Dear Reviewer eHFF,

We sincerely appreciate the time and effort you have dedicated. Below, we summarize the key responses to your concerns.

Source of Robustness

We argue that robustness arises from two factors:

1.Watermark Decoder: We compare our neural decoder (ND) with a statistical decoder (SD) based solely on the red/green partition (see response to Reviewer sPDj), and our ND outperformed SD, demonstrating that end-to-end training with a noise layer enhances robustness.

2.Red/Green Partition: We measure the KL divergence (KLD) between token distributions of watermark (WM) and non-watermark (NWM) sentences (see here) to evaluate the context independence (CI) of our partition. A purely CI partition (e.g., Unigram) shows high KLD due to token biases, while our method achieves a KLD of 0.12—about half of Unigram’s 0.21 and above KGW’s 0.03—indicating a balance between context-dependent (CD) and CI schemes. Our ablation study on context size after paraphrasing is shown below:

Our adaptive partition lets the encoder use strong CD features when available and fall back to a CI approach when necessary, which is crucial for our robustness.

---

Acquisition of Different Watermarks

It is NOT necessary to retrain the entire network from scratch for each user-specific watermark. The proposed end-to-end framework is flexible enough to inject key-driven randomness at multiple stages (input, model parameters, or output). In practice, one can fine-tune (FT) and apply key-conditioned post-processing without retraining.

Different watermarks can be guaranteed by incorporating a key-driven bias logit $l_B \in \lbrace-1,1\rbrace^n$ (of vocabulary size) into the final watermark logits via $\hat{l}_W = \delta \times \text{clip}(l_W + l_B)$. Since $l_B$ is derived from a unique key, statistical analysis demonstrates that each item in the clipped output remains unchanged with probability 0.5 and changes with probability 0.5 (assuming the $i$ item, $\text{clip}(l_W^{(i)} + l_B^{(i)}) \sim \text{Uniform}(-1, 1)$, $l_B^{(i)} \sim \text{Uniform}(\lbrace-1, 1\rbrace)$, trainable $l_W^{(i)} \in [-1,1]$, and all items are independent). The number of mismatches between watermarks generated using different keys follows a binomial distribution $\text{Bin}(n, 0.5)$, implying that the probability of obtaining identical watermarks is negligibly small. E.g. $n = 40$, the probability of identical is $0.5^{40} \approx 9.1\times 10^{-13}$. The explanation (with the spoof attack below), which highlights the randomness introduced by the key, will be included in the final version.

---

Risk of Watermark Stolen

We conduct a spoof attack with 2,000 queries per method to evaluate resistance against watermark stolen (lower TPR is better). Our method is more vulnerable with CI scoring (0.55 and 0.56 for the two datasets), but FT w/ $l_B$ reduces the TPR to 0.19 and 0.12, which is comparable to using different keys in KGW and Unigram.

Meanwhile, our FT model shows performance comparable to the original checkpoint. Notably, the PPL improves from 7.73 to 7.28 but the TPR drops from 0.75 to 0.53 in the PA case.

---

$\gamma$ of Red-Green Split

Our method achieves an average $\gamma$ of 0.4 across datasets with diverse topics.

---

Compare with SynthID

Our method consistently outperforms SynthID in editing cases, notably scoring 0.75 versus SynthID's 0.05 in PA, while maintaining competitive quality.

---

Ratio of Red/Green tokens in Fig 10

The ratios between NWM/WM texts are not similar at all, the NWM texts have red/green token counts of 69:53, 61:65, and 74:75 (ratios 1.30, 0.94, and 0.99). In contrast, the WM texts show counts of 42:83, 50:99, and 53:79 (ratios 0.51, 0.51, and 0.67).

---

Fig 9 Explanation

Lowering the temperature makes the LLM more deterministic, increasing the likelihood of sampling high-logit tokens. Because our model perturbs the top-$k$ logits, a lower temperature favors selecting tokens from our red/green lists over those in the grey list (see Sec. 3.2), thereby improving performance.

