Papers
Topics
Authors
Recent
Search
2000 character limit reached

VOW: Verifiable and Oblivious Watermark Detection for Large Language Models

Published 30 Apr 2026 in cs.CR | (2604.27666v1)

Abstract: LLM watermarking is crucial for establishing the provenance of machine-generated text, but most existing methods rely on a centralized trust model. This model forces users to reveal potentially sensitive text to a provider for detection and offers no way to verify the integrity of the result. While asymmetric schemes have been proposed to address these issues, they are either impractical for short texts or lack formal guarantees linking watermark insertion and detection. We propose VOW, a new protocol that achieves both privacy-preserving and cryptographically verifiable watermark detection with high efficiency. Our approach formulates detection as a secure two-party computation problem, instantiating the watermark's core logic with a Verifiable Oblivious Pseudorandom Function (VOPRF). This allows the user and provider to perform detection without the user's text being revealed, while the provider's result is verifiable. Our comprehensive evaluation shows that VOW is practical for short texts and provides a crucial reassessment of watermark robustness against modern paraphrasing attacks.

Summary

  • The paper introduces VOW, a protocol that leverages a VOPRF framework to enable cryptographically verifiable watermark insertion and detection in LLM outputs.
  • It employs optimized multinomial sampling and top-k acceleration to achieve efficient watermarking for short texts without compromising user privacy.
  • Empirical evaluations show high detectability (TPR > 0.99) and strong statistical calibration, highlighting VOW’s potential for reliable LLM content provenance.

Verifiable and Oblivious Watermark Detection for LLMs: The VOW Protocol

Motivation and Problem Statement

The proliferation of LLMs has elevated concerns for content provenance, accountability, and regulatory compliance in generative text. Conventional watermarking techniques for LLM outputs typically operate within a symmetric-key framework, requiring the user to reveal their text to a provider for detection. This disclosure introduces severe privacy risks, especially in multi-provider environments or when user data is confidential. Additionally, providers may lack incentives for honest detection, introducing unverifiable claims and potential SLA violations (e.g., covert model downgrading). Asymmetric and learning-based watermarking schemes have emerged, but many fail to provide formal linkages between watermark insertion and detection, or become impractical for typical short output sequences (e.g., conversational snippets).

Protocol Design and Cryptographic Foundations

VOW circumvents the traditional trust model by reformulating watermark detection as a secure two-party computation grounded in the Verifiable Oblivious Pseudorandom Function (VOPRF). The conceptual structure involves three phases:

  • Setup: Provider generates a VOPRF secret key and publishes the public key.
  • Insertion: Watermarking operates akin to Green-Red (KGW) schemes, partitioning the token vocabulary at each generation step according to a cryptographic predicate IsGreen\mathrm{IsGreen}, itself an evaluation of the VOPRF over context-token pairs. The token selection process incentivizes sampling from the green list, embedding a statistical signal.
  • Detection: User blinds their candidate context-token pairs and submits them to the provider, who computes blinded VOPRF evaluations and returns proofs. The user verifies these proofs locally and proceeds with statistical hypothesis testing for watermark presence.

The VOPRF instantiation (e.g., 2HashDH, RFC 9497) ensures that the provider never learns plaintext input, while the detection results are cryptographically binding to the provider's committed key. This provides both verifiability and privacy—necessary for service auditing contexts.

Threat Model and Security Properties

VOW is formally analyzed under a dual threat model:

  • Malicious Provider: May misreport detection results or attempt to infer private user input. VOW guarantees input privacy (via VOPRF obliviousness) and verifiability (via non-interactive DLEQ proofs), barring the provider from forging detection outcomes.
  • Malicious User: May seek to forge watermarked content. VOW, under DDH assumptions, is unforgeable: a computationally bounded adversary cannot synthesize texts that pass watermark detection, except at negligible probability or via brute-force learning attacks which are rendered infeasible by context size and token space cardinality.

Importantly, context length hh offers tunability: larger values improve unforgeability but reduce robustness to perturbations.

