Can We Watermark Low-Entropy LLM Outputs?
Abstract
A recent and exciting thread of work focuses on developing methods for watermarking the output of large language models (LLMs). We focus on provably undetectable watermarking – that is, schemes that do not alter the output distribution of the LLM, yet enable embedding a watermark in the output that identifies the output as having been generated by the particular LLM. Furthermore, the watermark should be hard to remove by an adversary that may potentially edit, insert, or delete tokens from the watermarked output.
Indeed, recent work (Christ et al. [COLT’24], Christ et al. [CRYPTO’24], Golowich et al. [NeuroIPS’24]) shows how to develop such schemes that are robust against a constant fraction of substitutions, or even against a constant fraction of arbitrary edits.
These works, however, make strong assumptions on the amount of entropy present in the output of the LLM. Most notably, they all require constant entropy rate – that is, a constant fraction of the tokens in a sufficiently long substring of the output need to have empirical entropy at least , where is the alphabet of tokens, and Golowich et al. additionally require to be larger than the security parameter.
In this work, we consider the question of whether we can also watermark the outputs of LLMs when the per-token entropy is just a constant, discarding the dependence on the alphabet size or security parameter. In this regime, we construct:
-
A watermarking scheme robust against random substitutions (assuming subexponential LPN, as in Christ et al. [CRYPTO’24])
-
A watermarking scheme robust against random substitutions and random deletions, given either the additional heuristic assumption that the output of the LLM only introduces random errors (analogous to the assumption made by Christ et al. [CRYPTO’24]) or a construction of a pseudorandom error-correcting code robust to adversarial substitutions and random deletions.
Keywords and phrases:
Cryptography, Generative Models, Watermarking, Pseudorandom CodesFunding:
Noam Mazor: Research was partly done while visiting the Simons Institute.Copyright and License:
2012 ACM Subject Classification:
Security and privacy CryptographyEditor:
Huijia (Rachel) LinSeries and Publisher:
Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik
1 Introduction
With the advent of large language models (LLMs) and other tools for AI-based content generation in everyday society, and with recent advances making AI-generated content increasingly natural and human-like, retaining the ability to differentiate content generated by an AI from content generated by a human has become a prevalent and concerning issue. A natural approach to solving this problem – and indeed, an approach which multiple developers of LLMs have pledged to implement [2], is that of watermarking, wherein an LLM or other AI content generation algorithm is subtly altered to embed a hidden code, or “watermark” into the content it generates, in such a way that the code can be extracted later to detect that it was in fact generated by the watermarked AI.
There are several intuitive desiderata in such a scheme. First, the watermark should be undetectable, meaning that the watermarked content generation algorithm should not produce content that is noticeably different from content that would be generated with the same inputs but without the addition of the watermarking; that is, the distribution of the AI’s outputs should not be biased by the addition of watermarking. This is usually accomplished by use of a secret key for watermark detection, such that the detection algorithm can use it to efficiently detect the watermark but an adversary not knowing the key cannot. Additionally, a watermark should be robust against adversaries who may wish to “hide” that watermarked content was AI-generated by editing the output in an attempt to remove the watermark; an ideal watermark should still be detectable even in an output edited via some combination of substitutions, insertions, or deletions from an adversary.
We focus on the setting of watermarking for LLMs, where the increasing prevalence and quality of practical LLMs has unsurprisingly prompted a wide variety of ideas for watermarking schemes and techniques. Works such as [5, 11, 12, 13] provide strong and empirically verifiable robustness guaranties, but do so by introducing a limited amount of bias into the distribution of the LLM’s output, which is compounded over repeated use.
Undetectable Watermarking for LLMs.
A stronger notion of undetectability was introduced by Christ, Gunn and Zamir [6]; this notion requires watermarked outputs of the LLM to be computationally indistinguishable from the original output of the LLM. Such watermarking schemes can be used repeatedly while still remaining undetectable (and without deteriorating the performance of the LLM). In this paper, we focus on such schemes.
[6] provide the first scheme that achieves this notion (assuming a minimal cryptographic hardness assumption of a one-way function); their scheme, however, requires large substrings (i.e., blocks) of text generated by the LLM to remain completely unchanged for the watermark to be recoverable. In other words, robustness only holds with respect to very limited transformations (e.g., not even changes to a small fraction of tokens).
Christ and Gunn [4] suggest a general approach for constructing watermarking schemes that satisfy both undetectability and robustness against larger classes of attack – and in particular those that can handle modification to a constant fraction of tokens – in two steps. First, one needs to construct a so-called pseudorandom code (PRC): a code which is both pseudorandom, in that a codeword is indistinguishable from true randomness to a computationally bounded adversary, and robust, in that, similar to an error-correcting code, a codeword can be recovered even after being manipulated in certain ways. Given this, a PRC codeword can be embedded in the output of the LLM to watermark it, and the watermark can then be detected by attempting to recover the codeword from the output. The pseudorandomness of the PRC provides the undetectability of the watermarking, while the watermarking scheme inherits the robustness from the code (modulo any errors which may be introduced by the embedding process).
Christ and Gunn then construct two PRCs with a binary alphabet: one which is robust against adversarial substitutions (assuming the subexponential hardness of LPN), and one which is robust against random deletions and substitutions. They also suggest an embedding scheme, specifically for LLMs with a binary alphabet of possible tokens, that operates by attempting to correlate the bit selected by the LLM with the respective bit of the PRC codeword whenever it is possible to do so without biasing the distribution of the LLM’s selection. This, depending on which of their PRC constructions are leveraged, results in a watermarking scheme which is either secure against random substitutions, or, under the assumption that the errors introduced by the embedding procedure are random, against random deletions and substitutions; additionally, it can be generalized to watermark LLMs with non-binary sets of tokens by simply using binary encoding of the tokens.
The recent work of Golowich and Moitra [10] constructs a PRC robust against edit distance (i.e., adversarial deletions, insertions, and substitutions). In fact, they construct such a code robust to a surprisingly large fraction () of adversarial edits, with the caveat that it requires the size of the codewords’ alphabet to be polynomially large in the security parameter.111Specifically, each token in the alphabet needs to correspond to a different index of a codeword in an underlying binary PRC. They also present an embedding scheme for such codes, which works by assuming the LLM has a polynomially large alphabet of tokens, hashing these tokens to random tokens in the PRC’s alphabet, and applying a similar approach to [4] to attempt to correlate the hashed tokens to the respective tokens in the codeword. Through this, they obtain a watermarking scheme with a stronger robustness guarantee, additionally circumventing the requirement of a heuristic assumption such as that of [4] because of the added robustness in the PRC, but at the cost of requiring a much larger alphabet of tokens (as, in particular, the PRC does not retain its robustness guarantees through reduction to binary).
