{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:JRQQOFBLXTVMYMF6NHOWZ5XGWN","short_pith_number":"pith:JRQQOFBL","canonical_record":{"source":{"id":"2605.19159","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-18T22:25:47Z","cross_cats_sorted":[],"title_canon_sha256":"dccf564d3ea036e7825099b95aaf2b7db2d390558fd5af95495cd1a540b2aea5","abstract_canon_sha256":"15d0208511f69814e3c0860023863073a2763d6683aecb020e36fb48d330f8e6"},"schema_version":"1.0"},"canonical_sha256":"4c6107142bbceacc30be69dd6cf6e6b37a54abec4d1e97116f246b1b52f62766","source":{"kind":"arxiv","id":"2605.19159","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.19159","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"arxiv_version","alias_value":"2605.19159v1","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.19159","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"pith_short_12","alias_value":"JRQQOFBLXTVM","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"pith_short_16","alias_value":"JRQQOFBLXTVMYMF6","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"pith_short_8","alias_value":"JRQQOFBL","created_at":"2026-05-20T01:05:30Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:JRQQOFBLXTVMYMF6NHOWZ5XGWN","target":"record","payload":{"canonical_record":{"source":{"id":"2605.19159","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-18T22:25:47Z","cross_cats_sorted":[],"title_canon_sha256":"dccf564d3ea036e7825099b95aaf2b7db2d390558fd5af95495cd1a540b2aea5","abstract_canon_sha256":"15d0208511f69814e3c0860023863073a2763d6683aecb020e36fb48d330f8e6"},"schema_version":"1.0"},"canonical_sha256":"4c6107142bbceacc30be69dd6cf6e6b37a54abec4d1e97116f246b1b52f62766","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-20T01:05:30.882793Z","signature_b64":"FftSmegownESQ/zOQoVmMSn2dusn7jvhgJ/yUfv/aW6FTOdhuX10rIAkzbQtsYvlNi2tDc6DQ0BCn/eKJy5SDg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"4c6107142bbceacc30be69dd6cf6e6b37a54abec4d1e97116f246b1b52f62766","last_reissued_at":"2026-05-20T01:05:30.881972Z","signature_status":"signed_v1","first_computed_at":"2026-05-20T01:05:30.881972Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2605.19159","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-20T01:05:30Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"dg7KREnGDrvdNjxGFSOUNl9kEtO3uNfpRUVbRVyE1FaDr45psNUS7RKmHjkyZ2fTH6kRX+nls05OUVVMTq0vBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-27T14:57:05.270686Z"},"content_sha256":"379c9e83d64fd604415b25421080bc7007cf1e856f91d862c0989e0244911dd2","schema_version":"1.0","event_id":"sha256:379c9e83d64fd604415b25421080bc7007cf1e856f91d862c0989e0244911dd2"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:JRQQOFBLXTVMYMF6NHOWZ5XGWN","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"On the Geometric Limits of Transformer Defenses against Obfuscation Attacks: Latent Embedding Collapse & Performance Robustness Gap","license":"http://creativecommons.org/licenses/by/4.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Becky Mashaido, Tapadhir Das","submitted_at":"2026-05-18T22:25:47Z","abstract_excerpt":"Prompt injection attacks pose significant risks to language model safety, yet existing defenses are typically evaluated using classification performance. We show that high detection performance does not imply representational robustness. Specifically, multi-operator obfuscated prompts (combining homoglyphs, zero-width characters, and punctuation or emoji noise) can partially collapse onto the embedding manifold of clean prompts, a phenomenon we term latent embedding collapse. Results indicate that across multiple BERT family encoders with varying depth and capacity, detectors achieve near-perf"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.19159","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.19159/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-20T01:05:30Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"Kv4nn3WW4eCRZXAvTjAPPdggt47CYIjZOa35Jl3ELXDXOha4QZh1zJwi3pQWsUtSpfHi9OKnNObNAFIAxa83CA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-27T14:57:05.271337Z"},"content_sha256":"7d0d4e5c6923ac1a75b9b9387fe278add0ea17edabff6b9630080d260980aeb9","schema_version":"1.0","event_id":"sha256:7d0d4e5c6923ac1a75b9b9387fe278add0ea17edabff6b9630080d260980aeb9"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/JRQQOFBLXTVMYMF6NHOWZ5XGWN/bundle.json","state_url":"https://pith.science