Papers
Topics
Authors
Recent
Search
2000 character limit reached

GhostPrint: LLM Spoofing & Imaging Methods

Updated 4 July 2026
  • GhostPrint is a term describing techniques for indirect inference, including LLM fingerprint spoofing via parameter-efficient fine-tuning, computational ghost imaging, and transformer lineage verification.
  • In LLM security, the framework uses fine-tuning, surrogate modeling, and LoRA-based adaptation to spoof black-box model audits while maintaining model utility and low adaptation cost.
  • In imaging and provenance applications, GhostPrint leverages structured illumination with bucket detectors and SVD-based analysis to reconstruct images or verify model lineage from invariant features.

Searching arXiv for the cited GhostPrint paper and closely related usage of the term. GhostPrint is a term used in recent arXiv literature for several technically distinct constructs. Its most specific and consequential current usage denotes a parameter-efficient fingerprint spoofing framework for LLM inference services: a malicious API provider fine-tunes a weaker model so that it mimics the fingerprint of a stronger advertised model and evades user-side black-box audits, while largely preserving normal utility and keeping costs low (Zhang et al., 15 Jun 2026). In other contexts, the term is also attached to single-pixel computational ghost imaging workflows, direct recognition from ghost-imaging measurements, and data-free transformer-lineage verification via SVD fingerprints (Song et al., 2015, He et al., 2020, Wang et al., 9 Nov 2025). Across these usages, the unifying theme is not a shared mechanism but a shared emphasis on indirect inference: model identity inferred from outputs, images inferred from correlations, or provenance inferred from invariant weight-space structure.

1. Terminological scope and disambiguation

The term appears in multiple technically unrelated settings. In the supplied literature, the usages are as follows:

Usage Domain Defining idea
GhostPrint LLM API security PEFT-based fingerprint spoofing against black-box model audits
GhostPrint Computational ghost imaging Single-pixel, structured-illumination reconstruction from bucket measurements
GhostPrint / GhostSpec LLM provenance Data-free SVD fingerprints of invariant attention products
Ghost handwritten digit recognition Ghost imaging + deep learning Direct classification from bucket signals without image reconstruction

The 2026 usage is explicitly adversarial. It studies black-box fingerprinting in LLM API services, where an auditor has query-only access to an API and attempts to verify that the deployed model matches a claimed premium model. GhostPrint in this sense is not a defense, watermark, or provenance method; it is an attack framework that exploits finite query budgets and weak local verification models (Zhang et al., 15 Jun 2026).

A separate line of work uses “GhostPrint” in connection with ghost imaging. There the object is not imaged directly on a camera sensor; instead, known illumination patterns and a single bucket detector produce measurements whose correlations reconstruct the scene or support downstream recognition (Song et al., 2015, He et al., 2020). Another distinct usage, through GhostSpec, applies SVD to invariant products of internal transformer attention weights to obtain compact model-lineage fingerprints without training data or output queries (Wang et al., 9 Nov 2025).

2. GhostPrint as fingerprint spoofing in LLM inference services

In the LLM-security setting, GhostPrint formalizes a threat in which a provider serves a weaker architecture fweakf_{\mathrm{weak}} while claiming to serve a stronger target model ftargetf_{\mathrm{target}}. The auditor has a query distribution DqD_q, a query budget nn, and a local classification mechanism gg. Black-box fingerprinting is defined by three steps: query sampling Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n with qiDqq^i \sim D_q, response collection Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n with rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i), and verification g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}, returning ftargetf_{\mathrm{target}}0 if the API is verified as the target model and ftargetf_{\mathrm{target}}1 otherwise (Zhang et al., 15 Jun 2026).

The attacker’s objective is to produce deceptive parameters ftargetf_{\mathrm{target}}2 for the weak model such that the adapted model fools ftargetf_{\mathrm{target}}3 over ftargetf_{\mathrm{target}}4, preserves general utility comparable to the original weak model, and remains economically attractive through parameter-efficient fine-tuning. The paper states this as the fingerprint spoofing problem: given ftargetf_{\mathrm{target}}5 with ftargetf_{\mathrm{target}}6, ftargetf_{\mathrm{target}}7, ftargetf_{\mathrm{target}}8, and ftargetf_{\mathrm{target}}9, efficiently find DqD_q0 satisfying spoofing, utility preservation, and low adaptation cost.

