Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Token-Level Constraint Boundary Search for Jailbreaking Text-to-Image Models

Jiangtao Liu, Zhaoxin Wang, Handing Wang, Cong Tian, Yaochu Jin

TL;DR

This paper introduces TCBS-Attack, a black-box jailbreak framework that searches for tokens near safety-checker decision boundaries to generate semantically coherent adversarial prompts for text-to-image models. By formulating the jailbreak as constrained optimization and employing a token-level boundary search with initialization, search, and selection stages, the method bypasses both prompt-level and post-hoc image defenses while preserving target content similarity. Extensive experiments across full-chain defenses, securely trained models, and online services (including DALL-E 3) show TCBS-Attack achieving higher attack success rates and bypass rates than strong baselines, with ablation and sensitivity analyses confirming the importance of jointly enforcing text and image constraints. The findings highlight a practical vulnerability in NSFW defenses and motivate more robust defense strategies that account for boundary-based token manipulation in generation pipelines.

Abstract

Recent advancements in Text-to-Image (T2I) generation have significantly enhanced the realism and creativity of generated images. However, such powerful generative capabilities pose risks related to the production of inappropriate or harmful content. Existing defense mechanisms, including prompt checkers and post-hoc image checkers, are vulnerable to sophisticated adversarial attacks. In this work, we propose TCBS-Attack, a novel query-based black-box jailbreak attack that searches for tokens located near the decision boundaries defined by text and image checkers. By iteratively optimizing tokens near these boundaries, TCBS-Attack generates semantically coherent adversarial prompts capable of bypassing multiple defensive layers in T2I models. Extensive experiments demonstrate that our method consistently outperforms state-of-the-art jailbreak attacks across various T2I models, including securely trained open-source models and commercial online services like DALL-E 3. TCBS-Attack achieves an ASR-4 of 45\% and an ASR-1 of 21\% on jailbreaking full-chain T2I models, significantly surpassing baseline methods.

Token-Level Constraint Boundary Search for Jailbreaking Text-to-Image Models

TL;DR

This paper introduces TCBS-Attack, a black-box jailbreak framework that searches for tokens near safety-checker decision boundaries to generate semantically coherent adversarial prompts for text-to-image models. By formulating the jailbreak as constrained optimization and employing a token-level boundary search with initialization, search, and selection stages, the method bypasses both prompt-level and post-hoc image defenses while preserving target content similarity. Extensive experiments across full-chain defenses, securely trained models, and online services (including DALL-E 3) show TCBS-Attack achieving higher attack success rates and bypass rates than strong baselines, with ablation and sensitivity analyses confirming the importance of jointly enforcing text and image constraints. The findings highlight a practical vulnerability in NSFW defenses and motivate more robust defense strategies that account for boundary-based token manipulation in generation pipelines.

Abstract

Recent advancements in Text-to-Image (T2I) generation have significantly enhanced the realism and creativity of generated images. However, such powerful generative capabilities pose risks related to the production of inappropriate or harmful content. Existing defense mechanisms, including prompt checkers and post-hoc image checkers, are vulnerable to sophisticated adversarial attacks. In this work, we propose TCBS-Attack, a novel query-based black-box jailbreak attack that searches for tokens located near the decision boundaries defined by text and image checkers. By iteratively optimizing tokens near these boundaries, TCBS-Attack generates semantically coherent adversarial prompts capable of bypassing multiple defensive layers in T2I models. Extensive experiments demonstrate that our method consistently outperforms state-of-the-art jailbreak attacks across various T2I models, including securely trained open-source models and commercial online services like DALL-E 3. TCBS-Attack achieves an ASR-4 of 45\% and an ASR-1 of 21\% on jailbreaking full-chain T2I models, significantly surpassing baseline methods.

Paper Structure

This paper contains 27 sections, 4 equations, 3 figures, 8 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Adversarial Attacks on T2I Models
  4. Defensive Methods for T2I Models
  5. Methodology
  6. Motivation
  7. Problem Formulation
  8. Token-Level Constraint Boundary Search
  9. Initialization
  10. Token Search Based on Constraint Boundary
  11. Token Selection Based on Constraints
  12. Experiments
  13. Experimental Settings
  14. Experimental Results on Jailbreaking Full-Chain T2I Models
  15. Experimental Results on Jailbreaking Securely Trained T2I Models
  16. ...and 12 more sections

Figures (3)

  • Figure 1: Overview of the proposed TCBS-Attack framework. TCBS-Attack initially detects sensitive tokens and initializes population. Subsequently, candidate prompts in the population undergo iterative refinement through token search and token selection based on constraint boundary, effectively bypassing safety measures in T2I models.
  • Figure 2: Visualization results of TCBS Attack.
  • Figure A1: Visualization results of TCBS Attack on SafeGen.