TextSeal: Multi-Domain Analysis
- TextSeal is a term designating three distinct systems in computer vision, LLM security, and text encryption, each addressing specialized text-related challenges.
- In Byzantine sigillography, TextSeal employs a two-stage deep-learning pipeline using YOLOv5 for localization and ResNet18 for classification, achieving high precision, recall, and low character error rate.
- Its LLM watermarking variant uses dual-key Gumbel-max sampling for distortion-free provenance detection, while its n-Sum encryption supports semantic comparisons of encrypted texts.
TextSeal is an ambiguous term in the technical literature, designating three distinct systems in different research areas. In computer vision and sigillography, it denotes a modular, two-stage deep-learning pipeline that takes a raw image of the reverse of a Byzantine seal and produces a diplomatic transcription of its inscribed Greek characters (Rageau et al., 2024). In large-language-model security, it denotes a localized watermark built on Gumbel-max sampling for provenance detection and distillation protection (Sander et al., 12 May 2026). In cryptography and privacy-preserving text analysis, it denotes an n-Sum encryption scheme in which the similarity between encryptions is roughly proportional to the semantic similarity between their generating messages (Kersting, 2013). The term therefore requires domain-specific disambiguation.
1. Disambiguation and scope
The three principal uses of the name TextSeal differ in objective, input modality, and formal machinery. One system reads Byzantine seal inscriptions from images, one embeds and detects watermark signals in LLM outputs, and one encrypts text so that encrypted messages remain semantically comparable.
| Usage | Paper | Core function |
|---|---|---|
| Byzantine seal transcription | "Character Recognition in Byzantine Seals with Deep Neural Networks" (Rageau et al., 2024) | Reverse-side seal image to diplomatic transcription |
| LLM watermarking | "TextSeal: A Localized LLM Watermark for Provenance & Distillation Protection" (Sander et al., 12 May 2026) | Distortion-free watermarking, detection, and localization |
| Comparable text encryption | "A Secure and Comparable Text Encryption Algorithm" (Kersting, 2013) | n-Sum encryption with semantic-overlap comparison |
A recurrent source of confusion is the assumption that TextSeal names a single framework. In the literature summarized here, the shared label is nominal rather than methodological.
2. TextSeal in Byzantine sigillography
In "Character Recognition in Byzantine Seals with Deep Neural Networks," TextSeal is a deep, two-stages, character reading pipeline for transcribing Byzantine seal images. Stage 1, "localization," uses a one-class object detector based on the "small" version of YOLOv5; its backbone is a CSP-Darknet module feeding into a PANet-style neck, with three feature-map outputs at strides 8, 16, and 32. Stage 2, "classification," uses a ResNet18 pretrained on ImageNet whose final 512-d global-pooling layer connects to a fully-connected classification head of dimension for 24 Greek glyphs plus a non-character pseudo-class. A final post-processing step applies a Hough-based text-line finder, sorts boxes within each line by projected abscissa, and concatenates the resulting labels into a diplomatic transcription (Rageau et al., 2024).
The system is trained and evaluated on a small corpus. The reported data statistics are 102 images in total, comprising 66 reverse and 36 obverse, and 2,463 samples for classification: 1,857 reverse, 456 obverse, and 150 non-char. Although 29 distinct Greek glyphs were originally annotated, classification is reduced to the 24 most-frequent classes. The experimental protocol uses 10-fold cross-validation at the seal level, with character-folds mirroring seal-folds so that no character crop in train and test derives from the same seal. Localization uses extensive geometric jitter, and classification uses padding to square, resize to 256×256, affine distortions, colour perturbation, and occasional random erasing.
The loss formulation follows the standard decomposition of the pipeline. The detection objective is
with a CIoU-based box-regression term and a binary cross-entropy objectness term. The classification network is trained with the standard cross-entropy loss
Evaluation uses for localization, Top-1 accuracy for classification, and Character Error Rate for end-to-end transcription:
The reported quantitative results separate the isolated components from the full pipeline. For reverse-side localization, 10-fold cross-validation at yields Precision , Recall , and . For classification on 20 main classes plus non-char, 10-fold cross-validation yields Top-1 , Top-2 0, Top-3 1, and 2. End-to-end transcription, measured by seal-averaged CER against ground truth, yields 3. The paper presents this as the first strong baseline for Byzantine seal transcription and compares it favorably with coin-digit studies that reported 43% accuracy on manually-cropped digits and 29% on automatically-cropped crops.