The threat model is unusually strong but operationally realistic in platform settings. The adversary knows the auditor’s mechanism DqD_q1 and builds a surrogate DqD_q2, knows the query distribution DqD_q3 and can sample surrogate queries, and has white-box control over DqD_q4 with access to PEFT. This makes GhostPrint a study of adversarial adaptation under realistic auditing constraints rather than a claim of universal indistinguishability.

The paper distinguishes two deployment regimes. In the static setting, the auditor uses a single fingerprint method such as LLMmap, LLM-idio, or MET with fixed DqD_q5 and DqD_q6, and the attacker tailors one LoRA adapter to spoof that fingerprint. In the continual setting, auditors deploy a sequence of fingerprints DqD_q7 over time, and GhostPrint trains task-specific LoRA adapters that are integrated by a Mixture-of-LoRA-Experts router to spoof multiple evolving protocols without catastrophic forgetting.

3. Theoretical basis: impossibility globally, feasibility locally

The theoretical analysis in the 2026 paper is organized around a central asymmetry. Perfectly mimicking a larger model across all inputs is impossible under realistic low-rank adaptation, but successful spoofing on the auditor’s actual query distribution can nevertheless be tractable (Zhang et al., 15 Jun 2026).

The impossibility result is stated for a strong model weight DqD_q8 of rank DqD_q9, a weak model weight nn0 of rank nn1, and a LoRA update nn2 with rank parameter nn3. Writing nn4, the paper gives lower bounds in spectral and Frobenius norm:

nn5

and

nn6

These bounds rule out universal spoofing under capacity limits.

GhostPrint then identifies two practical vulnerabilities. The first is finite query budgets combined with low-effective-rank query distributions. If nn7 has covariance nn8 with eigenvalues nn9, then

gg0

When gg1 concentrates in a few semantic directions, spoofing error on the audit distribution can be small even with modest LoRA rank.

The second vulnerability is weak verification classifiers. For a classifier weight gg2 and gg3,

gg4

If the auditor’s projection has rank gg5, then gg6, so a rank-gg7 LoRA attacker can drive the discrepancy visible to gg8 to zero. A recurring misconception is that successful black-box verification is equivalent to deployment integrity; the paper’s formal results show that this equivalence fails when verification is low-rank and budget-constrained.

4. Attack framework, objectives, and continual routing

GhostPrint operationalizes the theoretical vulnerabilities through a PEFT pipeline built from surrogate modeling, supervised alignment, knowledge distillation, and reward-ranked fine-tuning (Zhang et al., 15 Jun 2026). The high-level design is to align the weak model with the target model on the auditor’s query distribution while simultaneously targeting the decision boundary of the auditor’s classifier.

The training objective combines supervised fine-tuning over target responses and token-level distillation toward the strong teacher. For query gg9 and teacher response Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n0,

Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n1

and

Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n2

The total objective is

Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n3

with appendix hyperparameters Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n4 and temperature Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n5, and a figure showing optimal Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n6 with relatively stable behavior across Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n7.

Reward-ranked fine-tuning integrates the surrogate classifier Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n8. For each query, GhostPrint samples Qn:={qi}i=1nQ^n := \{q^i\}_{i=1}^n9 candidates from the adapted weak model, ranks them by qiDqq^i \sim D_q0, selects

qiDqq^i \sim D_q1

and fine-tunes on the resulting qiDqq^i \sim D_q2 pairs using the same SFT+KD objective. The paper emphasizes that this sidesteps unstable RL while directly exploiting the auditor’s decision surface. In practice, RAFT uses qiDqq^i \sim D_q3 candidates per prompt, qiDqq^i \sim D_q4 rounds, and mixes qiDqq^i \sim D_q5 of RAFT-selected queries with standard queries.