Practical Optimization and Deployment

Insertion naively requires per-token PRF evaluations over large vocabularies. VOW introduces two key optimizations:

  • Unbiased Multinomial Sampling: Uses rejection sampling to sample tokens from the watermark-biased distribution without iterating the vocabulary, reducing computational cost by several orders of magnitude.
  • Top-kk Acceleration: Employs adaptive filtering and early stopping min-heap strategies for constrained sampling regimes.

Detection leverages batch VOPRF evaluation, reducing communication and proof overhead to constant size for arbitrarily long input sequences.

Empirical Evaluation: Detectability, Robustness, and Overhead

VOW is benchmarked against KGW (LeftHash, SelfHash), RDF, PDW, and UPV baselines across key axes:

  • Detectability on Short Texts: VOW achieves TPR >0.99>0.99 at >150>150 tokens for FPR 10510^{-5}, outperforming nearly all baselines, while maintaining statistical calibration between theoretical and empirical FPR. Figure 1

    Figure 1: True positive rate (TPR) of watermarking schemes versus token length at fixed false positive rate 10510^{-5}.

  • Quality-Detectability Tradeoff: VOW preserves perplexity (PPL) near the non-watermarked baseline. Text quality drops sharply with PDW, RDF, and UPV. Figure 2

Figure 2

Figure 2: Trade-off between perplexity and true positive rate at 10510^{-5} FPR (lower PPL indicates better quality).

  • Overhead: Optimized VOW achieves ITL competitive with LeftHash while batch detection runs efficiently. Unoptimized insertion or detection is prohibitively slow. Figure 3

Figure 3

Figure 3: End-to-end throughput of VOW under different watermarking and sampling parameters, illustrating practical generation speed.

  • Robustness Against Adversarial Attacks: All evaluated watermarking schemes, including VOW, fail to maintain reliability under advanced paraphrasing (e.g., GPT-5.1), although resilience to simple edit/synonym attacks remains strong. Figure 4

    Figure 4: AUC and TPR curves for watermarking schemes under synonym replacement and paraphrasing attacks, showing loss of detection reliability under paraphrasing.

    Figure 5

    Figure 5: Distribution of detection pp-values for non-watermarked and paraphrased watermarked samples, indicating indistinguishability post-attack.

  • Reliability and Pseudorandomness Validation: The IsGreen\mathrm{IsGreen} predicate and Binomial detector are calibrated to statistical theory, with empirical FPR matching theoretical expectations. Figure 6

    Figure 6: Empirical versus theoretical FPR ratio for watermark detection; ideal calibration at ratio 1.

Comparative Analysis and Implications

VOW uniquely combines cryptographic verifiability, user privacy, practical detectability for short texts, and manageable overhead. Unlike PDW or UPV, detection is interactive and not purely local, but VOW operates efficiently even in low-entropy domains and incurs minor computational cost after optimization. All evaluated schemes are vulnerable to semantic attacks (paraphrasing), pointing to an inherent trade-off between robustness and unforgeability.

The implications are threefold:

  • Practical Auditing: VOW is highly suited for LLM service auditing, enabling users to verify API output provenance without revealing their content and providers to attest to detection honesty.
  • Cryptographic Accountability: Embedding a verifiable proof alongside output traces shifts LLM accountability from statistical anomaly detection to cryptographically precise provenance.
  • Robustness Limitation: The inability to withstand advanced paraphrasing points to required future developments in embedding semantic invariance or hybrid cryptographic/statistical watermarking.

Future Directions

Research avenues include integrating VOW's VOPRF core into semantic watermarking (e.g., embedding-level signal), formal security analyses for batch VOPRF, constructing non-interactive protocols for short-text detection, and combining watermarking with operational auditing for generation-time accountability.

Conclusion

VOW represents a protocol for watermarking LLM outputs that achieves cryptographically verifiable and privacy-preserving detection suitable for real-world, short-text applications. Its performance, theoretical guarantees, and practical optimizations position it as a compelling basis for provenance auditing in generative AI. The challenge of robustness to semantic attacks remains open, demanding new algorithmic and cryptographic mechanisms for future watermarking frameworks (2604.27666).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.