TabWak: A Watermark for Tabular Diffusion Models

W2: While the paper presents results with specific parameter choices (e.g., l=4 for quantiles), there's limited discussion about parameter sensitivity and how different choices might affect the trade-off between data quality and watermark robustness.

A: We acknowledge that the discussion about the sensitivity of $l$ is limited. However, we believe that the choice of $l$ has minimal impact on data quality if $l$ is not too large. Regardless of the value of $l$, our method samples the initial latent from each quantile of the Gaussian distribution with probabilities proportional to each quantile. Regarding robustness, we agree that further exploration of hyperparameters could provide valuable insights. We are testing the different settings $l=3$ now. We will update you when we get results.

W3: Although the paper mentions privacy protection as a use case for synthetic data, it doesn't analyze potential privacy implications of the watermarking scheme itself, such as whether the watermark could leak information about the training data or model architecture.

A: For sampling-based methods, we believe it is more difficult to leak information about the training data or model architecture. This is because the only modification introduced during watermarking is controlling the sampling process from the Gaussian distribution for the initial latent $\mathbf{z}_T$. Even if an adversary gains access to both the model and the watermarking method, they would only be able to recover the tabular data back to its initial latent representation. Furthermore, our method ensures that the initial latent $\mathbf{z}_T$ remains close to the Gaussian distribution, as demonstrated in Figure 6 of the Appendix. This makes it challenging for an adversary to uncover any hidden patterns in our sampling process, even if they successfully recover the initial latent.

Q1: How does TabWak's performance change with different architectures of the backbone diffusion model? The current evaluation uses a specific TabSyn architecture, would the method's effectiveness be maintained with other tabular diffusion model architectures?

A: We believe our method is adaptable to various backbone diffusion models. Similar to techniques like Tree-Ring, which have demonstrated consistent performance across different diffusion model architectures, our approach does not rely on any modules specifically tailored to a particular model architecture. Therefore, we expect its effectiveness to generalize well across other architectures.

Q2: Given that the valid-bit mechanism focuses on the tail of the distribution for improved robustness, could this create vulnerabilities to targeted attacks that specifically manipulate these tail values? Have you considered or evaluated such potential attacks?

A: As discussed in our response to W3, it is inherently challenging for an adversary to access the initial latent representation directly, making it difficult to manipulate. However, targeted attacks could theoretically be developed where the attacker reconstructs the initial latent representation and selectively alters the tail values. For instance, they might shift these tail values toward the distribution center or invert their signs. We are working on it right now.

References

[1] He, Hengzhi, et al. "Watermarking generative tabular data." arXiv preprint arXiv:2405.14018 (2024)

[2] Nie, Weili, et al. "Diffusion Models for Adversarial Purification." International Conference on Machine Learning. PMLR, 2022.

[3] An, Bang, et al. "Benchmarking the robustness of image watermarks." arXiv preprint arXiv:2401.08573 (2024).

Thank you for your valuable comments and positive feedback.

W1: Although the paper compares against adapted image watermarking techniques, it doesn't compare against existing tabular data watermarking methods that operate in post-processing (mentioned in Related Works, e.g., He et al., 2024). This comparison would help understand the relative advantages of embedding watermarks during sampling versus post-processing.

A: The reason we did not include post-processing watermarks is that such methods, like the one in [1], can only be embedded into continuous values by strategically adjusting these values to fall within a chosen range. However, the applicability of this approach is limited in tabular data, which often contains many integers and categorical values. Additionally, post-processing watermarks are highly susceptible to common operations in tabular data processing, such as rounding, which can easily remove the watermark.

Since our dataset contains many integer columns, we first convert the numbers into scientific notation during preprocessing. The method from [1] is then applied to the coefficients of the scientific notation. Below are the results of comparing the post-processing method under different types of attacks. The results show that the post-processing method is particularly vulnerable to Gaussian noise, where it fails to maintain the watermark.

