Papers
Topics
Authors
Recent
Search
2000 character limit reached

TimeMark: A Trustworthy Time Watermarking Framework for Exact Generation-Time Recovery from AIGC

Published 14 Apr 2026 in cs.CR and cs.CL | (2604.12216v1)

Abstract: The widespread use of LLMs in text generation has raised increasing concerns about intellectual property disputes. Watermarking techniques, which embed meta information into AI-generated content (AIGC), have the potential to serve as judicial evidence. However, existing methods rely on statistical signals in token distributions, leading to inherently probabilistic detection and reduced reliability, especially in multi-bit encoding (e.g., timestamps). Moreover, such methods introduce detectable statistical patterns, making them vulnerable to forgery attacks and enabling model providers to fabricate arbitrary watermarks. To address these issues, we propose the concept of trustworthy watermark, which achieves reliable recovery with 100% identification accuracy while resisting both user-side statistical attacks and provider-side forgery. We focus on trustworthy time watermarking for use as judicial evidence. Our framework integrates cryptographic techniques and encodes time information into time-dependent secret keys under regulatory supervision, preventing arbitrary timestamp fabrication. The watermark payload is decoupled from time and generated as a random, non-stored bit sequence for each instance, eliminating statistical patterns. To ensure verifiability, we design a two-stage encoding mechanism, which, combined with error-correcting codes, enables reliable recovery of generation time with theoretically perfect accuracy. Both theoretical analysis and experiments demonstrate that our framework satisfies the reliability requirements for judicial evidence and offers a practical solution for future AIGC-related intellectual property disputes.

Authors (3)

Summary

  • The paper presents a novel cryptographic approach that decouples timestamp from payload to thwart both provider-side and user-side forgery.
  • It leverages one-way key evolution and randomized ECC-encoded payloads to achieve near-perfect recovery with negligible false positives.
  • Empirical validation on 800 LLM-generated samples confirms 100% generation time recovery and robust judicial-grade evidentiary reliability.

Trustworthy Generation-Time Watermarking for AIGC: The TimeMark Framework

Motivation and Problem Context

The growing ubiquity of LLM-based AIGC production raises substantial challenges for intellectual property authentication, especially in determining the creation time of generated content. Traditional watermarking approaches, whether zero-bit or multi-bit, are vulnerable to decoding ambiguity, statistical attacks, and provider-side forgery—rendering them unsuitable for evidentiary use in legal disputes. The absence of a technically enforceable link between generation events and trustworthy timestamps hinders robust copyright determination and priority establishment.

Shortcomings of Prior Approaches

Conventional multi-bit token-level watermarking encodes timestamp or other metadata directly as payload. This direct-embedding paradigm creates several critical vulnerabilities:

  1. Imperfect Recovery: Statistical coding induces decoding errors that cannot guarantee 100% time reconstruction, contradicting forensic evidentiary requirements.
  2. Provider-Side Forgery: Since encoding rules and cryptographic parameters are owned by the service provider, arbitrary backdating or postdating (via arbitrary timestamp payload encoding) is trivially feasible.
  3. Statistical Imitability: The deterministic relationship between payload and watermark signature allows adversaries, given sufficient queries, to learn and synthesize a surrogate watermark function, enabling user-side forgery through surrogate-model-guided sampling and reweighting [jovanovic2024watermark].

These limitations fundamentally constrain the evidentiary weight of LLM watermarking methods, especially for the establishment of generation time as credible evidence in judicial settings.

TimeMark: Cryptography-Informed Trustworthy Time Watermarking

The proposed TimeMark framework introduces a structural paradigm shift: instead of directly encoding timestamps as payload, timestamp information is cryptographically decoupled from the watermark payload and bound to a time-dependent secret key. This section summarizes the overall system design (Figure 1). Figure 1

Figure 1: The overall TimeMark framework, featuring cryptographically secured time-key management and random payload instantiation for each generation.

