Analyzing the Narration Gap in LLM-Solver Loops
Quick Take
The study addresses the narration gap in LLM-solver loops, highlighting that while formal tools like SAT solvers ensure soundness, the interaction with language models can compromise this guarantee. The research evaluates five open-sourced models under prompt injection, revealing that while certificate gating enhances soundness, vulnerabilities remain, particularly under adaptive attacks.
Key Points
- Formal tools like SAT solvers provide sound and verifiable answers in LLM pipelines.
- The research identifies a critical narration gap in the LLM-solver interaction.
- Five open-sourced models were evaluated for prompt injection vulnerabilities.
- Certificate gating improves soundness but does not eliminate all vulnerabilities.
- Adaptive attacks can still invert verified conclusions across different phrasings.
Article Content
From source RSS / original summary (arXiv:2606.19588v1)
Abstract: Formal tools such as SAT and SMT solvers are increasingly embedded in language model reasoning pipelines when a safety or security critical question can be formulated in logic. Unlike chain of thought whose steps are sampled from the model distribution without formal guarantee, a solver produces a sound and independently verifiable answer. However, the soundness guarantee can be lost in the interaction between the solver and the model.
The hybrid pipeline has three components: formalizing the question, deciding it, and narrating the result. Prior work has studied the formalization and decision, but not narration, which is the step that turns a formal tool's output into the user answer. To fill the narration gap, we first model the LLM-solver loop as a verified decision procedure.
We further evaluate five open-sourced models under prompt injection, and we find certificate gating makes the solver verdict sound, while an adversary can invert a verified conclusion across phrasings and channels. We study the mitigation through a hardened prompt that reduces injection significantly but cannot eliminate it and still suffers under adaptive attack. Combining the formal analysis and empirical studies, we show that in the LLM-solver loop, robustness does not reach the answer that the user finally reads.
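The abstract names certificate gating without describing it. As an added illustration, not code from the paper, here is one common form of such a gate for the "deciding" step: a SAT verdict is accepted only with a model that satisfies every clause, an UNSAT verdict only with a reverse-unit-propagation (RUP) proof. The function names, the RUP proof format and the sample formulas are assumptions made for this example.

```python
# Added example (not from the paper): certificate gate for a solver verdict.
# Clauses and lemmas are lists of DIMACS-style integer literals.

def check_model(cnf, model):
    """SAT certificate: a consistent assignment that satisfies every clause."""
    true = set(model)
    if any(-lit in true for lit in true):
        return False
    return all(any(lit in true for lit in clause) for clause in cnf)

def propagates_to_conflict(clauses, assumptions):
    """True if unit propagation from the assumptions falsifies some clause."""
    true = set(assumptions)
    if any(-lit in true for lit in true):
        return True
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(lit in true for lit in clause):
                continue                      # clause already satisfied
            open_lits = {lit for lit in clause if -lit not in true}
            if not open_lits:
                return True                   # every literal is false
            if len(open_lits) == 1:
                true.add(open_lits.pop())     # forced (unit) literal
                changed = True
    return False

def check_rup_proof(cnf, proof):
    """UNSAT certificate: each lemma follows by reverse unit propagation
    from the clauses before it, and the last lemma is the empty clause."""
    db = [list(c) for c in cnf]
    for lemma in proof:
        if not propagates_to_conflict(db, [-lit for lit in lemma]):
            return False
        db.append(list(lemma))
    return bool(proof) and len(proof[-1]) == 0

def gate(cnf, verdict, certificate):
    """Pass a verdict on only if its certificate checks; else 'REJECTED'."""
    checkers = {"SAT": check_model, "UNSAT": check_rup_proof}
    ok = verdict in checkers and checkers[verdict](cnf, certificate)
    return verdict if ok else "REJECTED"

# Constructed sample: (x1 or x2)(not x1 or x2)(x1 or not x2)(not x1 or not x2)
UNSAT_CNF = [[1, 2], [-1, 2], [1, -2], [-1, -2]]
SAT_CNF = [[1, 2], [-1, 2]]
```

The gate covers the verdict only; the text a model later writes about that verdict never passes through it, which is the narration step the abstract is concerned with.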