Table A. The Robustness of Post-processing Watermark [1] Against Post-Editing Attacks: Average Z-score on 5K rows

Based on your suggestions, we developed an adaptive attack that focuses on the tail values in the original latent. We additionally introduce perturbations to the numerical values in the table, denoted as $X_{\text{num}}$. Specifically, we use the encoder to approximate the latent $\hat{z}_0$, then employ the diffusion model for DDIM inversion to estimate the initial latent $\hat{z}_T$. Our attack minimizes the tail values of the latent $\hat{z}_T$, which can be formally expressed as:

$$\min_{X_{\mathrm{num}}^{\mathrm{adv}}} \left\| M_{\mathrm{tail}} \cdot \hat{z}_T \right\|_2,$$

subject to the constraint:

$$\left| X_{\mathrm{num}}^{\mathrm{adv}} - X_{\mathrm{num}} \right| \leq \epsilon \cdot \left| X_{\mathrm{num}} \right|,$$

where

$$\hat{z}_T = DDIM^{-1}(\mathcal{E}(X_{\mathrm{num}}^{\mathrm{adv}})),$$

and

$$M_{\mathrm{tail}}[i] = \begin{cases} 1 & \text{if } \hat{z}_T[i] < Q_{0.25}(\hat{z}_T) \text{ or } \hat{z}_T[i] > Q_{0.75}(\hat{z}_T), \\ 0 & \text{otherwise.} \end{cases}$$

In our experiments, $\epsilon$ is set to 0.2. For DDIM inversion, we limit the number of steps to 10 to accelerate the process and reduce backpropagation overhead during optimization. The final results are summarized below:

Table F. The Robustness of TabWak Against Embedding and Adaptive Attacks: Average Z-score on 5K rows

From the results, we observe that, under the same $\epsilon$, adaptive attacks reduced the average Z-score more significantly in 4 out of 5 datasets. Notably, the attack was particularly successful on the magic and diabetes datasets. We attribute this to the fact that we only perturbed numerical columns in the tabular data. In these two datasets, all columns are numerical except for the target columns, while the other three datasets contain more categorical columns. We will include these additional results in the appendix.

W3: It will be very helpful to include other tabular watermark baselines even though they are not sampling-phase methods.

A: The reason we did not include post-processing watermarks is that such methods, like the one in [4], can only be embedded into continuous values by strategically adjusting these values to fall within a chosen range. However, the applicability of this approach is limited in tabular data, which often contains many integers and categorical values. Additionally, post-processing watermarks are highly susceptible to common operations in tabular data processing, such as rounding, which can easily remove the watermark.

Since our dataset contains many integer columns, we first convert the numbers into scientific notation during preprocessing. The method from [4] is then applied to the coefficients of the scientific notation. Below are the results of comparing the post-processing method under different types of attacks. The results show that the post-processing method is particularly vulnerable to Gaussian noise, where it often fails to maintain the watermark.

Table A. The Robustness of Post-processing Watermark [4] Against Post-Editing Attacks: Average Z-score on 5K rows

Q2: Do the authors know if a similar method can be applied to images?

A: Our method aims to improve the quality of tabular data by avoiding the reuse of the same latent seed for each row. This ensures greater diversity in the latent representations, ultimately enhancing the quality of the generated table. In tabular data generation, each row is analogous to an individual image in image generation. However, in image generation, it is less critical to use different latent seeds for each image since evaluation typically does not involve comparisons across images, and the latent space for images is much larger than that for a single row of tabular data. But we believe that if the task involves generating a batch of images using the same text prompt, our method could also be beneficial for improving the diversity within the batch.

References

[1] Liu, Fan, et al. "Privacy-preserving synthetic data generation for recommendation systems." Proceedings of the 45th International ACM SIGIR Conference on Research and Development in Information Retrieval. 2022.

[2] Qian, Zhaozhi, et al. "Synthetic data for privacy-preserving clinical risk prediction." Scientific Reports 14.1 (2024): 25676.

[3] Potluru, Vamsi K., et al. "Synthetic data applications in finance." arXiv preprint arXiv:2401.00081 (2023).

[4] He, Hengzhi, et al. "Watermarking generative tabular data." arXiv preprint arXiv:2405.14018 (2024)

W2 & Q1: In terms of detectability, the proposed method underperforms the Gaussian Shading baseline by a lot in most of the datasets. The proposed method is very good for Shoppers, but Gaussian Shading has way higher z-scores in other datasets. Do the authors have any idea why it's the case? Also, I guess you can sacrifice the generation quality to make the detectability much better.