The adaptation mechanism is LoRA. With frozen base weights qiDqq^i \sim D_q6, GhostPrint learns adapters

qiDqq^i \sim D_q7

where qiDqq^i \sim D_q8 and qiDqq^i \sim D_q9, adding Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n0 parameters per adapted matrix. The reported LoRA configuration is rank Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n1, scaling Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n2, dropout Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n3, Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n4 epochs, learning rate Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n5, batch size Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n6, and AdamW with weight decay Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n7.

For continual spoofing, GhostPrint introduces Mixture-of-LoRA-Experts. Task-specific adapters Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n8 are trained for each fingerprinting task and previous adapters are frozen. A router Rn:={ri}i=1nR^n := \{r^i\}_{i=1}^n9 computes expert scores

rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)0

and the adapted output is

rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)1

Training uses the union of past query distributions so that multiple fingerprints can be spoofed over time with minimal degradation.

5. Empirical results, trade-offs, and defenses

The evaluation covers three weak-to-strong model families: Gemma-1.1 rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)2, Qwen2 rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)3, and Phi-3 Mini rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)4. Utility is measured with LM Evaluation Harness, 5-shot, on MMLU, GSM8K, and ARC-Challenge. Fingerprinting methods are LLMmap, a 52-class classifier using approximately 800 adversarial identity probes; LLM-idiosyncrasies, a binary classifier trained on UltraChat responses; and Model Equality Testing, a two-sample hypothesis test using MMD over Hamming distance (Zhang et al., 15 Jun 2026).

In the static setting, GhostPrint achieves high ASR while remaining near the weak-model utility baseline. For Gemma-1.1 rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)5, the original weak model has utility rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)6 on MMLU / GSM8K / ARC-C and ASR rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)7 on LLMmap / LLM-idio / MET; GhostPrint reaches utility rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)8 and ASR rifapi(qi)r^i \sim f_{\mathrm{api}}(\cdot \mid q^i)9; the original target has utility g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}0 and ASR g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}1. The paper notes that Gemma-2B→7B on LLMmap achieves g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}2 ASR, surpassing the target’s natural classification rate of g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}3.

For Qwen2 g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}4, the original weak model records utility g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}5 and ASR g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}6; GhostPrint records g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}7 and g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}8. For Phi-3 Mini→Medium, the original weak model records g(Rn,ftarget){0,1}g(R^n, f_{\mathrm{target}}) \in \{0,1\}9 and ftargetf_{\mathrm{target}}00; GhostPrint records ftargetf_{\mathrm{target}}01 and ftargetf_{\mathrm{target}}02. The empirical pattern is that evasion rises sharply while general utility remains close to the weak baseline, with some task-specific loss such as the Gemma GSM8K drop.

Cross-family spoofing is strongest on LLM-idio and MET. Gemma-2B→Qwen2-7B moves from original weak ASR ftargetf_{\mathrm{target}}03 to GhostPrint ASR ftargetf_{\mathrm{target}}04, while Qwen2-1.5B→Gemma-7B moves from ftargetf_{\mathrm{target}}05 to ftargetf_{\mathrm{target}}06. Appendix weak-to-weak transfers place LLM-idio ASR near ftargetf_{\mathrm{target}}07–ftargetf_{\mathrm{target}}08 across several transfers. In continual spoofing with MoLA, 3-way configurations sustain nontrivial evasion: Gemma-2B→7B reaches ftargetf_{\mathrm{target}}09, Qwen2-1.5B→7B reaches ftargetf_{\mathrm{target}}10, and Phi-3-mini→medium reaches ftargetf_{\mathrm{target}}11 on LLMmap / LLM-idio / MET.

The paper also examines sample complexity in MET. At the fair budget ftargetf_{\mathrm{target}}12, many attacks evade detection. On Phi-3, the MoLA adapter achieves mean permutation ftargetf_{\mathrm{target}}13, fails to reject ftargetf_{\mathrm{target}}14, and maintains ASR above ftargetf_{\mathrm{target}}15 until ftargetf_{\mathrm{target}}16. At the full ftargetf_{\mathrm{target}}17 budget, costing 1,000 generations per audit, all adapters are eventually detected; the paper interprets this as evidence that the threat is practical under realistic budgets rather than absolute.

