ZK如何启发米兰达·克里斯开创AI水印技术

此外，我认为这是一项庞大的工程任务，

And then also I think it was a big engineering task,

或者说确实存在水印，只是极其隐秘。

or there is a watermark, but it's really really secret.

确实如此。

That's true.

是啊。

Yeah.

所以我们甚至可能根本不知道他们是否在使用水印技术。

So we could just not even know if they're watermarking.

确实。

Quite.

不太厚道。

Not nice.

我喜欢ZK播客现在开始讨论阴谋论了。

I love that the ZK podcast now has conspiracy theories on it.

我很想听听更多关于不同类型水印的例子。

I'd love to hear about more examples of types of watermarks.

你之前提到的红绿例子，能否再分享一些你知道的、可能已经部署或正在实验中的水印技术？

What you said before with the red green example, could you share a few more that you do know of that maybe have been deployed or have been experimented with?

不仅是文本，还包括你提到的其他媒介。

So for text, but maybe also for some of the other mediums you mentioned.

当然。

Sure.

我对一种图像水印比较熟悉。

I know one image watermark pretty well.

这是我的合著者Sam Gunn与他在伯克利的同事Xuandong Zhao和Don Song共同研究的。

This is by my co author Sam Gunn and his colleagues at Berkeley, Xuandong Zhao and Don Song.

这种水印被称为生成式图像模型的不可检测水印。

So this watermark is called an undetectable watermark for generative image models.

但这是一篇非常新的论文。

But this is a very recent paper.

对吧？

Right?

大概几个月前，或者一个月前？

Like a couple months ago or month one month ago maybe.

对吧？

Right?

还是说这是更早的？

Or is this older?

至少半年前。

At least six months ago.

我记得几个月前在某个会议上发表过，实际可能还要再早半年。

Think it appeared at a conference a few months ago and came out maybe six months before that.

可能我就是在那看到的。

Maybe that's where I saw it.

是的。

Yeah.

我想是在今年的ICLR会议上。

I think it was at ICLR of this year.

那它是怎么运作的呢？

So how does it work?

这类图像模型首先会采样一个随机潜变量向量。

It works with these kinds of image models that first sample random latent vector.

这些图像模型通常有一个潜空间，代表图像的高级特征。

So these image models typically have a latent space which represents the higher order features of the images.

你可以把空间中的每个分量想象成代表图像的亮度、愉悦度或自然度等属性。

So you can think of each component in the space as representing something like how bright the image is or how happy it is or how like nature it is.

类似这样的抽象特征。

Something abstract like that.

这些模型会先采样这些随机特征，然后通过某种变换将这些特征转化为实际图像。

And so these models will first sample these random features and then have some transformation from these features to an actual image.

它们还有一个逆向过程，可以将图像转换回潜变量，这些潜变量通常接近生成它们时使用的原始潜变量。

And they also have a reverse process so you can take an image and transform it into latents which are typically close to the latents that were used to generate them.

但这个转换过程并不完美。

But this transformation isn't perfect.

这里存在一些误差。

There's some error here.

因此这个水印是通过在潜在空间中嵌入特定模式来实现的。

And so this watermark works by embedding a pattern in the latents.

通常它们像是围绕零值分布的高斯随机变量。

So usually they're like random gaussians centered at zero.

使用水印时，你会先选择一个特殊的秘密向量，比如由正负一组成的向量。

With the watermark, you'll first choose special secret vector of say plus or minus one.

关于这个向量如何选择，我稍后可能会详细说明。

And maybe I'll talk more about how this is chosen later.

然后他们会选择与这个向量符号相对应的潜在变量。

But then they'll choose the latents to have signs corresponding to this vector.

比如说，如果这个向量的第一个分量是1，那么第一个分量就会是正数，以此类推。

So you know, if the first component of this vector is one, then the first component will be positive and so on.

因此现在，如果你知道这个秘密向量，那么当你获取一张图像时，可以将其转换回潜在空间，并将符号与秘密向量进行比对。

And so now, if you know the secret vector, then if you get an image, you can transform it back to its latents and compare the signs to the secret vector.

什么是潜在空间？

What's a latent?

其实我不太了解这个术语。

I actually don't know that term.

这是图像处理术语还是向量术语？

Is that an image term or is that a vector term?

不是。

No.

这是机器学习术语，指那些不可见的变量，它们类似于生成参数，可能无法直接解释，但能生成最终信息的过程。

That's like a machine learning term for like variables you don't see that are sort of generate like like parameters that might not be interpretable, but they like generate the process that's able to put the final information.

