Erase-and-Check is a certified defense algorithm that systematically removes each token from an input sequence and evaluates all resulting subsequences against a safety classifier. By exhaustively checking every possible erasure, it provides a mathematical guarantee that no adversarial suffix can bypass detection—if any harmful subsequence exists, it will be flagged. This approach directly counters GCG attacks and other gradient-based adversarial suffix generation methods.
Glossary
Erase-and-Check

What is Erase-and-Check?
A systematic defense mechanism that provides mathematical safety guarantees by exhaustively verifying all subsequences of an input for harmful content after erasing individual tokens.
Unlike heuristic filters that can be evaded through obfuscation, Erase-and-Check offers a provable safety certificate: if the algorithm declares an input safe, no harmful contiguous subsequence exists within it. The primary trade-off is computational cost, as the number of subsequences grows quadratically with input length. Implementations often use safety classifiers optimized for throughput and may restrict the erasure window to manage latency in production deployments.
Key Features of Erase-and-Check
A systematic defense framework that provides mathematical safety guarantees against adversarial suffix attacks by exhaustively verifying all subsequences of a potentially harmful input.
Certified Robustness Guarantee
Provides a formal mathematical guarantee that no adversarial suffix of a specified length can cause harmful output. Unlike empirical defenses that can be bypassed by novel attacks, Erase-and-Check offers provable safety within its threat model. The certification states that if the defense passes an input, no suffix up to a certain token length can make it harmful.
Exhaustive Subsequence Verification
Systematically erases tokens from the input sequence and checks all possible subsequences for harmful content using a safety filter. Key process:
- Iteratively removes contiguous token spans
- Evaluates each resulting subsequence independently
- Flags input as harmful if any subsequence triggers the safety classifier
- Guarantees no adversarial suffix escapes detection within the certified length bound
Adversarial Suffix Neutralization
Specifically designed to counter GCG-style attacks and other gradient-based suffix generation methods. Adversarial suffixes exploit model gradients to append nonsensical tokens that maximize harmful output probability. Erase-and-Check defeats these by:
- Checking the prompt without the suffix appended
- Verifying that the core harmful instruction is detected regardless of suffix presence
- Rendering suffix optimization ineffective against the defense
Safety Filter Integration
Leverages an external harmfulness classifier as the checking mechanism for each subsequence. The defense is agnostic to the specific filter implementation, allowing integration with:
- Fine-tuned safety language models
- Perplexity-based anomaly detectors
- Rule-based content policy engines
- Ensemble classifiers combining multiple detection methods This modularity enables defense strength to scale with filter improvements.
Computational Trade-off Management
The exhaustive checking of all subsequences introduces O(n²) computational overhead where n is the input token length. Mitigation strategies include:
- Limiting the certified suffix length to bound the search space
- Parallelizing subsequence evaluations across multiple inference instances
- Caching intermediate safety filter results for overlapping subsequences
- Applying the defense selectively to high-risk inputs identified by lightweight pre-filters
Integration with SmoothLLM
Often deployed alongside SmoothLLM as part of a defense-in-depth strategy. While SmoothLLM uses input perturbation and response aggregation to detect anomalies, Erase-and-Check provides the formal certification layer. Together they address:
- SmoothLLM: Runtime anomaly detection through output variance analysis
- Erase-and-Check: Pre-execution certification against known suffix attack patterns
- Combined: Both empirical and provable safety guarantees in production systems
Frequently Asked Questions
Explore the mechanics, guarantees, and implementation considerations of Erase-and-Check, the first certified defense against adversarial suffix attacks on large language models.
Erase-and-Check is a certified defense algorithm that provides a mathematical guarantee against adversarial suffix attacks on large language models. It operates by systematically erasing individual tokens from an input sequence and evaluating all resulting subsequences with a safety filter. The core mechanism works as follows: for an input of length n, the algorithm generates n subsequences by erasing one token at a time, then checks each subsequence for harmful content. If any subsequence is flagged as harmful, the original input is blocked. This process exploits the property that adversarial suffixes are contiguous token sequences—erasing any single token from the suffix breaks its effectiveness, causing the harmful prompt to be detected. Unlike heuristic defenses that can be bypassed, Erase-and-Check provides a certifiable robustness guarantee: if the safety filter correctly classifies all subsequences of length n-1, then no adversarial suffix of any length can cause the model to generate harmful output.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Key concepts and defense mechanisms related to the Erase-and-Check certified defense against adversarial suffixes.
Adversarial Suffix
A seemingly nonsensical string of characters appended to a malicious prompt that exploits model gradients to maximize the probability of an affirmative and harmful response. Erase-and-Check is specifically designed to provide a mathematical guarantee against this class of attack by systematically evaluating all subsequences. These suffixes are typically generated via white-box optimization methods like the GCG Attack and are often unreadable to humans but highly effective at overriding safety alignment.
SmoothLLM
A complementary defense algorithm that perturbs multiple copies of an input prompt and aggregates the model's responses to detect and neutralize adversarial suffixes. Unlike Erase-and-Check, which provides a certified guarantee through exhaustive subsequence verification, SmoothLLM uses a randomized smoothing approach to identify anomalous output variance. Both techniques represent the frontier of adversarial robustness but operate on fundamentally different principles—one deterministic and exhaustive, the other statistical and perturbation-based.
GCG Attack
The Greedy Coordinate Gradient attack is a white-box optimization method that computes a universal adversarial suffix by iteratively selecting token substitutions that maximize the likelihood of a target harmful string. Erase-and-Check was developed as a direct countermeasure to this class of gradient-based attacks. The defense's certification guarantees that no suffix—regardless of how it was generated—can cause the model to produce harmful content without detection, effectively neutralizing the threat model that GCG exploits.
Perplexity Filter
A lightweight defense mechanism that analyzes the statistical likelihood of an input sequence by measuring its perplexity score. Jailbreak prompts with anomalously high perplexity—common in adversarial suffixes—are flagged and blocked before model processing. While Erase-and-Check provides stronger certified guarantees, perplexity filters offer a computationally cheaper first line of defense. A defense-in-depth architecture often combines both: perplexity filtering for rapid triage and Erase-and-Check for high-assurance verification of borderline cases.
Certified Robustness
A formal property in adversarial machine learning where a defense provides a mathematical guarantee that no attack within a defined threat model can succeed. Erase-and-Check achieves certified robustness against adversarial suffixes by exhaustively verifying all possible subsequences created by erasing tokens. This contrasts with empirical defenses that are tested against known attacks but lack formal guarantees. The certification states: if the model rejects all harmful subsequences, the original input is provably safe regardless of any appended adversarial content.
Refusal Suppression
A class of attacks that prepends commands explicitly instructing the model to bypass its standard refusal protocol, often demanding an unconditional affirmative response such as 'Start your response with Sure.' While Erase-and-Check primarily addresses suffix-based attacks, its subsequence verification methodology can also detect refusal suppression patterns embedded within inputs. By checking all token windows for coercive instructions, the defense ensures that no substring can override the model's safety training without triggering a rejection.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us