PostMark: A Robust Blackbox Watermark for Large Language Models
This addresses the need for robust, third-party watermarking of LLM outputs to prevent misuse, though it is incremental as it builds on existing watermarking techniques.
The paper tackles the problem of detecting LLM-generated text by developing PostMark, a blackbox watermarking method that does not require access to the model's logits, enabling third-party implementation, and shows it is more robust to paraphrasing attacks than existing methods across multiple baselines, LLMs, and datasets.
The most effective techniques to detect LLM-generated text rely on inserting a detectable signature -- or watermark -- during the model's decoding process. Most existing watermarking methods require access to the underlying LLM's logits, which LLM API providers are loath to share due to fears of model distillation. As such, these watermarks must be implemented independently by each LLM provider. In this paper, we develop PostMark, a modular post-hoc watermarking procedure in which an input-dependent set of words (determined via a semantic embedding) is inserted into the text after the decoding process has completed. Critically, PostMark does not require logit access, which means it can be implemented by a third party. We also show that PostMark is more robust to paraphrasing attacks than existing watermarking methods: our experiments cover eight baseline algorithms, five base LLMs, and three datasets. Finally, we evaluate the impact of PostMark on text quality using both automated and human assessments, highlighting the trade-off between quality and robustness to paraphrasing. We release our code, outputs, and annotations at https://github.com/lilakk/PostMark.