A: Indeed, compared to the Z-score, Gaussian Shading exhibits superior robustness. However, when considering the absolute value of the p-value, our proposed method also performs well. The key to Gaussian Shading's better performance lies in its row-by-row detection approach: it employs the same latent seed for each row during generation, making detection significantly easier. In contrast, TabWak uses different latent seeds for each row, which constrains the fidelity of the latent space and leads to uneven distribution, ultimately affecting generation quality. Despite this, we believe that TabWak achieves a more optimal balance between robustness and data quality. Our reasoning is as follows:

1. Detectability in Terms of p-value: While the Z-scores in Table 2 for our method (Our*) are indeed lower, the detectability of our method remains competitive. Even in the worst-case scenario for our method, the Z-score ( Diabetes dataset under 20% cell deletion attacks) corresponds to a p-value of 1.5e-4. This implies that even under the strongest attack (5k rows), our method maintains a low false positive rate of 1.5e-4. This shows that the detectability of our method is still reliable, despite its slightly lower robustness.

2. Trade-off with Data Quality: In contrast, Gaussian Shading, while exhibiting superior robustness, significantly compromises data quality. This is due to its reliance on using the same latent seed across all rows, which introduces noticeable patterns in the watermarked data. Our method avoids such performance drop, preserving the overall quality of the dataset better than Gaussian Shading.

To illustrate this trade-off, we present the following figures (hosted anonymously), showing the relationship between p-value under various attacks and average data quality ( (from Table 1, specifically the average of Shape, Trend, Logistic, MLE). Notably, our method (Ours*, represented by filled plus markers) predominantly occupies the upper-left region of the plots, reflecting superior performance across most scenarios, except under cell deletion attacks and Gaussian noise attacks on the Diabetes dataset. On the other hand, Gaussian Shading (GS), while robust in detectability, consistently falls in the lower-left region, emphasizing its trade-off of reduced data quality for robustness.

Figure A. Trade-off Analysis: Quality and Robustness Under 20% Row Deletion

Figure B. Trade-off Analysis: Quality and Robustness Under 3-Column Deletion

Figure C. Trade-off Analysis: Quality and Robustness Under 20% Cell Deletion

Figure D. Trade-off Analysis: Quality and Robustness Under 20% Gaussian Noise

And for the question if we can sacrifice the generation quality to make the detectability much better. Regarding the possibility of sacrificing generation quality to achieve better detectability, we propose that the latent distributions for multiple rows remain close to a Gaussian distribution. While robustness could be further enhanced by distorting the distribution— e.g., adding bias to increase values in the tails—we believe the current trade-off is well-balanced, as evidenced in the results above.

Thank you for your valuable comments.

W1: I think my main concern is the usefulness of tabular data watermarking. I can see for images or texts, we need to detect if they are AI-generated to prevent spreading misinformation, but I don't see tabular data can bring much harm like other modalities.

A: Yes, text and images are often prioritized due to their visible influence on daily life. However, synthetic tabular is the most common modality in industries and organizations, which increasingly embrace synthetic data as a privacy-preserving data-sharing solution [1-3]. It is important for the synthetic data generator to verify if a piece of table is generated by itself and then take responsibility for the (misa)usage of such data. Synthetic tables pose subtle yet significant risks. For instance: 1) Financial Fraud: Synthetic datasets can manipulate performance metrics, enabling hedge funds to fabricate high returns and conceal losses. Watermarking ensures that only genuine data is used for informed decision-making. 2) Healthcare Misdiagnosis: Altered synthetic patient data can skew diagnostic tools or treatment recommendations, potentially leading to issues like over-prescription of medications. Watermarking safeguards data integrity, fostering trust in healthcare models. 3) Regulatory Evasion: Companies may exploit synthetic data to falsify compliance records, inflate profits, or create misleading sustainability reports.

Watermarking confirms data authenticity, ensuring reliability in audits. The watermarking technique can also protect the copyright of generated tabular data for the model owner, ensuring that the data's ownership and intellectual property rights are safeguarded by the model itself.

W3&A3 Given that the current experimental results show the proposed method’s performance is not consistently superior to previous watermarking methods, can the authors provide additional data or a more detailed explanation of these outcomes? How do they address this limitation to demonstrate the proposed method's advantages more clearly?

