- The paper presents a novel cryptographic approach that decouples timestamp from payload to thwart both provider-side and user-side forgery.
- It leverages one-way key evolution and randomized ECC-encoded payloads to achieve near-perfect recovery with negligible false positives.
- Empirical validation on 800 LLM-generated samples confirms 100% generation time recovery and robust judicial-grade evidentiary reliability.
Trustworthy Generation-Time Watermarking for AIGC: The TimeMark Framework
Motivation and Problem Context
The growing ubiquity of LLM-based AIGC production raises substantial challenges for intellectual property authentication, especially in determining the creation time of generated content. Traditional watermarking approaches, whether zero-bit or multi-bit, are vulnerable to decoding ambiguity, statistical attacks, and provider-side forgery—rendering them unsuitable for evidentiary use in legal disputes. The absence of a technically enforceable link between generation events and trustworthy timestamps hinders robust copyright determination and priority establishment.
Shortcomings of Prior Approaches
Conventional multi-bit token-level watermarking encodes timestamp or other metadata directly as payload. This direct-embedding paradigm creates several critical vulnerabilities:
- Imperfect Recovery: Statistical coding induces decoding errors that cannot guarantee 100% time reconstruction, contradicting forensic evidentiary requirements.
- Provider-Side Forgery: Since encoding rules and cryptographic parameters are owned by the service provider, arbitrary backdating or postdating (via arbitrary timestamp payload encoding) is trivially feasible.
- Statistical Imitability: The deterministic relationship between payload and watermark signature allows adversaries, given sufficient queries, to learn and synthesize a surrogate watermark function, enabling user-side forgery through surrogate-model-guided sampling and reweighting [jovanovic2024watermark].
These limitations fundamentally constrain the evidentiary weight of LLM watermarking methods, especially for the establishment of generation time as credible evidence in judicial settings.
The proposed TimeMark framework introduces a structural paradigm shift: instead of directly encoding timestamps as payload, timestamp information is cryptographically decoupled from the watermark payload and bound to a time-dependent secret key. This section summarizes the overall system design (Figure 1).
Figure 1: The overall TimeMark framework, featuring cryptographically secured time-key management and random payload instantiation for each generation.
Key Design Elements
- One-way Key Evolution & HSM Integration: Time is discretized into windows (e.g., minute-level) with each window t associated with a unique key Kt​, derived via a one-way hash chain (e.g., Kt​=H(Kt−1​)). Key material is stored within a Hardware Security Module (HSM) under regulatory supervision, enforcing forward-only derivability and precluding service-provider access to prior keys. This cryptographically restricts the provider’s ability to issue content with arbitrary historical timestamps.
- Payload Randomization: Rather than using timestamp bits, the watermark payload is a freshly sampled random sequence R for every instance. This sequence is encoded with a high-redundancy ECC (e.g., BCH(63,10)) and mapped to text positions by an allocation function A. This randomization strategy strips the watermark signal of persistent statistical structure, nullifying user-side statistical imitation via large-scale adversarial queries.
- Two-Stage Encoding: The generation process is partitioned. In Stage I (early tokens), the seed for greenlist partitioning combines Kt​, R, and the (hash of the) prefix, embedding a payload bit in each position. In Stage II (later tokens), R is omitted from seed computation to facilitate efficient verification.
- Public Verifiability & Verification: On challenge, the hypothetical generation time candidates are mapped to Kt​ candidates, and decoding is performed against all plausible windows. Decoding leverages ECC decoding for robust recovery. If the reconstructed codeword yields a high match rate with first-stage tokens (threshold ϕ, e.g., 0.65), the generation time is authenticated. The process guarantees negligible probability of false positives for both wrong-key and wrong-payload hypotheses, with a formal separation proven via binomial tail bounds.
Evaluation: Theoretical and Empirical Results
Error Correction and Reliability
When using BCH(63,10), the system tolerates up to 13 bit errors during watermark bit recovery, with the probability of successful recovery essentially unity under plausible decoding noise (Kt​0–Kt​1 per position for bias Kt​2).
The match-rate analysis in decoding steps further indicates:
- False Rejection (correct Kt​3 and Kt​4 but match rate < Kt​5): Probability essentially Kt​6 (negligible).
- False Acceptance (incorrect Kt​7 or Kt​8 yet match rate > Kt​9): Probability bounded by Kt​=H(Kt−1​)0.
Thus, the framework's design creates a strict dichotomy between authentic and forged generation-time claims.
Experimental Validation
On 800 LLM-generated samples (with Qwen2.5-7B), every watermarked text had its generation time recovered perfectly (Kt​=H(Kt−1​)1), and zero false positives were detected for non-watermarked baselines. The mean verification score for genuine watermarks was Kt​=H(Kt−1​)2 versus Kt​=H(Kt−1​)3 for non-watermarked content, substantiating high calibration of the threshold-based decision regime.
Security and Evidentiary Guarantees
TimeMark fundamentally prevents both classes of forgery:
- Provider-Side (Backward Timestamps): One-way key chains anchored in regulated HSMs preclude the fabrication of prior time-keys, thereby making unauthorized assignment of historical generation times infeasible.
- User-Side (Statistical Attacks): Randomized payloads with strong ECC, coupled with absence of direct semantic linkage between payload and generation time, render large-scale training of surrogate watermark classifiers and subsequent imitation attacks fruitless.
The architecture satisfies all legal and practical requirements for judicial-grade timestamping: authenticity, process integrity, resistance to undetectable tampering, public verifiability, and routine operation.
Practical Implications and Future Prospects
TimeMark establishes a viable technical foundation for legal-grade watermark timestamping of AIGC. For practical deployment, the principal limitation is the dependence on long-form generated texts for error-free recovery and the implicit assumption that the watermarked output is preserved in its original form. Ongoing research directions include:
- Short-Text Robustness: Adapting ECC strategies and allocation functions to enable perfect identification with fewer tokens, crucial for granular and interactive AIGC use-cases.
- Edit Robustness: Integrating semantic-level watermarking or targeted redundancy to recover from moderate text modifications, enhancing applicability in real-world settings where post-generation edits are common.
Conclusion
The TimeMark framework provides a technically sound, cryptographically anchored solution to the generation-time attribution problem in AIGC. By decoupling time-identity from payload, introducing one-way keys under centralized regulatory custody, and leveraging random payload assignment with strong ECC, the framework meets strict evidentiary standards and neutralizes both provider- and user-forgery vectors. This methodology constitutes a rigorous foundation for future systems aiming to support intellectual property resolution and legal authentication in an era dominated by automated content generation.