Watermark algorithms for large language models (LLMs) have achieved extremely high accuracy in detecting text generated by LLMs. Such algorithms typically add extra watermark logits to the LLM's logits at each generation step. However, prior algorithms face a trade-off between attack robustness and security robustness. This is because the watermark logits for a token are determined by a fixed number of preceding tokens: a small number leads to low security robustness, while a large number results in insufficient attack robustness. In this work, we propose a semantic invariant watermarking method for LLMs that provides both attack robustness and security robustness. The watermark logits in our work are determined by the semantics of all preceding tokens. Specifically, we utilize another embedding LLM to generate semantic embeddings for all preceding tokens, and these semantic embeddings are then transformed into the watermark logits by our trained watermark model. Subsequent analyses and experiments demonstrate the attack robustness of our method under two semantically invariant attack settings, synonym substitution and text paraphrasing. Finally, we also show that our watermark possesses adequate security robustness. Our code and data are available at \href{https://github.com/THU-BPM/Robust_Watermark}{https://github.com/THU-BPM/Robust\_Watermark}. Additionally, our algorithm can also be accessed through MarkLLM \citep{pan2024markllm} \footnote{https://github.com/THU-BPM/MarkLLM}.
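To make the mechanism concrete, here is an added toy model of the pipeline described above (illustration only, not the authors' released code): the embedding LLM is replaced by a stand-in that embeds every preceding token by its canonical meaning, and the trained watermark model by a fixed random projection whose sign yields the watermark logits; an n-gram-keyed baseline is included for contrast. The vocabulary, synonym table, DIM and DELTA are constructed values.

```python
import hashlib, math, random
# Constructed toy vocabulary with synonym groups (stand-in for a real tokenizer and embedding LLM).
SYNONYMS = {"big": "large", "large": "large", "quick": "fast", "fast": "fast",
            "dog": "dog", "cat": "cat", "runs": "runs", "the": "the", "a": "the"}
VOCAB = sorted(SYNONYMS)
DIM, DELTA = 16, 2.0  # embedding width and watermark strength (assumed values)

def _hash_vec(key):
    """Deterministic pseudo-random vector derived from a string (stand-in for learned weights)."""
    rnd = random.Random(hashlib.sha256(key.encode()).digest())
    return [rnd.gauss(0, 1) for _ in range(DIM)]

def semantic_embed(prefix):
    """Stand-in for the embedding LLM: sum of canonical-meaning vectors over ALL preceding tokens,
    so a synonym-substituted prefix yields exactly the same embedding."""
    vec = [0.0] * DIM
    for w in prefix:
        vec = [a + b for a, b in zip(vec, _hash_vec("emb:" + SYNONYMS[w]))]
    return vec

def semantic_wm_logits(prefix):
    """Stand-in for the trained watermark model: fixed projection of the embedding, sign -> +/-DELTA."""
    emb = semantic_embed(prefix)
    return {t: (DELTA if sum(a * b for a, b in zip(emb, _hash_vec("proj:" + t))) > 0 else -DELTA)
            for t in VOCAB}

def ngram_wm_logits(prefix, k=2):
    """Baseline keyed on the last k tokens only (the scheme whose trade-off the abstract describes)."""
    rnd = random.Random(hashlib.sha256(" ".join(prefix[-k:]).encode()).digest())
    return {t: (DELTA if rnd.random() < 0.5 else -DELTA) for t in VOCAB}

def generate(prompt, n, wm_logits, seed=0):
    """Toy LM with flat base logits: sample each next token from the green list of wm_logits(prefix)."""
    rnd, text = random.Random(seed), list(prompt)
    for _ in range(n):
        wm = wm_logits(text)
        green = [t for t in VOCAB if wm[t] > 0] or VOCAB  # fall back if no token is green
        text.append(rnd.choice(green))
    return text

def green_count(text, prompt_len, wm_logits):
    """Detector: recompute the watermark logits from each prefix and count green tokens."""
    return sum(wm_logits(text[:i])[text[i]] > 0 for i in range(prompt_len, len(text)))

def synonym_attack(text, pos):
    """Replace the token at pos by a different word with the same canonical meaning, if one exists."""
    alts = [t for t in VOCAB if SYNONYMS[t] == SYNONYMS[text[pos]] and t != text[pos]]
    return text[:pos] + [alts[0] if alts else text[pos]] + text[pos + 1:]
```

Because every later prefix embeds to the same vector after a synonym swap, a substitution can change the green/red status of at most the substituted position under the semantic scheme, whereas the n-gram baseline also re-keys the next k positions.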