能举个类似的例子吗？

What would an example of something like that be?

就是你之前描述的那种明亮、欢快的感觉吗？

Is that what you were describing with like the sort of bright, happy, like that?

还是别的什么？

Or is it something else?

我也不太清楚。

I don't really know.

我听人们经常用这个词。

I hear people throw this term around.

我觉得Tarun说的有道理。

I guess what Tarun said makes sense.

就像潜在空间，作为用户你本来就不该看到它。

Like with the latent space, it's something that as a user you're not meant to ever see.

它只是生成图像过程中的一个中间步骤。

It's just like an intermediate step in generating the image.

这么说吧，我第一次接触这个术语是在隐马尔可夫模型中，当时我从这个概率分布中采样一个状态，但有一小部分变量会改变我的采样过程。

So so I mean like I think the first time I ever ran into this term was, like, in hidden Markov models where, like, I have a Markov chain that I'm, you know, I'm sampling a state from this, like, probability distribution, but the thing there's, like, some small set of variables that changes the my sampling process.

所以我进行采样过程时，比如生成下一个单词，就像'敏捷的狐狸跳过小屋'这样。

So I have my sampling process, you know, I'm generating the next text word, so it's like the quick fox jumped over the shed.

你可以想象存在其他变量会改变下一个词的概率分布。

And you could imagine that there's some other variables that change what the distribution of the next word is.

对吧？

Right?

所以最古老的文本模型——我是说90年代的，当然还有更早的——但那些在90年代流行起来的模型，比如二月份研究的这类东西，最终形成了可以说是最后一个前神经网络语言模型，也就是主题模型。我提到这个是因为它实际上和你刚才描述的东西非常相似。

And and so the oldest text models, like, from the nineties I mean, there's older than that, but, like, the ones that were popular in the nineties and February did this type of stuff and culminated in kind of, I would call it, like, the last pre neural net language model, which was topic models, and and that topic models are actually and the reason I'm bringing this up is it's actually very similar to the thing you just described.

主题模型的主要算法就是所谓的潜在狄利克雷分配。

So topic models are the the main algorithms is this thing called latent Dirichlet allocation.

LDA的作用是尝试学习词元上的分布，即对应不同词簇的单词分布。

And LDA, what it does is it tries to learn distributions over tokens, so distributions over words that that correspond to clusters.

比如可能你词汇中的一个簇是音乐相关的。

So maybe, like, one cluster in your words is like music.

像萨克斯、长号这类词被选中的概率永远不会低于10%。

So all of the words like saxophone, trombone, whatever, have probabilities of being chosen that never go below 10%.

而其他所有词的概率则在10的负9次方百分比左右。

But then everything else is, like, 10 to the minus 9%.

然后这个就被称为音乐主题。

And then that that's that'll be called the music topic.

而视频主题可能包含摄像机、相机、灯光等高概率词汇。

And then the video topic might be, like, camcorder, camera, light, and those are all high high probability words and all.

所以早期就有这类预测下一个词分布概率的模型，而潜在部分则负责如何对这些不同分布进行聚类。

So there were already these kinds of, like, models where people are, like, predict next distribution over next word, and the latent part was choosing how you cluster the the different distributions.

明白。

Understand.

我认为神经网络领域的理念是，神经网络能学习到类似这样的潜在表征。

And I think the idea in neural net land is that the neural net learns some representation like that, that is this latent represent.

你无法确切知道它是什么，但从均方误差或性能表现来看确实有效。

You don't know exactly what it is, but it seems to work in terms of, like, mean squared error or, like, how well it's performing.

但'潜在'这个词用于指代未知背景变量的用法，在机器学习领域已有三十年历史。

But the the usage of the word latent for, like, background variable that you don't know is kind of like in machine learning has existed for thirty years.

不过，我觉得这是同一个概念。

But, yeah, I think it's the same thing.

这就像一组特定类型像素的特征，它们代表着某种有用的信息。

It's like some set of features of certain types of pixels that represent like something useful.

就像是可能类似于

Like like maybe like

回到你之前说的，米兰达，这就像是图像的前身。

back going back to what you said, Miranda, then it's like something sort of their predecessor to what the image is.

你正在回溯到前一步骤，正是在那里检测是否存在任何水印。

You're going backwards to like the step before, and it's that where you're kind of testing it for any sort of watermark.

没错。

Exactly.

好的。

Okay.

是的。

Yeah.

