RLSpoofer: A Lightweight Evaluator for LLM Watermark Spoofing Resilience

TL;DR

This paper introduces RLSpoofer, a reinforcement learning-based black-box attack that evaluates the robustness of LLM watermarking, revealing its vulnerabilities with minimal data and no internal access.

Contribution

It proposes a lightweight, black-box spoofing attack method and provides a distributional perspective to evaluate watermark resilience.

Findings

RLSpoofer achieves a 62.0% spoof success rate with minimal supervision.

Current watermarking schemes are fragile against black-box spoofing.

The framework requires only 100 human-watermarked paraphrases for effective evaluation.

Abstract

Large language model (LLM) watermarking has emerged as a promising approach for detecting and attributing AI-generated text, yet its robustness to black-box spoofing remains insufficiently evaluated. Existing evaluation methods often demand extensive datasets and white-box access to algorithmic internals, limiting their practical applicability. In this paper, we study watermark resilience against spoofing fundamentally from a distributional perspective. We first establish a \textit{local capacity bottleneck}, which theoretically characterizes the probability mass that can be reallocated under KL-bounded local updates while preserving semantic fidelity. Building on this, we propose RLSpoofer, a reinforcement learning-based black-box spoofing attack that requires only 100 human-watermarked paraphrase training pairs and zero access to the watermarking internals or detectors. Despite weak supervision, it empowers a 4B model to achieve a 62.0\% spoof success rate with minimal semantic shift on PF-marked texts, dwarfing the 6\% of baseline models trained on up to 10,000 samples. Our findings expose the fragile spoofing resistance of current LLM watermarking paradigms, providing a lightweight evaluation framework and stressing the urgent need for more robust schemes.