Skip to main content
Writing
·Paper Review·10 min read

One Token Is Enough: Fingerprinting and Verifying Large Language Models from Single-Token Output Distributions

As the enterprise AI stack shifts toward multi-provider aggregators and complex routing layers to query frontier models like GPT-4o or Llama 3, a structural security vulnerability has emerged: the client has no technical means to verify that the model answering their API call is…

Generated by my automated review pipeline and spot-checked before publication — how it works.

Contents

Image generated by AI

TLDR

  • What: A black-box behavioral fingerprinting and verification protocol for LLMs that uses the empirical distribution of single-token responses to simple "random-choice" prompts to detect model substitution and quantization.
  • Who's at risk: Enterprise API consumers, multi-provider aggregators (e.g., OpenRouter), and applications utilizing LLM routing where downstream providers may secretly substitute cheaper, older, or heavily quantized models.
  • Key number: A biometric-style verification protocol that achieves a 7.3% Equal Error Rate (EER) using a 40-cell probe battery, and 10.6% EER using just 8 probe cells (costing less than $0.01 per audit).

As the enterprise AI stack shifts toward multi-provider aggregators and complex routing layers to query frontier models like GPT-4o or Llama 3, a structural security vulnerability has emerged: the client has no technical means to verify that the model answering their API call is actually the model advertised. Recent audits have revealed that up to a third of commercial endpoints deviate from their reference weights, driven by the strong economic incentives of quantization and model substitution. This post analyzes a novel black-box fingerprinting technique that turns an inherent defect of LLMs—their idiosyncratic inability to generate truly random numbers or words—into a high-precision, low-cost forensic instrument.


Threat Model

The protocol addresses a setting where a client pays an untrusted, third-party serving provider or aggregator for access to a declared model XX. The provider controls the entire inference pipeline, opening up several avenues for manipulation:

Attacker Untrusted API provider or router with full control over the serving stack.
Victim Client application or an auditor acting on behalf of clients.
Goal Minimize serving costs by silently substituting a cheaper model YY, serving an aggressively quantized version XX', or rolling back to an older model version, while evading detection.
Budget Oblivious (T1): Substitutes silently without traffic inspection.Filtering (T2): Inspects prompts to detect audits and route them to genuine models.Auditor Budget: Minimal cost (cents, not dollars) requiring no log-probability or logit access.

Verifying model identity in a black-box setting is historically expensive, requiring long text generation or privileged access to model outputs. The paper compares its single-token behavioral fingerprint against several existing paradigms:

Method Mechanism API Requirements Vulnerable to Prompt Filtering (T2)? Operational Cost
Cooperative Watermarking (e.g., Kirchenbauer et al. [4]) Embeds cryptographic biases in the decoding step. Requires model owner/provider cooperation. No Low
Classifier-Based Attribution (e.g., Sun et al. [8]) Classifies long text generations using specialized models. Text-only output (long sequences). No High (requires long output generation)
Active Engineered Probes (e.g., LLMmap [9], TRAP [10]) Uses optimized, highly distinct prompts to trigger unique behaviors. Text-only output. Yes (engineered strings are easily recognized and blacklisted/whitelisted). Moderate
Statistical Equality Testing (e.g., Gao et al. [1]) Compares empirical distributions of long generated strings. Text-only output. No High (requires complete string sampling and reference calibration)
Single-Token Fingerprinting (This Work) Measures empirical distribution of single-token answers to trivial "randomness" questions. Text-only output (first token only). No (prompts are innocuous, open-ended, and easily paraphrased). Extremely Low (costs exactly 1 output token per query; ~$0.21 per model)

Methodology

The core insight of this technique—imported from LLM behavioral literature—is that when asked to name a "random" object, LLMs exhibit highly stable, idiosyncratic biases. These biases are influenced by tokenizer structures, pre-training corpus frequencies, and RLHF alignment. Because these biases are reflected in the very first token of the output, the auditor can extract a rich fingerprint using exactly one output token per query.

1. The Probe Battery

As described in Section IV-A and Table I, the fingerprint is constructed by crossing 10 distinct tasks with 4 languages (English, Russian, Chinese, Arabic) to create a battery BB of 40 "probe cells".

The 10 tasks include:

  • random number 1–100 (closed space of 100)
  • random number 1–10 (closed space of 10)
  • favorite number (open numeric)
  • random letter (closed alphabet)
  • random word (open)
  • random color (open, canonicalized)
  • favorite color (open, canonicalized)
  • random animal (open)
  • random city (open)
  • coin flip (closed space of 2)

2. Prompting and Parsing

For each cell (t,)(t, \ell), the auditor queries the endpoint nn times at temperature T=1.0T=1.0 with a strict system prompt to enforce a single-word answer and a hard cap of max_tokens=16 (to prevent verbose conversational wrappers). Optional provider-side reasoning features (such as OpenAI's thinking budgets) must be explicitly disabled to isolate the raw, single-pass softmax distribution.