那些潜在变量。

The latents.

是的。

Yeah.

那么为了完整描述这个方案，我说过你们使用这个符号向量来嵌入水印，并且需要用它来检测。

And so maybe to complete the description of the scheme, I said you use this vector of signs to embed the watermark and you need this to detect.

现在如果你真的这么做并使用固定的符号向量，比如第一个分量决定图像亮度而你总是选择其为正值，你就会严重扭曲生成图像的分布，因为它们永远会是明亮的。

And now if you actually do exactly that and have a fixed vector of signs, then you know, if the first component determined the brightness of the image and you're always choosing that to be positive, you're significantly skewing the distribution of images that you generate because they'll always be bright.

所以这实际上影响了输出结果。

So it's affecting the output actually.

没错。

Yeah.

因此我认为这种做法并不理想。

So this I think is not great.

有些图像水印确实会选择固定向量，用相同的符号向量来修改所有图像。

And there are some image watermarks that really choose like a fixed vector and, you know, use the same vector of signs to alter all of the images.

但这篇关于不可检测图像水印论文的核心洞见在于：他们能选择大量看似独立随机的不同向量，从而为每张图像有效选择全新的随机符号向量。

But the insight in this undetectable image watermark paper is they have a way to choose lots of different vectors that look independently random, so they can effectively choose a brand new random vector of signs for each image.

然而，如果你有一个主密钥，仍然可以检测出水印。

Yet, if you have like a master secret key, you can still detect the watermark.

因此你仍能辨别出这个看似随机的向量来自特定的水印向量家族。

So you can still tell that this random looking vector comes from the special family of watermarked vectors.

要实现这一点，你需要一个称为伪随机码的对象，这来自我和Sam Gunn的论文。

And to do this, you need an object called a pseudo random code, which was from my paper with Sam Gunn.

所以是的，我承认我对这个方案有偏爱，因为它就像是...

So yeah, I guess I'm biased in liking the scheme because it's like

我们...我们即将讨论PRC，因为在我看来，这里与ZK（零知识）最相似的联系在于简洁证明

We we are we are going to get to to PRCs because I think to me, that's where the connect the, like, if the thing that looks most like ZK stuff exists is like succinct proofs

嗯。

Yeah.

最接近ZK概念的就是这个PRC（伪随机码）。

The thing that looks closest to that is this PRC.

有意思。

Interesting.

在你创建或讨论的工作中，是否存在公开验证者？

In the work that you created or you talked about, like, are there public verifiers?

有验证者吗？

Is there a verifier?

它存在吗？

Does it exist?

它是如何处理这个问题的？

How does it deal with it?

它是否在运行那种逆向转换来获取底层内容？

Is it, like, running that, like, anti transformation in order to get to that underlying stuff?

还是能够直接穿透并识别出潜在内容是什么？

Or is it able to kinda cut through and just like figure out what the latents were?

是的。

Yeah.

好问题。

Good question.

对于嵌入在潜在空间中的这些图像水印，检测器确实需要运行逆向过程。

So for these image watermarks that are embedded in the latents, the detector does have to run the reverse procedure.

好的。

Okay.

这会产生一定的计算成本。

Which it has some computational cost.

不过没有生成图像那么耗费资源。

It's not as bad as generating an image.

好的。

Okay.

你还需要了解生成图像所使用的模型信息。

And you also need to know something about like what model was used to generate the image.

哦，因为逆向过程是与模型绑定的。

Oh, Because For the reverse procedure is tied to the model.

好的。

Okay.

所以这是这些图像水印的一个缺点。

So that is one downside of these image watermarks.

我想，我们讨论了很多关于水印的设置，我认为，我们刚才讨论的例子中一个关键点是，我们想要一些特性，也有一些特性是我们不希望水印具备的。

I guess, you know, we've talked a lot about the kind of setup for watermarks, and I think, you know, one key thing to the examples that we just talked about is there's clearly some some features we want and some features we don't want out of a watermark.

所以这些基本属性，就像CK中的正确性或共识中的活跃性。

And so there are these kind of, like, fundamental properties, almost like soundness in in CK or liveness in consensus.

水印必须具备一组特性，才能被证明，比如嵌入水印或被验证者验证。

There's there's a set of properties that a watermark must have, and in order to be sort of, like, proven, like embedding the watermark or verified by whoever is verifying.

那么我们能否讨论一下人们研究且重要的那些属性集合？

So maybe could we talk through the sets of properties that people study and and are important?