/pith/JRQQOFBLXTVMYMF6NHOWZ5XGWN/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/JRQQOFBLXTVMYMF6NHOWZ5XGWN/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-27T14:57:05Z","links":{"resolver":"https://pith.science/pith/JRQQOFBLXTVMYMF6NHOWZ5XGWN","bundle":"https://pith.science/pith/JRQQOFBLXTVMYMF6NHOWZ5XGWN/bundle.json","state":"https://pith.science/pith/JRQQOFBLXTVMYMF6NHOWZ5XGWN/state.json","well_known_bundle":"https://pith.science/.well-known/pith/JRQQOFBLXTVMYMF6NHOWZ5XGWN/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:JRQQOFBLXTVMYMF6NHOWZ5XGWN","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"15d0208511f69814e3c0860023863073a2763d6683aecb020e36fb48d330f8e6","cross_cats_sorted":[],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-18T22:25:47Z","title_canon_sha256":"dccf564d3ea036e7825099b95aaf2b7db2d390558fd5af95495cd1a540b2aea5"},"schema_version":"1.0","source":{"id":"2605.19159","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.19159","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"arxiv_version","alias_value":"2605.19159v1","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.19159","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"pith_short_12","alias_value":"JRQQOFBLXTVM","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"pith_short_16","alias_value":"JRQQOFBLXTVMYMF6","created_at":"2026-05-20T01:05:30Z"},{"alias_kind":"pith_short_8","alias_value":"JRQQOFBL","created_at":"2026-05-20T01:05:30Z"}],"graph_snapshots":[{"event_id":"sha256:7d0d4e5c6923ac1a75b9b9387fe278add0ea17edabff6b9630080d260980aeb9","target":"graph","created_at":"2026-05-20T01:05:30Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2605.19159/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Prompt injection attacks pose significant risks to language model safety, yet existing defenses are typically evaluated using classification performance. We show that high detection performance does not imply representational robustness. Specifically, multi-operator obfuscated prompts (combining homoglyphs, zero-width characters, and punctuation or emoji noise) can partially collapse onto the embedding manifold of clean prompts, a phenomenon we term latent embedding collapse. Results indicate that across multiple BERT family encoders with varying depth and capacity, detectors achieve near-perf","authors_text":"Becky Mashaido, Tapadhir Das","cross_cats":[],"headline":"","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-18T22:25:47Z","title":"On the Geometric Limits of Transformer Defenses against Obfuscation Attacks: Latent Embedding Collapse & Performance Robustness Gap"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.19159","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:379c9e83d64fd604415b25421080bc7007cf1e856f91d862c0989e0244911dd2","target":"record","created_at":"2026-05-20T01:05:30Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"15d0208511f69814e3c0860023863073a2763d6683aecb020e36fb48d330f8e6","cross_cats_sorted":[],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-18T22:25:47Z","title_canon_sha256":"dccf564d3ea036e7825099b95aaf2b7db2d390558fd5af95495cd1a540b2aea5"},"schema_version":"1.0","source":{"id":"2605.19159","kind":"arxiv","version":1}},"canonical_sha256":"4c6107142bbceacc30be69dd6cf6e6b37a54abec4d1e97116f246b1b52f62766","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"4c6107142bbceacc30be69dd6cf6e6b37a54abec4d1e97116f246b1b52f62766","first_computed_at":"2026-05-20T01:05:30.881972Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-20T01:05:30.881972Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"FftSmegownESQ/zOQoVmMSn2dusn7jvhgJ/yUfv/aW6FTOdhuX10rIAkzbQtsYvlNi2tDc6DQ0BCn/eKJy5SDg==","signature_status":"signed_v1","signed_at":"2026-05-20T01:05:30.882793Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.19159","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:379c9e83d64fd604415b25421080bc7007cf1e856f91d862c0989e0244911dd2","sha256:7d0d4e5c6923ac1a75b9b9387fe278add0ea17edabff6b9630080d260980aeb9"],"state_sha256":"8d69788758ce7b8a76ce7a9613b8473c42732a133749817670f46d771a608aea"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"cDnEHFE7Xslt9wnADEMPdBt+o2m6sseCcB/8F2P6j+6wJRO1qpx7kcdiWIf/Obqvg/QaIf0KBM7Cupxlj1YeDg==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-27T14:57:05.274848Z","bundle_sha256":"5689ce52f50da8167de7be71975e4020b87c35c5a96a468930cb59d4933dc26d"}}