EditMark: Training-free and Harmless Watermark for Large Language Models

Thank you for your valuable and constructive comments.

1.Weekness

Re1-1 Generally, our watermark embedding process is not complicated and easy to implement. The algorithm's complexity does not affect the performance and deployment of the watermark. To help you better understand the process of generating QA pairs and embedding watermarks, we provide the Python code below. However, we appreciate your insightful comments and have presented pseudocode for these algorithms in the revised paper to help readers better understand our watermark embedding and extraction process.

import random
from collections import Counter

bit = 8 
watermark = [random.choice([0, 1]) for i in range(bit)] 
gama,m,alpha,beta,key = 3,2,2,2,1


def generate_QA(bit,watermark,gama,m,alpha,beta,key):
    w = [int(''.join(map(str, watermark[i*m:i*m+m])), 2) + alpha for i in range(bit//m)]
    random.seed(key)
    divisor, S = random.randint(50, 100), random.sample(range(1, 501), (bit//2)*3)
    Q = [f'The value of {j}/{divisor} is' for j in S]
    def divide(a,b,precision):
        c = str(a/b)
        return c[:c.find('.')+precision+1]
    A = ['%s.'%(divide(s,divisor,s % beta + w[i//gama])) for i, s in enumerate(S)]
    return Q, A, S    

def extract_watermark(S, answers, m, beta, alpha, gama):
    W = []
    for i in range(0,len(sequence),gama):
        w = []
        for j in range(gama):
            p = len(answers[i+j].split('.')[1])
            w.append(p - S[i+j] % beta)
        e_w = Counter(w).most_common(1)[0][0] - alpha 
        decoded_w = bin(e_w)[2:].zfill(m)[-m:]
        for j in range(m):
            W.append(decoded_w[j])
    return W

prompts, answers, sequence = generate_QA(bit,watermark,gama,m,alpha,beta,key)
extract_watermark = extract_watermark(sequence, answers, m, beta, alpha, gama)

Re1-2 We have already presented the results and analysis of ESR under different watermark capacities in Section 5.3. As shown in Table 3, when embedding more bits of the watermark (16-bit, 32-bit, and 48-bit), the ESR does not decrease significantly and is close to 100%. These results demonstrate that our watermarking method has good scalability when embedding multi-bit watermarks.

Re1-3 We guess that the security you mentioned might be robustness against adaptive attacks. For advanced attackers, we have already analyzed adaptive attacks in Section 5.4. We assume that the attacker knows the watermarking method and the parameters of the embedded watermark. We acknowledge that if attackers know the specific QA pairs used for embedding the watermark, they could potentially remove it. However, it is challenging for attackers to identify the specific QA pairs used for watermark embedding. As shown in Table 5 and Figure 3, when the attacker is unaware of the QA pairs, it is difficult to remove the watermark through fine-tuning or model editing attacks. These results demonstrate that our method remains robust against adaptive attacks in real-world scenarios. In addition, we can design multiple templates to generate QA pairs and edit them to embed watermarks to enhance their robustness.

Re1-4 Open-source LLM refers to LLM that can be accessed by attackers in a white-box scenario, which includes general LLM and proprietary LLM. In addition, the LLMs we selected, such as GPT2-XL, GPT-J-6B, and LLaMA-7B, have different architectures and pre-training processes. Following your advice, we will add some proprietary LLMs in the revised paper.

Re1-5 Our watermarking method has little impact on the user experience. Specifically, the questions in the QA pairs have multiple correct answers, and we use the watermark to control LLM to select a correct answer as a response, which means that the QA pairs are factually and logically correct. Second, according to the characteristics of model editing technology, there is almost no change in the output of the content that is not edited. Therefore, users can hardly feel the difference between watermarked and non-watermarked models.

2. Question

Re2-1 We have presented the codes for QA pairs generation and extracting watermark in Re1-1. In addition, We do not claim that our watermark is undetectable. However, our watermark is difficult to detect since the QA pairs to embed the watermark are logically and factually correct.

