Cross-Attention Watermarking of Large Language Models
Folco Bertini Baldassini, Huy H. Nguyen, Ching-Chung Chang, Isao Echizen
TL;DR
This work introduces linguistic watermarking for large language models by embedding information directly into generated text via a cross-attention watermark embedder, enabling blind verification without altering model outputs substantially. It presents two integration strategies—gated cross-attention and decoder-layer substitution—to minimize performance impact, along with a bidirectional extractor for binary watermark recovery. Verification relies on message embedding or a fixed watermark vector and uses probabilistic testing (p-values) to assess watermark presence under potential adversarial modifications. Training incorporates robustness strategies, including noise injection and paraphrase attacks, showing a measurable tradeoff between watermark robustness and text quality, and suggesting practical paths for integrating watermarking into model development and deployment.
Abstract
A new approach to linguistic watermarking of language models is presented in which information is imperceptibly inserted into the output text while preserving its readability and original meaning. A cross-attention mechanism is used to embed watermarks in the text during inference. Two methods using cross-attention are presented that minimize the effect of watermarking on the performance of a pretrained model. Exploration of different training strategies for optimizing the watermarking and of the challenges and implications of applying this approach in real-world scenarios clarified the tradeoff between watermark robustness and text quality. Watermark selection substantially affects the generated output for high entropy sentences. This proactive watermarking approach has potential application in future model development.