revealed harmful outputs after probing questions, highlighting vulnerabilities in the model's safeguards. This contrasts with simpler early jailbreaks, like the "Grandma Jailbreak," where users framed requests as innocent help for a grandmother, easily eliciting similar content. This raises the question: How much conversational effort is needed to elicit harmful information from LLMs? We propose two measures to quantify this effort: Conversational Length (CL), which measures the number of conversational turns needed to obtain a specific harmful response, and Conversational Complexity (CC), defined as the Kolmogorov complexity of the user's instruction sequence leading to the harmful response. To address the incomputability of Kolmogorov complexity, we approximate CC using a reference LLM to estimate the compressibility of the user instructions. Applying this approach to a large red-teaming dataset, we perform a quantitative analysis examining the statistical distribution of harmful and harmless conversational lengths and complexities. Our empirical findings suggest that this distributional analysis and the minimization of CC serve as valuable tools for understanding AI safety, offering insights into the accessibility of harmful information. This work establishes a foundation for a new perspective on LLM safety, centered around the algorithmic complexity of pathways to harm.

Conversational Complexity for Assessing Risk in Large Language Models

TL;DR

Framing the dual-use risk of large language model conversations, the paper introduces two information-theoretic metrics, Conversational Length (CL) and Conversational Complexity (CC), to quantify the minimal effort required to elicit harmful outputs. It operationalizes Minimum Conversational Complexity (MCC) through LM-based probability estimates and, where possible, compression-based approximations, validating the framework on the Kevin Roose–Bing episode and a large Anthropic red-teaming dataset. The findings show that harmful interactions are typically longer and more complex, with CC correlating with harm and offering a practical signal for safety auditing, though substantial overlap with harmless cases remains. The work also discusses limitations and proposes a conservative universal risk bound to guide future LLM safety research.

Abstract

Large Language Models (LLMs) present a dual-use dilemma: they enable beneficial applications while harboring potential for harm, particularly through conversational interactions. Despite various safeguards, advanced LLMs remain vulnerable. A watershed case in early 2023 involved journalist Kevin Roose's extended dialogue with Bing, an LLM-powered search engine, which revealed harmful outputs after probing questions, highlighting vulnerabilities in the model's safeguards. This contrasts with simpler early jailbreaks, like the "Grandma Jailbreak," where users framed requests as innocent help for a grandmother, easily eliciting similar content. This raises the question: How much conversational effort is needed to elicit harmful information from LLMs? We propose two measures to quantify this effort: Conversational Length (CL), which measures the number of conversational turns needed to obtain a specific harmful response, and Conversational Complexity (CC), defined as the Kolmogorov complexity of the user's instruction sequence leading to the harmful response. To address the incomputability of Kolmogorov complexity, we approximate CC using a reference LLM to estimate the compressibility of the user instructions. Applying this approach to a large red-teaming dataset, we perform a quantitative analysis examining the statistical distribution of harmful and harmless conversational lengths and complexities. Our empirical findings suggest that this distributional analysis and the minimization of CC serve as valuable tools for understanding AI safety, offering insights into the accessibility of harmful information. This work establishes a foundation for a new perspective on LLM safety, centered around the algorithmic complexity of pathways to harm.
Paper Structure (18 sections, 18 equations, 6 figures, 2 tables)

This paper contains 18 sections, 18 equations, 6 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Conversational Complexity for Assessing Risk
  3. Defining a Conversation
  4. Conversational Length
  5. Conversational Complexity
  6. Interpretation
  7. Estimating Minimum Conversational Complexity
  8. Kevin Roose Conversation with Bing
  9. Distributional Data Analysis
  10. Conversational Length, Conversational Complexity and Harm
  11. Comparison of Model Types
  12. Power Law Analysis of Complexity Distributions
  13. Predicting Harm
  14. Limitations and Potential
  15. Acknowledgments
  16. ...and 3 more sections

Figures (6)

  • Figure 1: Top: Three conversations leading to harmful output. Left: a long prompt is required. Middle: a shorter but complex prompt is used. Right: a simple two-step conversation achieves the same result. Bottom: The table presents different methods for estimating the complexity of the three conversations (C1, C2, and C3) shown above. The Original Length represents the raw byte length of the UTF-8 encoded text. ZLIB Compressor shows the compressed size using a standard lossless compression algorithm. GPT2, GPT3-davinci, and LLaMa-2 (7B) values represent complexity estimates derived from these language models, calculated as the negative log probability of the conversation. Lower values indicate lower estimated complexity. These methods offer different approximations of conversational complexity, which we will explore in more detail in the paper.
  • Figure 2: Time Series of Conversational Complexity in the conversation between Kevin Roose and Sydney. The blue line represents Kevin's utterances, while the orange line shows a moving window average of complexity.
  • Figure 3: Distributions of Conversational Length and Conversational Complexity over the Anthropic Dataset (in bits).
  • Figure 4: Conversational Complexity against Conversational Length (in bits). The Pearson correlation coefficient between CC and CL is 0.949.
  • Figure 5: Distribution of Conversational Complexity (in bits) across different model types.
  • ...and 1 more figures

Theorems & Definitions (4)

  • Definition 1: Conversation
  • Definition 2: Minimum Conversational Length
  • Definition 3: Conversational Complexity
  • Definition 4: Minimum Conversational Complexity