Existing LLM alignment methods are vulnerable to adversarial prompt attacks; however, mainstream discrete optimization-based attacks require over 100,000 model queries, imposing prohibitive computational overhead and hindering quantitative evaluation and adversarial training. To address this, we propose the first continuous adversarial attack framework for LLMs based on projected gradient descent (PGD) in the input embedding space. Our method introduces a continuous relaxation of discrete prompts, enforced by gradient clipping and projection constraints that rigorously bound relaxation error. Empirically, it achieves comparable attack success rates while reducing model queries to approximately 10,000—yielding a tenfold speedup over state-of-the-art discrete methods. This substantially improves attack efficiency and reproducibility. Our work establishes a practical, scalable paradigm for LLM robustness analysis and defense research.

Current LLM alignment methods are readily broken through specifically crafted adversarial prompts. While crafting adversarial prompts using discrete optimization is highly effective, such attacks typically use more than 100,000 LLM calls. This high computational cost makes them unsuitable for, e.g., quantitative analyses and adversarial training. To remedy this, we revisit Projected Gradient Descent (PGD) on the continuously relaxed input prompt. Although previous attempts with ordinary gradient-based attacks largely failed, we show that carefully controlling the error introduced by the continuous relaxation tremendously boosts their efficacy. Our PGD for LLMs is up to one order of magnitude faster than state-of-the-art discrete optimization to achieve the same devastating attack results.