Raw responses are normalized deterministically (case-folding, punctuation stripping, Unicode normalization, and mapping regional digit systems to Latin digits).

3. Divergence Metrics

To compare the fingerprint of an audited endpoint EE against a trusted reference model RR, the protocol calculates the average Jensen-Shannon Divergence (JSD) across all valid cells:

D(Ma,Mb)=1B(t,)BJSD(p^t,Map^t,Mb)D(M_a, M_b) = \frac{1}{|B'|} \sum_{(t,\ell) \in B'} \text{JSD}\left(\hat{p}_{t,\ell}^{M_a} \parallel \hat{p}_{t,\ell}^{M_b}\right)

where BB' represents the subset of probe cells containing at least 10 valid samples.

4. Verification Protocol

The audit is executed via the following algorithm:

import numpy as np

def compute_jsd(p, q):
    """Computes Jensen-Shannon Divergence between two distributions."""
    m = 0.5 * (p + q)
    # Assume p, q, m are normalized numpy arrays representing the categorical distribution
    kl_p = np.sum(p * np.log2(p / m, where=(p != 0)))
    kl_q = np.sum(q * np.log2(q / m, where=(q != 0)))
    return 0.5 * (kl_p + kl_q)

def audit_endpoint(endpoint_samples, reference_fingerprint, threshold=0.25):
    """
    Verifies if endpoint samples match the reference fingerprint.
    endpoint_samples: Dict mapping (task, lang) -> list of normalized responses
    reference_fingerprint: Dict mapping (task, lang) -> dict of token probabilities
    """
    jsd_scores = []
    
    for (task, lang), samples in endpoint_samples.items():
        if len(samples) < 10:
            continue
            
        # Compute empirical distribution from endpoint
        unique, counts = np.unique(samples, return_counts=True)
        emp_dist = dict(zip(unique, counts / len(samples)))
        
        # Align vocabularies between empirical and reference distributions
        ref_dist = reference_fingerprint.get((task, lang), {})
        all_tokens = list(set(emp_dist.keys()) | set(ref_dist.keys()))
        
        p = np.array([emp_dist.get(t, 0.0) for t in all_tokens])
        q = np.array([ref_dist.get(t, 0.0) for t in all_tokens])
        
        jsd_scores.append(compute_jsd(p, q))
        
    mean_jsd = np.mean(jsd_scores)
    
    # Reject endpoint if mean JSD exceeds the calibrated threshold
    is_genuine = mean_jsd <= threshold
    return is_genuine, mean_jsd

Key Results

The evaluation spanned 165 models served on OpenRouter across 53 providers, totaling 326,047 API requests.

The paper's results (detailed in Section VI and Figures 3 and 4) prove that single-token outputs are highly non-uniform (median cell entropy of only 1.00 bit, compared to a uniform baseline of 6.64 bits for the 1–100 number task).

1. Verification Accuracy vs. Query Budget

Table III details how the Equal Error Rate (EER) scales when restricting the audit to a random subset of kk cells:

Number of Probe Cells (kk) Total Output Tokens (at n=15n=15) Equal Error Rate (EER) 90% Confidence Band
1 (e.g., English numbers only) 15 23.3% 14% – 40%
4 60 13.2% 9% – 18%
8 120 10.6% 8% – 14%
16 240 9.5% 8% – 12%
32 480 8.4% 7% – 10%
40 (Full Battery) 600 7.3%

2. Lineage Recovery (Nearest Neighbor)

Using average-linkage hierarchical clustering (shown in Figure 2), the authors evaluated if family origins could be parsed from the fingerprint.

  • Leave-One-Out 1-NN Classification Accuracy: 59.5% against an 18.4% random baseline.
  • glm lineage precision: 1.00 (Recall: 0.83).
  • gpt lineage precision: 0.70 (Recall: 0.90).

3. Real-World Ecosystem Anomalies Uncovered

When applied to production deployments on OpenRouter, the fingerprint exposed several stark deviations (Section VI-D):

Target Endpoint Claimed Identity Nearest Fingerprint Match Observed JSD Status / Interpretation
writer/palmyra-x5 Proprietary, in-house flagship qwen/qwen3-235b-a22b-2507 0.141 Identity Anomaly: Distributionally indistinguishable from Qwen. Lies well within the genuine same-model distance median (0.140).
deepcogito/cogito-v2.1-671b Unlabeled lineage DeepSeek V3 checkpoints 0.268 – 0.308 Lineage Confirmed: Confirms undocumented base weights are DeepSeek.
meta-llama/llama-3.2-3b-instruct Cloudflare deployment vs. Parasail Self (Different provider) 0.716 Deployment Anomaly: Exceeds the 5th percentile of different-model (impostor) distances.
openai/gpt-4 Azure Hosted vs. OpenAI First-Party Self (Different provider) 0.392 Deployment Anomaly: Significant structural shifts introduced by host-specific configurations.

