Text Compression Can Help Secure Model Weights

A team of AI security researchers, including Roy Rinberg and Nicholas Carlini, has published a paper proposing a novel defense against model theft: using advanced text compression to secure model weights. The core idea builds on prior work by Ryan Greenblatt on egress limiting—physically capping data outflow from a server. The challenge is that labs like OpenAI need to send roughly 1TB of text output to users daily, which matches the size of a frontier model's weights. This creates a vulnerability where an attacker with full system control could exfiltrate an entire model in a single day before detection. The new approach compresses the legitimate text traffic, allowing for a much tighter egress limit without disrupting service, thereby drastically slowing any theft attempt.

The paper, 'Haiku to Opus in Just 10 Bits: LLMs Unlock Massive Compression Gains,' explores three technical directions. First, lossless compression uses LoRAs to enhance arithmetic coding. Second, lossy rewriting simply asks the model to rewrite its output more concisely. The most innovative is 'Question-Asking' (QA) compression, an interactive protocol where a small model refines its response by asking yes/no questions to a stronger model, transferring just one bit per answer. In a scenario with 1TB of daily traffic, egress limiting alone provides about 1 day of protection. By applying compression, the researchers show this defense window could be extended to over 70 days, buying invaluable time for incident response. This method is particularly relevant for securing private LoRAs in on-premise deployments, where exfiltration time could be reduced from hours to minutes.