
Provably Robust Watermarks for Open-Source Language Models

Miranda Christ, Sam Gunn, Tal Malkin, Mariana Raykova

TL;DR

This work introduces the first watermarking scheme for open-source LLMs: the scheme embeds the watermark by modifying the model's parameters, yet the watermark can be detected from the model's outputs alone, and the authors prove it is unremovable under certain assumptions about the adversary's knowledge.

Abstract

The recent explosion of high-quality language models has necessitated new methods for identifying AI-generated text. Watermarking is a leading solution and could prove to be an essential tool in the age of generative AI. Existing approaches embed watermarks at inference and crucially rely on the large language model (LLM) specification and parameters being secret, which makes them inapplicable to the open-source setting. In this work, we introduce the first watermarking scheme for open-source LLMs. Our scheme works by modifying the parameters of the model, but the watermark can be detected from just the outputs of the model. Perhaps surprisingly, we prove that our watermarks are unremovable under certain assumptions about the adversary's knowledge. To demonstrate the behavior of our construction under concrete parameter instantiations, we present experimental results with OPT-6.7B and OPT-1.3B. We demonstrate robustness to both token substitution and perturbation of the model parameters. We find that the stronger of these attacks, the model-perturbation attack, requires deteriorating the quality score to 0 out of 100 in order to bring the detection rate down to 50%.

Paper Structure

This paper contains 19 sections, 5 theorems, 28 equations, 7 figures, 4 algorithms.

Key Result

Theorem 1

Let $I$ be the $n \times n$ identity matrix, and let $\mathcal{C}$ be such that the adversary's posterior distribution over the original content $\vec{w}^*$ after seeing $\vec{w}_{\mathsf{wat}}$ is $\mathcal{N}(0, \varepsilon^2 I)$. Let the loss

Figures (7)

  • Figure 1: Watermarked content generator $\mathsf{Setup}$
  • Figure 2: True positive detection rates for responses generated by OPT-1.3B, with our watermark applied under varying perturbation magnitudes (epsilon). The "Inner Product Detector" is our $\mathsf{TextDetect}$ detector, and the "Count Detector" is a baseline detector that we compare to.
  • Figure 3: (a): Detection rates for adversarially perturbed watermarked OPT-6.7B models, to simulate a removal attack. The x-axis plots the epsilon parameter used in the watermark. The three curves show detection rates for models obtained by adding additional Gaussian noise to the biases, of standard deviation 1, 2, and 5 times epsilon. (b): Quality scores of watermarked texts generated with various parameters of epsilon, under the same perturbation attacks. The quality score of unwatermarked text was 59.933.
  • Figure 4: Detection rates for texts produced by a watermarked OPT-6.7B model and subjected to a substitution attack. The x-axis plots the fraction of tokens that are substituted. The curves show detection rates for varying epsilon parameters of the watermark.
  • Figure 5: Quality scores of watermarked texts generated with various parameters of epsilon. The quality score of unwatermarked text was 59.933.
  • ...and 2 more figures
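The abstract and the Figure 3 caption describe the model-perturbation attack: the adversary adds Gaussian noise of standard deviation 1, 2 or 5 times epsilon to the watermarked parameters, and Theorem 1 measures the adversary's uncertainty about the original parameters as $\mathcal{N}(0, \varepsilon^2 I)$ with quality measured by the Euclidean ($L_2$) loss of Definition 6. The following pure-Python toy is an added example, not the paper's code or construction: it models the watermark as a Gaussian key vector of standard deviation eps added to a parameter vector, detects it with a normalised inner product read directly from the parameters (an assumption; the paper's $\mathsf{TextDetect}$ works from generated text, which this toy does not model), and reports how much Euclidean loss the attacker must pay to push the detection rate toward 50%. The parameter vector, dimension n, threshold rule and trial counts are all constructed here for illustration.

```python
"""Toy simulation of a Gaussian-perturbation watermark under a
model-perturbation removal attack (added example, not the paper's scheme).

Assumptions not taken from the page:
  * key delta ~ N(0, eps^2 I) is added to an n-dimensional parameter vector w*
  * the detector knows w* and delta and reads the attacked parameters directly
  * quality loss is the Euclidean distance ||w - w*||_2 (Definition 6 style)
  * the detection threshold is half the expected unattacked statistic
"""
import math
import random


def watermark(w_star, eps, rng):
    """Return (w_wat, delta) with w_wat = w* + delta and delta ~ N(0, eps^2 I)."""
    delta = [rng.gauss(0.0, eps) for _ in w_star]
    return [w + d for w, d in zip(w_star, delta)], delta


def perturb(w, sigma, rng):
    """Removal attack: add independent Gaussian noise of std sigma to every coordinate."""
    return [x + rng.gauss(0.0, sigma) for x in w]


def l2_loss(w, w_star):
    """Euclidean quality loss ||w - w*||_2 of a (possibly attacked) model."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(w, w_star)))


def inner_product_statistic(w, w_star, delta):
    """Normalised inner product <delta, w - w*> / ||delta||.

    Unwatermarked model (w = w*): exactly 0.
    Watermarked, unattacked: ||delta||, about eps * sqrt(n).
    Attack noise of std sigma adds N(0, sigma^2) to the statistic, so the
    attacker only reaches a coin-flip detection rate as sigma -> infinity,
    i.e. after the noise has swamped the model itself.
    """
    norm = math.sqrt(sum(d * d for d in delta))
    return sum(d * (a - b) for d, a, b in zip(delta, w, w_star)) / norm


def detect(w, w_star, delta, threshold):
    """Flag the model as watermarked when the statistic exceeds the threshold."""
    return inner_product_statistic(w, w_star, delta) > threshold


def detection_rate(n, eps, k, trials=200, seed=0):
    """Simulate `trials` watermark/attack rounds with attack noise std k * eps.

    Returns (fraction of rounds still detected, mean L2 loss of the attacked
    model). Deterministic for a fixed seed; w* is a constructed N(0, I) vector.
    """
    rng = random.Random(seed)
    w_star = [rng.gauss(0.0, 1.0) for _ in range(n)]
    threshold = eps * math.sqrt(n) / 2
    hits, loss = 0, 0.0
    for _ in range(trials):
        w_wat, delta = watermark(w_star, eps, rng)
        w_attacked = perturb(w_wat, k * eps, rng)
        hits += detect(w_attacked, w_star, delta, threshold)
        loss += l2_loss(w_attacked, w_star)
    return hits / trials, loss / trials


if __name__ == "__main__":
    n, eps = 1000, 0.1
    print(f"n={n} eps={eps} ||w*||~{math.sqrt(n):.1f}")
    for k in (0.0, 1.0, 2.0, 5.0, 50.0):
        rate, loss = detection_rate(n, eps, k)
        print(f"noise std = {k:>4} * eps  detection rate = {rate:.3f}  L2 loss = {loss:8.2f}")
```

With the constructed n=1000, eps=0.1 the unattacked watermark costs an $L_2$ loss of about 3.2 against a parameter norm of about 31.6, and noise of 1 to 5 times eps leaves detection essentially certain; only noise whose loss exceeds the norm of the model itself drags the rate toward 50%, which is the qualitative shape of the Figure 3 curves.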

Theorems & Definitions (18)

  • Definition 1: Watermark
  • Definition 2: Quality loss function
  • Definition 3: $(\mathcal{C}, L, \ell)$-Removability game $\mathcal{G}^{\text{remov}}_{\mathcal{A}, \mathcal{W}, \mathcal{C}}(1^\lambda, L, \ell)$
  • Definition 4: Unremovability
  • Definition 5: Soundness/low false positive rate
  • Definition 6: $L_2$: Euclidean quality loss function.
  • Theorem 1
  • Theorem 2
  • Definition 7: $c_1$-high entropy
  • Definition 8: $c_2$-high quality
  • ...and 8 more