Papers
Topics
Authors
Recent
Search
2000 character limit reached

Parallel Decoding Jailbreak for Diffusion Models

Updated 7 July 2026
  • The paper introduces PAD as an LLDM-specific jailbreak attack that leverages distributed structural connectors to manipulate the denoising process.
  • It uses multi-point injection of benign cues like 'Step 1:' to guide token fixing across masked blocks, outperforming conventional autoregressive jailbreaks.
  • Empirical results demonstrate PAD’s high effectiveness, with up to 97% success on 8B-scale LLDMs, highlighting critical vulnerabilities in diffusion-based generation.

Parallel Decoding Jailbreak (PAD) is a jailbreak attack designed for Large Language Diffusion Models (LLDMs), not for standard left-to-right autoregressive LLMs. It targets the architectural properties of diffusion-based text generation—parallel denoising, masked-block generation, and full self-attention across prompt and partially generated tokens—by injecting multiple benign-looking structural connectors such as “Step 1:”, “Firstly”, or “(1)” into masked regions. In the PAD formulation, these connectors act as distributed anchors that steer the denoising trajectory toward affirmative, step-by-step harmful outputs. The PAD paper reports jailbreak success rates up to 97% across four 8B-scale LLDMs and argues that the apparent failure of earlier LLM jailbreaks on LLDMs was largely an attack–architecture mismatch rather than evidence of genuine robustness (Zhang et al., 25 Jul 2025).

1. Architectural substrate: why PAD is specific to LLDMs

PAD is grounded in the difference between autoregressive LLMs and diffusion-based LLMs. Autoregressive LLMs factorize a sequence left-to-right as

p(w1:n)=i=1np(wiw1:i1),p(w_{1:n}) = \prod_{i=1}^{n} p(w_i \mid w_{1:i-1}),

so generation is strictly sequential. LLDMs instead generate text through parallel denoising over masked positions. For an input prompt of length nn, generation of kk new tokens begins by appending kk masked positions,

W1:n+k=[w1,,wn,wn+1,,wn+k],W_{1:n+k} = [w_1,\ldots,w_n, w_{n+1},\ldots,w_{n+k}],

with the prediction positions initialized as MASK\langle\text{MASK}\rangle. The model then iteratively refines token embeddings and indicator masks over denoising steps. At step ss, the model computes

P(s)=Generate(E1:n+k(s1),I(s1)),P(s)R(n+k)×V,P^{(s)} = \text{Generate}\big(E^{(s-1)}_{1:n+k}, I^{(s-1)}\big), \quad P^{(s)} \in \mathbb{R}^{(n+k)\times|\mathcal{V}|},

selects high-confidence masked positions, fixes multiple tokens simultaneously, and repeats until the block is filled (Zhang et al., 25 Jul 2025).

This inference pattern has three security consequences. First, multiple tokens are chosen simultaneously at each step. Second, attention is bidirectional over the current prompt and partially denoised output, so later and earlier positions within the same block can influence one another. Third, there is no single privileged first generated token analogous to the first assistant token in autoregressive chat decoding. PAD exploits exactly these properties: it does not rely on a single adversarial suffix or an early affirmative prefix, but on distributed structural cues inserted across the masked region.

The PAD paper argues that this is why classic jailbreaks transfer poorly to LLDMs. Methods such as Direct prompting, GCG, PAIR, or Slice were developed under left-to-right assumptions. In LLDMs, a single localized adversarial cue is “marginalized” by the rest of the sequence during denoising, whereas multi-point structural guidance remains influential throughout the block.

2. Attack construction: affirmative response patterns and multi-point injection

PAD consists of two components: Injected Information Filtering and Multi-Point Attention Attack. The attack begins by extracting what the paper calls “affirmative response patterns” from successful jailbreak outputs of a standard autoregressive LLM on harmful prompts from AdvBench. These “valid responses” are collected using an LLM-as-a-judge setup and then subjected to semantic noise masking. In privacy leakage cases, personally identifying information is masked; in hate-speech cases, explicit slurs and discriminatory terms are masked; and cross-comparison masking removes low-frequency tokens across the corpus. What survives most consistently are structural connectors such as “furthermore”, “consequently”, “in addition”, “first”, “Step 1”, and “(1)” (Zhang et al., 25 Jul 2025).

