Prompt suffix-attack against text-to-image diffusion models

Text-to-image diffusion models (T2I DMs) have achieved excellent performance in image generation. However, the adversarial robustness of T2I DMs has not been sufficiently explored. Most existing works focus on guiding T2I DMs to generate not safe for work (NSFW) images, primarily aiming to bypass the safety checkers of T2I DMs rather than address the adversarial vulnerabilities inherent to the models themselves. While some existing studies have achieved perturbations in the content of the generated images by appending a certain number of suffix characters to the text prompts, which we call prompt suffix attack (PSA). However, they lack a systematic exploration of the underlying mechanisms of these attacks. In this work, we conduct a detailed study to better understand such character-level failure modes of the T2I DMs' text encoders. To achieve this, we investigate the performance of various PSA strategies targeting the text encoder of Stable Diffusion. We incorporate four established algorithms, namely Particle Swarm Optimization (PSO), Simulated Annealing (SA), Hotflip and GPT-based approaches. Furthermore, we propose an integrated gradient-free algorithm, G&S, and systematically compare its performance with existing methods using quantitative metrics and visualization techniques. Experimental results demonstrate that G&S achieves significant advantages in character-level perturbation attacks. Subsequently, we use G&S to investigate the mechanism behind the character-level failure modes of SD's text encoder, attributing these vulnerabilities to two key factors: the fragility of contextual encoding and the nonlinear effects within the semantic space. Additionally, through extensive experiments in both gray-box and black-box settings, we demonstrate that this vulnerability in text encoder is pervasive across T2I DMs, offering new insights for future research on the robustness of T2I DMs.