Notably, however, the embedding schemes in both of these works are not guaranteed to perfectly embed the codeword; they require that the output of the LLM has high enough empirical entropy – that is, that a sufficient number of tokens are drawn from sufficiently diverse distributions – as otherwise it will be impossible to reliably correlate the LLM output (e.g., if it is a single fixed token) with a token in a pseudorandom codeword, creating substitution errors in the watermarking process and potentially interfering with robustness guarantees.
The scheme of [10] requires a constant fraction of the tokens in a sufficiently long substring of the LLM’s output to have empirical entropy , where is the set of possible tokens. (This assumption on the entropy of the tokens is somewhat inherent in their approach; indeed, when the entropy of each token is 1, one could not expect to have robustness against more than fraction of adversarial substitutions.222For example, imagine a scenario in which we ask the LLM to output a sequence of tokens of length , each is “Zero” with probability or “One” with probability . In this case, each token has entropy given any prefix. On the other hand, by changing fraction of the tokens, we can change the output sequence to be any of possible sequences of distance at most from the LLM output. This means that either the watermark can be removed by changing tokens, or the scheme recognizes a random sequence as watermarked with probability at least , contradicting soundness.) Notably, because is required to be a large polynomial in the security parameter , this implies that the required entropy is .
The entropy requirement of [4] is more moderate, but requires additional assumptions: when the LLM’s output is binary, it merely requires that a constant fraction of the tokens in a sufficiently long substring have empirical entropy. When translating a model with a large set of potential tokens to binary, the naïve way to do it is to encode each token using bits. Using this approach, the entropy requirement of [4] would once again be , but the model of random errors no longer makes sense if using this naive encoding (since random errors to tokens do not correspond to random errors in bit representation). As the authors suggest, one can overcome these issues by using a Huffman encoding of the token, according to some a priori distribution over , and simply using the first bit of the encoding to embed the binary PRC. This, however, introduces the additional strong assumption that the encoder knows the a priori distribution of the LLM’s output on and that the output of the LLM is distributed closely to it (so that the first bit of the Huffman encoding of the token has high empirical entropy).
Thus, unless we make strong distributional assumptions on the output of the LLM, neither of the above approaches can be used when the entropy of most tokens is a small constant, and in particular when the entropy is close to a single bit (or even smaller).333Note that the approach of [4] works when the entropy of each binary token is one. We here want to consider the realistic case where the token set is significantly larger, yet each token has low entropy within that larger alphabet. Thus, in this work, we address the following question:
Is there an undetectable and robust watermarking scheme for LLM outputs with a large alphabet of tokens that preserves robustness even when almost all tokens have low entropy (e.g., entropy 1)?
We remark that when only requiring an undetectable watermarking scheme for LLM with very limited robustness guarantees (i.e., the requirement that a sufficiently large enough block of the output is completely unchanged), then the original scheme of [6] indeed supports this low-entropy regime – in fact, they handle even sub-constant entropy. However, as far as we know, no known schemes provide any non-trivial notion of robustness with constant or better entropy.
Highlights of our results.
Our main results will be to provide initial constructions of such watermarking schemes. Based on essentially the same hardness assumptions as those in [4], we construct a watermarking scheme which provides robustness guarantees against a broad class of random substitution attacks (and, given additional assumptions, random deletions) for even outputs with very low entropy; specifically, our scheme’s only requirement for robustness is that a constant fraction of tokens in a sufficiently long substring of the output have a single bit of empirical entropy. An additional advantage of our approach is that, because our watermarking scheme models token generation at the token level rather than reducing it to a binary alphabet as [4] does, our robustness guarantees, similarly to those of [6] in the high-entropy regime, deal with a more practical and realistic class of attacks that modify the output at a token level (e.g., paraphrasing by replacing tokens with synonyms, or redacting tokens by replacing them with something deterministic); in contrast, the practical significance of attacks against a binary translation of the output tokens is far less clear.
1.1 Results
We present, for LLMs with a large token set, a PRC-based watermarking scheme that provides similar robustness guarantees to the scheme of [4] with a much weaker entropy requirement. In particular, in contrast to prior works which require output tokens (or substrings of tokens) to have an amount of average empirical entropy that is at least logarithmic in the size of the alphabet of tokens, we show that even outputs satisfying only a very weak notion of “minimal empirical entropy” – which requires only that a constant fraction of the tokens in a sufficiently long substring of the output have a single bit of empirical entropy, independently of the size of the token alphabet – can be robustly watermarked without additional distributional assumptions.
We first consider the setting of robustness against random substitutions. Notably, it is not immediately clear how a “random substitution” is even defined in the case of an output that uses a large token alphabet rather than restricting to a binary setting where a substitution always implies a bit flip; we model such a transformation by allowing a theoretical adversary to a priori map each token in the alphabet to a distribution of “replacement” tokens, and subsequently replacing randomly selected tokens with a sample from the respective replacement distribution.444This definition, as mentioned, captures several natural notions of substitution-based attacks such as paraphrasing or redaction. We show the following:
Theorem 1 (Informal).
If there exists a binary PRC which provides robustness against a fraction of adversarial substitutions for any constant , then there exists a large token alphabet watermarking scheme that is computationally undetectable and, for any LLM output satisfying the minimal empirical entropy requirement, robust to a fraction of random substitutions for any constant .
Combining this with the PRC construction of [4], we obtain:
Corollary 2 (Informal).
Assuming subexponential hardness of LPN, there exists a large token alphabet watermarking scheme that is computationally undetectable and, for any LLM output satisfying the minimal empirical entropy requirement, robust to a fraction of random substitutions for any constant .
Additionally, we can extend this result to provide robustness to random substitutions and deletions, but, as in [4], a PRC that is robust to only random substitutions and random deletions is insufficient on its own. [4] leverages such a PRC but also relies on an additional heuristic assumption – to which the authors refer as the output text being “sufficiently variable” – which requires that the distribution of the errors to the PRC codeword introduced by the watermarking algorithm is “consistent” in that the errors can be modeled as a binary symmetric channel. We generalize this assumption to the case of a large token alphabet (which, notably, requires a generalization of the definition of a random substitution compared to the binary-alphabet case) by introducing the notion of a “natural” prompt, or a prompt given to the LLM that, over the distribution of all possible outputs and subsequent random substitution attacks, causes the errors to the PRC codeword introduced by the composition of the watermarking algorithm and the random substitution channel to likewise be modelable by a binary symmetric channel. Given this, we show:
Theorem 3 (Informal).
