Waterfall: Framework for Robust and Scalable Text Watermarking

First, note that the fidelity desideratum is a major constraint to a scheme’s ability to meet the other desiderata. Intuitively, a scheme that can only generate a small set $\mathbb{T}_{c,s}^{\mathcal{W}}$ of possible watermarked text would have fewer ways to encode the watermark, leading to lower signal capacity (smaller $|\mathbb{M}|$, lower scalability), and less capacity for error correction to withstand attacks (lower robust verifiability).

For illustration, consider a basic semantic watermarking scheme (Basic) that lists out synonyms for each word in the original text $T_{\text{o}}$ (e.g., big cat) and remembers a map of IDs to possible combinations of these synonyms (e.g., 01:big feline, 10:large cat, 11:large feline). Watermarking for ID $\mu$ is then selecting the text $T_{\text{w}}$ with the matching synonym combination. Note that schemes like Basic typically only have a relatively small support set $\mathbb{T}_{c,s}^{\mathcal{W}}$ and hence limited watermarking possibilities.

However, LLMs can come up with many more possibilities and access a larger $\mathbb{T}_{c,s}^{\mathcal{W}}$ compared to schemes like Basic using mechanical paraphrasing rules (e.g., synonym replacement). Past works have shown that LLMs can effectively paraphrase text given suitable prompts (Shu et al., 2024; Witteveen et al., 2019). For example, while synonym replacement can only generate possibilities involving word replacements, an LLM may be able to completely reorder, break, or fuse sentences while preserving semantic content $c$. In general, as some expressions are more common, we can associate a probability distribution $p_{c}(T)$ over this set $\mathbb{T}_{c,s}^{\mathcal{W}}$.

Intuitively, we can consider a suitable paraphrasing prompt combined with text $T_{\text{o}}$ as tokens $\hat{c}$ that can constrain an LLM’s text generation to $\mathbb{T}_{c,s}^{\mathcal{W}}$. Given $\hat{c}$, the LLM autoregressively access $p_{c}(T)$ by producing conditional probability distributions $p(w_{j}|\hat{w}_{1:j-1},\hat{c})$ for token $w_{j}$ at step $j$ given the preceding sampled tokens $\hat{w}$, and sampling for each step until it deemed that it had conveyed $c$. Specifically, at step $j$, the LLM generates a vector of logits $L_{j}(\hat{w}_{1:j-1},\hat{c})\in\mathbb{R}^{|\mathbb{V}|}$, where

We denote LLMs used this way as LLM paraphrasers. By using LLM paraphrasers, we significantly increase $\mathbb{T}_{c,s}^{\mathcal{W}}$, which helps us better meet the fidelity, robust verifiability and scalability desiderata.

Given the extensive threat model, most watermarking schemes would face a major challenge in meeting the robust verifiability desideratum. For example, $\mathbb{A}_{2}$ paraphrasing attacks would likely break schemes such as Basic which depend on word ordering²²2Using example in Section 3.1, “large cat”$\rightarrow$“cat that is large” would invert the embedded ID “10” to “01”., let alone attacks involving further processing by black-box LLMs (e.g., $\mathbb{A}_{4}$, $\mathbb{A}_{5}$ attacks). Instead, we could decompose $p_{c}(T)$ and the watermarked text $T_{\text{w}}$ into multiple signal carriers, and embed the same watermarking signal to all. This way, we adopt a probabilistic approach where each carrier could independently be used to verify a watermark, to withstand attacks that can only corrupt a proportion of carriers.

Specifically, we could consider each consecutive $n$ tokens in $T_{\text{w}}$ as an $n$-gram carrier unit. At each LLM paraphraser token generation step $j$, we could apply a watermarking operator $\mathcal{W}$ (Section 3.3) that perturbs the logits of Equation 1 based on the ID $\mu$ and past $n-1$ generated tokens: $\check{L}_{j}=\mathcal{W}[\mu,\hat{w}_{j-n+1:j-1}](L_{j}(\hat{w}_{1:j-1},\hat{c}))$. The perturbed logits will cause a detectable bias in each $n$-gram, hence the more $n$-grams that persist after any attack, the higher the verifiability.

Meanwhile, in future generation steps $j^{\prime}$, the LLM paraphraser will correct deviations from semantic content $c$ and preserve fidelity given sufficient generation steps, as the subsequent logits $L_{j^{\prime}}(\hat{w}_{1:{j^{\prime}}-1},\hat{c})$ are still conditioned on paraphrasing prompt $\hat{c}$.

