Watermarking of language model outputs enables statistical detection of model-generated text, which can mitigate harms and misuses of language models. Existing watermarking strategies operate by altering the decoder of an existing language model. In this paper, we ask whether language models can directly learn to generate watermarked text, which would have significant implications for the real-world deployment of watermarks. First, learned watermarks could be used to build open models that naturally generate watermarked text, enabling watermarking for open models, where users can control the decoding procedure. Second, if watermarking is used to determine the provenance of generated text, an adversary can hurt the reputation of a victim model by spoofing its watermark and generating damaging watermarked text. To investigate the learnability of watermarks, we propose watermark distillation, which trains a student model to behave like a teacher model that uses decoding-based watermarking. We test our approach on three decoding-based watermarking strategies and various hyperparameter settings, finding that models can learn to generate watermarked text with high detectability. We also find limitations to learnability, including the loss of watermarking capabilities under fine-tuning on normal text and high sample complexity when learning low-distortion watermarks.
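A toy illustration of watermark distillation and its statistical detection, added here and not taken from the paper. It assumes a green-list logit-bias scheme as the decoding-based watermark (the abstract does not name the three strategies tested), a uniform base model, and a bigram count model as the student; every name and constant below is constructed for the example.

```python
import math
import random

VOCAB = 50     # toy vocabulary of integer token ids (constructed)
GAMMA = 0.5    # fraction of the vocabulary marked "green" per context
DELTA = 2.0    # logit bonus the teacher's decoder gives green tokens
KEY = 1234     # watermark key, used by the teacher decoder and the detector


def green_set(prev):
    """Pseudo-random green list derived from the key and the previous token."""
    rng = random.Random(KEY * 1_000_003 + prev)
    return set(rng.sample(range(VOCAB), int(GAMMA * VOCAB)))


def teacher_weights(prev):
    """Uniform base model; the watermark exists only in this decoding step."""
    green = green_set(prev)
    return [math.exp(DELTA) if t in green else 1.0 for t in range(VOCAB)]


def sample(weights_for, n, rng):
    """Ancestral sampling of n tokens from any next-token weight function."""
    toks = [rng.randrange(VOCAB)]
    for _ in range(n):
        toks.append(rng.choices(range(VOCAB), weights=weights_for(toks[-1]))[0])
    return toks


def distill(corpus):
    """Student: bigram counts fitted to teacher samples; it never reads KEY."""
    counts = [[1e-3] * VOCAB for _ in range(VOCAB)]  # floor for unseen pairs
    for prev, nxt in zip(corpus, corpus[1:]):
        counts[prev][nxt] += 1
    return counts


def z_score(toks):
    """Detector: one-proportion z-test on the count of green tokens."""
    t = len(toks) - 1
    hits = sum(nxt in green_set(prev) for prev, nxt in zip(toks, toks[1:]))
    return (hits - GAMMA * t) / math.sqrt(GAMMA * (1 - GAMMA) * t)


def run(seed=0):
    rng = random.Random(seed)
    student = distill(sample(teacher_weights, 20_000, rng))
    plain = sample(lambda prev: [1.0] * VOCAB, 200, rng)
    return z_score(sample(student.__getitem__, 200, rng)), z_score(plain)
```

`run()` returns the detector's z-score for text sampled from the student with an ordinary decoder, followed by the z-score for unwatermarked base-model text of the same length.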