A: We acknowledge that the robustness of our method, as shown in Table 2, is not consistently superior to Gaussian Shading [1] across all datasets. However, we believe that our method achieves a better trade-off between robustness and data quality. Here is our reasoning:

1. Detectability in Terms of p-value: While the Z-scores in Table 2 for our method (Our*) are indeed lower, the detectability of our method remains competitive. Even in the worst-case scenario for our method, the Z-score (Diabetes dataset under 20% cell deletion attacks) corresponds to a p-value of 1.5e-4. This implies that even under the strongest attack (5k rows), our method maintains a low false positive rate of 1.5e-4. This shows that the detectability of our method is still reliable, despite its slightly lower robustness.

2. Trade-off with Data Quality: In contrast, Gaussian Shading, while exhibiting superior robustness, significantly compromises data quality. This is due to its reliance on using the same latent seed across all rows, which introduces noticeable patterns in the watermarked data. Our method avoids such performance drop, preserving the overall quality of the dataset better than Gaussian Shading.

We recognize the importance of illustrating these trade-offs more effectively. To address this, we will include a new figure in our paper that highlights the trade-off between detectability and data quality across different watermarking methods. This figure will display the theoretical false positive rate (p-value) on the x-axis and the average of four different data quality metrics (from Table 1, specifically Shape, Trend, Logistic, MLE) on the y-axis, evaluated under the strongest attack settings. This visualization will underscore the advantages of our method in achieving a superior trade-off.

We present such figures (hosted anonymously) in the following: the trade-off between p-value under various attacks and the average data quality. Notably, our method (Ours*, represented by filled plus markers) predominantly occupies the upper-left region, indicating superior performance in most scenarios, except under cell deletion attacks and Gaussian noise attacks on the Diabetes dataset. While GS demonstrates robust detectability, it consistently remains in the lower-left region of the figures, highlighting its trade-off of reduced data quality for robustness.

Figure B. Trade-off Analysis: Quality and Robustness Under 20% Row Deletion

Figure C. Trade-off Analysis: Quality and Robustness Under 3-Column Deletion

Figure D. Trade-off Analysis: Quality and Robustness Under 20% Cell Deletion

Figure E. Trade-off Analysis: Quality and Robustness Under 20% Gaussian Noise

References

[1] Yang, Zijin, et al. "Gaussian Shading: Provable Performance-Lossless Image Watermarking for Diffusion Models." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2024.

[2] He, Hengzhi, et al. "Watermarking generative tabular data." arXiv preprint arXiv:2405.14018 (2024).

Thank you for your valuable comments. Below, we provide our responses to the weaknesses and questions you highlighted.

W1&A1: This manuscript's watermarking method for tabular diffusion models builds on a previous diffusion model watermarking approach [1]. While some adaptations address tabular data's specific needs, the novelty could be emphasized further by exploring unique features and applications of table data. How do the authors plan to enhance the distinctiveness of their approach beyond previous achievements? Could additional innovations specific to tabular data be incorporated?

A: While our method builds on previous work, its novelty lies in our specific adaptations, which address the row-by-row watermarking and detection challenges unique to tabular data through self-cloning and valid-bit mechanisms. Additionally, we are the first to introduce watermarking during the sampling phase for tabular data, embedding the watermark in the latent space. This makes it harder to identify and applicable to both continuous and categorical columns, unlike post-processing methods like [2], which are limited to continuous columns. Regarding the unique properties of tabular data, we have begun to consider the challenges posed by categorical columns, such as the sparsity introduced by one-hot encoding and the risk of losing watermark information due to the non-differentiability of the arg max operation. We recognize these as important issues and plan to address them in future work while continuing to explore other distinctive aspects of tabular data.

W2&A2: In designing the "valid bit mechanism," the authors focus on extrema values at the ends of the distribution, which is logical but may underutilize the central parts of the distribution. To validate this choice, theoretical proof or empirical evidence is needed to show that this approach outperforms one that also uses centered values for repeated information, as repetition might improve robustness. Could the authors provide theoretical or experimental comparisons between the "valid bit mechanism" and alternative approaches, such as information repetition, to clarify its effectiveness and superiority?