This approach increases our framework’s robustness against not just paraphrasing attacks, but also more general LLM-based attacks (e.g., $\mathbb{A}_{5}$). Past works have shown that language models tend to generate few novel $n$-grams outside their training set for small $n$ (McCoy et al., 2023). Hence, LLMs trained on text with our watermarked $n$-grams may more likely generate them in their output. Given sufficient queries to these LLMs, the watermark could then be reliably verified, which we empirically demonstrate in Section 4.

Finally, we propose a watermarking operator $\mathcal{W}$ comprising two components: 1) vocab permutation, and 2) orthogonal perturbation. In this section, we will use a toy example (Vec) to show how these components work before presenting their general form. In Vec, we have logits $L=[3,2,1]$, indexed by an ordered set $V_{o}=\{\alpha,\beta,\gamma\}$ representing the token space, e.g., $L(\alpha)$ = 3. Figure 2a presents $L$ as a graph ($V_{o}$ as $x$-axis).

Vocab permutation. The vocab permutation operator $\mathcal{P}$ produces a single permutation of $V_{o}$ and $L$ for any given key $k_{\pi}$ (arrow \raisebox{-1.05pt} {1}⃝ in Figure 2a). The inverse operator $\mathcal{P}^{-1}$ reverses the permutation of $\mathcal{P}$ when provided the same key (arrow \raisebox{-1.05pt} {2}⃝ in Figure 2a). As $|V_{o}|=3$, there are 6 possible permutations of $L$, plotted as graphs over a new ordered index $V_{w}=\{a,b,c\}$, which we can interpret as the watermarking space. Then, we define the average permutation operator $\bar{\mathcal{P}}$ acting on $L$ (indexed by $V_{o}$) as one that takes a sequence of keys $K_{\pi}$, apply $\mathcal{P}$ to get $L_{k_{\pi}}$ for each $k_{\pi}\in K_{\pi}$, and averages them to get a vector $\bar{L}$ (indexed by $V_{w}$). Note that when we use $\bar{\mathcal{P}}$ on $L$ over all possible keys, we get a constant vector (e.g., $\bar{L}=\sum_{i=1}^{6}L_{i}/6=[2,2,2]$, \raisebox{-1.05pt} {3}⃝ in Figure 2a).

Similarly, given a vector $G$ indexed by $V_{w}$, which we can interpret as the watermark signal, the inverse operator $\mathcal{P}^{-1}$ permutes $G$ and $V_{w}$ given a key $k_{\pi}$, mapping it to $V_{o}$, the LLM-ordered token space (arrow \raisebox{-1.05pt} {4}⃝ in Figure 2b). $\bar{\mathcal{P}}^{-1}$ acting on $G$ analogously averages over all keys, and will also give a constant vector indexed over $V_{o}$ (e.g., $\bar{G}=\sum_{i=1}^{6}G_{i}/6=[0,0,0]$, \raisebox{-1.05pt} {6}⃝ in Figure 2b).

This leads to an interesting insight: the permutation operators provide a way for us to add watermark signals to logits in a deterministically shifting $V_{w}$ space (based on a sequence of keys) to boost verifiability and fidelity. For illustration, assume that an LLM paraphraser produces $L$ (in $V_{o}$-space) for all token generation steps. We use a long sequence $K_{\pi}$ of pseudo-random uniformly sampled keys to apply $\mathcal{P}$ on $L$ multiple times ($n$-gram watermarking), and add the same watermarking signal $G$ in each resulting $V_{w}$ space for all instances. If we apply $\bar{\mathcal{P}}^{-1}$ with $K_{\pi}$ on the perturbed signal $L+G$, the distortion from the permuted $L$ will effectively contribute only uniform background noise to $G$ (\raisebox{-1.05pt} {7}⃝ in Figure 2c), which improves verifiability. If we instead convert $L+G$ back to $V_{o}$ space (for token generation) with $\mathcal{P}^{-1}$ for all steps and apply $\bar{\mathcal{P}}$, we get the original logits with only uniform background noise from watermarking (\raisebox{-1.05pt} {8}⃝ in Figure 2c), which improves fidelity.

