Since this got some interest, I decided to share a simple example you can run on your computer. The example here is with a 3B model, needing about 12GB in RAM (?) and only takes a few seconds to encode/decode:

(venv)% python runme.py
Using device: mps
Model alias: qwen-3b
Loading local model from ./models/Qwen--Qwen2.5-3B
Loading checkpoint shards: 100%|██████████████████████████████████████████████████████████████████████████████| 3/3 [00:00<00:00, 32.09it/s]
Plaintext : b'Attack at dawn!'
Encoding...
Encoding: 152/152 bits, 82 tokens generated...
Stegotext : In 1492, when Christopher Columbus landed on the New World, he thought he had reached India. But Indian people had already lived in the Americas for thousands of years with little contact with the outside world. They knew about the land and waters, unlike Columbus who was ignorant about this particular region. While Columbus' expedition of 1492-1493 can be considered America's "first landing," that is
Decoded 82 bits so far...
Recovered : b'Attack at dawn!'
Success: round-trip verified.

That's generous though, most of the other examples looked a lot more stupid. Also notice the hidden text:stegotext ratio is 1:20, or so. While that's bad, it is viable for verbal communication, and most types of steganography are a lot worse. You can change the secret key, the hidden message and the initial prompt to play with it.

Replies (17)

Bitcoin's recent dip below $60k aligns with the Fear & Greed Index hitting 18, a level historically seen during sharp corrections. The 3B model in your example running on 12GB RAM highlights how lightweight on-device AI is becoming—useful for decentralized tools. Extreme Fear often precedes volatility, but past cycles show it can linger before reversals. Nostr’s open-source ethos mirrors this kind of experimentation. Interesting timing for both tech and markets. Ever seen this?
This is very interesting indeed. I need to keep wrapping my head around this, but I have a doubt. How large does the initial prompt have to be? AFAIK, this initial prompt that both users need to use in order to initialize the LLM state so they can decode would work as a kind of “symmetric key,” right? If this is true, I was just wondering how secure or what is the shape of that initial prompt is, and whether it is susceptible to brute forcing in some way. Because for someone to participate in a conversation, they just need the LLM model and the prompt, and then they can exchange encoded messages out of band, right? Please correct me if I’m wrong on any of the points; I’m still trying to understand this :)
The prompt is pretty arbitrary. But the users need to share a secret out of band, before they can start using it for communication.
Sweeeeet. Perchance do you know of this process that KryptE calls fairytale mode?
"Fairytale Mode: Implements steganographic encoding where encrypted messages are hidden in invisible Unicode characters (U+200C through U+200F) appended to decoy text from fairy tales (Cinderella or Rapunzel). The process involves:
- JSON minification and key abbreviation
- GZIP compression
- Binary string conversion
- 4-bit to invisible Unicode character mapping
- Appending to fairy tale text"
Great, thanks for answering. Do you have a spec or research paper I can read? I'm quite interested in the topic. Do you think “asymmetry” could be achieved so the secret each user shares doesn’t need to be symmetric?
The research paper is in the OP ("Meteor"). I don't think a spec really makes sense, but someone could try. As I tried to explain, it's not really practical yet. You can see the code in the repo I posted for an example.
Cool, I like the design. Why GPT-2 though? Did you see my example repo? I have 3 or 4 models people can pick from, ranging from a super-tiny CPU model that produces near-garbage (even worse than your GPT-2, I'd say) up to something needing a moderate chunk of RAM (12GB) that's still fast *enough*; but you probably wouldn't want to load it in a webpage. Or... well, I guess there's some technical question about how you could have it pre-loaded and work for any client making a request. Huh, not sure.
Looks like an interesting project, but that kind of steganography doesn't defeat an aggressive censor (look at my mention of whitespace in OP, it's in that category); the messages will be detectable from scanning. (Remember that steganography is about hiding that the message exists, not only hiding the message). Doesn't mean it isn't useful; it's just about what's your threat model. If your threat model is an all-powerful censor, that's not enough.
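The pipeline quoted a few replies up, rebuilt as an added example (not KryptE's code) beside the kind of scan a censor would run, which is the point made in the reply just above. Assumptions of this version: the post does not say how bits are packed, so it carries two bits per character since four code points are available; the fairy-tale decoy is replaced by a constructed sentence; the key-abbreviation step is omitted.

```python
import gzip
import json
import unicodedata

# Four zero-width format characters (U+200C..U+200F) => two payload bits per character.
ZW = ["\u200c", "\u200d", "\u200e", "\u200f"]
# Constructed stand-in for the fairy-tale decoy text (plain ASCII, no format characters).
DECOY = "Once upon a time a poor miller lived with his daughter in a cottage by the forest."

def hide(record: dict, decoy: str = DECOY) -> str:
    """Minified JSON -> gzip -> bit string -> zero-width characters appended to the decoy."""
    blob = gzip.compress(json.dumps(record, separators=(",", ":")).encode(), mtime=0)
    bits = "".join(f"{b:08b}" for b in blob)
    return decoy + "".join(ZW[int(bits[i:i + 2], 2)] for i in range(0, len(bits), 2))

def reveal(text: str) -> dict:
    """Receiver side: pull out the zero-width characters and reverse the pipeline."""
    bits = "".join(f"{ZW.index(c):02b}" for c in text if c in ZW)
    blob = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return json.loads(gzip.decompress(blob).decode())

def scan(text: str, max_ratio: float = 0.01):
    """Censor side: count Unicode category Cf (format) characters, which ordinary prose
    almost never contains in bulk. The payload is flagged without decrypting anything.
    A few such characters occur legitimately (emoji ZWJ sequences, ZWNJ in Persian or
    Indic text), so the decision is on the share of the message, not mere presence."""
    cf = sum(1 for c in text if unicodedata.category(c) == "Cf")
    ratio = cf / len(text) if text else 0.0
    return cf, ratio, ratio > max_ratio
```

Run `scan(hide({...}))` to see that the appended payload is several times longer than the decoy itself, which is exactly what makes it trivial to spot.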
100% doesn't address your use case, but I found the implementation elegant and thought it might interest you as you think of this new stegano project. Looking forward to more of this. Keep building, cypherpunk.
Played with this some on my machine and discovered something that may be obvious to you and others, but I will share it just in case. Basically, and I'm paraphrasing some LLM's explanation here, if you encode on a GPU and decode on a CPU you can have issues due to floating-point rounding being done differently. Is this common knowledge? It suggests that for it to work with two parties, "...crucially the same compute backend (ideally deterministic CPU math)" should be used.
Yeah, on "round trip tests" it worked fine on encode/decode since it would use MPS on both, but I stumbled across the issue when doing some other test and the LLM used CPU to decode, and caught it in the default/test case.
Just an additional thought on this (sorry to invade your replies lately), but if an adversary knew what model you were using (or could guess it), and your average secret message were of some relatively consistent length (e.g., always kept short to a small number of words), then observing the varying length of messages produced could tip them off to the fact that hidden messages were being transmitted, since messages with many high-probability words would tend to be longer-winded. So, the smart thing to do would be to vary the length of the secret message with some "random" filler words each time. I realize I'm kind of overthinking a toy model here...
Valid thoughts; I guess you cannot make absolute statements about the security of the system without making assumptions about the distribution of the covertext, i.e. how you 'normally' use the LLM model.
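An added example (not the OP's runme.py and not the Meteor authors' code) tying together the round trip in the OP, the out-of-band shared secret discussed above, and the same-backend requirement: a Meteor-style arithmetic-coding embedder over a constructed toy bigram model standing in for Qwen2.5-3B. Assumed here: integer token weights (so both sides derive bit-identical intervals, which is what the GPU/CPU float mismatch breaks for a real model), HMAC-SHA256 over a step counter as the keystream, and a one-byte length header.

```python
import hmac

# Constructed toy bigram "language model" with integer weights, standing in for
# Qwen2.5-3B. Exact integer arithmetic sidesteps the GPU/CPU float mismatch.
BIGRAMS = {
    "<s>": {"the": 5, "a": 3, "in": 2}, "in": {"the": 7, "a": 3},
    "the": {"ship": 4, "crew": 3, "sea": 2, "storm": 1},
    "a": {"ship": 5, "storm": 3, "crew": 2}, "and": {"the": 5, "a": 5},
    "ship": {"sailed": 5, "sank": 2, "and": 3}, "crew": {"sailed": 6, "sank": 4},
    "sea": {"rose": 5, "and": 5}, "storm": {"rose": 6, "and": 4},
    "sailed": {"in": 5, "and": 5}, "sank": {"in": 6, "and": 4}, "rose": {"and": 6, "in": 4},
}
PREC = 32  # width of the arithmetic-coding window, in bits

def intervals(ctx):
    """Give each next token a sub-interval of [0, 2**PREC) proportional to its weight."""
    total, cum, out = sum(BIGRAMS[ctx].values()), 0, {}
    for tok, w in BIGRAMS[ctx].items():
        out[tok] = ((cum << PREC) // total, ((cum + w) << PREC) // total)
        cum += w
    return out

def mask(key, step):
    """Per-step PREC-bit mask derived from the shared secret (HMAC-SHA256 as keyed PRF)."""
    return int.from_bytes(hmac.digest(key, step.to_bytes(4, "big"), "sha256")[:4], "big")

def agreed_bits(lo, hi):
    """Leading bits common to every value in [lo, hi): only these can be recovered."""
    return PREC - (lo ^ (hi - 1)).bit_length()

def encode(key, secret, max_tokens=1000):
    bits = "".join(f"{b:08b}" for b in len(secret).to_bytes(1, "big") + secret)
    pos, words = 0, []
    while pos < len(bits) and len(words) < max_tokens:
        ctx = words[-1] if words else "<s>"
        r = int(bits[pos:pos + PREC].ljust(PREC, "0"), 2) ^ mask(key, len(words))
        for tok, (lo, hi) in intervals(ctx).items():  # "sample": token whose interval holds r
            if lo <= r < hi:
                break
        pos += agreed_bits(lo, hi)  # often 0 or 1: that is the poor payload:cover ratio
        words.append(tok)
    return " ".join(words)

def decode(key, stegotext):
    words, bits = stegotext.split(), ""
    for step, tok in enumerate(words):
        lo, hi = intervals(words[step - 1] if step else "<s>")[tok]
        n = agreed_bits(lo, hi)  # top n bits of lo equal top n bits of the masked r
        bits += format((lo ^ mask(key, step)) >> (PREC - n), "b").zfill(n) if n else ""
    length = int(bits[:8].ljust(8, "0"), 2)
    payload = bits[8:8 + 8 * length].ljust(8 * length, "0")
    return int(payload, 2).to_bytes(length, "big") if length else b""
```

`decode(key, encode(key, b"Attack at dawn!"))` round-trips only when both sides use the same key and compute the same intervals; a receiver with a different key recovers garbage, and a receiver whose model rounds differently would pick different intervals and desynchronise.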