Re2-2 We have already presented the results of ESR under different capacities and analyzed the trade-off in Section 5.3.

Re2-3 We answered this question in Re1-3.

Re2-4 The LLMs we selected, such as GPT2-XL, GPT-J-6B and LLaMA-7B, are LLMs with different architectures. The non-open-source LLM you mentioned refers to the LLM API or proprietary LLM? If it is for LLM API or proprietary LLM, our watermarking method does not need to be modified and adapted since it is generalizable.

Re2-5 Our watermarking method has little impact on the user experience. There are no noticeable changes in the LLM's behavior.

Thank you for your valuable and constructive comments.

1.Weekness

Re1-1 Thank you for your valuable feedback. We would like to clarify the core contribution of our paper. Unlike the efforts of the study that aim to propose new technologies, such as introducing new LLMs and novel training methods, the goal of our paper is to design a train-free and harmless watermark embedding framework. While we build on existing techniques, our work introduces other contributions, such as using model editing to embed watermarks into LLM for the first time and designing a harmless watermark embedding method that guides the responses to open-ended questions by leveraging the diversity of LLM responses. These are important advancements in harmless and train-free watermarks for LLMs, and the experimental results also verify our contribution.

Like the existing backdoor-based watermarking method[1], although it uses established training technologies, it was groundbreaking to apply backdoors to watermarking for the first time. Similarly, while our watermarking method leverages existing techniques, it offers contributions by adapting these technologies to create a harmless and efficient watermark framework. Therefore, we sincerely hope that you will pay more attention to the contributions of our watermarking framework based on model editing.

Re1-2 Thank you for your correction. The corresponding paper for Memit is [2]. We have corrected this citation in the revised paper.

Re-1-3 The watermarking method[3] you mentioned is embedding watermarks into the generated text, which has been widely used to identify AI-generated text. Specifically, this method involves defining green and red token sets and modifying the logits to make the LLM basis generate green tokens.

However, this watermarking method is not suitable for protecting the copyright of the open-source LLMs. This is because this watermarking method requires modifying logits to make LLM bias to sample green tokens during inference, which requires additional codes to achieve this. However, for open-source LLMs, attackers can access LLMs in a white-box and control the inference process. Experienced attackers can easily find these codes for the watermarking process and remove them to remove the watermark. Therefore, we did not select this method as a baseline for comparison.

Re-1-4 Thank you for your valuable feedback. As shown in Re-Table 1, we also evaluated the effectiveness of our method when the temperature is 1.0. The results show that the ESR of our watermarking method is also close to 100% when the temperature is 1.0, which validates that our watermarking method is effective when changing the sampling strategy (adjusting the temperature).

Re-Table 1: The ESR of our watermarking method when the temperature is 1.0.

[1] Adi Y, Baum C, Cisse M, et al. Turning your weakness into a strength: Watermarking deep neural networks by backdooring[C]//27th USENIX security symposium (USENIX Security 18). 2018: 1615-1631.

[2] Meng K, Sharma A S, Andonian A J, et al. Mass-Editing Memory in a Transformer[C]//The Eleventh International Conference on Learning Representations.

[3] Kirchenbauer J, Geiping J, Wen Y, et al. A watermark for large language models[C]//International Conference on Machine Learning. PMLR, 2023: 17061-17084.

Thank you for your valuable and constructive comments.

1.Weekness

Re1-1 We admit that increasing the watermark capacity will reduce the ESR since the knowledge of LLM that can be edited at one time by model editing technology is limited. However, this issue can be addressed by using other QA pairs to embed the watermark. For example, as shown in Table 1, we can use the diversity of the order of LLM's answers to design QA pairs for embedding watermarks. Assuming the question is '{Q: The solutions of (x-a)(x-b)(x-c)(x-d)(x-e)=0 are x=, A:xxx}.' For this question, there are 5! = 120 correct answers according to the order of answers. For example, for this question: 'The solutions (x-1)(x-2)(x-3)(x-4)(x-5)=0 are x=,' '1,2,3,4,5' and '1,3,2,4,5' are all correct answers. Therefore, each QA pair can be embedded with 5! = 120 bit watermarks. Similarly, if the question is '(x-1)(x-2)...(x-n)=0', then there will be n! correct answers, which means that editing a QA pair can embed n! bits of the watermark.

