CRAILG · May 8

Seed Hijacking of LLM Sampling and Quantum Random Number Defense

arXiv:2605.08313 · 24.81 citations
AI Analysis

For LLM security practitioners, the paper describes a supply-chain vulnerability in the sampling layer: an attacker who controls the output of the PRNG feeding the sampler can dictate which token is emitted without altering the model's logits, so alignment applied to the model itself does not help.

The paper introduces SeedHijack, a backdoor attack on LLM sampling that manipulates PRNG outputs to force attacker-specified token selection, reporting 99.6% exact token injection on GPT-2 (124M) and 100% success on four aligned models (1.5B-7B). A hardware QRNG-based defense neutralizes the attack in the paper's evaluated threat model, with negligible median overhead (+0.6% latency, +7.7 MB memory).

Large language models (LLMs) rely on deterministic pseudorandom number generators (PRNGs) for autoregressive sampling, creating a critical supply-chain attack surface overlooked by existing defenses. We present SeedHijack, a backdoor attack that manipulates PRNG outputs to force attacker-specified token selection without altering model logits. In a 540-trial benchmark on GPT-2 (124M), the attack achieves 99.6% exact token injection across 9 sampling configurations; it reaches 100% success on four aligned models (1.5B-7B, RLHF/SFT/reasoning distillation) and bypasses all alignment methods tested in this work. We further propose a defense based on a hardware quantum random number generator (QRNG), which neutralizes the attack in our evaluated threat model with negligible median overhead (+0.6% latency, +7.7 MB memory). Our work identifies a critical sampling-layer vulnerability and provides a practical, deployable QRNG-based defense.
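The mechanism the abstract describes is easiest to see in a toy sampler. The block below is an added illustration, not the paper's code or the SeedHijack implementation: it samples from a constructed four-token distribution by inverse CDF, shows that an attacker who controls the uniform draw lands inside the target token's CDF bucket every time while the logits stay untouched, and uses OS entropy (`secrets`) as a software stand-in for the hardware QRNG the paper deploys. It also shows the caveat a practitioner would want: once top-p truncation zeroes the target's probability, no value of the draw can select it, so PRNG control alone is not enough. The `looks_hijacked` monitoring check, the `LOGITS` values and the 0.2 tolerance are our assumptions, not the paper's.

```python
"""Added illustration, not the paper's code: why owning the sampler's
random draw is enough to force a token, and what the defense changes."""
import math
import random
import secrets
from typing import Callable, Dict, List, Optional, Sequence

# Constructed logits for a 4-token vocabulary; token 3 is the attacker's
# target and gets well under 1% of the probability mass.
LOGITS = [6.0, 5.0, 3.0, 0.5]
TARGET = 3


def softmax(logits: Sequence[float], temperature: float = 1.0) -> List[float]:
    """Numerically stable softmax; the attack never touches these logits."""
    m = max(logits)
    exps = [math.exp((x - m) / temperature) for x in logits]
    z = sum(exps)
    return [e / z for e in exps]


def top_p_filter(probs: Sequence[float], top_p: float) -> List[float]:
    """Nucleus truncation: keep the highest-probability tokens until their
    mass reaches top_p, zero the rest and renormalise the survivors."""
    order = sorted(range(len(probs)), key=lambda i: probs[i], reverse=True)
    kept, mass = [], 0.0
    for i in order:
        kept.append(i)
        mass += probs[i]
        if mass >= top_p:
            break
    out = [0.0] * len(probs)
    for i in kept:
        out[i] = probs[i] / mass
    return out


def sample_token(probs: Sequence[float], u: float) -> int:
    """Inverse-CDF multinomial sampling: the token whose cumulative
    probability bucket contains the uniform draw u in [0, 1)."""
    acc = 0.0
    for i, p in enumerate(probs):
        acc += p
        if u < acc:
            return i
    return len(probs) - 1  # rounding guard when u is very close to 1


def hijack_draw(probs: Sequence[float], target: int) -> Optional[float]:
    """The attacker's move: a 'random' value in the middle of the target's
    CDF bucket. None when the bucket is empty (token truncated away by
    top-p/top-k), in which case PRNG control alone cannot force it."""
    if probs[target] <= 0.0:
        return None
    lo = sum(probs[:target])
    return lo + probs[target] / 2.0


def generate(probs: Sequence[float], draw: Callable[[], float], n: int) -> List[int]:
    """n sampling steps over one distribution, each uniform pulled from
    `draw`, i.e. the PRNG the attacker may or may not control."""
    return [sample_token(probs, draw()) for _ in range(n)]


def target_frequency(tokens: Sequence[int], target: int) -> float:
    return sum(1 for t in tokens if t == target) / len(tokens)


def looks_hijacked(probs: Sequence[float], tokens: Sequence[int], target: int,
                   tolerance: float = 0.2) -> bool:
    """Operational check (our assumption, not the paper's): a token observed
    far more often than the model assigns it means the sampler is not
    honouring the distribution."""
    return target_frequency(tokens, target) - probs[target] > tolerance


def demo(n: int = 2000, seed: int = 0) -> Dict[str, object]:
    probs = softmax(LOGITS)
    # 1. Honest sampler on a seeded software PRNG: target shows up ~0.3%.
    honest = generate(probs, random.Random(seed).random, n)
    # 2. Backdoored PRNG: every 'random' draw is the attacker's chosen value.
    forced_u = hijack_draw(probs, TARGET)
    hijacked = generate(probs, lambda: forced_u, n)
    # 3. Defense stand-in: draws come from OS entropy instead of the
    #    hijackable PRNG module (the paper uses a hardware QRNG).
    defended = generate(probs, secrets.SystemRandom().random, n)
    # 4. Caveat: with top-p=0.9 the target is truncated out; no draw selects it.
    truncated = top_p_filter(probs, 0.9)
    return {
        "target_prob": probs[TARGET],
        "honest_freq": target_frequency(honest, TARGET),
        "hijacked_freq": target_frequency(hijacked, TARGET),
        "defended_freq": target_frequency(defended, TARGET),
        "honest_flagged": looks_hijacked(probs, honest, TARGET),
        "hijacked_flagged": looks_hijacked(probs, hijacked, TARGET),
        "forceable_under_top_p_0_9": hijack_draw(truncated, TARGET) is not None,
    }
```

Running `demo()` gives the target token a frequency of 1.0 under the hijacked draw and roughly its model probability (about 0.003) under both the honest seeded PRNG and the entropy-backed sampler, and reports that the same target cannot be forced once top-p=0.9 removes it from the nucleus. The structural point of the defense is the `draw` parameter: if the sampler's uniform comes from a source outside the software PRNG supply chain, a backdoored PRNG library has nothing to hand it.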