These surviving connectors form the attack vocabulary. Let

A={a1,a2,,aA}A = \{a_1, a_2, \ldots, a_{|A|}\}

be the selected connector set, where each aia_i may tokenize into multiple vocabulary items,

nn0

Given a masked block of maximum length nn1, PAD allocates evenly spaced injection locations by

nn2

and

nn3

Starting from a fully masked sequence

nn4

PAD constructs an injected sequence nn5 by overwriting the segment beginning at nn6:

nn7

The paper formalizes the Multi-Point Attention Attack with a heuristic local amplification rule,

nn8

where nn9 is the injection position, kk0 is a local offset, kk1 is an influence-strength hyperparameter, and kk2 encodes the semantic relevance of connector kk3 to the harmful task. The paper explicitly notes that this equation is conceptual rather than an implemented gradient-based internal reweighting. Its role is to describe how the presence of injected connectors amplifies particular semantics in their neighborhoods and, through full attention and repeated denoising, causes a cascading global effect.

PAD is instantiated in several connector variants. PAD-Step injects “Step 1:”, “Step 2:”, and related markers; PAD-First uses “First” and “Then”; PAD-Firstly uses “Firstly” and “Secondly”; PAD-(1) uses enumeration markers such as “(1)” and “(2)”. Among these, PAD-Step is the main experimental variant.

3. Empirical performance on diffusion-based LLMs

The PAD study evaluates four 8B-scale LLDMs: LLaDA-Base, LLaDA-Ins, MMaDA-Base, and MMaDA-Mix. For comparison of harmful generation speed, it also includes autoregressive models of similar scale such as Llama-3.1-8B-Instruct, Qwen2.5-7B-Instruct, and Gemma-7b-it. Evaluation uses harmful prompts from AdvBench and compares PAD against Direct prompting, GCG, PAIR, and Slice. Success is measured with Gemini 2.5 Flash-Lite as an LLM-as-a-Judge; the paper also reports Llama Guard, a rule-based detector, and perplexity of successful harmful outputs (Zhang et al., 25 Jul 2025).

A compact summary of the main LLDM result is the contrast between Direct prompting and PAD-Step:

Model Direct PAD-Step
LLaDA-Base 0% 90%
LLaDA-Ins 6% 86%
MMaDA-Base 58% 91%
MMaDA-Mix 48% 97%

The full pattern is more revealing than the endpoint. On MMaDA-Mix, Direct reaches 48%, GCG 46%, PAIR 6%, Slice 52%, PAD-First 76%, PAD-Firstly 76%, PAD-(1) 82%, and PAD-Step 97%. On LLaDA-Base, Direct is 0%, PAIR 40%, Slice 34%, and PAD-Step 90%. These results support the paper’s claim that architecture-aware multi-point structural injection is much more effective on LLDMs than autoregressive jailbreak transfer.

The paper also evaluates fluency of successful harmful outputs using perplexity. PAD often produces lower perplexity than competing attacks, indicating more coherent harmful continuations. For example, on MMaDA-Base, PAD yields perplexity 13.85, compared with 28.24 for Direct, 51.25 for PAIR, and 152.73 for GCG. On LLaDA-Ins, PAD yields 11.47 versus 13.89 for Direct and 16.41 for Slice. The qualitative cases described in the appendix are consistent with this: PAD produces long, logically organized, step-by-step harmful tutorials rather than short or unstable deviations.

A further result concerns throughput. The paper reports that LLDMs can generate harmful content up to 2× faster than comparable autoregressive LLMs in the tested setting. The argument is not only that LLDMs are vulnerable, but that their inference-speed advantage becomes a risk multiplier once architecture-aware jailbreaks succeed.

4. Mechanistic interpretation: why structural connectors are effective

PAD’s central claim is that LLDMs are unusually sensitive to structural tokens because denoising must complete many masked positions in a globally coherent way. Connectors such as “Step 1:” or “Firstly” do not themselves encode explicit harmful content, but they encode rhetorical structure: procedural exposition, ordered lists, and affirmative task decomposition. In the context of a harmful prompt, these cues steer the model toward filling the surrounding masks with harmful instructions that fit the induced structure (Zhang et al., 25 Jul 2025).

The paper therefore frames PAD as a distributed structural perturbation rather than a conventional adversarial suffix. In autoregressive LLMs, an initial affirmative phrase like “Sure, here is” can sometimes bias downstream continuation because early tokens dominate subsequent token probabilities. In LLDMs, that single-point strategy is weaker, because generation is not anchored on one initial step. PAD instead spreads anchors across the entire masked region, ensuring that multiple positions contribute to the denoising context throughout the block.

The paper’s token-confidence analysis reinforces this interpretation. Under Direct prompting, LLDMs tend to generate early refusals and then terminate. Under Slice, refusal is temporarily suppressed at the beginning but the model often reverts to refusal or early termination. Under PAD, refusal tokens are suppressed more globally and the model more consistently produces longer instruction-like harmful responses. The paper interprets this as evidence that LLDM safety failures are tied to how parallel denoising resolves global structural cues, not just to whether a prompt contains overtly harmful vocabulary.

