Saved in:
Bibliographic Details
Main Authors: Zhang, Jie, Ding, Meng, Liu, Yang, Hong, Jue, Tramèr, Florian
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2510.16794
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918163824771072
author Zhang, Jie
Ding, Meng
Liu, Yang
Hong, Jue
Tramèr, Florian
author_facet Zhang, Jie
Ding, Meng
Liu, Yang
Hong, Jue
Tramèr, Florian
contents We present a novel approach for attacking black-box large language models (LLMs) by exploiting their ability to express confidence in natural language. Existing black-box attacks require either access to continuous model outputs like logits or confidence scores (which are rarely available in practice), or rely on proxy signals from other models. Instead, we demonstrate how to prompt LLMs to express their internal confidence in a way that is sufficiently calibrated to enable effective adversarial optimization. We apply our general method to three attack scenarios: adversarial examples for vision-LLMs, jailbreaks and prompt injections. Our attacks successfully generate malicious inputs against systems that only expose textual outputs, thereby dramatically expanding the attack surface for deployed LLMs. We further find that better and larger models exhibit superior calibration when expressing confidence, creating a concerning security paradox where model capability improvements directly enhance vulnerability. Our code is available at this [link](https://github.com/zj-jayzhang/black_box_llm_optimization).
format Preprint
id arxiv_https___arxiv_org_abs_2510_16794
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Black-box Optimization of LLM Outputs by Asking for Directions
Zhang, Jie
Ding, Meng
Liu, Yang
Hong, Jue
Tramèr, Florian
Cryptography and Security
Machine Learning
We present a novel approach for attacking black-box large language models (LLMs) by exploiting their ability to express confidence in natural language. Existing black-box attacks require either access to continuous model outputs like logits or confidence scores (which are rarely available in practice), or rely on proxy signals from other models. Instead, we demonstrate how to prompt LLMs to express their internal confidence in a way that is sufficiently calibrated to enable effective adversarial optimization. We apply our general method to three attack scenarios: adversarial examples for vision-LLMs, jailbreaks and prompt injections. Our attacks successfully generate malicious inputs against systems that only expose textual outputs, thereby dramatically expanding the attack surface for deployed LLMs. We further find that better and larger models exhibit superior calibration when expressing confidence, creating a concerning security paradox where model capability improvements directly enhance vulnerability. Our code is available at this [link](https://github.com/zj-jayzhang/black_box_llm_optimization).
title Black-box Optimization of LLM Outputs by Asking for Directions
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2510.16794