If there exists a binary PRC which provides robustness against a fraction of adversarial substitutions and a fraction of random deletions for any constants , then there exists a large token alphabet watermarking scheme that is computationally undetectable and, for any natural prompt and LLM output satisfying the minimal empirical entropy requirement, robust to a fraction of random substitutions and a fraction of random deletions for any constants .
We can again combine this with the corresponding PRC construction of [4] to obtain:
Corollary 4 (Informal).
Assuming subexponential hardness of LPN, there exists a large token alphabet watermarking scheme that is computationally undetectable and, for any natural prompt and LLM output satisfying the minimal empirical entropy requirement, robust to a fraction of random substitutions and a fraction of random deletions for any constants .
This notion of a “natural” prompt importantly rules out certain contrived or pathological examples of prompts whose outputs are known to be inherently difficult to robustly watermark, but may be practically restrictive. A way to bypass the necessity for these heuristic assumptions would be to strengthen the robustness of the underlying PRC to handle adversarial substitutions (and random deletions) as opposed to only random substitutions:
Theorem 5 (Informal).
If there exists a binary PRC which provides robustness against a fraction of adversarial substitutions and a fraction of random deletions for any constants , then there exists a large token alphabet watermarking scheme that is computationally undetectable and, for any LLM output satisfying the minimal empirical entropy requirement, robust to a fraction of random substitutions and a fraction of random deletions for any constants .
While [10] demonstrates a PRC with the requisite robustness, their construction requires a large alphabet of tokens, making it unsuitable for our results because it would vastly increase the entropy requirement. Indeed, no known construction of binary-alphabet PRCs provides robustness against a large fraction of both adversarial substitutions and random deletions.
However, the recent PRC construction of [3] allows instead for robustness against a large fraction of adversarial substitutions and a constant fraction of adversarial edits – that is, insertions and deletions – but with the caveat that the constant itself is very small and depends on the output’s entropy555That is, it is constant only assuming that the output has a constant entropy average for a sufficiently long substring., and additionally that the construction itself is based on a non-standard “permuted codes” assumption. The authors demonstrate that they can use the framework of [4] to construct binary-alphabet watermarking robust to a constant fraction of adversarial edits based on similar entropy requirements to [4]; we in turn show as our final result that we can leverage our framework with their PRC construction to construct minimal-entropy watermarking for a large token alphabet that likewise guarantees robustness to a constant fraction of adversarial edits:
Theorem 6 (Informal).
If, for any , there exists a constant and a binary PRC which provides robustness against a fraction of adversarial substitutions and an fraction of adversarial edits, then, for any , there exists a constant and a large token alphabet watermarking scheme that is computationally undetectable and, for any LLM output having at least a fraction of tokens with one bit of entropy, robust to an fraction of adversarial edits.
This comes with the caveat that the size of the substring required for “minimal entropy” is larger; in particular, since a theoretical adversary able to make a constant fraction of arbitrary edits could decide to target a sufficient-entropy substring of any output, we require that at least a (larger) constant fraction of the entire output have sufficiently many tokens with a bit of empirical entropy. Combined with the construction of [3], which in particular is parameterized such that is in the above statement, this gives:
Corollary 7 (Informal).
Assuming the “permuted codes” assumption (Conjecture 3.1) of [3], then, for any , there exists a constant and a large token alphabet watermarking scheme that is computationally undetectable and, for any LLM output having at least a fraction of tokens with one bit of entropy, robust to an fraction of adversarial edits.
For clarity, we concisely summarize our results and provide comparison to related results in table form in Figure 1.
| Robustness Guarantees | |||||
| Result | Entropy | Subst. | Edits | Adv.? | Assumptions Required |
| [4] | subexponential LPN | ||||
| (del.) | subexponential LPN | ||||
| + heuristic | |||||
| [10] | ✓ | local weak PRFs | |||
| [3] | ✓ | permuted codes | |||
| Cor. 1 | subexponential LPN | ||||
| Cor. 2 | (del.) | subexponential LPN | |||
| + heuristic | |||||
| Cor. 3 | (del.) | PRC with adversarial subst. | |||
| +del. robustness | |||||
| Cor. 4 | overall | ✓ | permuted codes | ||
Our approach in a nutshell.
At a high level, through using a binary PRC but allowing the generative model output to have a large token alphabet, our approach provides a natural – and advantageous – “middle ground” between the watermarking scheme of [4], which deals with entirely binary tokens, and the watermarking scheme of [10], which deals entirely with a large token alphabet.
The watermarking algorithms constructed by [4] are designed for generative models which produce a binary output, and they attempt to embed the codeword of the (binary) PRC directly into the output of the model. The most direct way to transform this into watermarking for a model which outputs tokens from a larger alphabet is, as the authors propose, by simply converting the tokens into a binary representation. As we have mentioned, this comes at the cost of increasing the entropy requirement per output token proportionally to the token’s binary length. However, a more concerning issue with this approach is that this transformation does not preserve the token structure of the model’s output and thus dramatically changes the class of attacks against which the watermarking is robust; random substitutions or deletions of single bits in a binary encoding are incomparable with the more practical class of attacks (e.g., paraphrasing or redaction) which manipulate the output on the token level in an attempt to transform a model’s watermarked output into a similar but non-watermarked output.
Our approach preserves the token structure of the output by, rather than attempting to embed the PRC codeword directly into the output, hashing the output tokens into bits and attempting to embed the codeword into the hashes of the output tokens; as a result, the output’s structure is preserved, as each token corresponds to exactly one bit of the PRC codeword. [10] uses a similar approach, but rather than hashing the output tokens to binary and embedding a binary PRC codeword, they embed a codeword of a PRC with a polynomial-sized alphabet and hash the output tokens into that alphabet. This allows them to obtain significantly stronger robustness guarantees, but at the cost of dramatically increasing the per-token entropy requirement to be logarithmic in the security parameter, since successful embedding requires the hash of the output token distribution to be close to uniform over the PRC’s alphabet. In contrast, our approach has more limited robustness, but achieves it with a far more reasonable requirement of constant entropy because we restrict the PRC to a binary alphabet.
