Watermark algorithms for large language models (LLMs) have achieved extremely high accuracy in detecting text generated by LLMs. Such algorithms typically involve adding extra watermark logits to the LLM's logits at each generation step. However, prior algorithms face a trade-off between attack robustness and security robustness. This is because the watermark logits for a token are determined by a certain number of preceding tokens; a small number leads to low security robustness, while a large number results in insufficient attack robustness. In this work, we propose a semantic invariant watermarking method for LLMs that provides both attack robustness and security robustness. The watermark logits in our work are determined by the semantics of all preceding tokens. Specifically, we utilize another embedding LLM to generate semantic embeddings for all preceding tokens, and then these semantic embeddings are transformed into the watermark logits through our trained watermark model. Subsequent analyses and experiments demonstrated the attack robustness of our method in semantically invariant settings: synonym substitution and text paraphrasing settings. Finally, we also show that our watermark possesses adequate security robustness. Our code and data are available at https://github.com/THU-BPM/Robust_Watermark.

翻译：针对大型语言模型（LLM）的水印算法已在检测LLM生成文本方面取得了极高的准确率。此类算法通常在每个生成步骤中向LLM的logits添加额外水印logits。然而，现有算法面临攻击鲁棒性与安全鲁棒性之间的权衡——这是因为令牌的水印logits由一定数量的前序令牌决定：数量过少会导致安全鲁棒性较低，数量过多则造成攻击鲁棒性不足。本文提出一种兼具攻击鲁棒性与安全鲁棒性的LLM语义不变水印方法。该方法中，水印logits由所有前序令牌的语义共同决定。具体而言，我们利用另一个嵌入LLM为所有前序令牌生成语义嵌入，再通过训练的水印模型将这些语义嵌入转换为水印logits。后续分析与实验证明了该方法在语义不变场景（同义词替换与文本释义场景）中的攻击鲁棒性。最后，我们还展示了该水印具有充分的安全鲁棒性。代码与数据已开源在https://github.com/THU-BPM/Robust_Watermark。