A: We appreciate your suggestion and have implemented a new bit accuracy calculation based on your idea. Specifically, we evaluated centered values (i.e., between $\Phi^{-1}(0.25)$ and $\Phi^{-1}(0.75)$). If the centered values in the first half match those in the second half, we assume the bits are accurate. The revised valid bit accuracy equation becomes:

$A_{\text{cbit}} = \frac{\sum_{i=1}^{m/2} \mathbb{I}\left((d_i = 1 \text{ or } 2) \text{ and } (d_{m/2+i} = 1 \text{ or } 2)\right)}{\sum_{i=1}^{m/2} \mathbb{I}(d_i = 1 \text{ or } 2)}$

We derived the central bit accuracy under Gaussian noise $\epsilon \sim N(0, \sigma)$), using the same setting at the end of Section 3. The resulting expected accuracy is:

$$\mathbb{E}\left[A_{\text{cbit}}\right]=4\left(\int_{\Phi^{-1}(0.25)}^{\Phi^{-1}(0.75)}\left[\Phi\left(\frac{\Phi^{-1}(0.75) \sqrt{1+\sigma^2} - x}{\sigma}\right) - \Phi\left(\frac{\Phi^{-1}(0.25) \sqrt{1+\sigma^2} - x}{\sigma}\right)\right] \phi(x) dx\right)^2 + 16\left(\int_{\Phi^{-1}(0.75)}^{\infty}\left[\Phi\left(\frac{\Phi^{-1}(0.75) \sqrt{1+\sigma^2} - x}{\sigma}\right) - \Phi\left(\frac{\Phi^{-1}(0.25) \sqrt{1+\sigma^2} - x}{\sigma}\right)\right] \phi(x) dx\right)^2$$

The following table summarizes the expected accuracy across three strategies: no valid bit mechanism, valid bit on tail values, and central bit on central values.

At equivalent noise levels, the valid bit mechanism focusing on tail values achieves higher bit accuracy and greater robustness compared to strategies relying on central values or random latent. The lower accuracy for central values suggests that focusing on the tails provides superior resistance to noise. The following figure (hosted anonymously) illustrates this comparison, in which the expected bit accuracy of the central bit mechanism has been added to Figure 2.

Figure A. Comparison of expected bit accuracy

Thank you for your valuable comments and positive feedback. In response to your questions, we have implemented two new attacks designed to manipulate the latent space. One post-processing watermarking method [1] is also incorporated into the evaluation. The first attack, referred to as the Regeneration Attack, is inspired by the approach in DiffPure[2]. In this attack, we employ the decoder inversion described in our paper to map the watermarked table to the latent representation, denoted as $\hat{\mathbf{z}}_0^W$. Subsequently, we use DDIM inversion to generate $\hat{\mathbf{z}}_T^W$. This newly generated initial latent representation is then used to reconstruct the tabular data. The regenerated tabular data is evaluated using the watermarking method. The results of the regeneration attack are presented in the table below.

Table A. Robustness of different watermarking methods against the regeneration attack: Average Z-score on 5K rows

From the results, we observe that during the regeneration process, the watermarks for sampling-based methods remain detectable (except for TR on the Adult dataset, where it fails even without the attack). In contrast, the watermark applied through post-processing is entirely removed during regeneration.

The second attack, referred to as the Embedding Attack, is inspired by WAVES [3]. Utilizing our encoder $\mathcal{E}$, which maps the tabular data $(X_{num}, X_{cat})$ to a latent representation, we introduce perturbations to the numerical component of the tabular data, denoted as $X_{num}^{adv}$. These perturbations aim to deviate the latent representation of the adversarial table from that of the original watermarked table, $X_{num}$, while staying within a perturbation constraint. Formally, this is expressed as:

$$\max \left\|\mathcal{E}(X_{num}^{adv}, X_{cat}) - \mathcal{E}(X_{num}, X_{cat})\right\|_2,$$

subject to the constraint

$$\left|X_{n u m}^{a d v}-X_{n u m}\right| \leq \epsilon \cdot\left|X_{n u m}\right|$$

In our setting, $\epsilon$ is set to 0.2. The results are presented in the table below.

Table B. The Robustness of different watermarking methods Against Embedding Attack: Average Z-score on 5K rows

From the results, we observe that in this attack setting, our method with the valid bit mechanism (Ours*) and Gaussian Shading (GS) demonstrate strong robustness against attacks. In contrast, the post-processing watermark fails across all datasets, as the perturbation completely destroys the watermark.

References

[1] He, Hengzhi, et al. "Watermarking generative tabular data." arXiv preprint arXiv:2405.14018 (2024).

[2] Nie, Weili, et al. "Diffusion Models for Adversarial Purification." International Conference on Machine Learning. PMLR, 2022.