你知道，显然目前所有例子中最常提到的一个概念就是某种偏差，比如，

You know, obviously, the most the one that's come up in all the examples so far is some notion of bias of, like, hey.

通过添加水印，我引入了偏差。

By adding in the watermark, I'm biasing.

我正在改变生成的内容，并且希望以某种方式限制这种改变。

I'm changing the thing generated, and I wanna limit that somehow.

但如果我们将此与可靠性、完备性等概念类比，水印应具备哪些特性呢？

But, you know, if if we make this comparison to, you know, sort of soundness, completeness, things like that, what are kind of the properties you want in the watermark?

我刚意识到这些特性与零知识证明或简洁证明系统之间存在非常明确的联系，之前竟没注意到这点，这很有意思。

I just realized a very explicit connection between these properties and ZK or succinct proof systems, I So didn't realize this is good.

从高层次来看，水印需要具备的特性首先是能在被标记内容中检测到它的存在。

At a high level, the properties you want from a watermark are one that you can detect it in watermarked content.

嗯。

Mhmm.

只要掌握检测所需的密钥或其他信息，水印就应该能被实际识别出来。

If you know the secret key or whatever information you need to detect, it should actually show up.

第二个特性是要求低误报率。

The second property is you want a low false positive rate.

人类生成的内容不应被错误地标记为含有水印。

So human generated content shouldn't be falsely flagged as watermarked.

第三则是需要某种质量保证机制。

And then third, you want some kind of quality guarantees.

所以你不想因为嵌入这个水印而损害内容的质量。

So you don't want to be harming the quality of the content by embedding this watermark.

通过创建 是的。

By creating Yeah.

是的。

Yeah.

这回到你之前说的，你不想让它影响结果。

This is going back to what you were saying with where it's like, you don't want it to impact the outcome.

你不想让它比如让某些东西变亮，仅仅因为你想在里面加入这个水印就总是变亮。

You don't want it to like make something brighter and always bright just because you wanna have this this watermark in it.

没错。

Exactly.

是的。

Yeah.

所以质量非常重要，特别是如果公司要在像ChatGPT这样的产品上部署水印。

So quality is super important, especially if companies are going to be deploying watermarks on top of like ChatGPT for example.

他们确实不希望影响模型输出的文本质量。

They really don't want to be harming the quality of the text that it outputs.

是的。

Yeah.

我还要补充第四个同样重要的特性，但我认为这是水印的额外优势——鲁棒性。

And I would add a fourth property that's also important, but I consider it to be a bonus property of watermarks, which is robustness.

也就是说，即使有人试图去除水印，你仍希望它能保留下来。

So you want the watermark to remain even if an adversary is trying to remove it.

这些就是我们期望的高阶特性。

So these are the high level properties that we want.

但在我与Sam Gunn或Zamir合作的论文《语言模型的不可检测水印》中，

But in papers like in my work with Sam Gunn and or Zamir, it's called an undetectable watermark for language models.

我们形式化了这些期望特性的概念，这些定义受到了密码学的启发。

We formalized notions of these properties that we want, and these definitions were inspired by cryptography.

很酷。

So Cool.

我们想要的第一个特性是水印可检测性，我们将其定义为完备性——如果你熟悉简洁证明，这也是

The first property we wanted that the watermark is detectable, we define this as completeness, which if you're familiar with succinct proofs, this is also

哦，

Oh,

是的。

a yes.

这些特性之一。

Property of those.

是的

Yeah.

这个属性的含义是：如果你生成的文本具有足够的熵值，即有足够的自由度来嵌入水印，那么水印实际上应该以压倒性的概率出现。

So this is the property that if the text you're generating has enough entropy, meaning like there's enough freedom to embed the watermark, then it should actually appear with overwhelming probability.

这，你知道的，与证明文献中的概念相呼应。

And this is, you know, draws parallels to the proof literature.

但我要说这是一个更普遍的密码学特性。

But I would say is a more general cryptographic property.

比如，加密也同样具备这类特性。

Like, you have this kind of property for encryption as well.

而且，我之前提到过水印有点像加密，所以这些不同的密码学对象之间有许多相似之处。

And, you know, I said earlier that watermarks are a bit like encryption, so there are lots of parallels between these different cryptographic objects.

不错。

Nice.

而误报率则被形式化为可靠性，这也是这些证明的一个属性。

And the false positive rate, formalized as soundness, which is a property of these proofs as well.