1.2 Comparison with Related Work
Our work builds upon the previous undetectable watermarking schemes of [4], [6], and [10] by providing a scheme with both a low entropy requirement for the tokens generated by the model and strong robustness guarantees against attacks that, notably, manipulate tokens in the natural output directly rather than relying on a reduction to a binary alphabet. To explain what we mean by this and why it is advantageous, recall that, in the results of [4], which focus on watermarking over a binary alphabet (i.e., every token is 0 or 1), one can simply model a fraction of random substitutions as a binary symmetric channel, i.e., flipping each bit independently with probability .
To extend their results to an output drawing from a large alphabet of tokens, the authors propose translating each token to a binary encoding, either by using a fixed-length encoding or a more efficient variable-length (e.g., Huffman) encoding, and generating a watermarked binary (translated) output by using a modified generative model that generates the binary translations of its output tokens. While they indeed prove robustness against random binary substitutions to bits in the translated output, this definition of robustness loses its meaning entirely when one considers the more natural definition of substitutions made to tokens in the untranslated output, as mentioned in [4]. For instance, even using a fixed-length encoding, random binary substitutions change the corresponding untranslated tokens in ways that are not necessarily random and depend on which bits are affected; worse still, using a variable-length encoding means that a single random substitution to the translated binary output can potentially alter every untranslated token in the entire output. In the other direction, since each token in the untranslated output corresponds to multiple bits in the binary translation, changing any token will correspond to modifying a correlated block of bits in a way that is not necessarily even independent between the bits in the block.
In contrast to [4], we show robustness against modifications specifically to tokens in the output, which we remark is a far more natural definition as it preserves the structural features of the output that would be discarded by manipulating a translation of the output to a binary encoding. While it is not initially clear how one would even define a “random substitution” for the case of a large set of tokens – in particular, while it is fairly straightforward to start with a similar definition to a binary symmetric channel by modifying each token with some independent probability , it is less clear how each token would be modified given a large alphabet of tokens – we show that we can achieve robustness against even a class of random substitutions where an adversary may, a priori (i.e., before seeing the output), choose, for each token in the alphabet, an arbitrary distribution of tokens to replace an occurrence of that token if it is selected randomly to be substituted. This captures some basic semantic attacks such as limited forms of substitution or paraphrasing where an adversary may opt to replace some randomly chosen words with synonyms in an attempt to remove a watermark, giving robustness to a variety of practical attacks.
The approaches of [6] and [10] also consider outputs over a large token alphabet as we do. [6] considers a weaker form of robustness, substring completeness, which requires that the watermark be detectable if the detection algorithm is given any unmodified substring of sufficient empirical entropy from the output; while they also consider reducing to a binary alphabet via fixed-length encoding in their construction of substring-complete watermarking, we note that this notion, unlike the stronger notion of robustness, is preserved in the translation to a larger token alphabet (as, clearly, an unmodified substring in the binary representation is likewise unmodified when translated to tokens). That said, a substring-complete watermarking scheme requires that a contiguous substring of the output be unmodified to be detectable, and, as the entropy requirement for such a substring is dependent on the security parameter, such a scheme cannot even provide robustness against any constant fraction of random edits.
Meanwhile, [10] provides a very strong notion of edit distance robustness against any constant fraction of even adversarial substitutions, deletions, or insertions; they do so by transforming a binary PRC robust to adversarial substitutions into a large-alphabet PRC with this improved notion of edit distance robustness, and applying a similar approach to that of [4] and our work to the transformed PRC. Specifically, their construction of an edit-distance-robust PRC works by indexing the original PRC – roughly speaking, using an alphabet whose size is equal to the block length of the original PRC, and letting each token in the expanded alphabet represent the presence of a 1 in its corresponding position in the respective block of the underlying PRC, so that insertions or deletions in the transformed PRC effectively become substitutions in the original. Of course, the drawback of this approach, as we have mentioned, is that the extremely large required alphabet size of the PRC leads to a correspondingly large entropy requirement (i.e., logarithmic in the security parameter) for the generative model’s output, something which we explicitly seek to avoid in our results because natural language generally possesses large amounts of low-entropy tokens.
PRC constructions.
As mentioned above, [4] construct PRCs robust against adversarial substitutions or random substitutions and deletions, assuming the hardness of LPN. Under the same assumption, [1] showed the existence of PRC with stronger security guarantees, i.e., CCA security and adaptive robustness. [9] construct PRCs against adversarial substitutions from weaker assumptions, as well as unconditionally-secure PRC with pseudorandomness against space-bounded adversaries. Most recently, [3] construct PRCs featuring subexponential security, a stronger notion of “strongly adaptive robustness” which guarantees adaptive robustness even against an adversary with full knowledge of the watermarking key, and robustness to a constant fraction of (even arbitrary or adversarial) edits without the prohibitive entropy requirement of [10], albeit based on a non-standard “permuted codes” assumption. In the realm of negative results, [8, 7] recently showed that PRCs cannot be constructed from a wide-range of cryptographic primitives in a black-box manner.
2 Definitions
Given a discrete distribution , we define the (binary) entropy of to be the quantity . Furthermore, given a selection from a distribution, we define the empirical entropy of in as the quantity .
2.1 Error Channels
Towards defining robustness for watermarking generative models whose outputs are large alphabets, we first must define generalized notions of error channels over families of large token alphabets. Formally:
Definition 8.
Given some vocabulary of tokens , a channel is a (potentially randomized) algorithm that perturbs an output using tokens from .
Additionally, given a family of vocabularies parameterized by a security parameter , we may consider a family of channels where, for each , is a channel over vocabulary .
We next define standard notions of random substitution and deletion channels:
Definition 9.
Given a family of vocabularies parameterized by a security parameter , we define the random deletion channel family where , given constant and security parameter , takes as input a series of tokens and, for each in order, appends it to with probability , then outputs .
Definition 10.
Given a family of vocabularies parameterized by a security parameter and a family of functions , we define the random substitution channel family where , given constant and security parameter , takes as input a series of tokens and outputs where with probability and otherwise.
For the case of a binary alphabet , we also define the analogous binary symmetric channel , which takes as input a series of tokens and outputs where with probability and otherwise.
Notably, the definition of a random substitution channel for a non-binary vocabulary of tokens allows for instances of any token to be substituted with a (potentially arbitrarily determined) distribution over other tokens, capturing a variety of attacks such as simple paraphrasing attacks or randomized censorship that are practical when considering a large token alphabet but cannot be captured by random substitutions in a binary setting such as that of [4].
