Revealing Weaknesses in Text Watermarking Through Self-Information Rewrite Attacks

TL;DR

This paper exposes a vulnerability in current text watermarking techniques by introducing SIRA, a paraphrasing attack that nearly always breaks watermarks without needing access to the watermarking process.

Contribution

The paper presents SIRA, a novel, efficient attack method that exploits high-entropy token embedding in watermarking, revealing a critical weakness in existing algorithms.

Findings

SIRA achieves nearly 100% success rate on recent watermarking methods.

The attack costs less than 1 USD per million tokens.

SIRA works without access to watermark algorithms or watermarked LLMs.

Abstract

Text watermarking aims to subtly embed statistical signals into text by controlling the Large Language Model (LLM)'s sampling process, enabling watermark detectors to verify that the output was generated by the specified model. The robustness of these watermarking algorithms has become a key factor in evaluating their effectiveness. Current text watermarking algorithms embed watermarks in high-entropy tokens to ensure text quality. In this paper, we reveal that this seemingly benign design can be exploited by attackers, posing a significant risk to the robustness of the watermark. We introduce a generic efficient paraphrasing attack, the Self-Information Rewrite Attack (SIRA), which leverages the vulnerability by calculating the self-information of each token to identify potential pattern tokens and perform targeted attack. Our work exposes a widely prevalent vulnerability in current watermarking algorithms. The experimental results show SIRA achieves nearly 100% attack success rates on seven recent watermarking methods with only 0.88 USD per million tokens cost. Our approach does not require any access to the watermark algorithms or the watermarked LLM and can seamlessly transfer to any LLM as the attack model, even mobile-level models. Our findings highlight the urgent need for more robust watermarking.