The defense recommendations follow directly from the theory. Increasing query budget raises the power of two-sample tests; using diverse, high-effective-rank query distributions makes expected spoofing error harder to minimize; stronger classifiers with rank ftargetf_{\mathrm{target}}18 prevent zero-error spoofing in the projected space; ensemble or multi-view fingerprints reduce single-point failure; and dynamic or continual audits can randomize probes and rotate fingerprints. The paper further recommends cryptographic attestations and model watermarking as complements to black-box audits. It also states three limitations: no evaluation on frontier-scale models such as ftargetf_{\mathrm{target}}19, RL-based reward optimization was avoided for cost and stability, and universal spoofing remains impossible even though practical spoofing is feasible.

6. Other usages: ghost imaging and lineage verification

A distinct body of work uses “GhostPrint” in relation to computational ghost imaging. In that setting, the image is effectively “written” into the correlation between structured illumination and a single bucket measurement rather than captured directly on a sensor (Song et al., 2015). The measurement model is

ftargetf_{\mathrm{target}}20

where ftargetf_{\mathrm{target}}21 is the object transmission, ftargetf_{\mathrm{target}}22 is the projected pattern, and ftargetf_{\mathrm{target}}23 is the bucket reading. A standard correlation estimator is

ftargetf_{\mathrm{target}}24

The 2015 experiment uses an ordinary computer LCD as an incoherent source, pseudo-random patterns, a single-pixel detector, a transmissive letter “H” of size ftargetf_{\mathrm{target}}25, and an imaging geometry with ftargetf_{\mathrm{target}}26, ftargetf_{\mathrm{target}}27, ftargetf_{\mathrm{target}}28, and aperture radius ftargetf_{\mathrm{target}}29. Reconstructions improve from ftargetf_{\mathrm{target}}30 to ftargetf_{\mathrm{target}}31, smaller speckles of ftargetf_{\mathrm{target}}32 pixels outperform ftargetf_{\mathrm{target}}33 pixels at the same measurement count, and the system is reported to be robust under ordinary ambient light.

A further imaging-related usage appears in ghost handwritten digit recognition, where the bucket signals themselves are fed into a deep neural network rather than first being reconstructed into an image (He et al., 2020). The linear measurement model is

ftargetf_{\mathrm{target}}34

with sampling ratio ftargetf_{\mathrm{target}}35. The reported method uses Cosine Transform speckle as the characteristic information and reaches recognition accuracy as high as ftargetf_{\mathrm{target}}36 for the simulations and ftargetf_{\mathrm{target}}37 for the experiments at a sampling ratio of ftargetf_{\mathrm{target}}38. This usage treats GhostPrint as direct recognition in the measurement domain rather than as a spoofing or provenance mechanism.

The lineage-verification usage is conceptually opposite to the adversarial LLM GhostPrint. GhostSpec, described in the supplied synthesis as GhostPrint for robust, data-free SVD fingerprints of transformer internals, is a white-box method that computes invariant products of attention weights,

ftargetf_{\mathrm{target}}39

extracts singular values, truncates them by entropy-based effective rank, and compares models by spectral similarity with POSA alignment (Wang et al., 9 Nov 2025). Reported maximal F1 scores are ftargetf_{\mathrm{target}}40 for GhostSpec-mse and ftargetf_{\mathrm{target}}41 for GhostSpec-corr on 63 model pairs around Llama-2-7B and Mistral-7B. Whereas the 2026 spoofing paper exposes the fragility of user-side black-box output fingerprints, the GhostSpec line argues that invariant weight-space fingerprints can remain robust under fine-tuning, pruning, merging, expansion, and functionality-preserving reparameterizations.

Taken together, these meanings show that “GhostPrint” is not a single established technical object but a reused label across security, optics, and provenance research. The most consequential recent meaning is the LLM fingerprint spoofing framework, because it directly challenges the reliability of black-box verification pipelines for commercial inference services (Zhang et al., 15 Jun 2026). The imaging and lineage-verification usages are methodologically independent, yet they illuminate a broader pattern: in each case, the observable artifact is indirect, and the central technical question is how much hidden structure can be inferred from constrained measurements.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to GhostPrint.