More generally, we define the vocab permutation operator $\mathcal{P}$ and its inverse $\mathcal{P}^{-1}$ as pseudorandom permutations over ordered sets $V_{o}$ and $V_{w}$ given a key $k_{\pi}\in\mathbb{K}_{\pi}$:

where $V_{o}^{k_{\pi}}$, $V_{w}^{k_{\pi}}$ are uniform-randomly chosen permutations of $V_{o}$ and $V_{w}$ if $k_{\pi}$ is sampled randomly. For a function $L$ over $V_{o}$ mapped to a vector of length $|V_{o}|$, we have $L(\mathcal{P}(k_{\pi},V_{o}))=L(V_{o}^{k_{\pi}})$ and we overload notation by defining $\mathcal{P}(k_{\pi},L(\cdot))\triangleq L(\mathcal{P}(k_{\pi},\cdot))=L_{k_{\pi}}$. As in the Vec example, $\mathcal{P}$ applied to a function (vector) can be viewed as the same function but with its domain permuted.

We then define an average operator $\bar{\mathcal{P}}$ over a sequence of keys $K_{\pi}$ acting on a function $L$,

which outputs an average function of $L$ over $V_{w}$ (denoted as $\bar{L}$ ). $\bar{\mathcal{P}}(K_{\pi},L)$ will flatten towards a constant function over $V_{w}$ for a sufficiently large $K_{\pi}$. To achieve this for our framework, we set $K_{\pi}=\{k_{\pi}\mid k_{\pi}=h_{\pi}(\mu,\hat{w}_{j-n+1:j-1})\}_{j}$, for all LLM paraphrasing steps $j$ and where $h_{\pi}$ is a hash function, which generates pseudorandom $K_{\pi}$ sequences. Empirically, we clearly observe the flattened and clear watermarking signals (see Figure 7 in Appendix).

Orthogonal perturbation: Our proposed perturbation operator $\mathcal{F}$ involves two sub-operations acting on $V_{w}$. It first maps each key $k_{p}\in\mathbb{K}_{p}$ to a unique function in a pre-defined family of orthogonal functions, and then adds the chosen perturbation function to the logits $L_{j}$ of the LLM output in $V_{w}$ space:

where $\langle\cdot,\cdot\rangle$ denotes the canonical dot product over $V_{w}$. Examples of orthogonal function families include the Fourier or square wave basis, discretized over $\mathbb{V}$. The key $k_{p}=h_{p}(\mu,z)\in\mathbb{K}_{p}$ is a client defined function $h_{p}$ of ID $\mu$, and also any metadata $z$ (which could be extracted after verification as we demonstrate in Section 4.1) if required. $\kappa$ is a scalar that controls the perturbation magnitude.

Combining both components, our watermarking operator (Figure 3, and Algorithm 1 in Appendix) for generation step $j$ involves (a) using $k_{\pi}=h_{\pi}(\mu,\hat{w}_{i-n+1:i-1})$ and the permutation operator $\mathcal{P}(k_{\pi},L_{j})$ to transform logits from the $V_{o}$ to $V_{w}$ space, (b) applying the perturbation operator in Equation 5, and (c) transforming the perturbed logits back to $V_{o}$ space using $\mathcal{P}^{-1}(k_{\pi},.)$ to produce a probability distribution for sampling and generation of the watermarked text $T_{\text{w}}$:

Our verification operator will produce a score by computing the average cumulative token distribution of a text using $\bar{\mathcal{P}}(K_{\pi},.)$ and taking the inner product with $\mathcal{F}_{1}(k_{p})$. Applying the right keys $k_{p}$ and $k_{\pi}$ on the suspected text $T_{\text{sus}}$ will result in a high score $q$, else the score will be close to 0 (see Figure 3, and Algorithm 2 in Appendix). Using orthogonal functions helps us improve verifiability by avoiding interference from other watermarks (e.g., added by adversaries as an $\mathbb{A}_{3}$ attack).

Notice that the many possible vocab permutations ($|\mathbb{V}|!$) and perturbation functions in any orthogonal function family $|\mathcal{F}_{1}|$ allows for a much large set of IDs compared to schemes like Basic, helping with scalability. For example, up to $|\mathcal{F}_{1}|\cdot|\mathbb{V}|!$ IDs can be assigned to a unique permutation-perturbation function pair for watermarking. Using a relatively small $|\mathbb{V}|=32000$ and the Fourier basis over that would yield a maximum $|\mathbb{M}|\sim 10^{130274}$. Schemes like Basic only support $M$ that scales with the number of possible synonym replacements for a given text.