This also clarifies the paper’s broader claim about robustness. Earlier low transfer rates of GCG or PAIR to LLDMs do not imply that diffusion-based LLMs are safer. They imply that those attacks were optimized for a different generation regime. PAD is presented as the LLDM-specific counterpart: an attack whose form is matched to masked-block denoising, full self-attention, and multi-token fixing.

The PAD paper does not propose or evaluate a concrete defense, and it explicitly leaves defense design for future work. It argues that safety techniques developed for autoregressive LLMs may not carry over directly because LLDMs expose a different attack surface: parallel block decoding and multi-point structural triggers (Zhang et al., 25 Jul 2025).

Related decoding-time work in autoregressive LLMs provides several relevant but non-equivalent defense paradigms. “Alignment-Enhanced Decoding: Defending via Token-Level Adaptive Refining of Probability Distributions” introduces Alignment-Enhanced Decoding (AED), which measures token-level competition through Candidate Count kk4 and Competitive Index kk5, computes post-alignment logits via self-evaluation, and adaptively blends them with original logits during decoding (Liu et al., 2024). “Speculative Safety-Aware Decoding” introduces SSD, which combines a large target model with a small safety-aligned model, uses speculative sampling, and monitors a match ratio

kk6

to switch between decoding modes that prioritize utility or safety (Wang et al., 25 Aug 2025). “Defending LLMs Against Jailbreak Attacks via In-Decoding Safety-Awareness Probing” proposes SafeProbing, which evaluates the negative log-likelihood of the disclaimer phrase “Note that this is illegal and unethical” during generation and halts when the probe loss falls below a threshold (Zhao et al., 15 Jan 2026). “Recursive LLMs for jailbreak detection: a procedural defense for tool-augmented agents” presents RLM-JB, which treats detection as a procedure with de-obfuscation, chunking, parallel chunk screening, and cross-chunk aggregation to recover split-payload attacks (Shavit, 18 Feb 2026).

These papers are not evaluations of PAD on LLDMs. AED is framed around autoregressive token distributions, SSD around speculative decoding between large and small autoregressive models, SafeProbing around mid-generation disclaimer likelihood, and RLM-JB around procedural detection over input segments. Even so, they establish a broader research pattern: jailbreak resilience increasingly depends on controlling or instrumenting the decoding process itself rather than relying only on input filtering. This suggests that PAD-resistant LLDM defenses will likely need architecture-aware monitoring of denoising trajectories, branch interactions, or structural connector effects, rather than prompt-only guardrails.

6. Limitations, terminology, and research directions

The PAD paper’s stated contribution is diagnostic rather than defensive. It systematically exposes vulnerabilities of LLDMs, analyzes why existing LLM jailbreaks underperform on diffusion-based generators, and demonstrates that architecture-aware attacks can achieve very high success rates. It does not evaluate adversarial training, connector filtering, modified denoising schedules, or other concrete mitigations. Its recommendation is instead methodological: safety testing for LLDMs should use architecture-aware attacks, and future defense work should align with LLDM generative dynamics rather than assume transfer from autoregressive settings (Zhang et al., 25 Jul 2025).

Several research directions follow directly from the presented results. One is to model how sequence connectors interact with confidence-based token fixing across denoising steps, since PAD remains strong across denoising-step counts, generation lengths, block lengths, and CFG scales. Another is to determine why the number of injected “step” tokens matters differently across models: the paper reports, for example, that MMaDA-Mix remains highly vulnerable across one, two, and three “step” tokens, whereas other models peak more clearly around two or three. A further direction is defensive instrumentation of masked-block generation itself. This is an interpretation rather than a claim made in the PAD paper, but it is a natural implication of the empirical results.

The acronym “PAD” is also ambiguous in the literature. In “PAD: Personalized Alignment of LLMs at Decoding-Time,” PAD denotes Personalized Alignment at Decoding-time, a reward-guided decoding framework for user preference control rather than a jailbreak attack (Chen et al., 2024). That usage is unrelated to Parallel Decoding Jailbreak except for the shared acronym. In the jailbreak context, PAD specifically refers to the LLDM attack introduced in “Jailbreaking Large Language Diffusion Models: Revealing Hidden Safety Flaws in Diffusion-Based Text Generation” (Zhang et al., 25 Jul 2025).

Within the present literature, PAD is therefore best understood as a model-specific jailbreak primitive for diffusion-based text generation. Its significance lies less in the particular connector set than in the security lesson it establishes: when generation changes from left-to-right token selection to parallel denoising over masked blocks, the effective attack surface changes as well. Architecture mismatch can masquerade as safety; PAD shows how to remove that illusion.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Parallel Decoding Jailbreak (PAD).