- The paper introduces VOW, a protocol that leverages a VOPRF framework to enable cryptographically verifiable watermark insertion and detection in LLM outputs.
- It employs optimized multinomial sampling and top-k acceleration to achieve efficient watermarking for short texts without compromising user privacy.
- Empirical evaluations show high detectability (TPR > 0.99) and strong statistical calibration, highlighting VOW’s potential for reliable LLM content provenance.
Verifiable and Oblivious Watermark Detection for LLMs: The VOW Protocol
Motivation and Problem Statement
The proliferation of LLMs has elevated concerns for content provenance, accountability, and regulatory compliance in generative text. Conventional watermarking techniques for LLM outputs typically operate within a symmetric-key framework, requiring the user to reveal their text to a provider for detection. This disclosure introduces severe privacy risks, especially in multi-provider environments or when user data is confidential. Additionally, providers may lack incentives for honest detection, introducing unverifiable claims and potential SLA violations (e.g., covert model downgrading). Asymmetric and learning-based watermarking schemes have emerged, but many fail to provide formal linkages between watermark insertion and detection, or become impractical for typical short output sequences (e.g., conversational snippets).
Protocol Design and Cryptographic Foundations
VOW circumvents the traditional trust model by reformulating watermark detection as a secure two-party computation grounded in the Verifiable Oblivious Pseudorandom Function (VOPRF). The conceptual structure involves three phases:
- Setup: Provider generates a VOPRF secret key and publishes the public key.
- Insertion: Watermarking operates akin to Green-Red (KGW) schemes, partitioning the token vocabulary at each generation step according to a cryptographic predicate IsGreen, itself an evaluation of the VOPRF over context-token pairs. The token selection process incentivizes sampling from the green list, embedding a statistical signal.
- Detection: User blinds their candidate context-token pairs and submits them to the provider, who computes blinded VOPRF evaluations and returns proofs. The user verifies these proofs locally and proceeds with statistical hypothesis testing for watermark presence.
The VOPRF instantiation (e.g., 2HashDH, RFC 9497) ensures that the provider never learns plaintext input, while the detection results are cryptographically binding to the provider's committed key. This provides both verifiability and privacy—necessary for service auditing contexts.
Threat Model and Security Properties
VOW is formally analyzed under a dual threat model:
- Malicious Provider: May misreport detection results or attempt to infer private user input. VOW guarantees input privacy (via VOPRF obliviousness) and verifiability (via non-interactive DLEQ proofs), barring the provider from forging detection outcomes.
- Malicious User: May seek to forge watermarked content. VOW, under DDH assumptions, is unforgeable: a computationally bounded adversary cannot synthesize texts that pass watermark detection, except at negligible probability or via brute-force learning attacks which are rendered infeasible by context size and token space cardinality.
Importantly, context length h offers tunability: larger values improve unforgeability but reduce robustness to perturbations.
Practical Optimization and Deployment
Insertion naively requires per-token PRF evaluations over large vocabularies. VOW introduces two key optimizations:
- Unbiased Multinomial Sampling: Uses rejection sampling to sample tokens from the watermark-biased distribution without iterating the vocabulary, reducing computational cost by several orders of magnitude.
- Top-k Acceleration: Employs adaptive filtering and early stopping min-heap strategies for constrained sampling regimes.
Detection leverages batch VOPRF evaluation, reducing communication and proof overhead to constant size for arbitrarily long input sequences.
Empirical Evaluation: Detectability, Robustness, and Overhead
VOW is benchmarked against KGW (LeftHash, SelfHash), RDF, PDW, and UPV baselines across key axes:
Figure 2: Trade-off between perplexity and true positive rate at 10−5 FPR (lower PPL indicates better quality).
- Overhead: Optimized VOW achieves ITL competitive with LeftHash while batch detection runs efficiently. Unoptimized insertion or detection is prohibitively slow.

Figure 3: End-to-end throughput of VOW under different watermarking and sampling parameters, illustrating practical generation speed.
- Robustness Against Adversarial Attacks: All evaluated watermarking schemes, including VOW, fail to maintain reliability under advanced paraphrasing (e.g., GPT-5.1), although resilience to simple edit/synonym attacks remains strong.
Figure 4: AUC and TPR curves for watermarking schemes under synonym replacement and paraphrasing attacks, showing loss of detection reliability under paraphrasing.
Figure 5: Distribution of detection p-values for non-watermarked and paraphrased watermarked samples, indicating indistinguishability post-attack.
- Reliability and Pseudorandomness Validation: The IsGreen predicate and Binomial detector are calibrated to statistical theory, with empirical FPR matching theoretical expectations.
Figure 6: Empirical versus theoretical FPR ratio for watermark detection; ideal calibration at ratio 1.
Comparative Analysis and Implications
VOW uniquely combines cryptographic verifiability, user privacy, practical detectability for short texts, and manageable overhead. Unlike PDW or UPV, detection is interactive and not purely local, but VOW operates efficiently even in low-entropy domains and incurs minor computational cost after optimization. All evaluated schemes are vulnerable to semantic attacks (paraphrasing), pointing to an inherent trade-off between robustness and unforgeability.
The implications are threefold:
- Practical Auditing: VOW is highly suited for LLM service auditing, enabling users to verify API output provenance without revealing their content and providers to attest to detection honesty.
- Cryptographic Accountability: Embedding a verifiable proof alongside output traces shifts LLM accountability from statistical anomaly detection to cryptographically precise provenance.
- Robustness Limitation: The inability to withstand advanced paraphrasing points to required future developments in embedding semantic invariance or hybrid cryptographic/statistical watermarking.
Future Directions
Research avenues include integrating VOW's VOPRF core into semantic watermarking (e.g., embedding-level signal), formal security analyses for batch VOPRF, constructing non-interactive protocols for short-text detection, and combining watermarking with operational auditing for generation-time accountability.
Conclusion
VOW represents a protocol for watermarking LLM outputs that achieves cryptographically verifiable and privacy-preserving detection suitable for real-world, short-text applications. Its performance, theoretical guarantees, and practical optimizations position it as a compelling basis for provenance auditing in generative AI. The challenge of robustness to semantic attacks remains open, demanding new algorithmic and cryptographic mechanisms for future watermarking frameworks (2604.27666).