Key Design Elements

  • One-way Key Evolution & HSM Integration: Time is discretized into windows (e.g., minute-level) with each window tt associated with a unique key KtK_t, derived via a one-way hash chain (e.g., Kt=H(Kt−1)K_t = H(K_{t-1})). Key material is stored within a Hardware Security Module (HSM) under regulatory supervision, enforcing forward-only derivability and precluding service-provider access to prior keys. This cryptographically restricts the provider’s ability to issue content with arbitrary historical timestamps.
  • Payload Randomization: Rather than using timestamp bits, the watermark payload is a freshly sampled random sequence RR for every instance. This sequence is encoded with a high-redundancy ECC (e.g., BCH(63,10)) and mapped to text positions by an allocation function A\mathcal{A}. This randomization strategy strips the watermark signal of persistent statistical structure, nullifying user-side statistical imitation via large-scale adversarial queries.
  • Two-Stage Encoding: The generation process is partitioned. In Stage I (early tokens), the seed for greenlist partitioning combines KtK_t, RR, and the (hash of the) prefix, embedding a payload bit in each position. In Stage II (later tokens), RR is omitted from seed computation to facilitate efficient verification.
  • Public Verifiability & Verification: On challenge, the hypothetical generation time candidates are mapped to KtK_t candidates, and decoding is performed against all plausible windows. Decoding leverages ECC decoding for robust recovery. If the reconstructed codeword yields a high match rate with first-stage tokens (threshold Ï•\phi, e.g., 0.65), the generation time is authenticated. The process guarantees negligible probability of false positives for both wrong-key and wrong-payload hypotheses, with a formal separation proven via binomial tail bounds.

Evaluation: Theoretical and Empirical Results

Error Correction and Reliability

When using BCH(63,10), the system tolerates up to 13 bit errors during watermark bit recovery, with the probability of successful recovery essentially unity under plausible decoding noise (KtK_t0–KtK_t1 per position for bias KtK_t2).

The match-rate analysis in decoding steps further indicates:

  • False Rejection (correct KtK_t3 and KtK_t4 but match rate < KtK_t5): Probability essentially KtK_t6 (negligible).
  • False Acceptance (incorrect KtK_t7 or KtK_t8 yet match rate > KtK_t9): Probability bounded by Kt=H(Kt−1)K_t = H(K_{t-1})0.

Thus, the framework's design creates a strict dichotomy between authentic and forged generation-time claims.

Experimental Validation

On 800 LLM-generated samples (with Qwen2.5-7B), every watermarked text had its generation time recovered perfectly (Kt=H(Kt−1)K_t = H(K_{t-1})1), and zero false positives were detected for non-watermarked baselines. The mean verification score for genuine watermarks was Kt=H(Kt−1)K_t = H(K_{t-1})2 versus Kt=H(Kt−1)K_t = H(K_{t-1})3 for non-watermarked content, substantiating high calibration of the threshold-based decision regime.

Security and Evidentiary Guarantees

TimeMark fundamentally prevents both classes of forgery:

  • Provider-Side (Backward Timestamps): One-way key chains anchored in regulated HSMs preclude the fabrication of prior time-keys, thereby making unauthorized assignment of historical generation times infeasible.
  • User-Side (Statistical Attacks): Randomized payloads with strong ECC, coupled with absence of direct semantic linkage between payload and generation time, render large-scale training of surrogate watermark classifiers and subsequent imitation attacks fruitless.

The architecture satisfies all legal and practical requirements for judicial-grade timestamping: authenticity, process integrity, resistance to undetectable tampering, public verifiability, and routine operation.

Practical Implications and Future Prospects

TimeMark establishes a viable technical foundation for legal-grade watermark timestamping of AIGC. For practical deployment, the principal limitation is the dependence on long-form generated texts for error-free recovery and the implicit assumption that the watermarked output is preserved in its original form. Ongoing research directions include:

  • Short-Text Robustness: Adapting ECC strategies and allocation functions to enable perfect identification with fewer tokens, crucial for granular and interactive AIGC use-cases.
  • Edit Robustness: Integrating semantic-level watermarking or targeted redundancy to recover from moderate text modifications, enhancing applicability in real-world settings where post-generation edits are common.

Conclusion

The TimeMark framework provides a technically sound, cryptographically anchored solution to the generation-time attribution problem in AIGC. By decoupling time-identity from payload, introducing one-way keys under centralized regulatory custody, and leveraging random payload assignment with strong ECC, the framework meets strict evidentiary standards and neutralizes both provider- and user-forgery vectors. This methodology constitutes a rigorous foundation for future systems aiming to support intellectual property resolution and legal authentication in an era dominated by automated content generation.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.