Better Language Model Inversion by Compactly Representing Next-Token Distributions

TL;DR

This paper introduces PILS, a novel method for language model inversion that leverages low-dimensional subspace representations of next-token probabilities to significantly improve prompt recovery accuracy and generalization, raising security concerns.

Contribution

We propose PILS, a linear compression-based approach that enhances prompt inversion by exploiting low-dimensional structures in language model outputs, outperforming prior methods.

Findings

Achieves 2-3.5x higher prompt recovery rates than previous methods.

Demonstrates strong generalization to increased generation steps.

Effectively recovers hidden system messages, highlighting security vulnerabilities.

Abstract

Language model inversion seeks to recover hidden prompts using only language model outputs. This capability has implications for security and accountability in language model deployments, such as leaking private information from an API-protected language model's system message. We propose a new method -- prompt inversion from logprob sequences (PILS) -- that recovers hidden prompts by gleaning clues from the model's next-token probabilities over the course of multiple generation steps. Our method is enabled by a key insight: The vector-valued outputs of a language model occupy a low-dimensional subspace. This enables us to losslessly compress the full next-token probability distribution over multiple generation steps using a linear map, allowing more output information to be used for inversion. Our approach yields massive gains over previous state-of-the-art methods for recovering hidden prompts, achieving 2--3.5 times higher exact recovery rates across test sets, in one case increasing the recovery rate from 17% to 60%. Our method also exhibits surprisingly good generalization behavior; for instance, an inverter trained on 16 generations steps gets 5--27 points higher prompt recovery when we increase the number of steps to 32 at test time. Furthermore, we demonstrate strong performance of our method on the more challenging task of recovering hidden system messages. We also analyze the role of verbatim repetition in prompt recovery and propose a new method for cross-family model transfer for logit-based inverters. Our findings show that next-token probabilities are a considerably more vulnerable attack surface for inversion attacks than previously known.