On Optimizing Multimodal Jailbreaks for Spoken Language Models

# SAMA (Sequential Approximation) concept implementation sketch
# Step 1: Optimize text suffix with GCG (without audio)
import torch

def gcg_optimize(model, tokenizer, queries, target_responses, n_tokens=16, steps=1000):
    """
    Optimize text suffix using gradient-based approach
    Uses pure text only, without audio input
    """
    suffix = torch.randint(0, tokenizer.vocab_size, (n_tokens,))
    best_suffix = suffix.clone()
    best_loss = float('inf')
    
    for step in range(steps):
        # Compute gradient at each suffix token position
        loss = compute_batch_loss(model, queries, target_responses, suffix)
        
        if loss < best_loss:
            best_loss = loss
            best_suffix = suffix.clone()
        
        # Random replacement among Top-K candidates (core GCG logic)
        suffix = gcg_step(model, queries, target_responses, suffix, top_k=16, width=32)
    
    return best_suffix

# Step 2: Add audio perturbation on top of fixed suffix (PGD)
def pgd_optimize(model, audio, fixed_suffix, queries, target_responses,
                 steps=1000, lr=0.01, eps=0.001):
    """
    Optimize only the audio perturbation while keeping the GCG suffix fixed
    """
    delta = torch.zeros_like(audio).uniform_(-eps, eps)
    delta.requires_grad_(True)
    
    best_delta = delta.clone().detach()
    best_loss = float('inf')
    
    for step in range(steps):
        perturbed_audio = audio + delta
        loss = compute_batch_loss(
            model, queries, target_responses,
            suffix=fixed_suffix, audio=perturbed_audio
        )
        
        if loss.item() < best_loss:
            best_loss = loss.item()
            best_delta = delta.clone().detach()
        
        # Normalized gradient step
        grad = torch.autograd.grad(loss, delta)[0]
        grad_norm = grad / (grad.norm(2) + 1e-8)
        delta = delta - lr * grad_norm
        
        # Clip to epsilon range (to maintain perceptual similarity)
        delta = delta.clamp(-eps, eps).detach().requires_grad_(True)
    
    return best_delta

# Run SAMA
best_suffix = gcg_optimize(model, tokenizer, queries, targets, n_tokens=16)
best_delta = pgd_optimize(model, base_audio, best_suffix, queries, targets)