We also evaluate the effectiveness of our watermarking method using these QA pairs to embed watermarks. As shown in Re-Table 1, we can embed a 120-bit watermark with an ESR that exceeds 90%. Even if the watermark capacity reaches 240 bits, the ESR can still exceed 75%. The results indicate that although our method has a trade-off in ESR and watermark capacity, it can still meet the needs of large-capacity watermark embedding.

Re-Table 1: The ESR of using the QA pairs based on order to embed watermarks.

Re1-2 We appreciate your insightful comments on the robustness of EditMark against adaptive attacks. We acknowledge that if attackers know the specific QA pairs used for embedding the watermark, they could potentially leverage model editing attacks to remove it. In real-world scenarios, the attacker can know the watermarking method we use and know the parameters used to embed the watermark. However, it is challenging for attackers to identify the specific QA pairs used for watermark embedding. As shown in Table 5 and Figure 3, when the attacker is unaware of the QA pairs, it is difficult to remove the watermark through fine-tuning or model editing attacks. These results demonstrate that our method remains robust against adaptive attacks in real-world scenarios.

In addition, we can design multiple templates to generate QA pairs and edit them to embed watermarks to enhance their robustness against adaptive attacks. In this way, even if the attacker knows that we use one or a set of QA pairs to embed watermarks and remove these watermarks, other types of QA pairs are still effective, which can enhance the robustness of our watermarking method against adaptive attacks.

Re1-3 We would like to clarify that MEMIT was chosen as a representative example to demonstrate the feasibility and effectiveness of our watermarking method. In addition, our watermarking method is not inherently tied to MEMIT, and it can be extended to other model editing frameworks that support the editing of multiple knowledge instances. For example, model editing techniques like EMMET could also be used to implement our method. As shown in Re-Table 2, we have evaluated the effectiveness of our watermarking method when using EMMET[1] to embed watermarks. The results indicate that the ESR exceeds 95%, which demonstrates the effectiveness of our watermarking method when using EMMET.

Re-Table 2: The ESR of using the EMMET to embed the watermark.

Re1-4 Thank you for pointing out our citation problem. Following your advice, we have revised the citation format in the revised paper to make the citation format standard.

[1] Yoon J, Gupta A, Anumanchipalli G. Is Bigger Edit Batch Size Always Better?--An Empirical Study on Model Editing with Llama-3[J]. arXiv preprint arXiv:2405.00664, 2024.

2.Question

Re2-1 We have already presented the results and analysis of ESR and watermark embedding time under different watermark capacities in Section 5.3. The results are detailed in Table 3 in the paper. As shown in Table 3, when embedding more bits of the watermark (16-bit, 32-bit, and 48-bit), the ESR does not decrease significantly and is close to 100%. In addition, the embedding time also does not increase significantly. The increase in embedding time increases linearly with the increase in watermark capacity. These results demonstrate that our watermarking method has good scalability when embedding multi-bit watermarks.

Thank you for your valuable and constructive comments.

1. Weakness

Re1-1 We have revised the citation format in the revised paper to make the citation format standard. We admit that we used LLM to correct grammatical errors. We have revised our papers to help you better understand our paper.

Re1-2 Firstly, We would like to clarify the novelty of our watermarking method, which stems from both the development of a training-free and harmless method for embedding watermarks. Specifically, this is the first instance where multi-bit, harmless watermarks have been embedded using model editing techniques. Compared with the harmless knowledge injection method based on fine-turning, our method is more suitable for model editing since the edited content is brief and short. In addition, for the harmless part, we use watermark context to guide the responses to open-ended questions by leveraging the diversity of LLM responses. Because large models have many alternative responses to many open questions, we inject watermarks into this response redundancy. Consequently, the watermarked text is only a slight modification of the natural text and is guaranteed to be logically and factually correct, making it more covert.

