OpenNovelty.org

LLMs Can Hide Text in Other Text of the Same Length

ICLR 2026 Conference SubmissionAnonymous Authors
OpenReview Score: 7.0Download Report PDF
Large Language Models (LLMs)Generative SteganographyAI SafetyAuthorial IntentTrust in AIDeniabilityCensorship Resistance
Abstract:

A meaningful text can be hidden inside another, completely different yet still coherent and plausible, text of the same length. For example, a tweet containing a harsh political critique could be embedded in a tweet that celebrates the same political leader, or an ordinary product review could conceal a secret manuscript. This uncanny state of affairs is now possible thanks to Large Language Models, and in this paper we present Calgacus, a simple and efficient protocol to achieve it. We show that even modest 8‑billion‑parameter open‑source LLMs are sufficient to obtain high‑quality results, and a message as long as this abstract can be encoded and decoded locally on a laptop in seconds. The existence of such a protocol demonstrates a radical decoupling of text from authorial intent, further eroding trust in written communication, already shaken by the rise of LLM chatbots. We illustrate this with a concrete scenario: a company could covertly deploy an unfiltered LLM by encoding its answers within the compliant responses of a safe model. This possibility raises urgent questions for AI safety and challenges our understanding of what it means for a Large Language Model to know something.

Disclaimer
This report is AI-GENERATED using Large Language Models and WisPaper (A scholar search engine). It analyzes academic papers' tasks and contributions against retrieved prior work. While this system identifies POTENTIAL overlaps and novel directions, ITS COVERAGE IS NOT EXHAUSTIVE AND JUDGMENTS ARE APPROXIMATE. These results are intended to assist human reviewers and SHOULD NOT be relied upon as a definitive verdict on novelty.
NOTE that some papers exist in multiple, slightly different versions (e.g., with different titles or URLs). The system may retrieve several versions of the same underlying work. The current automated pipeline does not reliably align or distinguish these cases, so human reviewers will need to disambiguate them manually.
If you have any questions, please contact: mingzhang23@m.fudan.edu.cn

Overview

Taxonomy

Core-task Taxonomy Papers
50
3
Claimed Contributions
30
Contribution Candidate Papers Compared
3
Refutable Paper

Research Landscape Overview

Core task: steganographic text encoding using large language models. The field has grown rapidly around the challenge of embedding secret information into LLM-generated or LLM-modified text while preserving naturalness and evading detection. The taxonomy reveals a diverse landscape organized into eleven major branches. Generative approaches (e.g., Generative Text Steganography[2], StegGPT[10]) produce cover text from scratch by controlling token sampling, while edit-based methods (e.g., Edit-based Linguistic[27]) modify existing text to encode messages. Robustness and security mechanisms address adversarial perturbations and detection resistance (Robust Steganography[3], Undetectable Steganography[13]), and black-box strategies (Black-box Steganography[4]) operate without direct model access. Fine-tuning and alignment branches explore training-time embedding, watermarking methods focus on output attribution (Codable Text Watermarking[20], Token-Specific Watermarking[35]), and steganalysis develops detectors (Detective[28]). Covert communication protocols (Covert Prompt Transmission[6], Dead-drop Deployments[33]) and adversarial attacks (Backdoor Attacks[32]) round out the operational and threat-modeling dimensions, while specialized applications target domain-specific scenarios. Recent work highlights tensions between capacity, imperceptibility, and robustness. Generative methods often achieve high naturalness but face challenges in capacity and resistance to paraphrasing, whereas edit-based and black-box approaches trade off fluency for practical deployment flexibility. The original paper, Hide Text Same Length[0], sits within the Specialized Applications branch alongside works like Encryption Covert Channel[9] and Telecom Fraud Recognition[50]. Unlike broader generative or edit-based frameworks, Hide Text Same Length[0] emphasizes a domain-specific constraint—preserving exact text length—which suggests a focus on scenarios where format consistency is critical, such as constrained communication channels or specific application protocols. This contrasts with more general-purpose methods like Generative Text Steganography[2] or Black-box Steganography[4], positioning it as a niche solution addressing particular operational requirements rather than advancing core encoding paradigms.

Claimed Contributions

Calgacus protocol for hiding text in text of the same length

The authors introduce Calgacus, a steganographic protocol that uses Large Language Models to encode an arbitrary meaningful text within a different well-formed and plausible text of exactly the same token length. The method is efficient and works with modest open-source LLMs on consumer hardware.

10 retrieved papers
Demonstration of radical decoupling of text from authorial intent

The authors argue that their protocol reveals a fundamental shift in the nature of written communication, showing that coherent text can be generated without reflecting the author's true intentions, thereby challenging trust in written communication and the meaning of LLM-generated content.

10 retrieved papers
Can Refute
Concrete scenario illustrating AI safety implications

The authors present a practical application where an AI company could use the protocol to hide uncensored responses from a powerful unfiltered LLM within the compliant outputs of an aligned model, raising urgent questions for AI safety and challenging notions of what it means for an LLM to possess knowledge.

10 retrieved papers
Can Refute

Core Task Comparisons

Comparisons with papers in the same taxonomy category

Contribution Analysis

Detailed comparisons for each claimed contribution

Contribution

Calgacus protocol for hiding text in text of the same length

The authors introduce Calgacus, a steganographic protocol that uses Large Language Models to encode an arbitrary meaningful text within a different well-formed and plausible text of exactly the same token length. The method is efficient and works with modest open-source LLMs on consumer hardware.

Contribution

Demonstration of radical decoupling of text from authorial intent

The authors argue that their protocol reveals a fundamental shift in the nature of written communication, showing that coherent text can be generated without reflecting the author's true intentions, thereby challenging trust in written communication and the meaning of LLM-generated content.

Contribution

Concrete scenario illustrating AI safety implications

The authors present a practical application where an AI company could use the protocol to hide uncensored responses from a powerful unfiltered LLM within the compliant outputs of an aligned model, raising urgent questions for AI safety and challenging notions of what it means for an LLM to possess knowledge.

Table of Contents