Dear Reviewer bhtZ,

We sincerely appreciate the time and effort you have dedicated to our manuscript. Below, we summarize the key responses to your concerns.

Case Study

We have included three pairs of non-watermarked and watermarked samples generated from the same prompt in Appendix E (see here), where tokens are color-coded based on the watermark encoder's outputs.

---

Additional LLMs

In addition to OPT-1.3B and Llama2-7B, we have evaluated our method on four extra LLMs—Qwen2.5-7B, Mixtral-7B, Llama3-8B, and Llama3.2-3B—for robustness and quality (in Sec. 4.2). Our approach consistently achieves a high F1 score (≥ 0.99) on clean watermarked samples across all LLMs, demonstrating its stability and reliability. Moreover, it maintains strong robustness against all edited cases, yielding an average F1 score ≥ 0.92. In terms of text quality, our method introduces only a moderate increase in PPL, approximately 1.2× that of non-watermarked baselines.

We have also assessed translation quality using NLLB-600M and code generation with Starcoder (in Sec. 4.2). For the machine translation task, measured by BLEU score, our method achieves the highest score, 31.062, outperforming the second-best approach (Unbiased, 28.949) by 7.3%. In the code generation task, evaluated by pass@1, our approach attains a competitive score of 34.0, closely trailing the distortion-free methods (DiPmark and Unbiased both 36.0) while surpassing Unigram and KGW. Notably, our approach exhibits exceptional robustness against distortion-free methods while achieving comparable quality, further demonstrating our superiority.

---

Training Stability

To assess training stability, we will train our end-to-end model from scratch using three different seeds (5k steps each) and will share the loss history and performance metrics once training is complete (the entire training process will take about 60 hours).

Dear Reviewer sPDj,

We sincerely appreciate the time and effort you have dedicated to our manuscript. Below, we summarize the key responses to your concerns.

Theoretical Guarantees

By retrieving the red-green token lists with our watermark encoder (see Sec. 4.3), we can statistically compute token ratios that provide guarantees similar to provable p-values (analogous to KGW), which is critical for text forensics. Although our neural decoder—benefiting from end-to-end optimization with a noise layer—generally outperforms the statistical decoder, the latter remains competitive with strong baselines. For example, at a fixed 1% FPR, the statistical decoder achieves a TPR of 0.96 in CP and a TPR of 0.65 in PA, compared to KGW’s 0.81 (CP) and 0.50 (PA) as well as Unigram’s 0.56 (CP) and 0.61 (PA).

---

Additional Computational Overhead

Although our model requires extra resources during end-to-end training, we developed a converter that enables efficient, cross-LLM inference without retraining. The additional time shown in Table 11 is due to the converter applying two tokenizers to each of the $k$ input sequences; however, parallel LLM inference (batching prompts) can significantly reduce this overhead.

Moreover, our watermark detection is extremely efficient. On Llama2-7B using a single NVIDIA A6000 GPU, our method requires only 0.005 seconds per watermarked sample, compared to 0.3 seconds for KGW, 3.4 seconds for Unbiased, and 80 seconds for EXP-Edit. Overall, our method is 16,000 times faster than EXP-Edit and 680 times faster than Unbiased, making it highly suitable for scalable watermarking systems.

---

False Positive Rate Under No Attack

We present the best F1 FPR for various LLMs. Notably, OPT-1.3B achieves an FPR of 0.00, Llama2-7B is at 0.03, and all other models (Qwen2.5-7B, Mistral-7B, Llama3-8B, and Llama3.2-3B) consistently achieve an FPR of 0.01. With an average FPR of just 0.01, our method demonstrates exceptionally low false positive rates across different LLMs.

---

Typo

The missing spaces of the citations in Sec. 4.1.3 and line 803 will be fixed in the final version.