[3] An, Bang, et al. "Benchmarking the robustness of image watermarks." arXiv preprint arXiv:2401.08573 (2024).

Q1 In the introduction section, the author mentioned that "it is paramount to ensure its traceability and auditability to avoid harm and misusages" I wonder if the author could enlighten me on the potential cases of misusages and harm. I believe it will also be beneficial for the author to include this in the introduction for a broader audience.

A: Thanks for your suggestions. Synthetic tabular is the most common modality in industry and organizations, which increasingly embrace synthetic data as a privacy-preserving data sharing solution [4-6]. It is important for the synthetic data generator to verify if a piece of table is generated by itself and then take responsibility for the (misa)usage of such data. Synthetic tables pose subtler yet significant risks. For instance: 1) Financial Fraud: Synthetic datasets can manipulate performance metrics, enabling hedge funds to fabricate high returns and conceal losses. Watermarking ensures that only genuine data is used for informed decision-making. 2) Healthcare Misdiagnosis: Altered synthetic patient data can skew diagnostic tools or treatment recommendations, potentially leading to issues like over-prescription of medications. Watermarking safeguards data integrity, fostering trust in healthcare models. 3) Regulatory Evasion: Companies may exploit synthetic data to falsify compliance records, inflate profits, or create misleading sustainability reports.

Watermarking confirms data authenticity, ensuring reliability in audits. The watermarking technique can also protect the copyright of generated tabular data for the model owner, ensuring that the data's ownership and intellectual property rights are safeguarded by the model itself.

We will include this in our introduction.

Q2 What is the key capacity for this method? More specifically, what does m equal in your experiments? I assume this is a data and model-dependent hyperparameter that is fixed in your experiment since no retraining is needed, and it heavily affects the practicability of your method since it will affect the upper bound of your key capacity. A brief explanatory note on this could be beneficial.

A: Thank you for your notification. Yes, in our method, $m$ is a model- and data-related hyperparameter, calculated as the product of the token dimension and the number of columns in the table. This is because, in Tabsyn, the model converts each column into the latent space using the same token space. The first one is model-related, where we use the default setting in TabSyn, which is 4. The second component is data-related and depends on the tabular data's structure. We will include this explanation in our paper to provide additional clarity.

References

[1] He, Hengzhi, et al. "Watermarking generative tabular data." arXiv preprint arXiv:2405.14018 (2024).

[2] Nie, Weili, et al. "Diffusion Models for Adversarial Purification." International Conference on Machine Learning. PMLR, 2022.

[3] An, Bang, et al. "Benchmarking the robustness of image watermarks." arXiv preprint arXiv:2401.08573 (2024).

[4] Liu, Fan, et al. "Privacy-preserving synthetic data generation for recommendation systems." Proceedings of the 45th International ACM SIGIR Conference on Research and Development in Information Retrieval. 2022.

[5] Qian, Zhaozhi, et al. "Synthetic data for privacy-preserving clinical risk prediction." Scientific Reports 14.1 (2024): 25676.

[6] Potluru, Vamsi K., et al. "Synthetic data applications in finance." arXiv preprint arXiv:2401.00081 (2023).

Thank you for your valuable comments.

W1 The attacks considered in this paper (e.g. row shuffling, deletion, etc) are somewhat basic and limited. The author could benefit from testing on more sophisticated attack methodologies for example adversarial attacks, where the attacker maximizes the distance in VAE or DDIM latent space while constraining the l2 norm of the perturbation to tabular data. However, I'm unfamiliar with the attack and misusage cases of tabular data, so a justification of the potential attack cases may also be helpful

A: Based on your and other reviewers' suggestions, we have implemented two new attacks designed to manipulate the latent space. One post-processing watermarking method [1] is also incorporated into the evaluation. The first attack, referred to as the Regeneration Attack, is inspired by the approach in DiffPure[2]. In this attack, we employ the decoder inversion described in our paper to map the watermarked table to the latent representation, denoted as $\hat{\mathbf{z}}_0^W$. Subsequently, we use DDIM inversion to generate $\hat{\mathbf{z}}_T^W$. This newly generated initial latent representation is then used to reconstruct the tabular data. The regenerated tabular data is evaluated using the watermarking method. The results of the regeneration attack are presented in the table below.

