A Semantic Invariant Robust Watermark for Large Language Models

About the watermark detection method

Please refer to the first response in "Response to all reviewers.".

About experimental configurations （$\delta$ and $\gamma$）

Firstly, it is crucial to note that for our SIR method, the chosen hyperparameters are $\delta= 2$, and our watermark model is trained with $\gamma= 0.5$. These settings are consistent with the hyperparameters used in the KGW series methods, ensuring a fair comparison in experimental setups.

Further, from an algorithmic perspective, in the KGW series watermark algorithms, the most influential parameter on watermark robustness is $k$ (window size), while $\delta$ and $\gamma$ have minimal impact on watermark robustness. Consequently, these two parameters are seldom explored in watermark research for their effect on robustness. Below is a detailed explanation:

1. Concerning the $\delta$ parameter, it primarily influences the strength of watermark embedding. However, increasing watermark strength comes with a trade-off, affecting the quality of the generated text. A very large $\sigma$ would degrade the algorithm to a hard red-green algorithm, where some tokens cannot be chosen at all. Conversely, a very small $\sigma$ might result in insufficient watermark strength, rendering it undetectable in later stages.

2. Regarding the $\gamma$ parameter, this determines the proportion of the 'green' part. The most common parameter in current studies is 0.5. While a smaller $\gamma$ might enhance watermark effectiveness in no-attack scenarios experimentally, its impact is not significant. Therefore, comparisons controlled at the same $\gamma$ value are fair. Additionally, we conducted the following experiments to test $\gamma$.

The observation can be stated as follows: Although a marginal improvement in F1 is noted when comparing different values of $\gamma$, the enhancement is not particularly significant. Consequently, it is a common practice among various works to set $\gamma$ at 0.5.

The necessity of our method.

Please refer to the second response in "Response to all reviewers"

We must reiterate the contributions of our method, which were initially addressed at the beginning of the paper. The inherent issue with the KGW-N series methods is highlighted: when N is large, there is poor adversarial robustness to text modifications but strong safety robustness. Conversely, with a smaller N, adversarial robustness improves, yet safety robustness decreases.

Our method ultimately achieves adversarial robustness comparable to the KGW-1 approach (albeit slightly less in beam search scenarios) but exhibits a significant enhancement in safety robustness. For details, refer to Section 6.3, particularly Figure 3(a), where our method markedly surpasses KGW-1 in safety robustness. Thus, our approach contributes uniquely. Thank you for your question, and we hope you will consider our method's soundness and contributions more thoroughly in your assessment.

About the watermark detection method

Please refer to the first response in "Response to all reviewers."

About multi-keys

Thank you for your insightful question. Contrary to the need for multiple watermark models to implement multi-keys, a single watermark model can be effectively paired with mapping files to achieve this. For instance, consider the watermark model producing logits $L = \\{l_1, l_2, \ldots, l_{|V|}\\}$ for a vocabulary size $|V|$. We can define a simple bijective mapping $f: \\{1, 2, \ldots, |V|\\}\rightarrow \\{1, 2, \ldots, |V|\\}$, resulting in a new set $L' = \\{ j_{1}, j_{2}, \ldots, j_{|V|}\\}$where each $j_{i}$ is defined as $j_{i} = L_{f(i)}$.

This mapping process is efficient, having an $O(1)$ complexity, and does not introduce any extra burden. Moreover, designing just two distinct mappings with low similarity ensures sufficient differentiation between the keys of two users.

Therefore, we believe that the concern regarding multi-key scenarios may not be a practical issue.

About the robustness againt KGW-1

Please refer to the second response in "Response to all reviewers."

It is essential to revisit the inherent issues associated with the KGW-N series methods as mentioned at the begining part of our paper. Notably, these methods exhibit poor adversarial robustness in text modification when $N$ is large, albeit with strong security robustness. Conversely, when $N$ is small, they demonstrate better adversarial robustness in text modification but weaker security robustness.

Our method has achieved adversarial robustness comparable to that of KGW-1 but with a significant improvement in security robustness. This advancement is detailed in Section 6.3, particularly evident in Figure 3(a), where our method substantially surpasses KGW-1 in terms of security robustness. Thus, our approach makes a unique contribution.