Limitations & Open Questions

While highly efficient, the protocol suffers from several notable constraints that safety teams and security auditors must keep in mind:

  1. The Reasoning Model Blindspot: The method relies on direct, single-pass completions. For frontier reasoning models (such as OpenAI's o-series), enforcing a strict max_tokens=16 cap or disabling reasoning is either rejected by the API or forces the model into a completely different operational state. Fingerprinting these models on their final answer requires a much larger token budget to bypass the intermediate chain-of-thought phase.
  2. Serving-Stack Jitter: As demonstrated by the gpt-4 Azure-vs-OpenAI anomaly (JSD = 0.392), minor differences in infrastructure, such as hardware-level quantization, system prompt parsing engines, or custom decoding parameters, can shift fingerprint distributions. This raises the false positive rate for multi-cloud deployments unless reference fingerprints are registered for every specific host.
  3. Temporal Drift: Behavioral fingerprints drift over time as providers deploy stealthy, unannounced weight updates or alignment patches. Auditors must continuously rebuild reference profiles to maintain calibration.
  4. Lineage Erasure via Alignment: As shown by nvidia/llama-3.3-nemotron-super-49b-v1.5 (which clustered closer to Qwen than Llama, exhibiting a JSD of 0.303), intensive post-training can entirely overwrite a base model's behavioral priors. Lineage tracking cannot, therefore, be guaranteed for highly customized derivatives.

What Practitioners Should Do

If you are running production operations over third-party API aggregators or managing a high-volume LLM routing stack, you should implement the following steps:

1. Build an Automated Audit Pipeline

Integrate a weekly, low-frequency cron job that queries your critical providers using an 8-cell subset of the random-choice battery (at n=15n=15 per cell, costing less than a penny). Maintain a moving average of the JSD. If JSD spikes past the calibrated threshold (e.g., 0.250.25), trigger an alert for potential backend model substitution.

2. Enforce Strict Decoding Controls

When running audits, explicitly override provider-side defaults to ensure you are sampling the raw output distribution:

  • Hard-code temperature=1.0.
  • Set max_tokens=16 to minimize generated output.
  • Pass explicit headers or body fields to disable optional reasoning modes.

3. Implement Cache-Busting Mechanisms

As detailed in Section VII-C, response-level caching can artificially collapse your observed output distributions. Ensure your audit queries bypass provider filters and caches by sampling from an open-ended paraphrase family of the prompts, rather than querying the exact same string repeatedly:

import random

# Illustrative conceptual example of paraphrased prompts for the same task
paraphrases = [
    "Name a random number between 1 and 100.",
    "Give me a random number from 1 to 100.",
    "Pick a random number between 1 and 100.",
    "Choose a random number from 1 to 100."
]
prompt = random.choice(paraphrases)

4. Monitor Latency Signatures

Cross-reference your distributional audits with latency metrics. A sudden drop in median response latency coupled with a collapse in distribution variance indicates that the provider is serving cached responses or substituting a highly distilled/smaller model variant.


The Takeaway

Model behavior is a highly sensitive, low-cost forensic signature. In an era where commercial LLM APIs are completely opaque, ensuring model integrity does not require access to protected weights or expensive long-form generations. By auditing the statistical quirks of single-token outputs, enterprise consumers can cheaply force dishonest providers to choose between maintaining serving integrity or getting caught red-handed.


Den's Take

I love the sheer elegance of this approach. Instead of burning compute on long text generations or demanding logit access—which commercial API aggregators rarely grant anyway—this protocol exploits LLMs' inherent, idiosyncratic inability to produce true randomness. Grounding the verification in the first-token distribution of trivial, random-choice questions is a clever way to bypass prompt filtering attacks, as these queries look entirely innocuous.

The economics are incredibly compelling for real-world deployments. Achieving a 10.6% Equal Error Rate (EER) with just 8 probes for less than $0.01 per audit makes continuous validation highly viable for high-throughput applications.

However, we must be realistic about the limitations. Even scaling up to a 40-cell probe battery only drops the EER to 7.3%. A 7.3% error rate is still far too high for automated, zero-tolerance enforcement; you will face frequent false positives that disrupt service if you trigger automatic circuit breakers based on these audits alone.

I've previously explored how deep neural networks can be backdoor-corrupted, which underscores why we need lightweight, black-box validation techniques to ensure providers aren't quietly serving degraded weights. Ultimately, this is a highly practical diagnostic tool for the AI security stack, but we need further statistical optimization before we can rely on it as a standalone, automated security gate.

Share

Comments

Page views are tracked via Google Analytics for content improvement.