In addition, with orthogonal functions, our framework also allows for the embedding of metadata during watermarking. For example, a client can use $\mu$ to verify that $T_{\text{sus}}$ is watermarked, and also extract information on which article it was plagiarized from (Algorithm 3). We demonstrate this empirically in Section 4.1 using the Fourier basis as perturbation functions and Discrete Fourier Transform (DFT) for extraction.

Our watermarking framework, Waterfall, combines these insights into a structured watermarking/verification process. For watermarking (Figure 3 left), given $T_{\text{o}}$ and $\mu$, Waterfall uses an LLM paraphraser to autoregressively paraphrase a text $T_{\text{o}}$, producing initial logits for the new text $T_{\text{w}}$ [Step \raisebox{-1.05pt} {1}⃝]. The ID $\mu$ is used to seed the vocab permutation operator (Section 3.3) for mapping the logits to $V_{w}$ space, and chooses the perturbation function (Equation 5) [Step \raisebox{-1.05pt} {2}⃝], both of which will be used in the watermarking operation (Section 3.3) to produce the perturbed logits [Step \raisebox{-1.05pt} {3}⃝]. The LLM samples the perturbed logits to produce a watermarked token, and for the next token loop, the past $n-1$ tokens are used to seed vocab permutation while all past tokens are fed as context which helps the LLM paraphraser maintain $T_{\text{w}}$ fidelity despite watermarking [Step \raisebox{-1.05pt} {4}⃝].

For verification (Figure 3 right), each token in $T_{\text{sus}}$ is counted in $V_{w}$ space as specified by $\mu$ and the previous tokens in the same $n$-gram unit, producing an average cumulative token distribution [Step \raisebox{-1.05pt} {1}⃝]. The ID $\mu$ also specifies a specific perturbation function [Step \raisebox{-1.05pt} {2}⃝], which is used to perform an inner product with the cumulative distribution to compute a verification score $q$ [Step \raisebox{-1.05pt} {3}⃝].

Practical considerations. Waterfall is highly adaptable, i.e., it can be implemented with different LLM as paraphrasers, allowing our framework to achieve better watermarking performance and support more text types as the LLM landscape evolves. Methods like prompt engineering (Wei et al., 2022; Lin et al., 2023) and Reflexion (Shinn et al., 2023; Madaan et al., 2023) may also help to boost performance in some settings, as we demonstrate in our code watermarking experiments (Section G.2). We elaborate further on possible large-scale deployment methods of Waterfall and other practical considerations in Appendix L.

For watermarking of text articles, we demonstrate the effectiveness of Waterfall with experiments using text samples $T_{\text{o}}$ from the c4 realnewslike dataset (Raffel et al., 2020), comprising articles with mean token length of 412. The experiments mirror realistic scenarios, for e.g., news outlets watermarking their articles before publishing them to be able to effectively scan the internet for, and verify, plagiarized content (Brewster et al., 2023). For this setting, we evaluate the semantic similarity $\mathcal{S}$ using the Semantic Textual Similarity (STS) score based on the all-mpnet-base-v2 model³³3https://huggingface.co/sentence-transformers/all-mpnet-base-v2 ($\mathcal{S}$ for sample text pairs are provided in Section E.5).

For benchmarks, we consider two recent linguistics-based watermarking methods: M-bit by Yoo et al. (2023) and P-nlw by Qiang et al. (2023). These methods are advanced variants of Basic that use deep learning to improve watermarking performance (details in Section E.3). To implement Waterfall, we use llama-2-13b-hf ⁴⁴4https://huggingface.co/meta-llama/Llama-2-7b-chat-hf as the paraphraser, and the Fourier basis for the perturbation functions. Additional details such as paraphrasing prompts are in Appendix E.

Fidelity-verifiability. We consider the fidelity and verifiability of the schemes before adversarial attacks. Verifiability is computed as the AUROC based on varying their respective classification thresholds, i.e., the verification score threshold $\bar{q}$ for Waterfall, and bit-error rate threshold for M-bit and P-nlw.

Waterfall allows for adjustable watermarking strength to calibrate the fidelity-verifiability trade-off based on the clients’ use cases. Figure 4a shows the Pareto frontier of the trade-off. Stronger watermark strength $\kappa$ improves verifiability but also introduces larger distortions to the LLM paraphrasing process, decreasing the fidelity of watermarked text. For our experiments, we mainly used $\kappa=6$, achieving a mean AUROC of 0.992 and STS of 0.887. Even for shorter texts of just 100 tokens ($about$ 65 words), Waterfall achieves high verifiability with an AUROC of 0.98 (Figure 4b). Additional results are in Section E.4.

