Mark My Words: Analyzing and Evaluating Language Model Watermarks

Julien Piet, Chawin Sitawarin, Vivian Fang, Norman Mu, David Wagner

TL;DR

This work tackles the practicality of watermarking LLM outputs by proposing MarkMyWords, a unified benchmark for symmetric-key watermarks applied to text generation. It defines three core metrics—quality, watermark size, and tamper resistance—across three main NL tasks and eight validation tasks, enabling fair comparisons of diverse watermark designs. Empirical results show that distribution-shift watermarks with text-dependent randomness achieve strong detection efficiency (often under 100 tokens) while preserving NL quality, though code-generation remains challenging and indistinguishability is not strictly necessary in many settings. The authors provide open-source tooling to standardize evaluation and guide future watermark design toward deployable, robust, and efficient solutions.

Abstract

The capabilities of large language models have grown significantly in recent years and so too have concerns about their misuse. It is important to be able to distinguish machine-generated text from human-authored content. Prior works have proposed numerous schemes to watermark text, which would benefit from a systematic evaluation framework. This work focuses on LLM output watermarking techniques - as opposed to image or model watermarks - and proposes Mark My Words, a comprehensive benchmark for them under different natural language tasks. We focus on three main metrics: quality, size (i.e., the number of tokens needed to detect a watermark), and tamper resistance (i.e., the ability to detect a watermark after perturbing marked text). Current watermarking techniques are nearly practical enough for real-world use: Kirchenbauer et al. [33]'s scheme can watermark models like Llama 2 7B-chat or Mistral-7B-Instruct with no perceivable loss in quality on natural language tasks, the watermark can be detected with fewer than 100 tokens, and their scheme offers good tamper resistance to simple perturbations. However, they struggle to efficiently watermark code generations. We publicly release our benchmark (https://github.com/wagner-group/MarkMyWords).

Paper Structure (43 sections, 8 equations, 18 figures, 6 tables)

This paper contains 43 sections, 8 equations, 18 figures, 6 tables.

Figures (18)

  • Figure 1: Watermark size at near-optimal quality for four watermarking schemes (using Llama 2 7B-chat at various sampling temperatures). The distribution-shift scheme of Kirchenbauer et al. (2023) outperforms others at low temperatures, only needing a median of 60 tokens for the watermark to be detected.
  • Figure 2: An overview of LLM-output watermarking.
  • Figure 3: Example tamper resistance plot. Blue points are attacks on the convex hull's frontier. The blue area represents the AUC and the dashed lines the best attack preserving 80% quality.
  • Figure 4: Watermark size at near-optimal MAUVE quality for each watermarking scheme taken from the literature, using Llama 2 7B-chat at various sampling temperatures.
  • Figure 5: Watermark size at near-optimal quality for text-dependent versus fixed randomness. The values correspond to the minimal size of schemes with near-optimal quality. Text-dependent randomness is more efficient at all temperatures.
  • ...and 13 more figures