Regarding the slightly inferior performance of our method compared to KGW-1 under beam search conditions, it is hypothesized that the tendency for self-repetition in the KGW-1 method during beam search is more pronounced than in our approach. The beam search algorithm is known to favor sequences with higher overall generation probabilities, potentially leading to higher repetition rates.

This hypothesis is supported by our analysis of the generated texts, where we assessed the frequency of N-gram repetitions. The findings indicate that KGW-1 exhibits a marginally higher degree of self-repetition compared to our SIR method. Such a propensity for self-repetition in KGW-1 might be a contributing factor to the observed differences in performance under beam search conditions.

Prefix injection attacks

Please refer to the third response in "Response to all reviewers."

About more attack type

Please refer to third response in "Response to all reviewers".

In summary, we supplemented experiments regarding Emoji attack and copy paste attack, demonstrating that our method is robust in these scenarios.

About the definition of watermark

In the section three, we have already provided a rather detailed definition and explanation of watermark algorithms. Here, we will elaborate further.

Broadly speaking, the concept of large model watermarking refers to the integration of certain covert features into the text generated by large models. These features are designed to be detectable by specific algorithms, yet remain largely imperceptible to human observation. The paradigm adopted in this paper is adding small watermark logits to the already generated next token logits. This is the most widely used watermark paradigm for large models. Specifically, the watermark logits can be defined as $P_{\mathrm{W}}(x^{prompt}, t_{:l-1})$, and the final logits could be defined as $P_{\hat{\mathrm{M}}}(x^{prompt}, t_{:l-1}) = P_{\mathrm{M}}(x^{prompt}, t_{:l-1}) + P_{\mathrm{W}}(x^{prompt}, t_{:l-1})$, where $\hat{\mathrm{M}}$ is the watermarked LLM. The watermark detector $P_{\mathrm{D}}$ corresponds to $P_{\mathrm{W}}$, outputting 1 if text $t$ contains the watermark, otherwise 0.

Additional information on the reconstruction process of the watermark

Please refer to the first response in "Response to all reviewers."

Theoretical or practical capacity of the watermark within the framework presented

To clarify the meaning of 'practical capacity' as you mentioned, if it refers to the amount of information that a watermark can carry, our watermarking technique is similar to that of Kirchenbauer et al. In both cases, the capacity of the watermark is limited to binary classification of the text, determining whether it contains a watermark or not. The watermark itself does not involve carrying additional information.

The primary contribution of our paper lies in enhancing the robustness of the watermark. This can be understood as, although the information borne by the watermark is limited to 0 (no watermark) and 1 (contains watermark), our method increases the difficulty of editing from 1 to 0. In other words, removing the watermark has become more challenging compared to previous approaches.

Application of Watermark

The primary role of watermarks in large models is to identify texts generated by these models, which has several applications:

1.Large models might be prohibited in certain contexts, such as student homework or examinations. Watermarks facilitate the identification of texts produced by these models in such scenarios.

2.Large models can generate a substantial volume of false or low-quality content online. Watermarks can help in recognizing these texts, contributing to a better online environment.

3.If texts generated by large models are watermarked, it becomes easier to detect instances where someone might use these texts to train their own models. This acts as a deterrent against data theft, providing a layer of protection for the large models themselves. [Zhao et al. (2022)]

In summary, thank you for your question. Your inquiry is very helpful in enhancing the quality of our paper.

Reference

Zhao, Xuandong, Yu-Xiang Wang, and Lei Li. "Protecting language generation models via invisible watermarking."

About Ownership Tracking

There is indeed no experiment (or any content) about ownership tracking in our paper. This is because the application of watermark algorithms to ownership tracking falls beyond the scope of this paper. Our objective is to present a semantically invariant, robust watermarking algorithm that achieves an optimal balance in terms of resistance to attacks and security robustness, compared to previous methods. We believe that elaborating on the integration of watermarking into ownership tracking systems is not necessary within this article. Our previous description (in rebuttal) of how our method could perform ownership tracking was primarily to demonstrate the potential of our approach in this area.

Thank you once again for your suggestion.

update

With less than three hours remaining until the end of the rebuttal period, if you have no further questions, would you consider updating your rating?

About the watermark detection method

Please refer to the first response in "Response to all reviewers".

