Guardado en:
Detalles Bibliográficos
Autores principales: Ying, Zonghao, Dai, Haowen, Hu, Lianyu, Jing, Zonglei, Zou, Quanchen, Yang, Yaodong, Liu, Aishan, Liu, Xianglong
Formato: Preprint
Publicado: 2026
Materias:
Acceso en línea:https://arxiv.org/abs/2604.05853
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866913012808417280
author Ying, Zonghao
Dai, Haowen
Hu, Lianyu
Jing, Zonglei
Zou, Quanchen
Yang, Yaodong
Liu, Aishan
Liu, Xianglong
author_facet Ying, Zonghao
Dai, Haowen
Hu, Lianyu
Jing, Zonglei
Zou, Quanchen
Yang, Yaodong
Liu, Aishan
Liu, Xianglong
contents Modern text-to-image (T2I) models can now render legible, paragraph-length text, enabling a fundamentally new class of misuse. We identify and formalize the inscriptive jailbreak, where an adversary coerces a T2I system into generating images containing harmful textual payloads (e.g., fraudulent documents) embedded within visually benign scenes. Unlike traditional depictive jailbreaks that elicit visually objectionable imagery, inscriptive attacks weaponize the text-rendering capability itself. Because existing jailbreak techniques are designed for coarse visual manipulation, they struggle to bypass multi-stage safety filters while maintaining character-level fidelity. To expose this vulnerability, we propose Etch, a black-box attack framework that decomposes the adversarial prompt into three functionally orthogonal layers: semantic camouflage, visual-spatial anchoring, and typographic encoding. This decomposition reduces joint optimization over the full prompt space to tractable sub-problems, which are iteratively refined through a zero-order loop. In this process, a vision-language model critiques each generated image, localizes failures to specific layers, and prescribes targeted revisions. Extensive evaluations across 7 models on the 2 benchmarks demonstrate that Etch achieves an average attack success rate of 65.57% (peaking at 91.00%), significantly outperforming existing baselines. Our results reveal a critical blind spot in current T2I safety alignments and underscore the urgent need for typography-aware defense multimodal mechanisms.
format Preprint
id arxiv_https___arxiv_org_abs_2604_05853
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Reading Between the Pixels: An Inscriptive Jailbreak Attack on Text-to-Image Models
Ying, Zonghao
Dai, Haowen
Hu, Lianyu
Jing, Zonglei
Zou, Quanchen
Yang, Yaodong
Liu, Aishan
Liu, Xianglong
Computer Vision and Pattern Recognition
Modern text-to-image (T2I) models can now render legible, paragraph-length text, enabling a fundamentally new class of misuse. We identify and formalize the inscriptive jailbreak, where an adversary coerces a T2I system into generating images containing harmful textual payloads (e.g., fraudulent documents) embedded within visually benign scenes. Unlike traditional depictive jailbreaks that elicit visually objectionable imagery, inscriptive attacks weaponize the text-rendering capability itself. Because existing jailbreak techniques are designed for coarse visual manipulation, they struggle to bypass multi-stage safety filters while maintaining character-level fidelity. To expose this vulnerability, we propose Etch, a black-box attack framework that decomposes the adversarial prompt into three functionally orthogonal layers: semantic camouflage, visual-spatial anchoring, and typographic encoding. This decomposition reduces joint optimization over the full prompt space to tractable sub-problems, which are iteratively refined through a zero-order loop. In this process, a vision-language model critiques each generated image, localizes failures to specific layers, and prescribes targeted revisions. Extensive evaluations across 7 models on the 2 benchmarks demonstrate that Etch achieves an average attack success rate of 65.57% (peaking at 91.00%), significantly outperforming existing baselines. Our results reveal a critical blind spot in current T2I safety alignments and underscore the urgent need for typography-aware defense multimodal mechanisms.
title Reading Between the Pixels: An Inscriptive Jailbreak Attack on Text-to-Image Models
topic Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2604.05853