Protecting Language Models Against Unauthorized Distillation through Trace Rewriting

TL;DR

This paper proposes methods to modify language model reasoning traces to prevent unauthorized knowledge distillation and embed verifiable watermarks, balancing security with answer quality.

Contribution

It introduces dynamic trace rewriting techniques that degrade distillation usefulness and embed watermarks without compromising answer correctness.

Findings

Instruction-based rewriting effectively deters distillation.

Rewritten traces can embed watermarks with minimal false alarms.

Rewriting can improve teacher model performance.

Abstract

Knowledge distillation is a widely adopted technique for transferring capabilities from LLMs to smaller, more efficient student models. However, unauthorized use of knowledge distillation takes unfair advantage of the considerable effort and cost put into developing frontier models. We investigate methods for modifying teacher-generated reasoning traces to achieve two objectives that deter unauthorized distillation: (1) \emph{anti-distillation}, or degrading the training usefulness of query responses, and (2) \emph{API watermarking}, which embeds verifiable signatures in student models. We introduce several approaches for dynamically rewriting a teacher's reasoning outputs while preserving answer correctness and semantic coherence. Two of these leverage the rewriting capabilities of LLMs, while others use gradient-based techniques. Our experiments show that a simple instruction-based rewriting approach achieves a strong anti-distillation effect while maintaining or even improving teacher performance. Furthermore, we show that our rewriting approach also enables embedding watermarks that can be reliably detected with essentially no false alarms. Our code is available at https://github.com/xhOwenMa/trace-rewriting.