A Fragile Guardrail: Diffusion LLM's Safety Blessing and Its Failure Mode
Zeyuan He, Yupeng Chen, Lang Lin, Yihan Wang, Shenxu Chang, Eric Sommerlade, Philip Torr, Junchi Yu, Adel Bibi, Jialin Yu
TL;DR
Diffusion LLMs (D-LLMs) offer efficient, bidirectional generation but raise unique safety questions. The authors formalize a safety blessing: the denoising trajectory gradually suppresses unsafe generations, captured by a contraction $D(x_{t-1}, \mathcal{S}) \leq \alpha_t \cdot D(x_t, \mathcal{S})$ that reduces attack impact across steps. However, they uncover a simple, effective black-box failure mode—context nesting—where harmful prompts embedded in structured contexts bypass stepwise reductions, achieving state-of-the-art jailbreak results and even affecting commercial Gemini Diffusion. The work advances red-teaming for D-LLMs and calls for defenses that address high-level contextual attack surfaces beyond token-level prompts.
Abstract
Diffusion large language models (D-LLMs) offer an alternative to autoregressive LLMs (AR-LLMs) and have demonstrated advantages in generation efficiency. Beyond the utility benefits, we argue that D-LLMs exhibit a previously underexplored safety blessing: their diffusion-style generation confers intrinsic robustness against jailbreak attacks originally designed for AR-LLMs. In this work, we provide an initial analysis of the underlying mechanism, showing that the diffusion trajectory induces a stepwise reduction effect that progressively suppresses unsafe generations. This robustness, however, is not absolute. We identify a simple yet effective failure mode, termed context nesting, where harmful requests are embedded within structured benign contexts, effectively bypassing the stepwise reduction mechanism. Empirically, we show that this simple strategy is sufficient to bypass D-LLMs' safety blessing, achieving state-of-the-art attack success rates across models and benchmarks. Most notably, it enables the first successful jailbreak of Gemini Diffusion, to our knowledge, exposing a critical vulnerability in commercial D-LLMs. Together, our results characterize both the origins and the limits of D-LLMs' safety blessing, constituting an early-stage red-teaming of D-LLMs.
