>The paper shows how an LLM can hide a full message inside another text of equal length.
>It runs in seconds on a laptop with 8B open models.
>First, pass the secret through an LLM and record, for each token, the rank of the actual next token.
>Then prompt the model to write on a chosen topic, and force it to pick tokens at those ranks.
>The result reads normally on that topic and has the same token count as the secret.
>With the same model and prompt, anyone can reverse the steps and recover the exact original.
>These covers look natural to people, but models usually rate them less likely than the originals.
>Quality is best when the model predicts the hidden text well, and worse for unusual domains or weaker models.
>Security comes from the secret prompt and the exact model, and it gives the sender believable deniability.
>One risk is hiding harmful answers inside safe replies for later extraction by a local model.
>The paper shows how an LLM can hide a full message inside another text of equal length.
>It runs in seconds on a laptop with 8B open models.
>First, pass the secret through an LLM and record, for each token, the rank of the actual next token.
>Then prompt the model to write on a chosen topic, and force it to pick tokens at those ranks.
>The result reads normally on that topic and has the same token count as the secret.
>With the same model and prompt, anyone can reverse the steps and recover the exact original.
>These covers look natural to people, but models usually rate them less likely than the originals.
>Quality is best when the model predicts the hidden text well, and worse for unusual domains or weaker models.
>Security comes from the secret prompt and the exact model, and it gives the sender believable deniability.
>One risk is hiding harmful answers inside safe replies for later extraction by a local model.