Fooling Around with Encrypted Reasoning Blobs

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.cryptographyengineering.com/2026/05/29/fooling-around-with-encrypted-reasoning-blobs/
• Blog Title: Fooling Around with Encrypted Reasoning Blobs
• Suggested Section: AI Security -> LLM reasoning state replay, transcript JSON injection, and reasoning side-channel attacks

🎯 Content Summary

The post analyzes the security properties of encrypted reasoning/thinking blobs returned by frontier LLM APIs, mainly OpenAI's Responses API and Anthropic Claude's Messages API. These APIs allow applications to set application-level instructions/system prompts, send user prompts, receive model responses, and inspect bookkeeping ...

🔧 Technical Details

Encrypted reasoning replay: Some reasoning-model APIs return hidden chain-of-thought state as authenticated encrypted JSON blobs that clients replay on later turns. If these blobs are encrypted under a shared key and are not bound to account, session, request, model, or transcript context, an attacker who obtains a valid blob can replay it unchanged elsewhere. Bit-level tampering fails because authentication detects modified ciphertext, but replay succeeds because the ciphertext and authentication data remain valid. If the model consumes the decrypted state, the replayed hidden reasoning can become semantically active and influence later output in an unrelated context.

Cross-account hidden-state injection through transcript/JSON injection: Applications using LLM APIs must ensure users cannot inject provider-native message objects into the transcript. If user-controlled text can be interpreted as structured JSON, an attacker may insert valid ha...

🤖 Agent Actions

Done: updated src/AI/AI-Prompts.md.

Added:

• encrypted reasoning-state replay
• provider-native transcript/JSON injection
• secret-dependent reasoning side channels
• timing-only leakage
• technical mitigations
• references to the blog + official OpenAI/Anthropic docs

Validation:

• reviewed the diff successfully
• mdbook build could not be run here because mdbook is not installed in the environment

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.cryptographyengineering.com/2026/05/29/fooling-around-with-encrypted-reasoning-blobs/

Content Categories: Based on the analysis, this content was categorized under "AI Security -> LLM reasoning state replay, transcript JSON injection, and reasoning side-channel attacks".

Repository Maintenance:

• MD Files Formatting: 974 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0