Adversarial Decoding: Generating Readable Documents for Adversarial Objectives
Collin Zhang, Tingwei Zhang, Vitaly Shmatikov
TL;DR
The paper tackles adversarial text generation for retrieval-augmented systems by introducing Adversarial Decoding (AdvDec), a beam-search framework that optimizes multiple objectives to produce readable documents that both attract retrieval and steer generation. AdvDec combines a soft readability score with retrieval- and safety-focused scorers, enabling attacks such as RAG poisoning, jailbreaking, and defense evasion without requiring access to the defense model. It demonstrates that high readability or low perplexity alone does not shield systems from such attacks, and shows competitive effectiveness against prior methods across several encoders, LLMs, and datasets. The work also outlines defenses, acknowledges limitations, and calls for stronger, more robust detection and filtering strategies to mitigate adversarial text generation of this kind.
Abstract
We design, implement, and evaluate adversarial decoding, a new, generic text generation technique that produces readable documents for different adversarial objectives. Prior methods either produce easily detectable gibberish or cannot handle objectives that include embedding similarity. In particular, they only work for direct attacks (such as jailbreaking) and cannot produce adversarial text for realistic indirect injection, e.g., documents that (1) are retrieved in RAG systems in response to broad classes of queries, and also (2) adversarially influence subsequent generation. We also show that fluency (low perplexity) is not sufficient to evade filtering. We measure the effectiveness of adversarial decoding for different objectives, including RAG poisoning, jailbreaking, and evasion of defensive filters, and demonstrate that it outperforms existing methods while producing readable adversarial documents.
