Cryptanalysis of Pseudorandom Error-Correcting Codes
Tianrui Wang, Anyu Wang, Tianshuo Cong, Delong Ran, Jinyuan Liu, Xiaoyun Wang
TL;DR
This paper gives the first concrete cryptanalysis of Pseudorandom Error-Correcting Codes (PRC), focusing on the LDPC-based PRC instantiation used for watermarking AI-generated content. It introduces three attacks (partial secret-key recovery, a weak-key distinguisher, and a noise overlay attack) that together undermine the undetectability and robustness claims across all practical parameter settings; in particular, the presence of a watermark can be detected with overwhelming probability at a cost of roughly $2^{22}$ operations. The attacks are validated against real-world large language models and image generation models (DeepSeek and Stable Diffusion), and the authors propose three mitigations: parameter suggestions, implementation suggestions, and a revised key generation algorithm that prevents weak keys. Even so, $128$-bit security remains out of reach under current deployment constraints such as the maximum output length of LLMs. The work exposes critical weaknesses in PRC-based watermarking schemes and underscores the need for redesigned constructions and careful parameter choices before deployment.
Abstract
Pseudorandom error-correcting codes (PRC) are a novel cryptographic primitive proposed at CRYPTO 2024. Due to the dual capability of pseudorandomness and error correction, PRC has been recognized as a promising foundational component for watermarking AI-generated content. However, the security of PRC has not been thoroughly analyzed, especially with respect to concrete parameters or in the face of cryptographic attacks. To fill this gap, we present the first cryptanalysis of PRC. We first propose three attacks to challenge the undetectability and robustness assumptions of PRC. Among them, two attacks aim to distinguish PRC-based codewords from plain vectors, and one attack aims to compromise the decoding process of PRC. Our attacks successfully undermine the claimed security guarantees across all parameter configurations. Notably, our attack can detect the presence of a watermark with overwhelming probability at a cost of $2^{22}$ operations. We also validate our approach by attacking real-world large generative models such as DeepSeek and Stable Diffusion. To mitigate our attacks, we further propose three defenses to enhance the security of PRC, including parameter suggestions, implementation suggestions, and a revised key generation algorithm. Our revised key generation function effectively prevents the occurrence of weak keys. However, we highlight that the current PRC-based watermarking scheme still cannot achieve 128-bit security under our parameter suggestions, due to the inherent configurations of large generative models, such as the maximum output length of large language models.
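To make concrete what "distinguishing PRC codewords from plain vectors" means, the following is an added toy model of an LDPC-style pseudorandom code, written for this page and not taken from the paper or from any PRC implementation. It assumes the simplified structure of the CRYPTO 2024 LDPC construction as commonly described: the secret key is a set of sparse parity checks, a codeword is a random vector satisfying all of them plus Bernoulli noise, and the keyed detector counts satisfied checks. Only the honest, keyed detector is shown; the paper's keyless attacks (partial key recovery, weak-key distinguisher, noise overlay) are not reproduced here, and the parameters `n`, `r`, `t`, `eta` are illustrative, not the paper's.

```python
import random

# Added toy model (assumption: simplified from the CRYPTO 2024 LDPC-based PRC).
# Bit vectors over GF(2) are Python ints; bit i is coordinate i.

def parity(v):
    """XOR of all bits of v (GF(2) inner product when v is a masked vector)."""
    return bin(v).count("1") & 1

def keygen(n, r, t, seed):
    """Secret key: r parity checks, each a t-sparse row over n coordinates."""
    rng = random.Random(seed)
    rows = []
    for _ in range(r):
        mask = 0
        for pos in rng.sample(range(n), t):
            mask |= 1 << pos
        rows.append(mask)
    return rows

def random_codeword(rows, n, rng):
    """Uniformly random x with every parity check satisfied (P * x = 0).
    Gaussian elimination over GF(2); free columns are chosen at random."""
    basis = {}  # pivot column -> reduced row containing only its pivot and free columns
    for row in rows:
        for c, pr in basis.items():
            if (row >> c) & 1:
                row ^= pr
        if row == 0:
            continue  # linearly dependent check, nothing new to enforce
        c0 = (row & -row).bit_length() - 1  # lowest set bit becomes the pivot
        for c in list(basis):
            if (basis[c] >> c0) & 1:
                basis[c] ^= row  # keep the basis fully reduced
        basis[c0] = row
    x = 0
    for col in range(n):
        if col not in basis and rng.random() < 0.5:
            x |= 1 << col
    for c, pr in basis.items():
        if parity(pr & x):  # only free bits contribute; fix pivot bit to zero the check
            x |= 1 << c
    return x

def encode(rows, n, eta, rng):
    """Noisy codeword: kernel vector XOR Bernoulli(eta) noise.
    The noise is what makes codewords look random without the key."""
    x = random_codeword(rows, n, rng)
    for i in range(n):
        if rng.random() < eta:
            x ^= 1 << i
    return x

def satisfied_checks(rows, x):
    """Keyed detector statistic: number of secret parity checks x satisfies."""
    return sum(1 for pr in rows if parity(pr & x) == 0)

def is_watermarked(rows, x, threshold_frac=0.6):
    """A uniformly random vector satisfies each check with probability 1/2; a noisy
    codeword satisfies each with probability (1 + (1 - 2*eta)^t) / 2, so a threshold
    above r/2 separates the two when r is large enough."""
    return satisfied_checks(rows, x) >= threshold_frac * len(rows)

def demo(n=600, r=300, t=5, eta=0.05, seed=7):
    """Constructed parameters; returns (checks satisfied by a codeword, by a random vector)."""
    rows = keygen(n, r, t, seed)
    rng = random.Random(seed + 1)
    codeword = encode(rows, n, eta, rng)
    plain = rng.getrandbits(n)
    return satisfied_checks(rows, codeword), satisfied_checks(rows, plain)

if __name__ == "__main__":
    cw, pl = demo()
    print("checks satisfied by noisy codeword:", cw, "| by random vector:", pl)
```

With `t = 5` and `eta = 0.05` each check survives the noise with probability about 0.8, so the codeword statistic concentrates near `0.8 * r` while a plain vector sits near `r / 2`. The security question the paper studies is the opposite direction: whether an attacker without `rows` can still tell the two apart, or recover enough of `rows` to do so, at a cost far below the intended security level.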