Lastly, we define notions of arbitrary (potentially adversarial) channels in the binary and large-alphabet settings:
Definition 11.
We refer to a channel as a -bounded substitution channel over a vocabulary if, given some input , always outputs where and, letting , for at most indices .
If , we refer to such a channel as a -bounded binary substitution channel.
Definition 12.
Given strings and , let be the edit distance between and , or the minimum number of insertions and deletions required to transform into (or, symmetrically, vice versa). We refer to a channel as a -bounded binary edit channel over a vocabulary if, given some input , always outputs where .
If , we refer to such a channel as a -bounded binary edit channel.
That is, a substitution channel is -bounded if it makes at most a fraction of substitution edits to its input, and, respectively, a -bounded edit channel makes at most a fraction of insertion or deletion edits, though these edits may be determined adversarially or arbitrarily.
2.2 Generative Models and Watermarking
We define generative models over large alphabets following the framework of [10], as computationally bounded algorithms which, given some input (prompt) and a sequence of tokens in a vocabulary generated thus far, returns a probability distribution over representing the next token to be generated.
Definition 13 ([10]).
A generative model is an efficient algorithm over some vocabulary that, given a prompt and sequence of tokens , outputs a probability distribution .
A generative model family is a family of generative models parameterized by a security parameter , such that operates on vocabulary where is bounded above by some polynomial , and so that there exists symbol belonging to for every and polynomial (the maximum output length) such that if then must have .
To watermark the output of a generative model, then, is to generate an output in such a way that it can be determined, using a secret key, that the output came from the watermarked model. Ideally, such a watermark preserves the distribution of the output from the model, is undetectable to parties not possessing the secret key, and is also robust to manipulation by an adversary attempting to remove the watermark. Formally:
Definition 14 ([10]).
Assume a family of generative models with vocabulary and maximum output length , and consider a tuple of efficient algorithms , where:
-
takes as input a security parameter and outputs a secret key ,
-
takes as input the security parameter , secret key , and prompt , and outputs a sequence of tokens .666As in [10], if the model’s output is shorter than the maximum length , we assume that the remainder of is padded by repeating a special “ending” token .
-
takes as input the security parameter , a secret key , and a sequence of tokens , and outputs boolean corresponding to whether a watermark was detected in .
We refer to as a secure watermarking scheme for if the following properties hold:
-
Soundness: For any , there is negligible such that:
-
Undetectability: For any probabilistic polynomial-time oracle-aided adversary , there is negligible such that:
where is simply an oracle that outputs the result of given a prompt , and is an oracle that on input , generates a complete output from by outputting the result of the following procedure:
-
1.
Initialize .
-
2.
For , generate by drawing from the respective distribution output from , and append to . If then pad the remainder of with and terminate, returning .
-
1.
Furthermore, for some channel family where , we refer to as robust with respect to if there is negligible such that for any prompt :
We may additionally restrict this definition to a set of prompts (where robustness holds if the above is true for prompts ).
In order for an output to be undetectably and robustly watermarkable, it also must have some amount of entropy. We consider a notion of “entropy-restricted substring robustness” where we only require robustness to hold for outputs which have a sufficiently long substring containing a certain fraction of tokens with sufficiently high empirical entropy:
Definition 15.
Assume a family of generative models with vocabulary and maximum output length , and let be a secure watermarking scheme for . Then, for a channel family where , we refer to as satisfying -entropy-restricted substring robustness with respect to if there is negligible such that for any prompt (which may be specified to be restricted to a set ):
| and |
where denotes the substring consisting of the first tokens in .
That is, this definition requires that robustness holds only if there exists a substring of the output with length at least where at least a fraction of the output tokens were generated with at least bits of empirical entropy with respect to the generative model’s output distribution.
2.3 Pseudorandom Error-Correcting Codes
Closely related to watermarking generative algorithms is the concept of pseudorandom error-correcting codes, introduced in [4]. These are a strengthening of the classical notion of error-correcting codes with the added requirement that the code for a given message should be pseudorandom, or indistinguishable from uniform randomness by a computationally bounded adversary.
Definition 16 ([4]).
Consider a tuple of efficient algorithms , where:
-
takes as input a security parameter and outputs a secret key ,
-
takes as input a secret key and message for some vocabulary and input length , and outputs a code for some code length .
-
takes as input a secret key and code , and outputs either a message or to indicate that there is no valid decoding.
Given a channel that introduces some error into the code, we call a pseudorandom error-correcting code (PRC) with robustness to if the following properties are satisfied for any and the respective , , :
-
Robustness (with respect to ): For any , there is negligible such that:
-
Soundness: For any , there is negligible such that:
-
Pseudorandomness: For any probabilistic polynomial-time oracle-aided adversary , there is negligible such that, letting be an oracle that returns given message and be an oracle that implements a uniformly randomly selected function :
In this work we consider only zero-bit binary PRCs, where and – that is, there is only a single possible input (which by convention we label as ), and the code is a binary string of length .
3 Protocol and Results
Input: Security parameter , generative model over token vocabulary with maximum output length (belonging to family ), prompt , error-correcting pseudorandom code with code length such that .
Output: Secret key for and a tuple of functions , where is the set of functions .
Protocol:
-
1.
Generate .
-
2.
Generate by, for , randomly sampling .
-
3.
Return and .
Input: Security parameter , generative model over token vocabulary with maximum output length (belonging to family ), prompt , error-correcting pseudorandom code with code length , secret key for , and tuple of functions , where is the set of all functions .
Output: Watermarked output .
Protocol:
-
1.
Initialize , , and .
-
2.
Draw . Let , the element of .
-
3.
Let .
-
4.
Randomly and independently sample two tokens . Generate the next token by selecting one of these two as follows:
-
(a)
If , let for a uniformly random .
-
(b)
Otherwise, if , let be whichever of the two samples has (where is the bit of ). That is, if , let , and otherwise let .
-
(a)
-
5.
Append to , then:
-
(a)
If , terminate (padding the remainder of to length with tokens if necessary) and output .
-
(b)
Otherwise, if , start a new block by returning to step (2), incrementing , and resetting to 1.
-
(c)
Otherwise, generate the next token of the current block by incrementing and returning to step (3).
-
(a)
Input: Security parameter , message (for ), error-correcting pseudorandom code with code length , secret key for , and tuple of functions , where is the set of functions .
Output: Boolean indicating whether a watermark was detected.
Protocol:
-
1.
