Can someone who understands this work explain why using a range (de)coder to uncompress your ciphertext into the GPT2 generated distribution (in other words the most obvious construction for the case when the sender and receiver have the model) is insufficient to achieve perfect security by their definition?
I think it's the LLM (GPT2) link that makes this interesting to most since it allows relatively high data rate hidden/deniable communication through text interfaces.