
A Semantic Invariant Robust Watermark for Large Language Models

Aiwei Liu, Leyi Pan, Xuming Hu, Shiao Meng, Lijie Wen

TL;DR

The paper tackles the trade-off in LLM watermarking between attack robustness and security robustness by introducing semantic invariant robust watermarking (SIR). SIR derives watermark logits from the semantics of the preceding text using an embedding model and a trainable watermark model, with a dual-loss setup that keeps the logits semantically consistent, unbiased, and balanced, and detects watermarks via a $z$-statistic. Empirical results show SIR achieves attack robustness close to KGW-1 while improving security robustness and maintaining text quality, across paraphrase, synonym substitution, and spoofing attacks, with parallelizable generation. The work offers a practical, scalable approach to watermarking that resists semantic alterations and watermark cracking, with potential for multilingual expansion and better embedding models.

Abstract

Watermark algorithms for large language models (LLMs) have achieved extremely high accuracy in detecting text generated by LLMs. Such algorithms typically involve adding extra watermark logits to the LLM's logits at each generation step. However, prior algorithms face a trade-off between attack robustness and security robustness. This is because the watermark logits for a token are determined by a certain number of preceding tokens; a small number leads to low security robustness, while a large number results in insufficient attack robustness. In this work, we propose a semantic invariant watermarking method for LLMs that provides both attack robustness and security robustness. The watermark logits in our work are determined by the semantics of all preceding tokens. Specifically, we utilize another embedding LLM to generate semantic embeddings for all preceding tokens, and these semantic embeddings are then transformed into the watermark logits through our trained watermark model. Subsequent analyses and experiments demonstrate the attack robustness of our method in semantically invariant settings: synonym substitution and text paraphrasing. Finally, we also show that our watermark possesses adequate security robustness. Our code and data are available at https://github.com/THU-BPM/Robust_Watermark. Additionally, our algorithm can also be accessed through MarkLLM (Pan et al., 2024; https://github.com/THU-BPM/MarkLLM).
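The detection side described above, as an added example that is not the paper's code: green/red flags are derived from the sign of per-token watermark logits (as in Figure 4), the share of green tokens is turned into a $z$-statistic under the balanced null hypothesis (gamma = 0.5), and a simplified KGW-k stand-in shows why a k-token hashing context makes a single substitution disturb up to k + 1 flags. The watermark logits, the hash-based green list and the key are constructed stand-ins, not the trained watermark model.

```python
import hashlib
import math

# Constructed sample: per-token watermark logits as SIR's watermark model would
# emit them (values are made up; the real model is trained, see the paper).
SAMPLE_WATERMARK_LOGITS = [0.8, 0.3, -0.2, 0.9, 0.1, 0.6, -0.4, 0.7, 0.5, 0.2]

def z_score(green_count, total, gamma=0.5):
    """One-sided z-statistic for the share of green tokens. Under the null
    (unwatermarked text) each token is green with probability gamma; SIR's
    normalization loss targets balanced logits, hence gamma = 0.5."""
    if total == 0:
        return 0.0
    return (green_count - gamma * total) / math.sqrt(total * gamma * (1 - gamma))

def sir_green_flags(watermark_logits):
    """SIR marks a token green when its watermark logit is > 0 (Figure 4)."""
    return [w > 0 for w in watermark_logits]

def detect(flags, threshold=4.0):
    """Return (z, is_watermarked) for a list of green/red flags."""
    z = z_score(sum(flags), len(flags))
    return z, z > threshold

def kgw_green_flags(tokens, k, key="constructed-key"):
    """Simplified KGW-k stand-in (not the paper's code): token i is green
    when a keyed hash of its k preceding tokens plus itself is even."""
    flags = []
    for i in range(k, len(tokens)):
        ctx = "|".join(tokens[i - k:i + 1])
        digest = hashlib.sha256((key + ctx).encode()).digest()
        flags.append(digest[0] % 2 == 0)
    return flags

def flags_changed_by_substitution(tokens, pos, replacement, k):
    """Count how many KGW-k green flags flip when one token is replaced.
    With a k-token context the replaced token can disturb at most k + 1 flags,
    which is the attack-robustness weakness SIR avoids by conditioning on the
    semantics of the whole prefix instead of a fixed token window."""
    before = kgw_green_flags(tokens, k)
    edited = list(tokens)
    edited[pos] = replacement
    after = kgw_green_flags(edited, k)
    return sum(a != b for a, b in zip(before, after))
```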

Paper Structure (27 sections, 14 equations, 10 figures, 6 tables, 1 algorithm)

Figures (10)

  • Figure 1: An illustration of our semantic invariant robust watermarking method. Text is input into a generative LLM for token logits and an embedding LLM for text embedding. The embedding is converted into watermark logits via the Watermark Model. LLM logits and watermark logits are then combined for final logits, which decode the next token using any method.
  • Figure 2: The left figure shows how detection accuracy changes for different watermark models as the synonym replacement ratio increases. The middle figure shows the correlation between embedding similarity generated by the embedding model and the similarity of the generated watermark logits. The right figure illustrates watermark logits with and without the normalization loss.
  • Figure 3: The left figure depicts the trade-off between security robustness and attack robustness across different watermarking algorithms. The right figure shows the text quality generated by language models with different watermarking methods (measured by text perplexity).
  • Figure 4: This figure shows examples of our watermark method and the KGW-1 method when using the same prompt. It contrasts detection on the unmodified text with detection on text rewritten by GPT-3.5. All texts are generated using the LLaMA-7B model. In our method, tokens with a watermark logit value greater than 0 are marked in green (corresponding to green tokens in the KGW-1 method).
  • Figure 5: This figure shows examples of the KGW-2 method and the KGW-4 method when using the same prompt. The other settings of this figure are identical to Figure 4.
  • ...and 5 more figures