Watermarking generative models consists of planting a statistical signal (watermark) in a model's output so that it can be later verified that the output was generated by the given model. A strong watermarking scheme satisfies the property that a computationally bounded attacker cannot erase the watermark without causing significant quality degradation. In this paper, we study the (im)possibility of strong watermarking schemes. We prove that, under well-specified and natural assumptions, strong watermarking is impossible to achieve. This holds even in the private detection algorithm setting, where the watermark insertion and detection algorithms share a secret key, unknown to the attacker. To prove this result, we introduce a generic efficient watermark attack; the attacker is not required to know the private key of the scheme or even which scheme is used. Our attack is based on two assumptions: (1) The attacker has access to a "quality oracle" that can evaluate whether a candidate output is a high-quality response to a prompt, and (2) The attacker has access to a "perturbation oracle" which can modify an output with a nontrivial probability of maintaining quality, and which induces an efficiently mixing random walk on high-quality outputs. We argue that both assumptions can be satisfied in practice by an attacker with weaker computational capabilities than the watermarked model itself, to which the attacker has only black-box access. Furthermore, our assumptions will likely only be easier to satisfy over time as models grow in capabilities and modalities. We demonstrate the feasibility of our attack by instantiating it to attack three existing watermarking schemes for large language models: Kirchenbauer et al. (2023), Kuditipudi et al. (2023), and Zhao et al. (2023). The same attack successfully removes the watermarks planted by all three schemes, with only minor quality degradation.

翻译：生成式模型的水印技术是指在模型输出中嵌入统计信号（水印），以便后续验证该输出是否由特定模型生成。强水印方案需满足：计算能力受限的攻击者无法在不引发显著质量退化的情况下擦除水印。本文研究了强水印方案的（不）可能性，证明在明确且自然的假设条件下，强水印无法实现。该结论甚至适用于私有检测算法场景——即水印嵌入与检测算法共享攻击者未知的密钥。为证明该结果，我们提出了一种通用高效的水印攻击方法：攻击者无需知晓方案的私钥，甚至无需了解具体采用的方案。本攻击基于两个假设：（1）攻击者可访问能评估候选输出是否对提示产生高质量响应的"质量预言机"；（2）攻击者可访问能以非平凡概率保持输出质量、并在高质量输出上诱导高效混合随机游走的"扰动预言机"。我们论证了在现实中，即使攻击者的计算能力弱于仅提供黑盒访问的水印模型，这两个假设仍可被满足。此外，随着模型能力与模态持续增强，这些假设更易成立。我们通过实例化该攻击来攻击三种已有的大语言模型水印方案（Kirchenbauer等，2023；Kuditipudi等，2023；Zhao等，2023），验证了攻击的可行性。实验表明，同一攻击方法成功移除了上述三种方案嵌入的所有水印，且仅造成轻微质量退化。