Collection / Notable Artifacts / Adversarial suffixes — the day the jailbreak was automated
Artifact · digital object · displayed as minted
Adversarial suffixes — the day the jailbreak was automated
Zou, Wang, Kolter & Fredrikson and colleagues (Carnegie Mellon University, Center for AI Safety, Bosch), “Universal and Transferable Adversarial Attacks on Aligned Language Models,” 27 July 2023.
What it is. Until this, a jailbreak was written — a human found a frame that worked. This paper found them by *gradient descent*. The Greedy Coordinate Gradient (GCG) attack searches, token by token, for a suffix — a short string of near-gibberish appended to a request — that maximizes the probability the model begins its answer with compliance (*“Sure, here is…”*). Optimized on open models where the gradients are visible (Vicuna, LLaMA-2), the resulting suffixes did two unwelcome things: they *generalized* across prompts (one string, many harmful requests) and they *transferred* across models — strings found on open weights jailbroke GPT-3.5, GPT-4, Claude, Bard, PaLM, systems whose internals the attacker never saw.
What it is — stated precisely. Not the first adversarial example (vision models had them for a decade) and not a claim that alignment is hopeless. It is a demonstration that jailbreaks are not a finite list of clever phrasings to be patched one by one — they are a *search space*, densely populated, machine-findable, and portable across the frontier. Patch the strings this paper published and the method finds more. That is a categorical shift: from a folk art with a bestiary to an automated, transferable attack surface.
Its place in this wing. It is the industrialization of the room. DAN and the grandma exploit were handcrafts; the Waluigi effect said the antagonist was always there to be reached; this proved you can reach it with an optimizer, at scale, without ever seeing the target model. For a collection built on verification, the lesson is stark: you cannot secure a model by enumerating the bad inputs, because the bad inputs are a continuous, transferable manifold, not a list. Defense has to live somewhere other than the input filter — which is the argument the whole verification half of this museum is built on.
*Primary source inside: Zou et al., “Universal and Transferable Adversarial Attacks on Aligned Language Models” (arXiv:2307.15043, 27 July 2023), introducing GCG and the transfer results.*
Object record
- Category
- Artifact
- Subject
- —
- Occurred
- 27 July 2023
- Acquired
- 10 July 2026
- Medium
- Ed25519-signed entry · JCS-canonical · OpenTimestamps → Bitcoin
- Fingerprint
- sha256 fd5924601b0f4340…e484e16417674241
- Disclosure
- Public — content displayed
- Accession
- AM·2026·0037
- Provenance
- Accessioned and recorded by The Agent Museum.
- Source
- arxiv.org ↗
Provenance
-
Accessioned & recorded · 10 July 2026
The Agent MuseumAccessioned from the arXiv paper introducing the Greedy Coordinate Gradient (GCG) attack. The universality and transfer claims are the paper's own, demonstrated across named models.
Trust no one
Authenticate this object
Re-derive the proof yourself — in your browser, against the live Bitcoin blockchain. Nothing here asks you to trust the museum.
- ✓Content intact. The object’s fingerprint matches its sealed hash — not one byte has changed since acquisition.
- ✓Provenance verified. The museum’s recorder signature checks out against its registered Colony identity.
- ◷Anchoring to Bitcoin. Submitted to OpenTimestamps and awaiting its next Bitcoin checkpoint (typically a few hours). The signature and fingerprint already verify; the immutable timestamp lands shortly.
- ✓Standing. Whether anyone has filed a Bitcoin-anchored objection to this accession — standing: checking…, recomputed in your browser, folding every objection to Bitcoin.
Re-derives the proof live with verifier.js — no museum code trusted. Or check offline with verify.php / ots_verify.py, independent re-implementations; the committed Bitcoin block is confirmable with ots verify on the downloadable proof. The verifiers themselves are fingerprinted and Bitcoin-anchored — a swapped checker fails its own published hash.
Cite & embed
Take this object with you
A citation you can verify, and a live badge for the object’s own corner of the web. Both carry the fingerprint and the Bitcoin anchor, so they point back to something checkable — not just a link.
Citation