Watermark algorithms for large language models (LLMs) have achieved extremely high accuracy in detecting text generated by LLMs. Such algorithms typically involve adding extra watermark logits to the LLM's logits at each generation step. However, prior algorithms face a trade-off between attack robustness and security robustness. This is because the watermark logits for a token are determined by a certain number of preceding tokens; a small number leads to low security robustness, while a large number results in insufficient attack robustness. In this work, we propose a semantic invariant watermarking method for LLMs that provides both attack robustness and security robustness. The watermark logits in our work are determined by the semantics of all preceding tokens. Specifically, we utilize another embedding LLM to generate semantic embeddings for all preceding tokens, and then these semantic embeddings are transformed into the watermark logits through our trained watermark model. Subsequent analyses and experiments demonstrated the attack robustness of our method in semantically invariant settings: synonym substitution and text paraphrasing settings. Finally, we also show that our watermark possesses adequate security robustness. Our code and data are available at https://github.com/THU-BPM/Robust_Watermark.

翻译：大语言模型水印算法在检测模型生成文本方面已实现极高准确率。此类算法通常在模型每次生成步骤中，向原有logits叠加额外的水印logits。然而，现有算法面临攻击鲁棒性与安全鲁棒性之间的权衡问题。这是因为令牌的水印logits由固定数量的前序令牌决定：较少的参考令牌导致安全鲁棒性不足，较多的参考令牌则造成攻击鲁棒性欠佳。本文提出一种面向大语言模型的语义不变性水印方法，可同时保证攻击鲁棒性与安全鲁棒性。该方法中，水印logits由所有前序令牌的语义共同决定。具体而言，我们利用另一个嵌入型大语言模型生成所有前序令牌的语义嵌入，再通过训练的水印模型将这些语义嵌入转换为水印logits。后续分析与实验证明了本方法在语义不变场景（同义词替换与文本改写场景）中的攻击鲁棒性。此外，我们证实该水印具备充分的安全鲁棒性。相关代码与数据已开源至 https://github.com/THU-BPM/Robust_Watermark。