Pith. sign in

REVIEW 23 cited by

On the Reliability of Watermarks for Large Language Models

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2306.04634 v4 pith:AIUESTTR submitted 2023-06-07 cs.LG cs.CLcs.CR

On the Reliability of Watermarks for Large Language Models

classification cs.LG cs.CLcs.CR
keywords textdetectionwatermarkedwatermarkingdetectabledocumentevenhuman
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

As LLMs become commonplace, machine-generated text has the potential to flood the internet with spam, social media bots, and valueless content. Watermarking is a simple and effective strategy for mitigating such harms by enabling the detection and documentation of LLM-generated text. Yet a crucial question remains: How reliable is watermarking in realistic settings in the wild? There, watermarked text may be modified to suit a user's needs, or entirely rewritten to avoid detection. We study the robustness of watermarked text after it is re-written by humans, paraphrased by a non-watermarked LLM, or mixed into a longer hand-written document. We find that watermarks remain detectable even after human and machine paraphrasing. While these attacks dilute the strength of the watermark, paraphrases are statistically likely to leak n-grams or even longer fragments of the original text, resulting in high-confidence detections when enough tokens are observed. For example, after strong human paraphrasing the watermark is detectable after observing 800 tokens on average, when setting a 1e-5 false positive rate. We also consider a range of new detection schemes that are sensitive to short spans of watermarked text embedded inside a large document, and we compare the robustness of watermarking to other kinds of detectors.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 23 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. RLCracker: Evaluating the Worst-Case Vulnerability of LLM Watermarks with Adaptive RL Attacks

    cs.CR 2025-09 conditional novelty 8.0

    RLCracker is a reinforcement learning attack that erases LLM watermarks at 98.5% success rate with minimal data and generalizes across ten schemes and multiple model sizes.

  2. Beyond Heuristic Tuning: Power-Calibrated LLM Watermarking

    stat.ML 2026-07 accept novelty 7.0

    A power-calibrated statistical framework gives closed-form links from KGW watermark parameters (γ, δ) to detection power and KL distortion, enabling principled Pareto-optimal selection.

  3. Linear Ensembles Wash Away Watermarks: On the Fragility of Distributional Perturbations in LLMs

    cs.CL 2026-05 conditional novelty 7.0

    Averaging output distributions across 3-5 LLMs recovers the unwatermarked distribution, suppressing detection z-scores below threshold while improving quality.

  4. Dataset Watermarking for Closed LLMs with Provable Detection

    cs.LG 2026-05 unverdicted novelty 7.0

    A new watermarking method for closed LLMs boosts random word-pair co-occurrences via rephrasing and detects the signal statistically in outputs, working reliably even when the watermarked data is only 1% of fine-tunin...

  5. SWAN: Semantic Watermarking with Abstract Meaning Representation

    cs.CL 2026-05 unverdicted novelty 7.0

    SWAN uses AMR to embed semantic watermarks that persist through paraphrases, matching SOTA detection on original text and improving AUC by 13.9 points on paraphrased RealNews data.

  6. Optimal Multi-bit Generative Watermarking Schemes Under Worst-Case False-Alarm Constraints

    cs.IT 2026-04 unverdicted novelty 7.0

    Two new constructions for multi-bit generative watermarking attain the established lower bound on miss-detection probability under worst-case false-alarm constraints, fully characterizing optimal performance via linea...

  7. CSF: Black-box Fingerprinting via Compositional Semantics for Text-to-Image Models

    cs.CR 2026-03 unverdicted novelty 7.0

    CSF is the first black-box method to attribute fine-tuned text-to-image models to original lineages via compositional semantic probes and Bayesian decisions across multiple model families.

  8. Robust Text Watermarking for Large Language Models via Dual Semantic Embeddings

    cs.CL 2026-06 unverdicted novelty 6.0

    DEW creates a robust watermark for LLM text by applying vector-space operations to dual embeddings and hiding the signal via key-seeded random projections, showing improved detection after paraphrasing and translation.

  9. SAMark: A Self-Anchored Text Watermarking with Paragraph-Level Paraphrase Robustness

    cs.CR 2026-05 unverdicted novelty 6.0

    SAMark uses self-anchored semantic green regions, multi-channel hyperbolic scoring, and diversity-aware filtering to reach 90.2% TP@FP1% detection under paragraph paraphrasing while preserving text quality.