Let . For , , :
-
(a)
If , return .
-
(a)
-
2.
If none of the above calls to succeed, return .
Here, we formally restate the theorems presented in the introduction and present the protocol with which we prove them. To begin, we demonstrate a watermarking protocol which provides soundness, undetectability, and (given any output with “minimal empirical entropy”, or at least a constant fraction of tokens in a sufficiently long substring having a single bit of empirical entropy) robustness against any random substitution channel for constant , given the existence of a binary PRC with robustness to any (arbitrary) -bounded substitution channel for . Formally:
Theorem 17.
If, for any constant , there exists a pseudorandom code (having block length ) with robustness against any -bounded binary substitution channel, then, for any generative model family with token alphabet family , family of functions , and constants and , there exists a secure watermarking scheme for that satisfies -entropy-restricted substring robustness with respect to the random substitution channel .
Combining this with the respective PRC construction from [4] gives:
Corollary 18.
If Assumption 1 of [4] is true777This assumption, at a high level, requires either subexponential hardness of LPN or polynomial hardness of both LPN and a low-density planted XOR problem., then, letting be the block length of the respective PRC (in Theorem 1 and Theorem 2 of [4]) required to achieve robustness against any -bounded binary substitution channel, for any generative model family with token alphabet family , family of functions , and constants and , there exists a secure watermarking scheme for that satisfies -entropy-restricted substring robustness with respect to the random substitution channel .
We provide the proofs in Appendix A. Next, we would like to extend the above result to demonstrate that is additionally robust to a large fraction of random deletions if the same also holds for . However, in order to leverage the corresponding PRC construction of [4], we require a heuristic assumption, as discussed in the introduction, that a given prompt is “natural”. Formally:
Definition 19.
We say that a prompt produces consistently distributed errors for a watermarking scheme with respect to a substitution channel family if there exists some constant such that, taken over the randomness of and the channel , each token of the output, after being generated by (given prompt ) according to some function and bit of codeword from and then modified according to , has an identical probability , independent from that of other tokens, of having .
Given this, we can present our following result that leverages this definition:
Theorem 20.
If, for any constants and , there exists a pseudorandom code (having block length ) with robustness against the composition of channels , then, for any generative model family with token alphabet family , family of functions , and constants , , and , there exists a secure watermarking scheme for that, for any family of prompts where any produces consistently generated errors for with respect to the substitution channel , satisfies -entropy-restricted substring robustness over with respect to the composition of channels .
Again, combining this with the respective PRC construction from [4] gives:
Corollary 21.
If Assumption 1 of [4] is true, then, letting be the block length of the PRC given by Theorem 4 of [4] required to achieve robustness against the composition of channels , for any generative model family with token alphabet family , family of functions , and constants , , and , there exists a secure watermarking scheme for that, for any family of prompts where any produces consistently generated errors for with respect to the substitution channel , satisfies -entropy-restricted substring robustness over with respect to the composition of channels .
Alternatively, though none is currently known, if there were a construction of that guaranteed robustness against adversarial substitutions and random deletions, one could bypass the need for heuristic assumptions such as that given by Definition 19 and instead leverage Claim 26 directly:
Theorem 22.
If, for any constants and , there exists a pseudorandom code (having block length ) with robustness against the composition of channels for any -bounded binary substitution channel , then, for any generative model family with token alphabet family , family of functions , and constants , , and , there exists a secure watermarking scheme for that satisfies -entropy-restricted substring robustness over with respect to the composition of channels .
Lastly, we show that we can leverage a PRC such as the new construction of [3] based on a “permuted codes conjecture” applied to folded Reed-Solomon codes, which features robustness to both a large (close to ) fraction of (potentially arbitrary) substitutions and a very small but constant fraction of (potentially arbitrary) edits, to construct low-entropy watermarking robust to a constant fraction of arbitrary edits. However, this comes at a cost to the length of the minimal-entropy substring required to prove robustness; in particular, for the case where we allow adversarial or arbitrary edits, we require a constant fraction of the entire output to have sufficient entropy, as otherwise it is fairly straightforward to see that a constant fraction of arbitrary edits could specifically target the minimal-entropy substring for corruption and thus break robustness. Thus, we conclude:
Theorem 23.
If, for any constant , there exists a pseudorandom code and a constant such that has robustness against the composition of channels for any -bounded binary substitution channel and any -bounded binary edit channel , then, for any generative model family (having maximum output length ) and constants , there exists a secure watermarking scheme for and constant such that satisfies -entropy-restricted substring robustness with respect to any -bounded edit channel over the vocabulary of .
Combining this with the respective PRC construction from [3] gives:
Corollary 24.
If Conjecture 3.1 of [3] is true, then, for any generative model family (having maximum output length ) and constants , there exists a secure watermarking scheme for and a constant such that satisfies -entropy-restricted substring robustness with respect to any -bounded edit channel over the vocabulary of .
References
- [1] Omar Alrabiah, Prabhanjan Ananth, Miranda Christ, Yevgeniy Dodis, and Sam Gunn. Ideal pseudorandom codes. In Michal Koucký and Nikhil Bansal, editors, Proceedings of the 57th Annual ACM Symposium on Theory of Computing, STOC 2025, Prague, Czechia, June 23-27, 2025, pages 1638–1647. ACM, 2025. doi:10.1145/3717823.3718309.
- [2] Diane Bartz and Krystal Hu. OpenAI, Google, others pledge to watermark AI content for safety, White House says, 2023. URL: https://www.reuters.com/technology/openai-google-others-pledge-watermark-ai-content-safety-white-house-2023-07-21.
- [3] Miranda Christ, Noah Golowich, Sam Gunn, Ankur Moitra, and Daniel Wichs. Improved Pseudorandom Codes from Permuted Puzzles, 2025. doi:10.48550/arXiv.2512.08918.
- [4] Miranda Christ and Sam Gunn. Pseudorandom error-correcting codes. In Leonid Reyzin and Douglas Stebila, editors, Advances in Cryptology - CRYPTO 2024 - 44th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2024, Proceedings, Part VI, volume 14925 of Lecture Notes in Computer Science, pages 325–347. Springer, August 2024. doi:10.1007/978-3-031-68391-6_10.
- [5] Miranda Christ, Sam Gunn, Tal Malkin, and Mariana Raykova. Provably robust watermarks for open-source language models. CoRR, abs/2410.18861, 2024. doi:10.48550/arXiv.2410.18861.