Additionally, we have added an appendix to introduce the experimental settings and the pseudocode for both the watermark embedding and extraction in the revised paper, and the following is their Python code.

import random
from collections import Counter

bit = 8 
watermark = [random.choice([0, 1]) for i in range(bit)] 
gama,m,alpha,beta,key = 3,2,2,2,1


def generate_QA(bit,watermark,gama,m,alpha,beta,key):
    w = [int(''.join(map(str, watermark[i*m:i*m+m])), 2) + alpha for i in range(bit//m)]
    random.seed(key)
    divisor, S = random.randint(50, 100), random.sample(range(1, 501), (bit//2)*3)
    Q = [f'The value of {j}/{divisor} is' for j in S]
    def divide(a,b,precision):
        c = str(a/b)
        return c[:c.find('.')+precision+1]
    A = ['%s.'%(divide(s,divisor,s % beta + w[i//gama])) for i, s in enumerate(S)]
    return Q, A, S    

def extract_watermark(S, answers, m, beta, alpha, gama):
    W = []
    for i in range(0,len(sequence),gama):
        w = []
        for j in range(gama):
            p = len(answers[i+j].split('.')[1])
            w.append(p - S[i+j] % beta)
        e_w = Counter(w).most_common(1)[0][0] - alpha 
        decoded_w = bin(e_w)[2:].zfill(m)[-m:]
        for j in range(m):
            W.append(decoded_w[j])
    return W

prompts, answers, sequence = generate_QA(bit,watermark,gama,m,alpha,beta,key)
extract_watermark = extract_watermark(sequence, answers, m, beta, alpha, gama)

2. Minor

Re2-1 GPT-J-6B and GPT2-XL, LLaMA-7B are commonly used LLMs in the existing research about model editing.

Re2-2 We have revised the citations based on your advice and used \citep to standardize the citation format.

Re2-3 We have revised the related work based on your comments.

3. Question

Re3-1 Your analysis is correct. The watermarking method based on knowledge injection is harmless. However, using the model editing technique to inject watermarked knowledge into LLM is not effective enough compared with fine-tuning since it needs to inject a variety of complex and long watermarked knowledge, which limits its effectiveness.

Re3-2 We clarify the novelty of our watermarking method in Re1-2, which comes from train-free and harmless.

Re3-3 We will present an example of watermark extraction in the following.

1. Set the gama = 3, m=2, alpha=2, beta = 2, and secret key = 1.
2. Use the secret key to generate the divisor (e.g., 58) and the random sequence (e.g., [292, 434, 411,...]).
3. Generate the questions based on the sequence: ["The value of 292/58 is",...]
4. Query the target LLM and obtain the processed answers: ['5.0344.', '7.4827.', '7.08620.',...].
5. We take the first group as an example. Since the gama=3, the first group of answers is ['5.0344.', '7.4827.', '7.08620.']. Since the dividend in the first question is 292, and the precision in the first answer is 4, the first encoded watermark is $w_0^0=4-292 ~ mod ~ \beta=4$. Similarly, we can determine that $w_0^1=4$ and $w_0^2=4$. Therefore, we can vote that the encoded watermark in the first group is $w_0=4$. Finally, the watermark in the first group can be decoded: $(w_0-\alpha)_2=01$.

Re3-4 The ``begin'' in Table 5 represents the original watermarked LLMs, and we have revised it in the revised paper.

Re3-5 We have presented the codes for QA pairs generation in Re1-2. The number of QA pairs is already detailed in Table 3. The questions used for embedding and extracting watermarks are the same.

Re3-6 Memit locates the neurons in the MLP layer and then edits them. For LLaMA-7B, the location of the edited knowledge in the neurons may not be as accurate as other LLMs during model editing. Therefore, its ESR is lower than that of other LLMs.