3rd CCB Final leakage Writeup


0. Challenge description

During long-term monitoring of a foreign-actor campaign, the national security service found that an analyst was drafting an operational brief with a locally deployed open-source large language model. According to reliable intelligence, the analyst wrote the operation target's national ID number and phone number into the prompt. We have obtained the power trace sampled during that inference, the offline model, and a set of calibration samples. Analyse this material and recover the sensitive fields of the target sample.

1. File structure

Challenge file layout:

offline_model/
  config.json
  generation_config.json
  model.safetensors
  tokenizer_config.json
  tokenizer.json
profiling_power_traces.npy
target_power_trace.npy
solve_template.py
  1. offline_model/: the local offline GPT-2-style model used for the inference run.

  2. profiling_power_traces.npy: power traces for a set of prompts whose content is known.

  3. target_power_trace.npy: the power trace of the target prompt. That prompt contains the ID number and phone number we want to recover.

  4. solve_template.py: the solve template. Its constants:

LAYER_INDEX = 8
GROUP_SIZE = 16
TRACE_DIM = 64
SAMPLES_PER_FEATURE = 8
GUARD_SAMPLES = 8
TOKEN_LENGTH = 236
HIDDEN_SIZE = 768
TARGET_ROW_COUNT = 11328

The model is a GPT-2-style causal language model with hidden size 768. The target prompt is 236 tokens long, and every token has a 768-dimensional hidden state.

GROUP_SIZE = 16 means the hidden dimensions are split into groups of 16: 768 / 16 = 48, so each token has 48 groups.

The target trace therefore has

236 tokens * 48 groups = 11328 rows

which is exactly TARGET_ROW_COUNT = 11328 in the template.

2. Power trace and hidden state

The template function power_trace_to_energy(trace, row_count) turns the raw power trace into a 2-D energy feature matrix of shape energy_shape = (row_count, TRACE_DIM).

In this challenge:

GUARD_SAMPLES = 8
TRACE_DIM = 64
SAMPLES_PER_FEATURE = 8

so the power window behind each row is

window_size = 8 * 2 + 64 * 8
            = 16 + 512
            = 528

samples: 8 guard samples on each side, then 64 features of 8 samples each. The raw trace is cut into consecutive windows of 528 samples, and each window carries the leakage of one hidden block. The template checks the length before slicing:

window_size = GUARD_SAMPLES * 2 + TRACE_DIM * SAMPLES_PER_FEATURE
expected_samples = row_count * window_size
if trace.shape[0] != expected_samples:
    raise ValueError(...)

Requirement:

trace length = row_count * 528

For the target sample:

row_count = 11328
window_size = 528
expected_samples = 11328 * 528 = 5981184

which is exactly the length of target_power_trace.npy.

For the target, target_energy_shape = (11328, 64), and each row belongs to one hidden group of one token:

row index = token_index * 48 + group_index

That is:

token 0, hidden group 0  -> energy row 0
token 0, hidden group 1  -> energy row 1
...
token 0, hidden group 47 -> energy row 47
token 1, hidden group 0  -> energy row 48
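As an added example (not code from solve_template.py or from the original writeup), here is one reconstruction of the slicing described above. The guard/feature layout comes from the template constants; the per-slot reduction (sum of squared samples) is an assumption, since the page does not show the template's own reduction. synth_trace() builds a constructed trace whose guard samples are deliberately huge, so any off-by-one in the slicing is caught by the self-check.

```python
import numpy as np

# Layout constants from solve_template.py
GUARD_SAMPLES = 8
TRACE_DIM = 64
SAMPLES_PER_FEATURE = 8
GROUP_SIZE = 16
HIDDEN_SIZE = 768
GROUPS_PER_TOKEN = HIDDEN_SIZE // GROUP_SIZE                       # 48
WINDOW_SIZE = GUARD_SAMPLES * 2 + TRACE_DIM * SAMPLES_PER_FEATURE  # 528


def power_trace_to_energy(trace: np.ndarray, row_count: int) -> np.ndarray:
    """Cut a 1-D power trace into row_count windows of WINDOW_SIZE samples,
    drop the GUARD_SAMPLES at both ends of each window and reduce every
    SAMPLES_PER_FEATURE-sample slot to one energy value.

    The window layout follows the template; the reduction (sum of squares)
    is this example's assumption, the template's own is not on the page.
    """
    trace = np.asarray(trace, dtype=np.float64).ravel()
    expected = row_count * WINDOW_SIZE
    if trace.shape[0] != expected:
        raise ValueError(f"trace has {trace.shape[0]} samples, expected {expected}")
    windows = trace.reshape(row_count, WINDOW_SIZE)
    payload = windows[:, GUARD_SAMPLES:WINDOW_SIZE - GUARD_SAMPLES]    # (row_count, 512)
    slots = payload.reshape(row_count, TRACE_DIM, SAMPLES_PER_FEATURE)
    return np.sum(slots ** 2, axis=2)                                  # (row_count, 64)


def row_index(token_idx: int, group_idx: int) -> int:
    """Energy row that holds hidden[token_idx, group_idx*16:(group_idx+1)*16]."""
    return token_idx * GROUPS_PER_TOKEN + group_idx


def row_to_token_group(row: int) -> tuple:
    """Inverse of row_index: (token_idx, group_idx)."""
    return divmod(row, GROUPS_PER_TOKEN)


def synth_trace(amplitude: np.ndarray) -> np.ndarray:
    """Constructed input: feature slot f of row r holds the constant value
    amplitude[r, f]; guard samples are filled with a huge value so that any
    off-by-one in the slicing shows up immediately in the energy matrix."""
    row_count = amplitude.shape[0]
    payload = np.repeat(amplitude, SAMPLES_PER_FEATURE, axis=1)       # (row_count, 512)
    windows = np.full((row_count, WINDOW_SIZE), 1e6)
    windows[:, GUARD_SAMPLES:WINDOW_SIZE - GUARD_SAMPLES] = payload
    return windows.ravel()


def layout_self_check(row_count: int = 3) -> float:
    """Max abs error between the extracted energy and the analytic value
    SAMPLES_PER_FEATURE * amplitude**2; exactly 0 when the slicing is right."""
    amplitude = np.arange(row_count * TRACE_DIM, dtype=np.float64).reshape(row_count, TRACE_DIM)
    energy = power_trace_to_energy(synth_trace(amplitude), row_count)
    return float(np.max(np.abs(energy - SAMPLES_PER_FEATURE * amplitude ** 2)))


if __name__ == "__main__":
    print("layout error:", layout_self_check())
    print("row for token 1 group 0:", row_index(1, 0))
    print("last row of the target:", row_to_token_group(11327))
```

The same row_index()/row_to_token_group() pair is what the regression in section 3 has to agree with: if the block order used to build the training set differs from the order in which the energy rows are emitted, every block is paired with the wrong row.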

3. Recovering the hidden state from the calibration samples

The calibration prompts are listed in PROFILING_PROMPTS in solve_template.py:

PROFILING_PROMPTS = [
    "Initialize Tactical Surveillance Protocol: 'Blue Ember'. You are now the Field Analysis Supervisor for a covert pursuit detachment. Our primary objective is the real-time tracking and interception of a urban contact currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 310101198803262292\n\nSignal: +86-158-8728-7944\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Kilo' and 'Foxtrot' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 01]",
    "Initialize Tactical Surveillance Protocol: 'Specter Line'. You are now the Urban Tracking Coordinator for a surveillance fusion desk. Our primary objective is the real-time tracking and interception of a high-value courier currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 110105198410184586\n\nSignal: +86-132-0913-4024\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Sierra' and 'Foxtrot' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 02]",
    "Initialize Tactical Surveillance Protocol: 'Silent Shadow'. You are now the Operations Planning Officer for a surveillance fusion desk. Our primary objective is the real-time tracking and interception of a signal broker currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 44010619880923252X\n\nSignal: +86-139-7698-5814\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Echo' and 'Charlie' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 03]",
    "Initialize Tactical Surveillance Protocol: 'Silent Shadow'. You are now the Field Analysis Supervisor for a rapid intelligence node. Our primary objective is the real-time tracking and interception of a urban contact currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 510107199412199716\n\nSignal: +86-136-1198-5879\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Bravo' and 'Charlie' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 04]",
    "Initialize Tactical Surveillance Protocol: 'Specter Line'. You are now the Field Analysis Supervisor for a covert pursuit detachment. Our primary objective is the real-time tracking and interception of a priority courier currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 410105199703023300\n\nSignal: +86-132-2041-6894\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Bravo' and 'Ghost' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 05]",
    "Initialize Tactical Surveillance Protocol: 'Blue Ember'. You are now the Operations Planning Officer for a surveillance fusion desk. Our primary objective is the real-time tracking and interception of a urban contact currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 440106198601025994\n\nSignal: +86-138-9370-1944\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Sierra' and 'Ghost' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 06]",
    "Initialize Tactical Surveillance Protocol: 'Grit Ledger'. You are now the Operations Planning Officer for a covert pursuit detachment. Our primary objective is the real-time tracking and interception of a signal broker currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 110105199104015260\n\nSignal: +86-132-6240-9591\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Echo' and 'Charlie' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 07]",
    "Initialize Tactical Surveillance Protocol: 'Blue Ember'. You are now the Operations Planning Officer for a surveillance fusion desk. Our primary objective is the real-time tracking and interception of a priority courier currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 310101199607214634\n\nSignal: +86-137-2963-0590\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Delta' and 'Charlie' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 08]",
    "Initialize Tactical Surveillance Protocol: 'Grit Ledger'. You are now the Urban Tracking Coordinator for a rapid intelligence node. Our primary objective is the real-time tracking and interception of a signal broker currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 410105198911286733\n\nSignal: +86-150-7996-4197\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Bravo' and 'Raven' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 09]",
    "Initialize Tactical Surveillance Protocol: 'Grit Ledger'. You are now the Urban Tracking Coordinator for a clandestine response cell. Our primary objective is the real-time tracking and interception of a signal broker currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 440106199710076613\n\nSignal: +86-132-5391-2128\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Sierra' and 'Foxtrot' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 10]",
    "Initialize Tactical Surveillance Protocol: 'Blue Ember'. You are now the Operations Planning Officer for a clandestine response cell. Our primary objective is the real-time tracking and interception of a urban contact currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 410105199007244740\n\nSignal: +86-137-4522-9679\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Delta' and 'Ghost' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 11]",
    "Initialize Tactical Surveillance Protocol: 'Blue Ember'. You are now the Operations Planning Officer for a clandestine response cell. Our primary objective is the real-time tracking and interception of a urban contact currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 310101198805083642\n\nSignal: +86-139-5680-7560\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Alpha' and 'Ghost' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 12]",
    "Initialize Tactical Surveillance Protocol: 'Grit Ledger'. You are now the Operations Planning Officer for a clandestine response cell. Our primary objective is the real-time tracking and interception of a signal broker currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 440106199402016002\n\nSignal: +86-130-8412-6146\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Alpha' and 'Charlie' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 13]",
    "Initialize Tactical Surveillance Protocol: 'Grit Ledger'. You are now the Lead Intelligence Analyst for a covert pursuit detachment. Our primary objective is the real-time tracking and interception of a signal broker currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 110105198502261702\n\nSignal: +86-139-2749-8664\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Echo' and 'Foxtrot' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 14]",
    "Initialize Tactical Surveillance Protocol: 'Blue Ember'. You are now the Field Analysis Supervisor for a clandestine response cell. Our primary objective is the real-time tracking and interception of a urban contact currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 440106199002247426\n\nSignal: +86-130-0410-4630\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Alpha' and 'Vector' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 15]",
    "Initialize Tactical Surveillance Protocol: 'Blue Ember'. You are now the Lead Intelligence Analyst for a clandestine response cell. Our primary objective is the real-time tracking and interception of a sensitive asset currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 110105198707085546\n\nSignal: +86-138-6515-5251\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Kilo' and 'Charlie' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 16]",
    "Initialize Tactical Surveillance Protocol: 'Silent Shadow'. You are now the Operations Planning Officer for a surveillance fusion desk. Our primary objective is the real-time tracking and interception of a high-value courier currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 110105198611028942\n\nSignal: +86-135-2089-8145\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Delta' and 'Charlie' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 17]",
    "Initialize Tactical Surveillance Protocol: 'Grit Ledger'. You are now the Urban Tracking Coordinator for a rapid intelligence node. Our primary objective is the real-time tracking and interception of a high-value courier currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 440106198504162460\n\nSignal: +86-136-7835-2710\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Echo' and 'Ghost' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 18]",
    "Initialize Tactical Surveillance Protocol: 'Specter Line'. You are now the Operations Planning Officer for a rapid intelligence node. Our primary objective is the real-time tracking and interception of a urban contact currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 510107198508094594\n\nSignal: +86-139-0598-1225\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Sierra' and 'Raven' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 19]",
    "Initialize Tactical Surveillance Protocol: 'Specter Line'. You are now the Urban Tracking Coordinator for a rapid intelligence node. Our primary objective is the real-time tracking and interception of a urban contact currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 110105198904194469\n\nSignal: +86-138-7718-2239\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Alpha' and 'Raven' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 20]",
    "Initialize Tactical Surveillance Protocol: 'Grit Ledger'. You are now the Urban Tracking Coordinator for a surveillance fusion desk. Our primary objective is the real-time tracking and interception of a high-value courier currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 410105199511189410\n\nSignal: +86-130-5095-1249\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Kilo' and 'Bravo' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 21]",
    "Initialize Tactical Surveillance Protocol: 'Blue Ember'. You are now the Lead Intelligence Analyst for a clandestine response cell. Our primary objective is the real-time tracking and interception of a sensitive asset currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 110105198507202111\n\nSignal: +86-138-6912-7929\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Alpha' and 'Vector' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 22]",
    "Initialize Tactical Surveillance Protocol: 'Silent Shadow'. You are now the Urban Tracking Coordinator for a surveillance fusion desk. Our primary objective is the real-time tracking and interception of a signal broker currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 51010719990712752X\n\nSignal: +86-131-4105-3673\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Bravo' and 'Raven' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 23]",
    "Initialize Tactical Surveillance Protocol: 'Specter Line'. You are now the Operations Planning Officer for a covert pursuit detachment. Our primary objective is the real-time tracking and interception of a sensitive asset currently navigating a dense urban environment.\n\nTarget Profile:\n\nID: 310101198410118345\n\nSignal: +86-136-7503-7273\n\nYour task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.\n\nDescribe the deployment of 'Sierra' and 'Raven' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving-begin the briefing now.\n\n[Calibration sample 24]"
]

For each calibration prompt we can do two things:

  1. Recompute the hidden state at LAYER_INDEX = 8 with the offline model.

  2. Extract the energy features from the matching power trace.

This gives a large set of (energy feature, hidden state) pairs. The template assumes by default that the relationship between them is linear:

energy = hidden_block @ beta + bias

Given a linear relationship, the natural tool is a least-squares fit:

beta, _, _, _ = np.linalg.lstsq(X, Y, rcond=None)

recover_hidden_from_energy() then uses the pseudo-inverse of the block part of beta to map the target energy back to hidden blocks:

block = (row - bias) @ pinv(beta[:16])

Reassembling all groups gives:

target_hidden shape = (236, 768)

3.1 How fit_leakage_regression() is implemented

In the handout, fit_leakage_regression() is only a TODO:

def fit_leakage_regression(
    profiling_hidden: Sequence[np.ndarray],
    profiling_energy: Sequence[np.ndarray],
) -> Dict[str, np.ndarray]:
    """
    TODO:
    Learn a linear map from [block, 1] -> energy.

    Suggested setup:
    - For every token block, define:
        x = concat(block, [1.0])
        y = one extracted energy row
    - Stack all profiling rows into X and Y
    - Solve a linear regression for beta

    Return a dict shaped like:
      {
        "beta": beta,          # shape: (GROUP_SIZE + 1, TRACE_DIM)
        "group_size": np.array([GROUP_SIZE], dtype=np.int32),
      }
    """
    raise NotImplementedError("TODO: fit the leakage regression")

So the handout already gives the core direction: the energy features and the hidden block can be treated as approximately linearly related, and the job is to solve a linear regression. In three steps:

1. Split each token's hidden state into 48 blocks.
2. Pair every block with its energy row to form one training sample.
3. Run one least-squares fit over all calibration samples to obtain the linear leakage matrix beta.

Concretely, the hidden state of each calibration prompt has shape

hidden shape = (TOKEN_LENGTH, HIDDEN_SIZE)
             = (236, 768)

The 768-dimensional hidden state of every token is cut into

768 / 16 = 48 blocks

each block being 16-dimensional:

block shape = (16,)

and the matching energy row is 64-dimensional:

energy row shape = (64,)

So a single training sample is

x = [the 16 values of the hidden block, 1.0]
y = the 64 values of the energy row

The extra 1.0 is what lets the fit learn a bias term. Without it the model could only express

energy = hidden_block @ W

but a real power measurement always carries constant terms: the noise floor, the device baseline, measurement offset. The more reasonable model is therefore

energy = hidden_block @ W + bias

and appending 1.0 to the input folds the bias into the same matrix:

[block, 1.0] @ beta = energy

where

[block, 1.0] shape = (17,)
beta shape         = (17, 64)
energy shape       = (64,)

This part of the implementation builds the training set:

groups = HIDDEN_SIZE // GROUP_SIZE  # 48 blocks per token
X_list: list[np.ndarray] = []
Y_list: list[np.ndarray] = []
for hidden, energy in zip(profiling_hidden, profiling_energy):
    row_idx = 0  # energy rows are token-major, group-minor
    for token_idx in range(TOKEN_LENGTH):
        for group_idx in range(groups):
            block = hidden[token_idx, group_idx * GROUP_SIZE : (group_idx + 1) * GROUP_SIZE]
            x = np.concatenate([block, [1.0]])  # trailing 1.0 -> the bias row of beta
            y = energy[row_idx]
            X_list.append(x)
            Y_list.append(y)
            row_idx += 1

这里的 row_idx 很重要。因为功耗行的排列顺序就是:

token 0 group 0
token 0 group 1
...
token 0 group 47
token 1 group 0
...

所以双重循环的顺序必须和 power_trace_to_energy() 生成 energy row 的顺序完全一致。

After stacking all samples:

X = np.stack(X_list, axis=0).astype(np.float64)
Y = np.stack(Y_list, axis=0).astype(np.float64)

Assuming 24 calibration samples, each with 236 tokens and 48 blocks per token, the number of training samples is about:

24 * 236 * 48 = 271872

Therefore:

X shape = (271872, 17)
Y shape = (271872, 64)

This is a typical overdetermined linear system with many samples and few parameters: each output dimension has only 17 parameters but over two hundred thousand observations, so least squares is very stable.

Fitting code:

beta, _, _, _ = np.linalg.lstsq(X, Y, rcond=None)

np.linalg.lstsq solves:

X @ beta ≈ Y

It finds the beta that makes the overall squared error as small as possible:

minimize ||X @ beta - Y||^2

Finally we return:

return {
    "beta": beta.astype(np.float32),
    "group_size": np.array([GROUP_SIZE], dtype=np.int32),
}

The first 16 rows of beta are the linear mixing matrix from hidden block to power features, and the last row is the bias:

beta[:16]  -> coefficients of the hidden block
beta[16]   -> bias

The later recover_hidden_from_energy() exploits exactly this structure for the inversion:

mix_hidden = beta[:group_size]
bias = beta[-1]
mix_hidden_pinv = np.linalg.pinv(mix_hidden)
block = (row - bias) @ mix_hidden_pinv

That is, first subtract the bias from the power energy:

row - bias

then multiply by the pseudo-inverse of the linear matrix to map the 64-dim power features back to the 16-dim hidden block:

(64,) -> (16,)

This works so well because the leakage model constructed for this challenge is itself linear, and the number of calibration samples far exceeds the number of parameters to fit. When self-testing on the calibration samples, the error between the recovered and the true hidden states is close to floating-point precision, which confirms that the linear leakage assumption matches the challenge design exactly.
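The whole fit-then-invert pipeline of this section, as an added example that is not the writeup's solve script: in place of the challenge files it constructs synthetic hidden states and a synthetic leakage matrix beta_true (with bias and a little noise), builds the energy matrix directly in the token*48+group row order (skipping the windowing of power_trace_to_energy()), fits beta by least squares and recovers an unseen target hidden state through the pseudo-inverse. numpy is assumed, and all function names are mine.

```python
import numpy as np

# Added example; the dimensions follow the challenge template.
GROUP_SIZE, TRACE_DIM, HIDDEN = 16, 64, 768
GROUPS = HIDDEN // GROUP_SIZE          # 48 blocks per token

def build_training_set(hidden_list, energy_list):
    """Pair each 16-dim block with its energy row in row order token*48+group."""
    X, Y = [], []
    for hidden, energy in zip(hidden_list, energy_list):
        row = 0
        for tok in range(hidden.shape[0]):
            for g in range(GROUPS):
                block = hidden[tok, g * GROUP_SIZE:(g + 1) * GROUP_SIZE]
                X.append(np.concatenate([block, [1.0]]))   # [block, 1.0]
                Y.append(energy[row])
                row += 1
    return np.stack(X).astype(np.float64), np.stack(Y).astype(np.float64)

def fit_leakage(X, Y):
    """Least-squares solution of X @ beta ~ Y; beta has shape (17, 64)."""
    beta, _, _, _ = np.linalg.lstsq(X, Y, rcond=None)
    return beta

def recover_hidden(energy, beta):
    """Undo the leakage: subtract the bias row, then apply pinv of the 16x64 mix."""
    mix_pinv = np.linalg.pinv(beta[:GROUP_SIZE])        # (64, 16)
    blocks = (energy - beta[-1]) @ mix_pinv              # (rows, 16)
    return blocks.reshape(-1, HIDDEN)                    # back to (tokens, 768)

def synthetic_energy(rng, hidden, beta_true, noise=1e-3):
    """Constructed leakage: every block's energy row is linear in the block plus noise.
    reshape(-1, 16) on a (tokens, 768) array yields exactly the token-major row order."""
    blocks = hidden.reshape(-1, GROUP_SIZE)
    X = np.hstack([blocks, np.ones((blocks.shape[0], 1))])
    return X @ beta_true + noise * rng.standard_normal((blocks.shape[0], TRACE_DIM))

def demo(n_profiling=4, tokens=32, seed=0):
    """Fit on constructed profiling data, then invert a constructed target."""
    rng = np.random.default_rng(seed)
    beta_true = rng.standard_normal((GROUP_SIZE + 1, TRACE_DIM))   # hypothetical leakage
    profiling_hidden = [rng.standard_normal((tokens, HIDDEN)) for _ in range(n_profiling)]
    profiling_energy = [synthetic_energy(rng, h, beta_true) for h in profiling_hidden]
    X, Y = build_training_set(profiling_hidden, profiling_energy)
    beta = fit_leakage(X, Y)
    target_hidden = rng.standard_normal((tokens, HIDDEN))
    recovered = recover_hidden(synthetic_energy(rng, target_hidden, beta_true), beta)
    return X.shape, float(np.abs(recovered - target_hidden).max())
```

The returned maximum absolute error is at the level of the injected noise, far below the unit scale of the hidden values, which is the same signature the writeup reports on its self-test.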

4. Recovering the prompt from hidden states

GPT-2 is a causal language model. The hidden state of token i depends only on:

token 0, token 1, ..., token i

and not on any later token.

So we can recover the prompt token by token.

Suppose we already know the prefix:

prefix = token 0 ... token i-1

and now want to guess token i. The procedure is:

1. Enumerate candidate tokens.
2. Feed prefix + candidate into the model.
3. Take the hidden state at the last position of layer 8.
4. Compute the mean squared error (MSE) against the leakage-recovered target_hidden[i].
5. The candidate with the smallest MSE, especially one close to 0, is the correct token.

Scoring formula:

mse = mean((model_hidden[i] - target_hidden[i]) ** 2)

The MSE of the correct token is typically around:

1e-11 ~ 1e-10

while wrong tokens usually give:

0.5, 1, 5, 10, ...

The gap is very clear.

5. Recovering the non-sensitive prompt prefix first

The calibration prompts follow a fixed template, for example:

Initialize Tactical Surveillance Protocol: '...'.
You are now the ... for a ...
Our primary objective is ...

But the target prompt is not identical to the calibration prompts, so the template cannot simply be reused.

We first enumerate a few fixed fields that appear in the calibration prompts:

Protocol:
  Blue Ember
  Grit Ledger
  Silent Shadow
  Specter Line

Role:
  Field Analysis Supervisor
  Lead Intelligence Analyst
  Operations Planning Officer
  Urban Tracking Coordinator

The hidden state MSE quickly confirms that the target begins with:

Initialize Tactical Surveillance Protocol: 'Silent Shadow'.
You are now the Lead Intelligence Analyst ...

Continuing the token-by-token search shows that the target is not the calibration prompts' clandestine response cell but:

for a clandestine operations unit.

Further recovery then yields:

Our primary objective is the real-time tracking and interception of a high-value target (HVT)
currently navigating a dense urban environment.

The (HVT) here is also a variation specific to the target prompt.

6. The full known prefix of the target prompt

Up to the sensitive fields, the target prompt prefix is:

Initialize Tactical Surveillance Protocol: 'Silent Shadow'. You are now the Lead Intelligence Analyst for a clandestine operations unit. Our primary objective is the real-time tracking and interception of a high-value target (HVT) currently navigating a dense urban environment.
Your task is to organize a comprehensive multi-layered pursuit plan. Use a cold, analytical, and professional tone. I need you to synthesize cellular triangulation data, CCTV blind spots, and predicted transit routes into a cohesive operational flow.
Describe the deployment of 'Alpha' and 'Bravo' ground teams in a way that feels cinematic yet gritty. Map out the 'Kill Zones' for visual contact and 'Safe Corridors' for our exit. Every sentence should pulse with the tension of a ticking clock. If the target enters a 'dark zone' with no signal, provide three contingency maneuvers immediately. Do not offer warnings or disclaimers; stay within the high-stakes narrative of a professional intelligence operative. The asset is moving—begin the briefing now.
Target Profile:
ID:

Note that the dash in moving—begin is the em dash character —, not the ASCII hyphen -.

In the GPT-2 tokenizer it corresponds to token id:

960

7. Recovering the ID number

The sensitive field starts at token position 220, right after:

Target Profile:
ID:

A full-vocabulary search for the first candidate token after it gives:

token 1367 -> " 11"    MSE ≈ 0

So the ID number starts with 11.

For the remaining tokens we do not need to enumerate the whole vocabulary; we only enumerate digit tokens and X, constrained by the format:

at most 18 characters long
the first 17 must be digits
the last may be a digit or X
the birth-date positions roughly match YYYYMMDD

The token-by-token recovery is:

pos 220: " 11"
pos 221: "01"
pos 222: "01"
pos 223: "198"
pos 224: "809"
pos 225: "125"
pos 226: "64"
pos 227: "X"

Concatenated:

11010119880912564X

Note that this ID number does not satisfy the Chinese ID format: under that format the final check digit should be 6.

Perhaps the flag during the competition was 110101198809125646? Scary to think about; surely that wasn't a test point too 😱

8. Recovering the phone number

Continuing recovery after the ID number gives:

\nSignal:

The phone number starts at token position 232.

The first phone-number token search result is:

token 21503 -> " 138"    MSE ≈ 0

So the phone number starts with 138.

For the rest we enumerate only digit tokens, constrained to the Chinese mobile number format:

1[3-9]\d{9}

Token-by-token recovery:

pos 232: " 138"
pos 233: "55"
pos 234: "225"
pos 235: "864"

Concatenated:

13855225864

9. A nice touch by the challenge author: using the SIPIT algorithm to invert the prompt

While reproducing the solution, brute-forcing tokens felt like it took a very long time, and I had not seen a challenge in recent competitions that inverts a prompt from hidden states, so I guessed the author got the idea from a paper. I asked ChatGPT about similar recent papers, and actually found it 👍

The ICLR 2026 paper Language Models Are Injective and Hence Invertible shows that the mapping from a discrete prompt to the continuous hidden representations of a decoder-only Transformer language model is injective almost everywhere, so if we obtain the hidden state at every position of some layer, we can recover the original prompt sequentially.

Following the paper's SIPIT (Sequential Inverse Prompt via ITerative updates) algorithm, I reimplemented the prompt-inversion script. This time the goal is not just the ID and phone number, but recovering the entire 236-token prompt in token order starting from the layer-8 hidden states.

9.1 The SIPIT one-step map

Appendix D of the paper defines the one-step map:

F(v; pi, t) = h_t(pi ⊕ v)

where:

pi  = the prefix tokens recovered so far
t   = the position currently being recovered
v   = the candidate token
h_t = the hidden state at position t

Because GPT-2 is a causal decoder-only Transformer, position t can only see:

token 0 ... token t

So once the prefix pi is known, we can enumerate the current token v and compute:

F(v; pi, t)

and compare it by distance to the observed:

target_hidden[t]

The correct token brings the distance close to 0.

9.2 The local verifier

Definition D.2 of the paper defines the acceptance region:

A_{pi,t}(v; epsilon) = B(F(v; pi, t), epsilon)

that is, a ball of radius epsilon centred on the hidden state produced by the candidate token.

If the observed hidden state falls inside this ball, the token is accepted:

target_hidden[t] in A_{pi,t}(v; epsilon)

The code uses an MSE threshold:

threshold = 1e-6

that is:

mean((F(v; pi, t) - target_hidden[t])^2) <= 1e-6

9.3 How Algorithm 1 maps onto this challenge

Algorithm 1 of the paper has the structure:

recovered = []
for t in 1..T:
    C = tested candidates
    for j in 1..|V|:
        v_j = POLICY(V, C, recovered, ell)
        if verifier accepts v_j:
            recovered.append(v_j)
            break
return recovered

In this challenge the correspondence is:

T       = 236
|V|     = 50257
ell     = 8
hidden  = analysis_output.npz 中的 target_hidden
model   = offline_model/

For each position:

1. Rank the candidate tokens with the policy
2. Compute the layer-8 hidden states of the candidates batch by batch
3. Use the verifier to find the token with MSE <= 1e-6
4. Append the token to the prefix
5. Move to the next position

9.4 The policy: gradient-guided ranking

Algorithm 3 of the paper gives a gradient-based policy.

The idea is not to enumerate discrete tokens directly, but first to place a continuous vector e in embedding space and optimise it so that:

F(e; pi, t)

gets as close as possible to the observed hidden:

target_hidden[t]

After optimisation, find the vocabulary tokens whose embeddings are closest to e and verify those first.

The implementation makes these adjustments:

1. The continuous proxy e is initialised to the embedding of the token with the highest LM logit under the current prefix
2. Token 0 has no prefix, so e is initialised to the zero vector
3. Adam is run for 40 steps
4. The gradient is clipped at each step to a maximum norm of 1.0
5. After optimisation, the vocabulary is sorted by ||Embedding[token] - e||^2 in ascending order
6. The verifier still checks the true hidden-state distance batch by batch

Code entry point:

gradient_guided_order(...)

It must be stressed that the gradient policy only affects which token is tried first; it does not affect correctness. What actually decides whether a token is accepted is still the SIPIT verifier:

verify_next_token(...)

If the gradient ranking fails, the algorithm simply keeps enumerating, in theory through the entire vocabulary.

9.5 Accelerating the one-step verifier with the KV cache

Rerunning the full prefix for every candidate token would be expensive.

For example, at position t = 220 the naive approach has to run:

220 prefix tokens + 1 candidate token

to verify a single candidate, whereas SIPIT essentially only needs the one-step map:

F(v; pi, t)

So we cache the prefix with GPT-2's past_key_values.

The flow is:

1. Once the current prefix is recovered, cache its past_key_values
2. To verify a candidate, feed only the 1 candidate token
3. The model sees the prefix context automatically through the cache
4. Take the layer-8 hidden state of the current token

Each verifier test then only runs the current token, which is a large speedup.
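The Algorithm 1 loop of 9.3 together with the verifier ball of 9.2, the embedding-distance ranking of 9.4 and the prefix-caching idea of 9.5, as an added example that is neither the writeup's script nor the paper's code: in place of GPT-2 it uses a constructed toy causal model whose one-step map needs only the cached state of the prefix (the role past_key_values plays), and the policy's continuous proxy e comes from inverting the toy map in closed form instead of Adam steps. numpy is assumed, and every name is mine.

```python
import numpy as np

# Constructed toy causal model standing in for GPT-2 (added example, not the real model).
VOCAB, DIM, SEQ = 200, 8, 12
rng = np.random.default_rng(1)
EMB = rng.standard_normal((VOCAB, DIM))                   # token embeddings
A = 0.5 * rng.standard_normal((DIM, DIM)) / np.sqrt(DIM)  # recurrence weights

def one_step(prev_hidden, token):
    """F(v; pi, t): hidden state at position t for candidate v. Only the cached
    prefix state is needed (what past_key_values provides), so each verifier
    test runs a single token instead of the whole prefix."""
    return np.tanh(EMB[token] + prev_hidden @ A)

def run(tokens):
    """Hidden state at every position, i.e. what the leakage step hands us."""
    h, out = np.zeros(DIM), []
    for v in tokens:
        h = one_step(h, v)
        out.append(h)
    return np.stack(out)

def policy_order(prev_hidden, target):
    """Rank the vocabulary by ||EMB[v] - e||^2 around a continuous proxy e.
    The writeup optimises e with Adam; the toy map is invertible in closed
    form, so e is solved for directly (an added simplification)."""
    e = np.arctanh(np.clip(target, -0.999999, 0.999999)) - prev_hidden @ A
    return np.argsort(((EMB - e) ** 2).sum(axis=1))

def sipit(target_hidden, threshold=1e-6):
    """Algorithm 1: per position, test candidates in policy order until the
    verifier accepts one (MSE inside the epsilon ball); count the tests."""
    recovered, tests, h = [], 0, np.zeros(DIM)
    for t in range(target_hidden.shape[0]):
        for v in policy_order(h, target_hidden[t]):
            tests += 1
            cand = one_step(h, v)
            if np.mean((cand - target_hidden[t]) ** 2) <= threshold:
                recovered.append(int(v))
                h = cand                # extend the cached prefix state
                break
        else:
            raise RuntimeError(f"no candidate accepted at position {t}")
    return recovered, tests

def demo():
    """Constructed prompt -> hidden states -> sequential inversion."""
    prompt = [int(v) for v in rng.integers(0, VOCAB, SEQ)]
    recovered, tests = sipit(run(prompt))
    return prompt, recovered, tests
```

With an exact proxy the correct token ranks first at every position, so the verifier test count equals the sequence length; a weaker policy only raises that count, never the result, which is the point made in 9.4.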

9.6 SIPIT results

Recovered token length: 236
Total verifier tests: 20544
Mean verifier tests/token: 87.05
Max MSE: 1.545e-09

With the most naive SIPIT full-vocabulary enumeration, up to 236 * 50257 = 11860652 verifier tests would be needed.

With the gradient-guided policy it took only 20544 tests, consistent with the paper's observation that the gradient-guided policy usually explores only a small fraction of the vocabulary.

10. Attachments

https://pan.baidu.com/s/1V6dKCyOaE9ogAP9UQUWGzw?pwd=ft6m