Note that M-bit and P-nlw were designed with only one setting, allowing for only a single fidelity-verifiability score, with mean STS scores of 0.998 and 0.942 respectively, and corresponding AUROC scores of 0.987 and 0.882. While the STS scores are high, it is expected given that the schemes only make minor edits to $T_{\text{o}}$ which would be more fragile to attacks, as we will see later. Additionally, the word replacements by M-bit and P-nlw introduced noticeable linguistic errors that are difficult to evaluate and not captured by the STS score (shown in Section E.5).

Robust verifiability. We consider the various classes of attacks $\mathbb{A}$ mentioned in Section 2. Details of the setup for each attack and additional results are in Appendix F.

$\mathbb{A}_{1}$ attacks are insertion, deletion, and synonym substitution attacks that are often considered in past works As shown in Figure 6, robust verifiability of Waterfall shows only a slight decrease even with strong attacks on $20\%$ of words, while that of M-bit and P-nlw fall drastically with increasing attack strength.

$\mathbb{A}_{2}$ involves translation and paraphrasing attacks, which are more realistic and effective attacks that can achieve higher fidelity and verification reduction than $\mathbb{A}_{1}$ and had not been considered by past text watermarking works. We perform translation attack to translate the watermarked text to Spanish and back to English, and paraphrasing attack to paraphrase the watermarked text. Again, the verifiability of Waterfall remains significantly higher than benchmarks post-attack.

$\mathbb{A}_{3}$ involves using the same scheme to try overwrite the existing watermark with another watermark. For Waterfall, the 1^st watermark remain verifiable even after the 2^nd is added, given the design of $\mathcal{P}$ and $\mathcal{F}$ with vocab permutation and orthogonal perturbation functions that minimizes interference of the 2^nd watermark on the 1^st. However, this attack destroys the verifiability of M-bit and P-nlw, as the 2^nd watermark process almost always chooses the same word positions as the original process, overwriting $\mu_{1}$. Furthermore, the benchmark schemes extracts $\mu_{1}$ as part of verification, enabling targeted overlap watermark attacks which we demonstrated in Section F.3.

$\mathbb{A}_{4}$ uses $T_{\text{w}}$ for in-context prompting of any LLM to perform tasks that rely on the IP or semantic content of $T_{\text{w}}$. For illustration, we considered the case where adversaries use an LLM to answer questions regarding watermarked articles. As this attack totally changed the structure of the texts, the watermarks of M-bit and P-nlw were removed. However, with Waterfall, watermarks were still verifiable due to the preservation of watermarked $n$-grams from the context to the response.

$\mathbb{A}_{5}$ which involves using text containing IP for unauthorized LLM training such as fine-tuning will be discussed in Section 4.3.

Scalability. As mentioned in Section 3.3, Waterfall has a large maximum scalability of $M=|\mathcal{F}_{1}|\cdot|\mathbb{V}|!\sim 10^{130274}$ based on our implementation using the Fourier perturbation function, and Llama-2 model as LLM paraphraser. In comparison, M-bit and P-nlw, have scalability dependent on the number of possible synonym replacements in any given text, which is limited by text length and varies for different text. On the c4 dataset with a mean article length of 355 words, M-bit and P-nlw can only embed a mean of 9.5 bits ($M\sim 10^{3}$) and 23.2 bits ($M\sim 10^{10}$) respectively.

In practice, scalability is further limited by how well the schemes can differentiate among similar watermarks. For e.g., the verification operation of M-bit and P-nlw may not be able to distinguish 2 IDs differing by 1 bit (see Section E.7.3 for details). To demonstrate this, we watermarked $T_{\text{w}}^{(i)}$ with $\mu_{i}$ and computed the verifiability of $T_{\text{w}}^{(i)}$ against 1000 randomly selected IDs $\mu_{j\neq i}$. We found that for Waterfall, all of the IDs achieved very high AUROC, while M-bit and P-nlw have many IDs with low AUROC: The 1^st percentile AUROC for Waterfall, M-bit, P-nlw are 0.976, 0.614, 0.766 respectively. Details and further results on scalability up to 100,000 IDs are in Section E.7.

