Current text watermarking methods for large language models exhibit insufficient robustness against semantic-preserving attacks such as paraphrasing. This work proposes the first watermarking mechanism grounded in semantic embedding space clustering and a unified optimal embedding-detection theoretical framework. By leveraging key-synchronized shared randomness, the method establishes distributional dependencies between tokens and auxiliary sequences, enabling robust watermark detection without introducing perceptible distortion to the generated text. The approach significantly enhances resilience against strong semantic paraphrasing attacks while achieving superior detection accuracy and fidelity compared to state-of-the-art token-level baselines across multiple mainstream large language models.

Watermarking for large language models (LLMs) is a promising approach for detecting LLM-generated text and enabling responsible deployment. However, existing watermarking methods are often vulnerable to semantic-invariant attacks, such as paraphrasing. We propose PASA, a principled, robust, and distortion-free watermarking algorithm that embeds and detects a watermark at the semantic level. PASA operates on semantic clusters in a latent embedding space and constructs a distributional dependency between token and auxiliary sequences via shared randomness synchronized by a secret key and semantic history. This design is grounded in our theoretical framework that characterizes a jointly optimal embedding-detection pair, achieving the fundamental trade-offs among detection accuracy, robustness, and distortion. Evaluations across multiple LLMs and semantic-invariant attacks demonstrate that PASA remains robust even under strong paraphrasing attacks while preserving high text quality, outperforming standard vocabulary-space baselines. Ablation studies further validate the effectiveness of our hyperparameter choices. Webpage: https://ai-kunkun.github.io/PASA_page/.