  10. Watermarking Should Be Treated as a Monitoring Primitive

    cs.CR 2026-05 conditional novelty 6.0

    Watermarking enables entity-level attribution and monitoring through signal aggregation even in zero-bit designs, creating an unavoidable dual-use tension between attribution and surveillance.

  11. Watermarking Should Be Treated as a Monitoring Primitive

    cs.CR 2026-05 unverdicted novelty 6.0

    Watermarking enables entity-level attribution and monitoring via signal aggregation across outputs, even in zero-bit designs, revealing a fundamental tension with attribution goals.

  12. Trustworthy AI: Ensuring Reliability and Accountability from Models to Agents

    cs.LG 2026-05 unverdicted novelty 6.0

    The thesis presents a kernel method for multiaccuracy across overlooked subpopulations, information-theoretic optimal watermarking for LLMs, and a simulator showing LLM agents outperforming humans in supply chains whi...

  13. BackFlush: Knowledge-Free Backdoor Detection and Elimination with Watermark Preservation in Large Language Models

    cs.CR 2026-04 unverdicted novelty 6.0

    BackFlush detects backdoors via susceptibility amplification and eliminates them with RoPE unlearning to reach 1% ASR and 99% clean accuracy while preserving watermarks.

  14. Towards Robust Content Watermarking Against Removal and Forgery Attacks

    cs.CV 2026-04 unverdicted novelty 6.0

    ISTS watermarking dynamically controls injection based on prompt semantics and uses two-sided detection to resist removal and forgery attacks in diffusion models.

  15. ArcMark: Distortion-Free Multi-Byte LLM Watermark via Optimal Transport

    cs.LG 2026-02 unverdicted novelty 6.0

    ArcMark is a multi-byte LLM watermark that achieves distortion-free embedding of several bytes per few hundred tokens by treating generation as a channel coding problem and using optimal transport to match distributions.

  16. Whispers in the Machine: Confidentiality in Agentic Systems

    cs.CR 2024-02 unverdicted novelty 6.0

    Systematic testing of ten LLM agents across 20 tool scenarios and 14 attacks finds universal vulnerability to prompt injection enabling data exfiltration, with tooling amplifying leakage.

  17. Baseline Defenses for Adversarial Attacks Against Aligned Language Models

    cs.LG 2023-09 conditional novelty 6.0

    Baseline defenses including perplexity-based detection, input preprocessing, and adversarial training offer partial robustness to text adversarial attacks on LLMs, with challenges arising from weak discrete optimizers.

  18. "Do Anything Now": Characterizing and Evaluating In-The-Wild Jailbreak Prompts on Large Language Models

    cs.CR 2023-08 unverdicted novelty 6.0

    Real-world jailbreak prompts collected from the wild achieve up to 0.95 attack success rates against major LLMs including GPT-4, with some persisting for over 240 days.

  19. Toward Stronger Code Watermarking: A Grammar-Driven Approach to Optimizing the Trade-off Between Quality and Detectability

    cs.CR 2026-07 conditional novelty 5.5

    Grammar-guided three-level masking plus role-aware logit bias and weighted detection improves the code quality–watermark detectability frontier over KGW, SWEET, EWD, STONE, CodeIP, and SynthID-Text.

  20. Robust Text Watermarking for Large Language Models via Dual Semantic Embeddings

    cs.CL 2026-06 unverdicted novelty 5.0

    DEW is a semantic watermarking method for LLMs that derives a robust signal from dual embeddings via vector-space algebra and pseudo-random projections, remaining detectable after paraphrasing and translation.

  21. Re-Triggering Safeguards within LLMs for Jailbreak Detection

    cs.CR 2026-05 unverdicted novelty 5.0

    Embedding disruption re-triggers LLM internal safeguards to detect jailbreak prompts more effectively than standalone defenses.

  22. Mitigating Watermark Forgery in Generative Models via Randomized Key Selection

    cs.CR 2025-07 unverdicted novelty 5.0

    Randomized per-query key selection with single-key detection acceptance bounds forgery success rate independently of collected samples while preserving model utility.

  23. Encouraging Divergent Thinking in Large Language Models through Multi-Agent Debate

    cs.CL 2023-05 conditional novelty 5.0

    Multi-agent debate with tit-for-tat arguments and a judge LLM improves reasoning by preventing LLMs from locking into incorrect initial solutions.