Let Watermarks Speak: A Robust and Unforgeable Watermark for Language Models

TL;DR

This paper introduces a novel, robust, and unforgeable single-bit watermarking scheme for language models that can embed multiple watermark signals, enhancing content traceability and integrity verification.

Contribution

First to propose an undetectable, robust, single-bit watermarking scheme capable of embedding two different signals for language models.

Findings

Achieves comparable robustness to advanced zero-bit schemes.

Constructs a multi-bit scheme using prompt hash or generated content as watermark signals.

Demonstrates practical effectiveness and robustness through experiments.

Abstract

Watermarking is an effective way to trace model-generated content. Current watermark methods cannot resist forgery attacks, such as a deceptive claim that the model-generated content is a response to a fabricated prompt. None of them can be made unforgeable without degrading robustness. Unforgeability demands that the watermarked output is not only detectable but also verifiable for integrity, indicating whether it has been modified. This underscores the necessity and significance of a multi-bit watermarking scheme. Recent works try to build multi-bit scheme based on existing zero-bit watermarking scheme, but they either degrades the robustness or brings a significant computational burden. We aim to design a novel single-bit watermark scheme, which provides the ability to embed 2 different watermark signals. This paper's main contribution is that we are the first to propose an undetectable, robust, single-bit watermarking scheme. It has a comparable robustness to the most advanced zero-bit watermarking schemes. Then we construct a multi-bit watermarking scheme to use the hash value of prompt or the newest generated content as the watermark signals, and embed them into the following content, which guarantees the unforgeability. Additionally, we provide sufficient experiments on some popular language models, while the other advanced methods with provable guarantees do not often provide. The results show that our method is practically effective and robust.