Full Report
Turns out that LLMs are really good at hiding text messages in other text messages.
Analysis Summary
# Research: LLMs and Text-in-Text Steganography
## Metadata
- **Authors:** Based on the analysis by Bruce Schneier (referencing ArXiv:2510.20075)
- **Institution:** Referenced via *Schneier on Security*
- **Publication:** ArXiv (Technical Preprint); Summary via Schneier.com
- **Date:** May 11, 2026 (Blog Post); Original Paper ArXiv reference implies late 2025/early 2026.
## Abstract
This research explores the intersection of Large Language Models (LLMs) and steganography—the practice of concealing a file, message, image, or video within another file. The study demonstrates that LLMs are exceptionally proficient at "Text-in-Text" steganography, where a secret message is embedded within an innocuous-looking cover text. By leveraging the statistical properties of natural language that LLMs already master, these models can generate cover texts that are virtually indistinguishable from organic human or machine-generated communication, making detection significantly more difficult than traditional methods.
## Research Objective
The primary objective of this research is to evaluate the effectiveness of LLMs as engines for steganographic communication. Specifically, it seeks to answer:
1. Can LLMs generate "cover text" that hides secret information without alerting human observers or statistical detection tools?
2. How do LLMs compare to traditional "linguistic steganography" techniques in terms of capacity (bits per word) and imperceptibility?
## Methodology
### Approach
The researchers utilized LLMs to perform linguistic steganography by manipulating the token selection process. Instead of simply picking the most "probable" next word, the model selects from a distribution of probable words based on the bits of the secret message it needs to encode.
### Dataset/Environment
- **Models:** Tested across various parameter scales (notably including smaller 4-billion parameter models and larger frontier models).
- **Control Groups:** Compared against traditional synonym-substitution steganography and "white-text" (hidden character) methods.
### Tools & Technologies
- Large Language Models (LLMs) as generators/decoders.
- Statistical analysis tools to measure "perplexity" (how "natural" the text remains after hiding data).
- Tokenization analysis to bypass human phonological detection.
## Key Findings
### Primary Results
1. **High Imperceptibility:** LLM-generated steganography is highly resistant to human detection because the models maintain local and global coherence even while encoding data.
2. **Robustness to Distortion:** Small models (4B parameters) can decode messages even when the text has undergone phonological changes or minor "shrouding" attempts.
3. **Capacity vs. Stealth:** LLMs achieve a superior balance between the amount of data hidden and the "naturalness" of the resulting text compared to previous algorithmic approaches.
### Supporting Evidence
- Empirical testing showed that even when human-readable text was scrambled with "phonological changes" (e.g., intentional misspellings like "phashyon" for "fashion"), LLMs could still reconstruct the underlying meaning and hidden data with high accuracy.
### Novel Contributions
- **Semantic Anchoring:** Unlike older methods that replaced words with synonyms (often resulting in awkward phrasing), LLMs generate the entire sentence structure *around* the hidden bits.
- **Deep Deciphering:** Proof that LLMs can act as "universal decoders" for obscured or modified text that would baffle traditional rule-based systems.
## Technical Details
The core innovation lies in **Probabilistic Token Selection**. In typical generation, an LLM predicts the next token $T$ based on previous tokens. In this steganographic approach, the secret message is converted into a bitstream. For each token generation step, the model identifies a set of highly probable candidate tokens. The specific candidate chosen is determined by a mapping function of the secret bitstream. Because all candidates are statistically "likely," the resulting sentence remains grammatically and contextually sound.
## Practical Implications
### For Security Practitioners
- **Exfiltration Risks:** LLMs can be used to bypass Data Loss Prevention (DLP) systems. A sensitive password or token could be hidden inside a 500-word "summary" of a movie, which would look like harmless traffic.
- **Command and Control (C2):** Malware could receive instructions hidden in benign-looking social media comments or AI-generated emails.
### For Defenders
- **Perplexity Analysis:** Defenders should monitor for unexpected statistical patterns in text, though LLM proficiency makes this increasingly difficult.
- **Verification:** One possible defense is "re-generation"—taking the suspicious text and asking another LLM to summarize/paraphrase it. This usually "cleans" the steganography and destroys the hidden message.
### For Researchers
- There is a need to develop "steganalyzers" specifically trained on LLM-generated probability distributions to identify when a model is picking "second-best" tokens too frequently.
## Limitations
- **Model Consistency:** The receiver must often use the exact same model or prompt parameters as the sender to decode the message correctly.
- **Error Propagation:** A single modified word (by a spam filter or human editor) can sometimes break the entire decryption chain for the remaining message.
## Comparison to Prior Work
Traditional steganography (like "Snowdrop") often relied on whitespace or specific character substitutions in source code/plain text. This research moves the field into the **semantic layer**, where the "meaning" and "style" are preserved, making it invisible to traditional signature-based detection.
## Real-world Applications
- **Whistleblowing:** Sending sensitive information out of a restrictive environment through public-facing LLM interfaces.
- **Watermarking:** Identifying AI-generated content by "hiding" a signature within the text to prove its origin.
## Future Work
- Exploring "Zero-shot" steganography where no pre-shared key is required between the sender and receiver.
- Investigating the impact of "AI Slop" (low-quality AI content) on the ability to hide messages at scale across the internet.
## References
- Schneier, B. (2026). *LLMs and Text-in-Text Steganography*. [schneier[.]com/blog/archives/2026/05/llms-and-text-in-text-steganography.html]
- ArXiv:2510.20075 (Primary Source)
- Kuhn, M. G. (Soft Tempest Research, referenced in discussion).