The Steganographic Potentials of Language Models
Artem Karpov, Tinuade Adeleke, Seong Hah Cho, Natalia Perez-Campanero
TL;DR
This work investigates the steganographic potential of LLMs and the risks it poses for alignment and oversight. It develops an encoder–decoder RL framework and conducts colors, direct steganography, and prompting experiments to characterize how payloads can be covertly embedded and decoded, with performance improvements up to $20\%$ for $3$-bit payloads and undetected accuracy reaching as high as $0.66$ in favorable prompting scenarios. The findings demonstrate that while current models exhibit rudimentary steganographic abilities, convergence is fragile and highly sensitive to prompts, model class, and training setup, underscoring the need for robust detection, mitigation, and normative frameworks for safe deployment. Overall, the paper highlights significant dual-use risks and the imperative to develop monitoring and defense mechanisms as steganographic capabilities scale with model power and deployment.
Abstract
The potential for large language models (LLMs) to hide messages within plain text (steganography) poses a challenge to detection and thwarting of unaligned AI agents, and undermines faithfulness of LLMs reasoning. We explore the steganographic capabilities of LLMs fine-tuned via reinforcement learning (RL) to: (1) develop covert encoding schemes, (2) engage in steganography when prompted, and (3) utilize steganography in realistic scenarios where hidden reasoning is likely, but not prompted. In these scenarios, we detect the intention of LLMs to hide their reasoning as well as their steganography performance. Our findings in the fine-tuning experiments as well as in behavioral non fine-tuning evaluations reveal that while current models exhibit rudimentary steganographic abilities in terms of security and capacity, explicit algorithmic guidance markedly enhances their capacity for information concealment.
