Watermarking generative models consists of planting a statistical signal (watermark) in a model's output so that it can be later verified that the output was generated by the given model. A strong watermarking scheme satisfies the property that a computationally bounded attacker cannot erase the watermark without causing significant quality degradation. In this paper, we study the (im)possibility of strong watermarking schemes. We prove that, under well-specified and natural assumptions, strong watermarking is impossible to achieve. This holds even in the private detection algorithm setting, where the watermark insertion and detection algorithms share a secret key, unknown to the attacker. To prove this result, we introduce a generic efficient watermark attack; the attacker is not required to know the private key of the scheme or even which scheme is used. Our attack is based on two assumptions: (1) The attacker has access to a "quality oracle" that can evaluate whether a candidate output is a high-quality response to a prompt, and (2) The attacker has access to a "perturbation oracle" which can modify an output with a nontrivial probability of maintaining quality, and which induces an efficiently mixing random walk on high-quality outputs. We argue that both assumptions can be satisfied in practice by an attacker with weaker computational capabilities than the watermarked model itself, to which the attacker has only black-box access. Furthermore, our assumptions will likely only be easier to satisfy over time as models grow in capabilities and modalities. We demonstrate the feasibility of our attack by instantiating it to attack three existing watermarking schemes for large language models: Kirchenbauer et al. (2023), Kuditipudi et al. (2023), and Zhao et al. (2023). The same attack successfully removes the watermarks planted by all three schemes, with only minor quality degradation.
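The two-oracle argument above can be checked on a toy instance. The following simulation is an added example, not the paper's code: a 64-token vocabulary, a Kirchenbauer-style green-list watermark keyed by a secret, and an attacker who never sees the key but has a quality oracle and a perturbation oracle. The quality rule (adjacent tokens within 8 of each other) and the 64-token vocabulary are constructed stand-ins for a real fluency judgement; the z-score detector is the standard green-token count test. A scheme designer can reuse the same harness to measure how quickly a candidate scheme's detection statistic decays under a quality-filtered random walk.

```python
import hashlib
import random

# Constructed toy setting (added example, not the paper's code). Assumed values:
# a 64-token vocabulary, a secret key shared only by embedder and detector, and
# a quality rule requiring adjacent tokens to differ by at most MAX_STEP.
VOCAB = list(range(64))
SECRET_KEY = b"toy-secret-key"      # never available to the attacker
MAX_STEP = 8                        # stand-in for a real quality constraint

def green_list(prev_token, key=SECRET_KEY):
    """Half of the vocabulary, pseudorandomly chosen from (key, previous token)."""
    seed = int.from_bytes(hashlib.sha256(key + bytes([prev_token])).digest(), "big")
    return set(random.Random(seed).sample(VOCAB, len(VOCAB) // 2))

def quality_oracle(tokens):
    """Attacker-side quality check: every adjacent pair stays within MAX_STEP."""
    return all(abs(a - b) <= MAX_STEP for a, b in zip(tokens, tokens[1:]))

def generate_watermarked(length, seed=0):
    """Watermarked model: emit a green token whenever a quality-admissible one exists."""
    rng = random.Random(seed)
    out = [rng.choice(VOCAB)]
    while len(out) < length:
        admissible = [t for t in VOCAB if abs(t - out[-1]) <= MAX_STEP]
        green = [t for t in admissible if t in green_list(out[-1])]
        out.append(rng.choice(green or admissible))
    return out

def detector_z_score(tokens, key=SECRET_KEY):
    """Keyed detector: green-token count against the 1/2 null, as a z-score."""
    n = len(tokens) - 1
    hits = sum(t in green_list(p, key) for p, t in zip(tokens, tokens[1:]))
    return (hits - n / 2) / (n / 4) ** 0.5

def random_walk_attack(tokens, steps, seed=1):
    """Quality-filtered random walk: perturb one token, keep the move only if the
    quality oracle still accepts the output. Uses neither the key nor the scheme."""
    rng = random.Random(seed)
    cur = list(tokens)
    for _ in range(steps):
        cand = list(cur)
        cand[rng.randrange(len(cand))] = rng.choice(VOCAB)   # perturbation oracle
        if quality_oracle(cand):
            cur = cand
    return cur

if __name__ == "__main__":
    wm = generate_watermarked(150)
    attacked = random_walk_attack(wm, 20000)
    print(f"z before: {detector_z_score(wm):.1f}, after: {detector_z_score(attacked):.1f}")
    print("quality preserved:", quality_oracle(attacked))
```

The walk's stationary distribution is uniform over quality-admissible outputs, so the keyed statistic falls back to its null value while the quality oracle never rejects the final output; a detection threshold of z = 4 separates the two states cleanly on this toy.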