Table A. Robustness of different watermarking methods against the regeneration attack: Average Z-score on 5K rows

From the results, we observe that during the regeneration process, the watermarks for sampling-based methods remain detectable (except for TR on the Adult dataset, where it fails even without the attack). In contrast, the watermark applied through post-processing is entirely removed during regeneration.

The second attack, referred to as the Embedding Attack, is inspired by WAVES [3]. Utilizing our encoder $\mathcal{E}$, which maps the tabular data $(X_{num}, X_{cat})$ to a latent representation, we introduce perturbations to the numerical component of the tabular data, denoted as $X_{num}^{adv}$. These perturbations aim to deviate the latent representation of the adversarial table from that of the original watermarked table, $X_{num}$, while staying within a perturbation constraint. Formally, this is expressed as:

$$\max \left\|\mathcal{E}(X_{num}^{adv}, X_{cat}) - \mathcal{E}(X_{num}, X_{cat})\right\|_2,$$

subject to the constraint

$$\left|X_{n u m}^{a d v}-X_{n u m}\right| \leq \epsilon \cdot\left|X_{n u m}\right|$$

In our setting, $\epsilon$ is set to 0.2. The results are presented in the table below.

Table B. The Robustness of different watermarking methods Against Embedding Attack: Average Z-score on 5K rows

From the results, we observe that in this attack setting, our method with the valid bit mechanism (Ours*) and Gaussian Shading (GS) demonstrates strong robustness against attacks. In contrast, the post-processing watermark fails across all datasets, as the perturbation completely destroys the watermark.

For the potential attack cases, please see the following answer to Q1.

Based on Reviewer hNPH's suggestions, we also developed an adaptive attack that focuses on the tail values in the original latent. We additionally introduce perturbations to the numerical values in the table, denoted as $X_{\text{num}}$. Specifically, we use the encoder to approximate the latent $\hat{z}_0$, then employ the diffusion model for DDIM inversion to estimate the initial latent $\hat{z}_T$. Our attack minimizes the tail values of the latent $\hat{z}_T$, which can be formally expressed as:

$$\min_{X_{\mathrm{num}}^{\mathrm{adv}}} \left\| M_{\mathrm{tail}} \cdot \hat{z}_T \right\|_2,$$

subject to the constraint:

$$\left| X_{\mathrm{num}}^{\mathrm{adv}} - X_{\mathrm{num}} \right| \leq \epsilon \cdot \left| X_{\mathrm{num}} \right|,$$

where

$$\hat{z}_T = DDIM^{-1}(\mathcal{E}(X_{\mathrm{num}}^{\mathrm{adv}})),$$

and

$$M_{\mathrm{tail}}[i] = \begin{cases} 1 & \text{if } \hat{z}_T[i] < Q_{0.25}(\hat{z}_T) \text{ or } \hat{z}_T[i] > Q_{0.75}(\hat{z}_T), \\ 0 & \text{otherwise.} \end{cases}$$

In our experiments, $\epsilon$ is set to 0.2. For DDIM inversion, we limit the number of steps to 10 to accelerate the process and reduce backpropagation overhead during optimization. The final results are summarized below:

Table C. The Robustness of TabWak Against Embedding and Adaptive Attacks: Average Z-score on 5K rows

From the results, we observe that, under the same $\epsilon$, adaptive attacks reduced the average Z-score more significantly in 4 out of 5 datasets. Notably, the attack was particularly successful on the magic and diabetes datasets. We attribute this to the fact that we only perturbed numerical columns in the tabular data. In these two datasets, all columns are numerical except for the target columns, while the other three datasets contain more categorical columns. We will include these additional results in the appendix.

Based on the reviewers' suggestions, we have made the following revisions to our manuscript, with all changes highlighted in blue:

• Added examples to motivate watermarking tables in the Introduction (Reviewers 7YMM, jg7M).
• Clarified hyperparameter m in Section 3 (Reviewer 7YMM).
• Included figures on robustness vs. generation quality trade-offs in Figure 3 (Reviewers CBoB, jg7M).
• Compared post-processing watermark robustness in Appendix F.3 (Reviewers jg7M, hNPH).
• Evaluated regeneration, embedding, and adaptive attacks in Appendix F.4 (Reviewers w73M, 7YMM, hNPH).
• Explored hyperparameter l settings in Appendix F.5 (Reviewer hNPH).
• Fixed typos in Figures 4 and 5.

We sincerely thank the reviewers for their valuable suggestions and efforts to improve our manuscript.