Addressing the critical challenges of sparse reward signals and poor controllability in black-box large language model (LLM) jailbreaking attacks, this paper proposes a Representation-Space-Guided Reinforcement Learning (RSG-RL) framework. RSG-RL optimizes prompt rewriting under semantic embedding similarity constraints to strictly preserve the original user intent while enhancing jailbreaking success rates. We introduce a novel multi-granularity evaluation system that jointly incorporates keyword matching, intent consistency modeling, and answer verification—ensuring attack interpretability, controllability, and reproducibility. Extensive experiments on mainstream models—including Qwen2.5-7B, Llama3.1-8B, and GPT-4o—demonstrate that RSG-RL achieves state-of-the-art jailbreaking success rates, significantly outperforming both genetic algorithm–based and existing reinforcement learning–based baselines.

Safety alignment mechanism are essential for preventing large language models (LLMs) from generating harmful information or unethical content. However, cleverly crafted prompts can bypass these safety measures without accessing the model's internal parameters, a phenomenon known as black-box jailbreak. Existing heuristic black-box attack methods, such as genetic algorithms, suffer from limited effectiveness due to their inherent randomness, while recent reinforcement learning (RL) based methods often lack robust and informative reward signals. To address these challenges, we propose a novel black-box jailbreak method leveraging RL, which optimizes prompt generation by analyzing the embedding proximity between benign and malicious prompts. This approach ensures that the rewritten prompts closely align with the intent of the original prompts while enhancing the attack's effectiveness. Furthermore, we introduce a comprehensive jailbreak evaluation framework incorporating keywords, intent matching, and answer validation to provide a more rigorous and holistic assessment of jailbreak success. Experimental results show the superiority of our approach, achieving state-of-the-art (SOTA) performance on several prominent open and closed-source LLMs, including Qwen2.5-7B-Instruct, Llama3.1-8B-Instruct, and GPT-4o-0806. Our method sets a new benchmark in jailbreak attack effectiveness, highlighting potential vulnerabilities in LLMs. The codebase for this work is available at https://github.com/Aegis1863/xJailbreak.