但它指出，与秘密水印密钥无关生成的内容被标记为含水印的概率应当可以忽略不计。

But it says that content generated independently of the secret watermarking key should be flagged as watermarked with only negligible probability.

最后，我认为我们这篇论文的主要贡献在于形式化了质量保证，这非常困难，因为连文本质量的定义都难以确定。

And finally, we had like I would say our main contribution of this paper was formalizing a quality guarantee, which is very difficult because it's hard to even define what quality of text is.

但我们解决这个问题的方法是提出：当水印无法被检测时——在我看来这相当于能达到的最高质量。

But the way we manage to get around this is we say that a watermark is undetectable or in my mind like the highest quality you can possibly get.

如果无法区分带水印模型与原始模型，就达到了这种状态。

If it's infeasible to distinguish between the watermarked model and the original model.

这表明任何计算能力有限的算法都无法区分原始模型与水印模型。

So this says that no computationally bounded algorithm can tell the difference between the original model and the watermarked model.

只要它不知道其中的窍门。

As long as it doesn't know what the like trick is.

对吧？

Right?

因为如果它拥有验证组件，就能看出区别。

Because if it had the if ver it had the verifier component, then it would see the difference.

但在不知道的情况下，它不应该察觉到差异。

But without knowing that, it shouldn't see a difference.

没错。

Exactly.

是的。

Yeah.

这一点非常重要。

That's super important.

你需要密钥来区分检测器的能力——检测器理应能识别水印——和区分器的能力

You need the secret key to sort of separate the power of the detector, which, you know, should be able to see the watermark, and the distinguisher, which

应该能实现RPT，即PPT算法

should RPT, be able to PPT algorithm.

对

Yeah.

是的

Yeah.

没错

Yeah.

这可以是任何概率多项式时间算法

This can be any probabilistic polynomial time algorithm.

实际上有趣的是，不可检测性定义确实很像不可区分性混淆的定义，就像我无法检测出差异那样

So actually, the funny thing, the other thing about the undetectability definition, so it really resembles, like, the indistinguishability obfuscation definitions for, like, I can't detect the difference.

但至少在我看来，那篇论文中的形式化定义与Sahai类IO论文中的定义有所不同

But one kind of at least, like, when I think about the, you know, the formal definition in that paper versus, like, a bunch of kind of, like, the Sahai type IO papers.

从文本上看，这些定义实际上看起来甚至有些相似，是的。

Like, the definitions actually look even, like, qualitatively, if I look at the text, they're, like, kind of similar Yeah.

这对我来说，就像是让我觉得这里有些比大多数LLM内容更正式的东西的原因之一。

Which I I thought to me was, like, kind of one of the reasons I was like, oh, there's something, like, more formal here than, like, most LLM stuff.

但我有个问题，在我看来值得深入探讨，就是你需要某种统计约束才能使水印正常工作，需要一定的最小熵。

But I had one question that's kind of worth diving into in my opinion, which is there's a a kind of statistical constraint you need in order to get your watermark to work and that you need a certain minimum entropy.

要不你来给我们详细解释一下？

And maybe why don't you walk us through that?

因为这实际上是为了获得这些类似密码学的保证，你仍然需要一些统计特性，是的，详细讨论这个会很好。

Because because actually that's sort of something where it's in order to get these cryptographic like guarantees, you still need some statistical property and like, yeah, it'd be great to kind of like talk through that.

是的。

Yeah.

正如我提到的，我们的完整性保证是，如果响应有足够的熵，那么水印就会出现。

So as I mentioned, our completeness guarantee is that if the response has enough entropy, then the watermark appears.

之所以需要这个熵要求，是因为你无法期望给确定性响应加水印。

And the reason why you need this entropy requirement is that you can't hope to watermark deterministic responses.

举个例子，如果我提示大语言模型输出比如圆周率的前100位数字，如果这个模型足够优秀，这里就不该有任何随机性。

So for example, if I prompt the LLM to output like, I don't know, the first 100 digits of PIE, there should be no randomness here if the LLM is any good.

对吧？

Right?

大语言模型对输出内容根本没有选择权。

Like the LLM has no choice in what it's outputting.

所以它不应该能在这里嵌入水印。

And so it shouldn't be able to embed the watermark here.

是的。

Yeah.

实际上，可靠性已经意味着你不能给这段文字加水印，否则就会产生误报。

In fact, like soundness already implies that you can't watermark this text because then like this would be a false positive.

