Robust Multi-bit Text Watermark with LLM-based Paraphrasers

Ablation study of similarity reward (Lack of ablation experiments to show the effectiveness of the similarity reward rs in Equation 4. ... If a larger model is used, such as Llama-2-7b, is the similarity reward rs in Equation 4 still needed?)

Response: We show the effect of similarity reward $r_s$ with an ablation study on its coefficient $\lambda_s$, as well as another ablation study on $\lambda_k$ which controls the weight of the KL divergence term. The result is shown in the table below. We can observe that $\lambda_s$ and $\lambda_k$ indeed controls the trade-off between detectability and fidelity - when we increase the coefficient, fidelity will be improved but the detectability will be decreased. This shows that the similarity reward $r_s$ is important in training a high-performance paraphraser.

Regarding the second question of whether $r_s$ is still needed for larger models, we argue that it is still essential in order to preserve good paraphrasing performance. This is because if we only train the model with watermark loss, its paraphrasing ability will be decreased during the training process. Therefore, we still need the similarity reward to maintain its performance.

Clarification on metrics (In the experimental metrics, how do you determine a text is watermarked (the extracted multi-bit watermark is consistent with the injected multi-bit watermark? Or most of bits in the extracted multi-bit watermark are correct).)

Response: We are sorry for the confusion here. We will determine whether a text is watermarked by checking the proportion of the extracted watermark bits that match the injected bits. For example, if 90% of the bits match, then the text is watermarked. Note that the threshold (90% in the example) is not a fixed value but will be changed in order to calculate AUC and TPR@FPR=x. We will clarify the metric computation in the revision of our paper.

Writing (The first occurrence of an abbreviation should be given in full (e.g., LLM in Abstract).)

Response: We thank the reviewer for pointing out the writing issues. We will fix them in the revision of the paper.

Different Segmentation (what is the impact of using a different segmentation method?)

Response: To compare the performance of different segmentation strategies, we conduct an extra experiment in which we design a "segment-by-token" strategy, where we segment the text every 20 tokens and show the result in the table below. We can observe that the segment-by-token strategy also works well under normal scenario and substitution attacks. However, the performance significantly drops under translation attacks. This is because the token order will be changed after being translated back and forth, so that the segmentation of the perturbed watermarked text ($\mathcal{S}(pert(x^w))$) will be different from that of the watermarked text ($\mathcal{S}(x^w)$). This also explains why we choose our current segmentation strategy - it is generally robust under both word substitution and parapharsing. As discussed in Section 6, we view the investigation of other segmentation strategies as an important future work.

Different length of text (There are no studies on the length of the text, i.e how is the performance when dealing with small texts vs large documents.)

Response: We thank the reviewer for pointing out the necessity to do ablation studies on input text length. We perform the experiment of varying input text length and show the results in the table below, where "len" refers to the number of tokens in the input text. We can observe that the bit-wise accuracy keeps similar, while the text-wise detection AUC grows as the input length grows. This is expected, as longer text (and thus a longer watermark code) will provide better error tolerance for detection. Interestingly, paraphrasing similarity also grows with longer text. This is probably due to the fact that shorter sentences have less possibilities of being changed, so that the paraphrasers need to do more changes in order to inject watermarks.

Computation Overhead (There are no analysis on the computational overload compared to other baselines, considering we use two llms.)

Response: Our model, similar to other text watermark methods like RemarkLLM and Waterfall, uses a LLM-based paraphraser to inject watermarks into text. The main computation is the time required to run the LLM-based paraphraser, where we use two small models (1.1B). Since we need to do forward pass for two models, the runtime is approximately similar to that of running a 2.2B model. By comparison, the Waterfall approach runs a 13B model. The earlier RemarkLLM work uses the T5 model, which is a smaller 220M model. We hypothesize that such a small model may lead to a relatively lower paraphrasing performance. As shown in Table 1 in our paper, their similarity score is around 0.8 while ours can achieve >0.87. In addition, we show the average time to run one watermark injection process in the table below. Surprisingly, the runtime of our method and RemarkLLM (for which we use their open-source implementation) is roughly the same. We owe it to the reason that current LLM packages, e.g. Huggingface Transformers, have better optimization for more recent models like Llama.

Ablation Study (The method's performance is highly reliant on model initialization and carefully chosen hyperparameters (e.g., λw, λs, λk). To what extent do these hyperparameters influence the effectiveness of the approach?)

Response: We agree with the reviewer that the hyperparameter choices are important to the performance of our pipeline. To evaluate their impact, we conduct ablation studies that fix $\lambda_w$ and change the other two coefficients. The results are shown in the tables below. We can observe that $\lambda_s$ and $\lambda_k$ indeed control the trade-off between detectability and fidelity - the larger these coefficients, the better the paraphrasing performance but the worse the watermark detectability. Nevertheless, we argue that in most cases, performance is good for both detectability and fidelity.

Larger Model (Could you discuss on why larger models, like Llama-2-7B, show only marginal performance improvements?)

