Saved in:
Bibliographic Details
Main Authors: Li, Miles Q., Fung, Benjamin C. M., Li, Boyang, Rad, Radin Hamidi, Bagheri, Ebrahim
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.24983
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915962043760640
author Li, Miles Q.
Fung, Benjamin C. M.
Li, Boyang
Rad, Radin Hamidi
Bagheri, Ebrahim
author_facet Li, Miles Q.
Fung, Benjamin C. M.
Li, Boyang
Rad, Radin Hamidi
Bagheri, Ebrahim
contents Existing white-box jailbreak attacks against aligned LLMs typically append discrete adversarial suffixes to the user prompt, which visibly alters the prompt and operates in a combinatorial token space. Prior work has avoided directly optimizing the embeddings of the original prompt tokens, presumably because perturbing them risks destroying the prompt's semantic content. We propose Prompt Embedding Optimization (PEO), a multi-round white-box jailbreak that directly optimizes the embeddings of the original prompt tokens without appending any adversarial tokens, and show that the concern is unfounded: the optimized embeddings remain close enough to their originals that the visible prompt string is preserved exactly after nearest-token projection, and quantitative analysis shows the model's responses stay on topic for the large majority of prompts. PEO combines continuous embedding-space optimization with structured continuation targets and an adaptive failure-focused schedule. Counterintuitively, later PEO rounds can benefit from heuristic composite response scaffolds that are not natural standalone templates, yet ASR-Judge shows that the resulting gains are not merely empty formatting or scaffold-only outputs. Across two standard harmful-behavior benchmarks and competing white-box attacks spanning discrete suffix search, appended adversarial embeddings, and search-based adversarial generation, PEO outperforms all of them in our experiments.
format Preprint
id arxiv_https___arxiv_org_abs_2604_24983
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Adaptive Prompt Embedding Optimization for LLM Jailbreaking
Li, Miles Q.
Fung, Benjamin C. M.
Li, Boyang
Rad, Radin Hamidi
Bagheri, Ebrahim
Artificial Intelligence
Existing white-box jailbreak attacks against aligned LLMs typically append discrete adversarial suffixes to the user prompt, which visibly alters the prompt and operates in a combinatorial token space. Prior work has avoided directly optimizing the embeddings of the original prompt tokens, presumably because perturbing them risks destroying the prompt's semantic content. We propose Prompt Embedding Optimization (PEO), a multi-round white-box jailbreak that directly optimizes the embeddings of the original prompt tokens without appending any adversarial tokens, and show that the concern is unfounded: the optimized embeddings remain close enough to their originals that the visible prompt string is preserved exactly after nearest-token projection, and quantitative analysis shows the model's responses stay on topic for the large majority of prompts. PEO combines continuous embedding-space optimization with structured continuation targets and an adaptive failure-focused schedule. Counterintuitively, later PEO rounds can benefit from heuristic composite response scaffolds that are not natural standalone templates, yet ASR-Judge shows that the resulting gains are not merely empty formatting or scaffold-only outputs. Across two standard harmful-behavior benchmarks and competing white-box attacks spanning discrete suffix search, appended adversarial embeddings, and search-based adversarial generation, PEO outperforms all of them in our experiments.
title Adaptive Prompt Embedding Optimization for LLM Jailbreaking
topic Artificial Intelligence
url https://arxiv.org/abs/2604.24983