- [6] Miranda Christ, Sam Gunn, and Or Zamir. Undetectable watermarks for language models. In Shipra Agrawal and Aaron Roth, editors, The Thirty Seventh Annual Conference on Learning Theory, June 30 - July 3, 2023, Edmonton, Canada, volume 247 of Proceedings of Machine Learning Research, pages 1125–1139. PMLR, 2024. URL: https://proceedings.mlr.press/v247/christ24a.html.
- [7] Nico Döttling, Anne Müller, and Mahesh Sreekumar Rajasree. Separating pseudorandom codes from local oracles. IACR Cryptol. ePrint Arch., page 1020, 2025. URL: https://eprint.iacr.org/2025/1020.
- [8] Sanjam Garg, Sam Gunn, and Mingyuan Wang. Black-box crypto is useless for pseudorandom codes. IACR Cryptol. ePrint Arch., page 1021, 2025. URL: https://eprint.iacr.org/2025/1021.
- [9] Surendra Ghentiyala and Venkatesan Guruswami. New constructions of pseudorandom codes. CoRR, abs/2409.07580, 2024. doi:10.48550/arXiv.2409.07580.
- [10] Noah Golowich and Ankur Moitra. Edit distance robust watermarks for language models. CoRR, abs/2406.02633, 2024. doi:10.48550/arXiv.2406.02633.
- [11] John Kirchenbauer, Jonas Geiping, Yuxin Wen, Jonathan Katz, Ian Miers, and Tom Goldstein. A watermark for large language models. In Andreas Krause, Emma Brunskill, Kyunghyun Cho, Barbara Engelhardt, Sivan Sabato, and Jonathan Scarlett, editors, International Conference on Machine Learning, ICML 2023, 23-29 July 2023, Honolulu, Hawaii, USA, volume 202 of Proceedings of Machine Learning Research, pages 17061–17084. PMLR, 2023. URL: https://proceedings.mlr.press/v202/kirchenbauer23a.html.
- [12] Rohith Kuditipudi, John Thickstun, Tatsunori Hashimoto, and Percy Liang. Robust distortion-free watermarks for language models. CoRR, abs/2307.15593, 2023. doi:10.48550/arXiv.2307.15593.
- [13] Xuandong Zhao, Prabhanjan Ananth, Lei Li, and Yu-Xiang Wang. Provable robust watermarking for ai-generated text. CoRR, abs/2306.17439, 2023. doi:10.48550/arXiv.2306.17439.
Appendix A Proof
In this appendix, we provide the complete proof of Theorem 17 (and Corollary 18); the remainder of the proofs (which proceed similarly) are deferred to the full version.
We begin by proving that is a secure watermarking scheme (i.e., undetectable and sound), as these properties hold regardless of the robustness of (though they do require pseudorandomness and soundness); afterwards, we prove robustness based on the respective robustness of .
A.1 Undetectability and Soundness
Claim 25.
satisfies soundness and undetectability for any family of generative models .
Proof.
Both properties are fairly straightforward to demonstrate.
Soundness follows from the soundness of ; notice that , on any given input, calls at most a number of times polynomial in the security parameter , since , , and the size of are polynomial in . Since is generated by , the probability of each such call returning a result besides is negligible in , and thus the probability over and of returning must likewise be negligible by a union bound.
Undetectability follows from the pseudorandomness of . First consider an “ideal” world where the code from is replaced with true randomness, and thus each is or with exactly probability . In this world we can show easily that perfectly preserves the distribution of each token generated by . To see this, consider any token . If is drawn as and (which happens with probability ), and is the probability that conditioned on and , the probability that is selected as the next token is:
since, in , is selected when (which, as we assume to be uniformly random, happens with probability exactly 1/2) if and with probability 1/2 otherwise. The same is true symmetrically when is drawn as and , and when is drawn as both and (which happens with probability ) then it is selected with probability 1. Thus, as all of these events are mutually exclusive, the probability that is selected as the next token is exactly:
So if is truly random, it is straightforward to see that, in each iteration of , the next token is drawn with exactly the same probability as it would be by , and thus the output of is identically distributed to the output of on any specific prompt . We shall denote the above “ideal” experiment by .
However, as is instead the pseudorandom output of , assume towards contradiction that there is some adversary and polynomial where
We leverage to construct an adversary which contradicts the pseudorandomness of . runs , but every time invokes its oracle runs and returns the result of running on the given prompt with the single exception that every code generated from is replaced by the output of a call to its own oracle.
If the oracle given to calls , then the experiment runs is identical to ; if it instead generates uniform randomness, then the experiment is instead identical to , whose output is as we have already argued identically distributed to generating tokens with . Thus,
is by construction equal to
But since we assumed this latter quantity was at least polynomial , the former must be as well, contradicting the pseudorandomness of and by contradiction completing the argument that satisfies undetectability.
A.2 Robustness
The robustness guarantee of our watermarking scheme depends primarily on the robustness of , since, while the scheme itself generates errors attempting to embed the PRC codeword into (the hash of) the output, we show that these errors are comprised of a limited number of specifically substitution errors, which can be bounded as long as sufficiently many of the output tokens are generated with enough empirical entropy. Notably, however, these errors are not necessarily random, as, depending on the behavior of the model, tokens could be generated in such a way that the errors are correlated with significant probability over the choice of .
Random Substitutions
If we restrict to the case of only random substitutions, we note that an alternative version of that generates a new function for every token, as opposed to reusing the same for an entire codeword of , would be sufficient to prove robustness, since without insertions or deletions the number and order of the tokens cannot change (and thus one could always track which function was used to generate each token, even after random substitutions were made). However, this alternative approach fails with even a single insertion or deletion, and additionally only gains a small constant factor in the analysis for random substitutions, so we opt to instead present and analyze the existing version of to better set up the subsequent results for robustness against substitutions and deletions.
For the case of random substitutions only, we demonstrate the following claim:
Claim 26.
For constants such that , if having block length is robust against any -bounded binary substitution channel, then, for any family , satisfies -entropy-restricted substring robustness against the random substitution channel family .
(We note that [4] demonstrates constructions of the requisite PRC.)
Proof.
First, similarly to the other two properties, it suffices to prove robustness by bounding the number of errors (i.e., tokens where ) in the “ideal” experiment described in Claim 25 where the codewords generated by are replaced by uniformly random bits; as shown in Claim 25, pseudorandomness of guarantees that the view of this experiment is identically distributed to that of the real execution of except with negligible probability, and thus, if in the ideal experiment there exists with overwhelming probability a block of the random codeword where sufficiently many tokens in the output are correctly embedded, it follows that there will also with overwhelming probability be such a block of the pseudorandom code (which will thus be recoverable) in the real experiment.
