🤖 AI Summary
This work addresses the urgent need for reliable watermarking techniques to attribute and audit content generated by large language models, which is prone to misuse and difficult to trace. The authors propose a structured analytical framework for practical deployment, systematically categorizing existing watermarking methods along dimensions such as embedding timing, detection authority, underlying assumptions, and adversarial threats. By examining approaches spanning generation-time and training-time watermarks—including those based on sampling bias, encoding, representation, and training—the study evaluates their performance in terms of log accessibility, key management, and robustness. Effectiveness is further tested under realistic attacks like paraphrasing, translation, and style transfer. The analysis synthesizes strengths and limitations of prevailing schemes, offers a practical selection guide, and highlights emerging challenges such as cross-model transferability and multimodal integration.
📝 Abstract
Large language models (LLMs) are increasingly embedded in high-impact workflows, yet their ability to generate fluent text at scale has amplified risks of provenance ambiguity, model misuse, and large-scale content laundering. LLM watermarking, embedding invisible signatures into model outputs, has emerged as a promising technical layer for attribution, auditing, and downstream trust decisions. However, the literature has grown rapidly and unevenly: existing categorizations often mix orthogonal design choices, making it difficult to compare methods, reason about guarantees, or translate research results into deployable systems. This survey provides a systematic, deployment-oriented review of LLM watermarking. We organize the space by the core questions practitioners must answer: where a watermark is embedded (generation-time vs. training-time, token vs. representation), who can detect it (public vs. private detection authority), what is assumed (access to logits, sampling control, secret keys, model ownership), and which threat models are targeted (paraphrasing, translation, summarization, style transfer, token manipulation, and adaptive removal). We synthesize the main families of techniques-including sampling biasing, code-based schemes, representation- and training-based approaches-and analyze their security-utility trade-offs through the lens of detectability, robustness, and distribution shift. We further review attack and evasion strategies, evaluation protocols and metrics (false positive control, calibration, robustness curves), and open challenges such as cross-model transfer, multi-modal pipelines, collusion, and governance constraints. Finally, we provide practical guidance for selecting watermark designs under real operational requirements and identify research directions needed for reliable, accountable LLM deployment.