Watermark under Fire: A Robustness Evaluation of LLM Watermarking
This work addresses the problem of evaluating and improving the robustness of LLM watermarking techniques for researchers and practitioners, though it is incremental as it systematizes and tests existing methods.
The paper tackles the lack of unified evaluation for LLM watermarking methods by developing WaterPark, a platform integrating 10 watermarkers and 12 attacks, and conducts a comprehensive assessment revealing the impact of design choices on robustness.
Various watermarking methods (``watermarkers'') have been proposed to identify LLM-generated texts; yet, due to the lack of unified evaluation platforms, many critical questions remain under-explored: i) What are the strengths/limitations of various watermarkers, especially their attack robustness? ii) How do various design choices impact their robustness? iii) How to optimally operate watermarkers in adversarial environments? To fill this gap, we systematize existing LLM watermarkers and watermark removal attacks, mapping out their design spaces. We then develop WaterPark, a unified platform that integrates 10 state-of-the-art watermarkers and 12 representative attacks. More importantly, by leveraging WaterPark, we conduct a comprehensive assessment of existing watermarkers, unveiling the impact of various design choices on their attack robustness. We further explore the best practices to operate watermarkers in adversarial environments. We believe our study sheds light on current LLM watermarking techniques while WaterPark serves as a valuable testbed to facilitate future research.