We next need to bound the error rate of the output of introduced by the embedding process. Intuitively, in each step, the closer the distribution is to uniform over , the more likely the algorithm is to draw a pair such that and thus output a token that hashes to the correct value of from without biasing the distribution of tokens. We make the following claim to show that, in a block where a sufficient number of tokens are drawn with enough empirical entropy, it is likely that enough of those tokens are drawn from sufficiently “close to uniform” distributions so that enough of those tokens are able to be drawn with hash value matching the PRC codeword to make the watermark easily detectable:
Claim 27.
Consider the execution of over some block of (i.e., the iteration from to for some fixed ). There exists negligible such that, with at least probability over the choice of function , the fraction of tokens for which is, except with probability over the randomness of , at most , where is the fraction of tokens drawn with empirical entropy at least 1.
Proof.
Consider an alternate experiment to generate the given block of where, to generate every token , we first sample a new function , and sample using the respective function but otherwise according to . Then, given some token drawn with empirical entropy at least 1, this means that it was sampled from a distribution such that . In particular, this means that the probability that was generated from a pair such that must likewise be at most 1/2. If , then the probability over the randomly generated function that is exactly 1/2 (meanwhile, if , this probability is clearly 0); thus, the probability that during the generation of this specific token must be at least 1/4.
Notice that if , then by construction of we will always select such that – that is, the embedding of the bit of the PRC codeword will be successful. Meanwhile, if , then the embedding will be successful if and only if , which over randomly generated happens with probability exactly 1/2.
In the actual execution of , remains the same throughout the entire generation of the block; however, because tokens are always generated according to their unbiased probabilities from by construction, we note that the tokens generated are identically distributed to the above experiment (or to the output of simply generating non-watermarked tokens using ). Because of this, it still holds that, if we sample two independently random tokens and as above, there is still probability over the choice of that for every token generated with sufficient empirical entropy. Unlike the above experiment, though, these probabilities are not independent as tokens may be repeated, so it is not necessarily the case that the fraction of tokens satisfying the entropy requirement with is close to except with negligible probability; however, we may still conclude by an averaging argument that, with at least probability over the choice of , at least of the tokens with sufficient empirical entropy have .888This may seem unintuitive since, at first glance, one would expect the tokens selected, and thus the indices of the tokens with sufficient experimental entropy, to be affected by the choice of ; however, we again stress that, because perfectly preserves the distributions of tokens generated, the tokens are independent of and . In particular, one can imagine any set of tokens and argue that, conditioned on the tokens with indices in having sufficient empirical entropy, at least of the tokens with indices in have with probability over randomly generated .
Thus, in the case (which occurs with at least probability ) where at least of the tokens with sufficient empirical entropy (i.e., a fraction of total tokens) have , those tokens will never have , and the remainder will have it with at most probability . This means that, in expectation, at most a fraction of tokens can have . However, for the tokens with , the probabilities that are independent in the “ideal” experiment where the codeword is randomly generated, and thus it can be asserted that, except with negligible probability, the fraction of those tokens for which is actually true will be close to its expectation.
Specifically, assume at least a fraction of tokens have ; otherwise we are already done (as then a fraction would be guaranteed to have ). Then, by Hoeffding’s inequality, the probability that the fraction of all tokens with both and is at least greater than its expectation – in other words, that the number of such tokens is at least greater than its expectation – is at most
which is negligible in because is a (small) constant and is polynomial. And, in the case where a fraction of total tokens have but the above event is not true (which, letting be the negligible function above, must happen with at least probability ), the actual fraction of tokens with can be at most
which completes the argument.
Given this, assume that an output exists some substring of length at least containing at least a fraction of tokens with empirical entropy 1 (otherwise, if no such substring exists entropy-restricted substring robustness holds trivially). In this case, this substring must contain complete blocks of the PRC, and those blocks must contain at least a fraction of the tokens with sufficient entropy, which we may take to be greater than for sufficiently large .
Then, by an averaging argument, at least blocks in that substring have at least a fraction of such tokens, which by Claim 27 means that those blocks, with probability over the choice of functions , have (with overwhelming probability) at most a error rate for embedding . We shall refer to such blocks as “good” for later analysis. Notably, because an independently random function is drawn for each block, these probabilities are independent.
Now, let us assume that the output is subjected to the random substitution channel – that is, with independent probability , each token is replaced with a different token determined according to an arbitrary function .999Namely, consider mapping each token in the alphabet to a distribution of replacement tokens and, for each replacement, selecting a token from the corresponding distribution, as long as the same distribution is used for each instance of a token. Given this, we want to show that with overwhelming probability there is at least one block of the output that still has at most a fraction of tokens for which ; if we can conclude this, then by the robustness of the watermark must be detectable with overwhelming probability by hashing that block and running during the execution of . Formally, we prove this via the following:
Claim 28.
Given some “good” block of the output of , after is applied the expected fraction of tokens in that block for which is no more than .
Proof.
Assume as a worst case that, whenever a substitution is made to a token which, in the experiment given in Claim 27, was drawn with (i.e., selected from a pair whose elements hashed to different values), that substitution always changes the hash value of applied to the token, creating a guaranteed error. Other tokens are errors with probability , meaning that in expectation they will retain that probability after being substituted irrespective of the probability with which substitution changes the value of .
In this case, let be the fraction of tokens with . Then in expectation the resulting fraction of errors is
For “good” blocks we assumed that was at least (since Claim 27 selects blocks where more than 1/4 of the tokens with empirical entropy 1 have and we apply it to blocks with at least a fraction of tokens having empirical entropy 1), thus the conclusion follows.
Markov’s inequality then gives that the probability that, in a “good” block, the fraction of tokens for which is greater than (i.e., the watermark cannot be successfully detected) can be at most
which in particular means that, as long as , the probability that a “good” block is recoverable is a (small) constant. Importantly, the probability of this occurrence is independent between blocks due to the resampling of , which means that, since there are at least blocks having enough tokens with empirical entropy 1, each of which has an (independent) probability to be “good” and the above constant (and also independent) probability to, if “good”, have few enough tokens for which that robustness of guarantees that the codeword can be successfully detected, we can conclude that the probability of failing to detect the watermark is negligible (inverse exponential) in and thus in , as desired.
