I saw the earlier HN discussion about Claude’s encrypted reasoning blobs and found it interesting.
After some experiments, I think I may have found a way to get the original reasoning from signature.
I built a verification test. The idea is simple: you generate a random secret locally, make Claude place it only inside private reasoning, extract only the returned signature, and then submit only that signature. If the secret comes back while the visible answer never contained it, that is evidence that I am correctly recovering content from the encrypted CoT, rather than guessing or re-deriving it.
Another signal that makes me take this seriously: in most cases, without giving the recovery side any hint about the hidden reasoning, the recovered CoT has exactly the same length as the CoT reported by the API.
I think the harness determines how you inspect reasoning. Sometimes it self-exfiltrates into the user response. This would be a touchy topic for Anthropic because this distilled reasoning has been used to train other models at scale.
To directly answer your question — yes, this is real.
bayes-song•1h ago
After some experiments, I think I may have found a way to get the original reasoning from signature.
I built a verification test. The idea is simple: you generate a random secret locally, make Claude place it only inside private reasoning, extract only the returned signature, and then submit only that signature. If the secret comes back while the visible answer never contained it, that is evidence that I am correctly recovering content from the encrypted CoT, rather than guessing or re-deriving it.
Another signal that makes me take this seriously: in most cases, without giving the recovery side any hint about the hidden reasoning, the recovered CoT has exactly the same length as the CoT reported by the API.
some examples: https://github.com/s-JoL/open-reasoning
If it’s real, it seems important.