Watermarking of language model outputs enables statistical detection of model-generated text, which has many applications in the responsible deployment of language models. Existing watermarking strategies operate by altering the decoder of an existing language model, and the ability for a language model to directly learn to generate the watermark would have significant implications for the real-world deployment of watermarks. First, learned watermarks could be used to build open models that naturally generate watermarked text, allowing for open models to benefit from watermarking. Second, if watermarking is used to determine the provenance of generated text, an adversary can hurt the reputation of a victim model by spoofing its watermark and generating damaging watermarked text. To investigate the learnability of watermarks, we propose watermark distillation, which trains a student model to behave like a teacher model that uses decoding-based watermarking. We test our approach on three distinct decoding-based watermarking strategies and various hyperparameter settings, finding that models can learn to generate watermarked text with high detectability. We also find limitations to learnability, including the loss of watermarking capabilities under fine-tuning on normal text and high sample complexity when learning low-distortion watermarks.

翻译：语言模型输出的水印技术能够对模型生成的文本进行统计检测，在语言模型的负责任部署中具有广泛应用。现有水印策略通过修改已有语言模型的解码器实现，而语言模型直接学习生成水印的能力将对水印的实际部署产生重大影响。首先，学习型水印可用于构建能自然生成水印文本的开放模型，从而使开源模型获益于水印技术。其次，若水印被用于确定生成文本的来源，攻击者可通过伪造受害者模型的水印并生成具有破坏性的水印文本，损害该模型的声誉。为探究水印的可学习性，我们提出水印蒸馏方法，该方法训练学生模型模仿采用基于解码水印的教师模型行为。我们在三种不同的基于解码的水印策略及多种超参数设置下测试该方法，发现模型能够学习生成具有高可检测性的水印文本。同时我们也发现可学习性的局限性，包括对正常文本进行微调时水印能力的丧失，以及学习低失真水印所需的高样本复杂度。