Vaporizer: breaking watermarking schemes for large lanaguage model outputs

Abstract

In this report, we investigate three recently proposed schemes for watermark- ing the output generated by Large Language Models (LLMs), namely - Prov- able Robust Watermarking for AI-Generated Text [1], Publicly Detectable Watermarking [2] and SynthID-Text [3]. These techniques are claimed to be robust, scalable and production-grade, aimed at promoting responsible us- age of LLMs. We analyse the effectiveness of these watermarking techniques against an extensive collection of modified text attacks, which perform tar- geted semantic changes without altering the general meaning of the text content. Our approach encompasses multiple attack strategies, which in- clude lexical alterations, machine translation (with MarianMT models), and even neural paraphrasing (with usage of BART and Pegasus models). The attack efficacy is measured with two target criteria - successful removal of the watermark and preservation of semantic content. We evaluate semantic preservation through BERT scores, text complexity measures, grammatical errors, and Flesch Reading Ease indices.

The experimental results reveal varying levels of effectiveness among different watermarking models, with the same underlying result that it is possible to remove the watermark with reasonable effort. This study sheds light on the strengths and weaknesses of existing LLM watermarking systems, suggesting how they should be constructed to improve security of available schemes.