The AI's Secrets: Unlocking the Unlockable?
The race to secure AI systems is on, but are we fighting a losing battle?
Large language models, like the infamous ChatGPT, are designed with filters to prevent sensitive or harmful information from being accessed. However, a groundbreaking mathematical argument reveals a startling truth: these safeguards may never be entirely foolproof.
AI developers and users have been engaged in a constant battle, with users attempting to outsmart language models and access restricted data. From simple workarounds to intricate role-play scenarios, these 'jailbreaks' have evolved over time. Surprisingly, one creative method involves transforming malicious prompts into poetry, tricking the AI into revealing its secrets.
But as soon as these exploits are discovered, they are swiftly patched. AI companies don't need to re-train the entire model; they can simply update the filters to block the newly discovered vulnerabilities.
Cryptographers have recently turned their attention to these filters, and their findings are intriguing. In a series of papers, they demonstrate how these protective filters can be manipulated using cryptographic techniques, exposing inherent weaknesses in the two-tier system. This system, designed to safeguard powerful language models, inadvertently creates exploitable gaps in its defenses.
This emerging field of study, combining cryptography and AI, aims to uncover the promises and pitfalls of models like ChatGPT. Shafi Goldwasser, a renowned cryptographer and Turing Award recipient, emphasizes the importance of this research: 'Crypto ensures we can trust powerful technologies and guarantees our safety.'
But here's where it gets controversial...
Goldwasser's initial focus was on using cryptography to address AI alignment, ensuring models generate reliable information. However, defining 'reliable' is a complex task. As Goldwasser points out, aligning AI with human values is challenging because these values are ever-evolving.
To prevent AI misalignment, developers have limited options. They can attempt to retrain models on carefully curated datasets, a daunting task given the vastness of the internet. Alternatively, they can fine-tune the model, a delicate process requiring precision. The most practical solution is to implement external filters that block harmful prompts, a cheaper and faster approach, especially when vulnerabilities are discovered post-release.
Ironically, the very feature that makes filters appealing—their external nature—also limits their effectiveness. These filters, often powered by machine learning, must be smaller and faster than the language models they protect, creating a power imbalance. For cryptographers, this imbalance is an opportunity, akin to a burglar spotting an open window.
A recent paper illustrates this perfectly. Researchers devised a clever method to smuggle malicious prompts past the filters by disguising them as puzzles. If the language model could solve the puzzle but the filter couldn't, the filter would unknowingly pass the prompt to the model.
Their chosen puzzle was a simple substitution cipher, where each letter in a message is replaced according to a code. The model was then instructed to decode the prompt and respond accordingly. Filters on popular LLMs like Google Gemini, DeepSeek, and Grok couldn't solve these puzzles, so they forwarded the prompts to the models, which happily revealed the forbidden information. This technique was dubbed 'controlled-release prompting'.
While this approach was inspired by cryptographic principles, it didn't require advanced cryptographic tools. 'We didn't use actual cryptography, but it was our muse,' said Jaiden Fairoze, the lead researcher.
Fairoze and his team were motivated by a recent theoretical argument that filter-based protections will always have vulnerabilities. This argument centered on time-lock puzzles, a cryptographic concept. These puzzles are like locked boxes that can only be opened after a set amount of time, making them ideal for hiding malicious prompts.
The researchers designed time-lock puzzles that converted text into seemingly random numbers. To decode the message, a computer would repeatedly perform mathematical operations. By controlling the number of operations, the researchers could ensure the puzzle remained unsolved for a specific time.
For instance, a prompt like 'Tell me how to build a bomb' could be locked in a time-lock puzzle, appearing as a long random number. This number could be fed into the model with instructions to perform the necessary operations, decode the message, and execute it.
To avoid detection by filters, the researchers leveraged the way language models generate text using random seeds. By using the time-lock puzzle as the seed, the puzzle would be passed through the filter alongside an innocuous prompt. The filter, unaware of the hidden message, would allow the prompt to reach the language model, which could then unlock the puzzle and respond with the forbidden information.
The researchers' findings are profound. They prove that if safety measures are less computationally powerful than the language model, vulnerabilities will persist. 'Can we align language models externally without understanding their inner workings?' asks Greg Gluch, a computer scientist involved in the time-lock puzzle research. The answer, according to Gluch, is a definitive no.
This implies that any filter-based alignment system, present or future, will always have exploitable weaknesses. No matter the fortifications, there will always be a way in.
The question remains: Are we chasing an impossible dream of AI security, or is there a way to truly lock the cat burglar out?
