LMVD-ID: 06a8ea85
Published February 1, 2024

Complex Cipher Jailbreak

jailbreak
prompt-layer
injection
blackbox
safety
model-layer
Affected Models:gpt-4o, gemini 1.5-flash, llama-3.1-8b-instruct, llama-3.1-70b-instruct

Research Paper

When" Competency" in Reasoning Opens the Door to Vulnerability: Jailbreaking LLMs via Novel Complex Ciphers

View Paper

Description: Large Language Models (LLMs) with advanced reasoning capabilities are vulnerable to jailbreaking attacks using novel, complex, and layered custom encryption schemes. LLMs' ability to decipher these ciphers, exceeding the capabilities of less sophisticated models, enables attackers to bypass existing safety mechanisms by encoding malicious prompts.

Examples: The paper demonstrates successful jailbreaks using several cipher techniques, including:

  • Keyboard Cipher: Shifting each character one position to the right on a QWERTY keyboard. "Hello" becomes "Jr;;p".
  • Upside-Down Cipher: Inverting characters. "Paper" becomes "Ԁɐɹǝd".
  • Word Reversal Cipher: Reversing characters in each word. "Laptop" becomes "potpaL".
  • Grid Encoding: Mapping letters to coordinates on a 5x5 grid (omitting 'z').
  • Word Substitution Cipher: Replacing words with other words according to a provided mapping.
  • Layered Attacks: Combining multiple ciphers above (e.g., Word Substitution + Keyboard Cipher). Specific examples of encoded malicious prompts and LLM responses are available within the paper's dataset.

Impact: Successful exploitation allows attackers to circumvent LLM safety mechanisms and elicit harmful or unsafe responses, including but not limited to generation of hate speech, violent content, instructions for illegal activities, and malicious code. The impact is heightened for LLMs with enhanced reasoning capacity, which are more likely to successfully decrypt such complex prompts.

Affected Systems: Open-source and closed-source LLMs, particularly those exhibiting strong reasoning abilities, are susceptible. The paper specifically highlights Llama-3.1-8B-Instruct, Llama-3.1-70B-Instruct, GPT-4o, and Gemini-1.5-Flash as affected.

Mitigation Steps:

  • Develop and incorporate defense mechanisms that specifically target and mitigate sophisticated encoding schemes, beyond common methods like Base64.
  • Enhance safety training datasets to include a wider variety of complex and layered encryption techniques used to obfuscate malicious prompts.
  • Implement further analysis of the model's intermediate processing steps during decryption to detect potential malicious intent, even if the final output is not overtly harmful.
  • Regularly red-team LLMs using novel encryption and prompt engineering techniques to discover and address vulnerabilities proactively.

© 2025 Promptfoo. All rights reserved.