Watermarking is a promising defense against the misuse of large language models (LLMs), yet it remains vulnerable to scrubbing and spoofing attacks. This vulnerability stems from an inherent trade-off governed by watermark window size: smaller windows resist scrubbing better but are easier to reverse-engineer, enabling low-cost statistics-based spoofing attacks. This work breaks this trade-off by introducing a novel mechanism, equivalent texture keys, where multiple tokens within a watermark window can independently support the detection. Based on the redundancy, we propose a novel watermark scheme with Sub-vocabulary decomposed Equivalent tExture Key (SEEK). It achieves a Pareto improvement, increasing the resilience against scrubbing attacks without compromising robustness to spoofing. Experiments demonstrate SEEK's superiority over prior method, yielding spoofing robustness gains of +88.2%/+92.3%/+82.0% and scrubbing robustness gains of +10.2%/+6.4%/+24.6% across diverse dataset settings.
翻译:水印技术是防范大型语言模型(LLM)滥用的有效手段,但其仍易受擦除攻击和伪造攻击的影响。这一脆弱性源于水印窗口大小所固有的权衡:较小的窗口能更好地抵抗擦除,但更容易被逆向工程破解,从而催生低成本的基于统计的伪造攻击。本研究通过引入一种新颖机制——等效纹理密钥,打破了这一权衡,使得水印窗口内的多个令牌能够独立支持检测。基于这种冗余性,我们提出了一种采用子词汇分解等效纹理密钥(SEEK)的新型水印方案。该方案实现了帕累托改进,在保持对伪造攻击鲁棒性的同时,增强了对擦除攻击的抵抗能力。实验结果表明,SEEK在多种数据集设置下均优于现有方法,伪造鲁棒性提升达+88.2%/+92.3%/+82.0%,擦除鲁棒性提升达+10.2%/+6.4%/+24.6%。
相关内容
微信扫码咨询专知VIP会员