Current LLM watermarking schemes face a trust dilemma: public detection keys are vulnerable to removal attacks, while fully private keys preclude third-party verifiability. This paper proposes PVMark—the first framework leveraging zero-knowledge proofs (ZKPs) for publicly verifiable LLM watermarking. PVMark constructs a “correct execution” proof system that enables unconditional, trustless verification of detection outcomes by third parties without revealing the secret key. It formally models watermark detection logic—including token mapping, pseudorandom number generation, comparison, and summation constraints—ensuring compatibility with diverse watermarking algorithms, cryptographic hash functions, and ZKP backends (e.g., Groth16, PLONK). Implemented in Python, Rust, and Circom, PVMark maintains watermark detection accuracy and robustness while keeping proof generation and verification overheads practical for real-world deployment. Experimental evaluation confirms its feasibility and scalability.

Watermarking schemes for large language models (LLMs) have been proposed to identify the source of the generated text, mitigating the potential threats emerged from model theft. However, current watermarking solutions hardly resolve the trust issue: the non-public watermark detection cannot prove itself faithfully conducting the detection. We observe that it is attributed to the secret key mostly used in the watermark detection -- it cannot be public, or the adversary may launch removal attacks provided the key; nor can it be private, or the watermarking detection is opaque to the public. To resolve the dilemma, we propose PVMark, a plugin based on zero-knowledge proof (ZKP), enabling the watermark detection process to be publicly verifiable by third parties without disclosing any secret key. PVMark hinges upon the proof of `correct execution' of watermark detection on which a set of ZKP constraints are built, including mapping, random number generation, comparison, and summation. We implement multiple variants of PVMark in Python, Rust and Circom, covering combinations of three watermarking schemes, three hash functions, and four ZKP protocols, to show our approach effectively works under a variety of circumstances. By experimental results, PVMark efficiently enables public verifiability on the state-of-the-art LLM watermarking schemes yet without compromising the watermarking performance, promising to be deployed in practice.