3. TextSeal as a localized LLM watermark
In "TextSeal: A Localized LLM Watermark for Provenance & Distillation Protection," TextSeal is a watermark for LLMs built on Gumbel-max sampling. At generation step 4, the base LLM outputs a next-token distribution 5, and a secret key together with the preceding 6 tokens seeds a pseudorandom function assigning each candidate token 7 a random value 8. The selection rule is
9
and Proposition 2.1 states that 0, which is the basis of the distortion-free claim. TextSeal then introduces dual-key routing: two independent keys 1 and 2 are maintained, and at each step one key is chosen at random with probabilities 3 and 4, where 5. The stated purpose is to restore nearly all stochastic diversity while remaining distortion-free (Sander et al., 12 May 2026).
Detection is based on token-level scores and entropy weighting. For key 6, the raw score is
7
and when the key is unknown at detection time, the early-fusion score is
8
Entropy weights are computed from a proxy entropy 9 and normalized within the sequence to form weights in 0. The weighted sum
1
is then approximated under 2 by a moment-matched Gamma law, yielding a final 3-value through the Gamma CDF. Under watermark absence, the selected 4 implies 5 i.i.d., and the null distribution of the unweighted sum is exactly Gamma.
Localization is handled by a multi-region search over dyadic window lengths 6 with stride 7, reducing the candidate set to 8 rather than 9. The extraction pipeline has a fast filter based on prefix sums and a rigorous test based on entropy-weighted Gamma 0-values. Multi-region recovery greedily selects the window with minimal 1, masks its tokens, and repeats up to 2 zones. Family-wise error is controlled by combining a global full-text test, a single best-window test, and a multi-region aggregation with Bonferroni(3).
The implementation section emphasizes serving compatibility. For speculative decoding, 3 is assigned to draft-accepted tokens and 4 to rejections, so the empirical acceptance rate 5 matches the routing ratio. For multi-token prediction, all draft heads use key 1 and fall back to key 2, with no change in latency or KV cache. The paper states zero inference overhead in the sense that the PRF is only evaluated on the top-6 token subset, approximately 200 tokens, incurring 7 overhead per token, or 0.07 ms, versus 0.4–1.1% for SynthID’s tournament sampling, or 0.6 ms. A 4-bit quantized 0.8 B proxy model for detection raises the unweighted detection score from median 4.8 to 6.2 in 8, while using 1.4 GB VRAM and 0.115 ms/token.
Empirically, the paper reports that varying 9 traces a Pareto frontier between Self-BLEU and median 0, and that TextSeal strictly dominates SynthID-Text at all diversity levels. On Qwen 3.5-27B across 12 benchmarks, average accuracy is unchanged at 70.6% versus 70.6%, with example slices including AIME 40.1→41.1, GSM8K 95.4→96.0, MMLU 49.2→51.5, and HumanEval 97.0→93.3, the latter attributed to minor formatting noise. A multilingual human evaluation comprises 6,000 A/B comparisons in 5 languages, with WM preferred 672 times, Base 591, and 4,737 ties, corresponding to a WM rate of 53.2% and net win +1.35%; no language achieves 1 after Bonferroni correction, and TOST equivalence with 2 confirms quality within 3. For localization under dilution, a 400-token watermarked block embedded in up to 12,000-token Wikipedia causes the global test to fail at approximately 4,000 tokens, whereas the ensemble retains 4 even at 12,000 tokens, or 3.3% watermark. The watermark is also described as radioactive: in a distillation setup from DeepSeek-R1-14B into Qwen2.5-3B on 5,000 math traces, all three tested watermarks produce student-forcing 5, and TextSeal yields the strongest signal in the all-data setting.
4. TextSeal as n-Sum comparable encryption
In "A Secure and Comparable Text Encryption Algorithm," TextSeal denotes Kersting’s n-Sum encryption, described as a simple algorithm for encrypting text messages such that the similarity between encryptions is roughly proportional to the semantic similarity between their generating messages. The formal specification defines 6, where the public parameters are 7. Here 8 is a dictionary mapping each word to a unique integer index, 9 is a thesaurus mapping a word 0 to a synset 1, 2 is an integer upper bound, and 3 is the n-sum-level parameter. Encryption takes a plaintext message 4 viewed as an unordered multiset of words and outputs
5
where each sum has the form
6
No efficient general decryption algorithm is provided; recovering 7 from 8 is conjectured to be NP-hard and is presented as the basis of security (Kersting, 2013).