About the potential adaptive attacks

We understand your concern that users might be aware that our watermark insertion is related to the semantic embedding of the text. Therefore, we specifically demonstrate in Figure 3(a) the effect of a spoofing attack using text with highly concentrated semantic domain types(embeddings are more similar). While attacking the watermark with text of fine-grained topics like L2 class indeed shows some improvement in the attack's effectiveness, the enhancement is not significant. This, to some extent, indicates the sufficient security robustness of our method.

Furthermore, for a user possessing an embedding model and attempting to break our watermark, designing such an algorithm is not straightforward and may constitute a highly complex task in algorithmic design. If you have a proposal, we are open to experimenting with it based on your approach.

Text quality Evaluation

To better validate the quality of the text generated by our watermarking method, we conducted further experiments in the field of machine translation. Specifically, we utilized the NLLB-200-distilled-600M model [Costa-jussà et al. (2022)] to perform experiments on the WMT14 dataset, focusing on two translation scenarios: French to English and German to English. The results of these experiments are as follows:

Although there is a slight decrease in the BLEU score after watermarking, the extent of this decrease is minimal. This indicates that the impact of our method on the quality of the text is smaller compared to that of the KGW-1 approach. We have updated the result in appendix G.

About the repetitiveness

With increasing text length, the degree of variation in embeddings diminishes. In the most extreme scenario, if the addition of any token does not alter the embedding, our method essentially degenerates to KGW-1 (a global red-green list). Consequently, the texts produced by our approach theoretically exhibit less repetition compared to KGW-1. To examine the repetition issue, we conducted statistical experiments on the N-gram repetition ratio in generated texts. The results are as follows:

The level of repetition in our generated texts is lower than that of KGW-1, but higher than KGW-2 and KGW-4. Although our method did not achieve the lowest degree of repetition, compared to the KGW series, it still represents an optimal balance in terms of text repetitiveness, robustness, and security. We have updated the result in appendix I.

About the context length

A longer context length can enhance the effectiveness, yet a shorter context length results in a decrease in the overall watermark detection performance and robustness. However, this is an inherent limitation of watermark algorithms not only our methods. Here we present a comparison of the effects at different lengths.

The shows that as the generation length increases, both the effectiveness and robustness of detection improve. This trend is consistent with the KGW. Even when the length exceeds 600, surpassing the 512-length limit of the embedding model, truncating the context does not affect the specific detection. We have updated the result in appendix H.

About the copy paste attack

Please refer to the third response in "Response to all reviewers".

About the variance of watermark logits distribution

Your concern is valid, but in reality, our statistical analysis has found that in all steps, the watermark logits are consistently divided into two parts, 1 and -1, without any significant deviation. We have calculated the proportion of 1 and -1, finding the mean to be 0.5 with a standard deviation not exceeding 0.01.

Reference

Kirchenbauer,et al."A watermark for large language models."

Costa-jussà, et al."No language left behind: Scaling human-centered machine translation."

I thank the authors for their reply and for performing additional experiments. I think the inclusion of these experiments, particularly the additional attacks, will strengthen the paper. I'm willing to raise my score, but I have a three points that I'd like addressed/clarified:

1. In the final draft it would be good to see the additional experimental results cleaned up a bit, with the new attacks moved into Table 1 if at all possible. I also think some additional details on the copy-paste attack are necessary -- e.g. how "topics" are defined.

2. I think the paper could make the connection between KGW and the proposed method even more explicit. For example, the authors could highlight how the {±1} logit perturbations essentially define red/green lists, and how detection is essentially performed in the same manner as KGW using these "relaxed" red/green lists.

3. The paper's central idea -- extending the "red-list/green-list" approach of KGW to enable more general conditional control over logit perturbations via embedding and mapping networks -- is novel and interesting. It allows for replacing the n-gram hashing of KGW with any suitable text embedding, and appears to offer some flexibility over "red-list/green-list" distributions through the training objectives of the mapping network. It would be nice if the authors could remark on this potential generality -- i.e., whether the authors expect that the proposed method only works within a narrow range of configurations (CBERT/SBERT sentence embeddings mapped to ~50/50 ±1 logit distributions), or whether it might be worth exploring other configurations in future work. The embedder experiments in section C suggest some rough guidelines (e.g. "near-normal" distribution of embedding distances), but I think the generality/flexibility angle is interesting enough to merit addressing directly, even if only briefly.