Metadata extraction. We also demonstrate how Waterfall could be used to embed metadata while watermarking. We consider metadata $k_{p}\in\{1,2,...,31999\}$, and the task is to extract the embedded $k_{p}$ if the text has been verified as watermarked with $\mu$. We do so by using $k_{p}$ as the frequency of the Fourier perturbation function $\mathcal{F}_{1}$, and perform extraction with the DFT. Figure 4c shows the extraction accuracy of Waterfall for different perturbation magnitudes $\kappa$. By taking multiple samples of $T_{\text{w}}$, multiple articles could be combined together to improve extraction accuracy. For $\kappa=6$, accuracy increases from 48% to 99% with only 5 pieces of text. Details are in Section E.8.

Computational costs. We note that Waterfall also has lower computational cost compared to benchmarks (Table 2). Waterfall verification can be run in parallel on a CPU, requiring only 0.035s when ran on a single 16-core CPU, which is 75x and 4237x faster than M-bit and P-nlw respectively, both which require inference using deep learning models. This is important in the context of protection of IP, e.g., where data providers may have to scan through large amount of online data for any IP infringement. Further discussion on the deployment costs are in Appendix L.

To demonstrate the versatility of Waterfall, we also consider its out-of-the-box performance on code watermarking. We used the MBJSP dataset (Athiwaratkun et al., 2023) , and evaluate fidelity $\mathcal{S}(T_{\text{o}},T_{\text{w}})$ using the pass@10 metric (Kulal et al., 2019; Chen et al., 2021) achieved by $T_{\text{w}}$ on functional tests for the original code $T_{\text{o}}$. We compare Waterfall, implemented using Phind-CodeLlama-34B-v2⁵⁵5https://huggingface.co/Phind/Phind-CodeLlama-34B-v2 as the paraphraser, with SrcMarker (Yang et al., 2024), a recent state-of-the-art code watermarking scheme, configured for 16-bit watermarks. Experimental details are in Appendix G.

We found that surprisingly, Waterfall achieves higher verifiability and robust verifiability (after $\mathbb{A}_{2}$ LLM paraphrasing attacks) compared to SrcMarker while maintaining high code fidelity (Table 3). This is despite Waterfall not requiring any manual training/engineering of programming language-specific watermarking rules, which SrcMarker does. Instead, Waterfall inherits its code capabilities from its LLM paraphraser, making it easily adaptable to other languages (e.g., see Section G.5 for Python code results).

Finally, we explore how Waterfall watermarks may persist after LLM fine-tuning, allowing us to use them for LLM data provenance. We consider the setting where client $i$ watermarks a set of text $\{T_{\text{w}}^{(i)}\}$ that adversaries use, without authorization, to fine-tune their own LLMs (i.e., $\mathbb{A}_{5}$ attacks). Given multiple queries to the fine-tuned black-box LLM, the goal is for client $i$ to be able to verify that $\{T_{\text{w}}^{(i)}\}$ had been used for training. This setting mirrors realistic scenarios where content owners want to detect unauthorized use of data for LLM training (Novet, 2024).

For our experiments, we watermarked the ArXiv dataset (Clement et al., 2019) which consists of scientific paper abstracts categorized into topics. Each topic category is associated with a unique client ID $\mu$ with $4000$ text. These texts are then used to fine-tune gpt2-xl⁶⁶6https://huggingface.co/openai-community/gpt2-xl using the LoRA framework (Hu et al., 2022)⁷⁷7Note that this is a different model compared to that used for watermarking. We chose this to demonstrate that our watermark can persist despite the models’ different tokenizers. (details in Section H.1). We verified that using the watermarked dataset instead of the original dataset has minimal effect on the fidelity of the fine-tuned model (details in Section H.3).

Verifiability. To evaluate verifiability, we queried the fine-tuned model with the first 50 tokens of a randomly chosen abstract, and applied the verifiability operator on the next 100 generated new tokens to test for the associated watermark (details in Section H.2). Our results, presented in Figure 5, shows that Waterfall has high verifiability, reaching AUROC of 1.0 with just 100 queries to the fine-tuned LLM.

Scalability. To explore the scalability of Waterfall for data provenance, we combined the datasets of different number of clients, $M\in\{1,5,10,20,100\}$, each watermarked with their own unique ID $\mu$, and use the combined dataset for fine-tuning the adversarial model. As expected, Figure 5 shows that dealing with an aggregated dataset mixed with a larger $M$ number of different watermarks would result in a decrease in verifiability. However, our results indicate that this decrease leveled off from $M=20$ to $M=100$ and still allow for an AUROC (verifiability) of 1.0 with around 100 queries even for $M=100$, demonstrating the scalability of Waterfall to a sizable number of clients.