The semantic-comparison functionality is central rather than incidental. For two ciphertexts 9 and 0, the total-set overlap is
1
interpreted as the fraction of sums in 2 that also appear in 3. For 4, the paper also defines word-pair coverage. For a candidate pair 5,
6
and
7
If the target plaintext actually contains 8, then 9; partial overlap indicates shared semantics. Comparison for 0 is implemented by sorting both sets, performing a two-pointer scan to compute the intersection, and returning the normalized overlap.
The security analysis links inversion to subset-sum and clique-type search. Recovering an 1-sum decomposition for an element of 2 is formulated as solving a subset-sum/Clique-type NP-hard problem over the universe of dictionary indices. The paper discusses a brute-force attack on 3 based on precomputing 4 for every dictionary pair. For 5, the space of pairs is approximately 6, and at approximately 7 pair-tests per second this would take many months on a single PC. Recommended countermeasures are to use 8, increase 9, and optionally remove duplicates from 0. A saturation bound is also given:
1
so that random collisions remain rare.
Performance is characterized in asymptotic terms. Reading dictionaries for key generation is 2 with storage 3. Encryption has time complexity
4
which for 5 becomes 6, and ciphertext size scales accordingly. Similarity comparison requires sorting plus linear-time intersection, and brute-force decryption or attack scales as 7.
5. Cross-domain comparison
The three TextSeal systems operate on different primitive objects. Byzantine TextSeal consumes raw images of the reverse of a Byzantine seal, identifies character instances with bounding boxes, and emits Greek glyph labels that are reassembled into a diplomatic transcription. The LLM watermarking TextSeal operates on next-token distributions and PRF-generated random variables, then produces detection scores, 8-values, and localized spans. The n-Sum encryption TextSeal operates on words, synsets, and integer sums, then produces ciphertext sets whose intersections support semantic comparison (Rageau et al., 2024, Sander et al., 12 May 2026, Kersting, 2013).
Their formal notions of success are likewise distinct. The sigillographic system is evaluated by 9, Top-00 accuracy, 01, and CER. The watermarking system is evaluated by detection strength in 02, preservation of downstream benchmark accuracy, human A/B judgments, robustness under dilution and fragmentation, and transfer through distillation. The encryption system defines overlap measures 03 and 04 and frames security in terms of NP-completeness and brute-force complexity.
This suggests that the common name does not mark a shared research program. The overlap lies chiefly in a broad concern with text-bearing artifacts: inscribed objects, generated text, and encrypted text. Beyond that, the technical substrates are heterogeneous—CNN-based vision, probabilistic watermarking for autoregressive decoding, and subset-sum-based comparable encryption.
6. Limitations, clarifications, and recurring misconceptions
A common misconception is that "distortion-free" in the LLM watermarking literature implies no change in diversity. The paper explicitly states the opposite limitation: like all distortion-free schemes, TextSeal reduces output diversity, not quality, and this may affect best-of-05 or creative-generation workflows. It also notes that strict distortion-freeness in the presence of repeated 06-grams requires a dedup protocol that is stateful, and that defaults omit this because repeats are rare for 07. Boundary recovery after adversarial edits is presented as open.
For Byzantine seal transcription, another possible misunderstanding is to treat the system as language-model-assisted OCR. The described pipeline is character-centric: a one-class detector, a crop classifier, and a Hough-based line finder are followed by concatenation in reading order, and at present no external Greek-LLM is applied. Occasional character-level corrections, such as merging "OU" ligatures, can be made by simple lookup rules. This suggests that the reported end-to-end CER reflects geometric localization, glyph classification, and line reconstruction rather than downstream linguistic normalization.
For the n-Sum encryption scheme, the term "encryption" can also be misunderstood if taken to imply ordinary reversible decryption. The paper explicitly provides no efficient general decryption algorithm and instead bases security on the conjectured NP-hardness of recovering the underlying message from the sum set. Its ability to support direct comparison of encrypted messages is not leakage identified post hoc; it is the defining design goal.