LLMs can hide text in other text of the same length

TL;DR

This paper introduces Calgacus, a protocol enabling large language models to embed and extract hidden messages within coherent texts of the same length, raising concerns about trust and AI safety.

Contribution

The paper presents Calgacus, a novel method demonstrating how modest open-source LLMs can covertly hide and reveal messages within ordinary texts, challenging assumptions about AI transparency.

Findings

High-quality message encoding achievable with 8-billion-parameter LLMs

Encoding and decoding can be performed locally on a laptop in seconds

The protocol demonstrates a radical decoupling of text from authorial intent

Abstract

A meaningful text can be hidden inside another, completely different yet still coherent and plausible, text of the same length. For example, a tweet containing a harsh political critique could be embedded in a tweet that celebrates the same political leader, or an ordinary product review could conceal a secret manuscript. This uncanny state of affairs is now possible thanks to Large Language Models, and in this paper we present Calgacus, a simple and efficient protocol to achieve it. We show that even modest 8-billion-parameter open-source LLMs are sufficient to obtain high-quality results, and a message as long as this abstract can be encoded and decoded locally on a laptop in seconds. The existence of such a protocol demonstrates a radical decoupling of text from authorial intent, further eroding trust in written communication, already shaken by the rise of LLM chatbots. We illustrate this with a concrete scenario: a company could covertly deploy an unfiltered LLM by encoding its answers within the compliant responses of a safe model. This possibility raises urgent questions for AI safety and challenges our understanding of what it means for a Large Language Model to know something.