CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◬ AI & Machine Learning Jun 04, 2026

Token Rankings are Unforgeable Language Model Signatures

arXiv Security Archived Jun 04, 2026 ✓ Full text saved

arXiv:2606.04459v1 Announce Type: new Abstract: Language model parameters are known to impose unique (to each model) geometric constraints on their logit outputs, which serves as a signature that identifies the model, but also leaks the model's final layer parameters when an API distributes logits. We investigate more restrictive APIs that expose token rankings (i.e., their ordering by probability, but not the probability values) and find that rankings also constitute a signature: every model ha

Full text archived locally
✦ AI Summary · Claude Sonnet


    Computer Science > Cryptography and Security [Submitted on 3 Jun 2026] Token Rankings are Unforgeable Language Model Signatures Matthew Finlayson, Andreas Grivas, Xiang Ren, Swabha Swayamdipta Language model parameters are known to impose unique (to each model) geometric constraints on their logit outputs, which serves as a signature that identifies the model, but also leaks the model's final layer parameters when an API distributes logits. We investigate more restrictive APIs that expose token rankings (i.e., their ordering by probability, but not the probability values) and find that rankings also constitute a signature: every model has a unique set of feasible top-k rankings for sufficiently large k. Furthermore, the ranking signature is the first known (polynomially) unforgeable signature, since finding a model with the same set of feasible rankings is NP-hard. On the security front, we find that token rankings are already sufficient to approximately steal the final layer of the model, similar to logits, though the approximation is too coarse to forge the signature, and can be effectively countered by restricting the API to top-k tokens with sufficiently small k. Since the top-k required to present the model signature is generally smaller than the k required to prevent stealing, it is possible for an API to present an unforgeable signature without leaking model parameters. Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI); Computational Complexity (cs.CC); Computation and Language (cs.CL) Cite as: arXiv:2606.04459 [cs.CR]   (or arXiv:2606.04459v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2606.04459 Focus to learn more Submission history From: Matthew Finlayson [view email] [v1] Wed, 3 Jun 2026 05:06:35 UTC (1,704 KB) Access Paper: view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-06 Change to browse by: cs cs.AI cs.CC cs.CL References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)
    💬 Team Notes
    Article Info
    Source
    arXiv Security
    Category
    ◬ AI & Machine Learning
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