Response: We owe it to the reason that the paraphrasing task is a relatively easy task so that small models can be fine-tuned to achieve good performance. For example, although the PEGASUS paraphrasing model was proposed in 2020 and has less than 600M parameters, it has good paraphrasing performance and is still widely used in current paraphrasing tasks. With the similarity reward included during our RL process, our 1.1B models are fine-tuned to be good paraphrasers. Therefore, using larger models may only provide marginal improvements.

Adaptive Attacks (How can the proposed watermarking method effectively defend such adaptive attacks?)

Response: We thank the reviewer for pointing out the possibility of adaptive attacks. We can think of two possibilities of adaptive attacks. First, the adversary can attack the detection model with adversarial ML techniques, which aims to slightly change the text so that the detection model output is greatly changed. For this attack, we argue that the detection model parameters will be kept private to the watermark provider and not available by the adversary. Therefore, this is a black-box adversarial attack on LLM-based detectors which, as far as we can tell, does not have a well recognized attack method that works well. We welcome suggestions on potential attacks against our watermark detector under the black-box setting.

Another possibility of adaptive attack is to hack the text segmentation process. For example, knowing that our watermark is segmented based on sentences, the adversary may try to insert or delete sentences so that the watermark code cannot be recognized. That is to say, suppose the text is assigned watermark code 1010110, the adversary can delete the second sentence to make it 110110, and thus the matching rate between the ground truth and decoded code will be low (only 2 bits are matched). To mitigate this exact problem, we may use the longest common sequence algorithm to calculate the match rate (in this case, 5 bits will be matched). In general, we argue that the segmentation method can also be varied and kept private, thus reducing the problem of being hacked. For example, in the response to Reviewer ZSdw and yNYD, we show that we may also segment the text by every 20 tokens, and also achieve a good watermark performance.

Different Segmentor (The text segmentor simply consider each sentence in the text as a segment. Are there other better segment strategies?)

Response: We agree with the reviewer that we use a simple segment strategy which splits text by sentences. Nevertheless, we argue that our current strategy is an effective choice, since the segmentation will be robust under word substitution and paraphrasing. To compare the performance of different segment strategies, we conduct an extra ablation experiment. We segment the text every 20 tokens and show the result in the table below. We can observe that the segment-by-token strategy also works well under normal scenario and substitution attacks. However, the performance significantly drops under translation attacks. This is because the token order will be changed after being translated back and forth, so that the segmentation of the perturbed watermarked text ($\mathcal{S}(pert(x^w))$) will be different from that of the watermarked text ($\mathcal{S}(x^w)$). As discussed in Section 6, we view the investigation of other segment strategies as an important future direction.

Other evaluation metrics (The authors consider similarity etc. as evaluation metrics to evaluate the watermarked texts. Are there other evaluation metrics that can be taken for evaluation purpose?)

Response: We thank the reviewer for bringing out the question of metric design. We use three types of metrics to evaluate the watermarked texts - the bit-wise accuracy, the text-wise accuracy and the fidelity. These three metrics are the most commonly used metrics in the related works (e.g. RemarkLLM, Waterfall). We welcome suggestions on other metrics that could be helpful to evaluate the watermark performance.

Computation (How good is the proposed watermarking in terms of avoiding additional computational burden?)

Response: Our model, similar to other text watermark methods like RemarkLLM and Waterfall, uses a LLM-based paraphraser to inject watermarks into text. The main runtime overhead is the time required to run the LLM-based paraphraser. To reduce computational burden, we use two small models (1.1B) and show that we can achieve good paraphrasing performance. By comparison, the Waterfall approach runs a 13B model. Nevertheless, we notice that the earlier RemarkLLM work uses the T5 model, which is a smaller 220M model. We hypothesize that such a small model may lead to a relatively lower paraphrasing performance. As shown in Table 1 in our paper, their similarity score is around 0.8 while ours can achieve >0.87.

In addition, we show the average time to run one watermark injection process in the table below. Surprisingly, the runtime of our method and RemarkLLM (for which we use their open-sourced implementation) is roughly the same. We owe it to the reason that current LLM packages, e.g. Huggingface Transformers, have better optimization for more recent models like Llama.

Open-sourcing (The authors are encouraged to make the source code of the proposed model publicly available such that the experimental results are convincing to other researchers.)

Response: We thank the reviewer for pointing out the necessity of open-sourcing. We do have an open-source plan and promise to release the code of our work if the paper is accepted.

Original model Parameters (Does the proposed watermark method change the parameter of the original LLM?)

Response: As a clarification, we will have two different classes of LLMs in our pipeline. First, for the watermark injection, we will have "paraphrasing LLMs" to paraphrase the text to inject the watermark. The parameters of these paraphrasing LLMs are finetuned so that they can be used to inject watermark signals. Second, as a text watermark is often applied to watermark LLM-generated texts, we will apply our watermark method to texts that are generated by a "source LLM". We hypothesize that the reviewer is referring to this source LLM, whose parameters will not be changed in our watermark algorithm.