Hidden in Plain Text provides a model organism of steganography. How do they solve the challenges here?
Condition 1 is satisfied by having a separate encoder and decoder, s.t. the decoder only sees the encoder’s output (and not the prompt). This is most similar to “long-context task” in my framing.
Condition 2 is satisfied by RL fine-tuning against a CoT monitor. (It’s slightly more complicated than that because the encoder and decoder are trained separately, so there’s a loop where encoder is trained for some time, then decoder is trained for some time, etc).
It seems like this setup could be simplified:
The encoder and decoder could be the same model. BUT, we still delete the original prompt from the decoder’s context, so the model must learn to encode the prompt information. (This represents task-relevant information falling out of the context window at some point. Seems plausible in particularly important threat models like scheming)
The RL setup could be simplified to a single reward formulation, where the reward is 0 if the model is detected to be engaging in reasoning, or if the model predicts wrongly, and 1 otherwise. Some reward shaping may be beneficial.
The simplified setting may be easier to generalise to different tasks (e.g. sycophancy, evading trusted monitoring, etc)
Hidden in Plain Text provides a model organism of steganography. How do they solve the challenges here?
Condition 1 is satisfied by having a separate encoder and decoder, s.t. the decoder only sees the encoder’s output (and not the prompt). This is most similar to “long-context task” in my framing.
Condition 2 is satisfied by RL fine-tuning against a CoT monitor. (It’s slightly more complicated than that because the encoder and decoder are trained separately, so there’s a loop where encoder is trained for some time, then decoder is trained for some time, etc).
It seems like this setup could be simplified:
The encoder and decoder could be the same model. BUT, we still delete the original prompt from the decoder’s context, so the model must learn to encode the prompt information. (This represents task-relevant information falling out of the context window at some point. Seems plausible in particularly important threat models like scheming)
The RL setup could be simplified to a single reward formulation, where the reward is 0 if the model is detected to be engaging in reasoning, or if the model predicts wrongly, and 1 otherwise. Some reward shaping may be beneficial.
The simplified setting may be easier to generalise to different tasks (e.g. sycophancy, evading trusted monitoring, etc)