所以在完备性和可靠性之间存在某种张力——如果你让大语言模型输出人类生成的文本，那就不该被加上水印。

So there's some like tension between completeness and soundness, which is that, you know, if you ask the LLM to output a human generated text, then this should not be watermarked.

没错。

Yeah.

因此我们的解决方案是，要求水印仅在响应具有足够随机性时出现，这样你才能真正对此有所控制。

So the way that we get around this is you ask that the watermark only appears when there's enough randomness in the response that you actually have some control over this.

有意思。

Interesting.

所以你可以用熵保证的形式来规范化这一点。

And so you can like formalize this in terms of an entropy guarantee.

在我提到的这篇关于SAM和OR的不可检测水印论文中，我们也证明了只有在具备一定熵值的情况下才能实现水印。

And in this paper I mentioned undetectable watermarks with SAM and OR, we also prove that you can only hope to watermark if you have a certain amount of entropy.

所以我们在这方面也有一个下限。

So we have like a lower bound there as well.

很酷。

Cool.

如果你查看大语言模型水印相关文献，通常当他们证明可检测性时，都会设定某种熵边界。

And so if you look at like the LLM watermarking literature, usually when they prove detectability, they'll have some kind of entropy bound.

你只能在足够随机的文本中检测到水印。

You can only detect the watermark in random enough text.

或者也需要一定数量的文本？

Or like a certain amount of text too?

就像，是不是某种程度上...或者说可以是短的、长的，只要不是人类写的就行？

Like is it sort of or I guess it could be short, long, as long as it's not human.

对。

Yeah.

不同的方案有着略微不同的保证机制。

People have different like different schemes have slightly different guarantees.

对于某些方案，你需要足够长的文本和整个长度内足够高的熵率。

For some schemes, you need a long enough text and a high enough rate of entropy throughout the whole length.

我认为有些方案只需要足够的熵值。

I think for some schemes, need enough entropy.

文本长度并不重要。

It doesn't matter how long the text is.

可以是很短的文本但包含高度集中的熵值，那样也是可行的。

It could be like a very short text with highly concentrated, like a large amount of entropy in that short text and that would be okay.

在图像的情况下，也有最小限制吗？

In the image case, is there also minimums?

比如在这种情况下是否有最小尺寸限制？

Like are there size minimums in that case?

因为你也可以生成像1像素的白色方块这样的东西。

Because you could also generate like a one pixel white box.

我觉得那里面藏不了多少信息。

Can't hide much in that, I feel.

我同意。

I I agree.

我不熟悉他们证明的保证条件

I'm not familiar with the guarantees they prove

好的。

Okay.

对于图像水印来说。

For image watermarks.

我认为总体来说在那里证明事情更难，因为你依赖这个模型从图像返回到潜在空间。

I think in general it's harder to prove things there because you're relying on this model to go from the image back to the latents.

所以很难在那里证明保证。

So it's hard to prove guarantees there.

但直观上，至少潜在空间的大小与你能够嵌入的效果之间应该存在某种关系。

But intuitively, there should be some relationship between at least like the size of the latent space and how well you're able to embed.

所以，现在我想我们已经讨论了水印具有的特性，这些特性某种程度上类似于密码学特性，当然在我的期望中带有更多约束。

So, you know, now I think we've we've kind of talked about the properties that the watermark has, which kind of resemble cryptographic properties on my desire, obviously, with more constraints.

比如，我可以为任何NP程序生成零知识证明。

Like, you know, I can generate a ZK proof for any NP program.

但在这里，情况更像是'不行'。

But, like, here, it's like, no.

实际上我只能为某些具有足够熵的内容生成水印，对吧，这有点不同...是的。

I actually can only generate the watermark for some if they have enough entropy, right, which is like a slight different yeah.

也许这种差异实际上并不小。

Not it's maybe it's not actually slight.

这是个不小的差异。

It's a nontrivial difference.

但有个重要观点，我是在读了你的论文——那篇关于不可检测ORM的论文后才真正理解的，那就是这些构建的水印在某种意义上不会损害模型。

But an important thing that I think I only understood once I read your paper, the the undetectable ORM paper, is there's a sense in which the watermarks that are constructed are sort of they don't damage the model.

它们所做的只是改变模型的采样特性。

All they're doing is changing sampling properties of the model.

有点像区块链通过随机性选择验证者。

A little bit like a blockchain samples randomness to choose a validator.

你

You

知道，这个类比跨度确实有点大。

know, that's a very that's a long jump to to to that.

但有趣的是，这些模型的运作方式——我把大语言模型抽象为只做两件事：

But the interesting thing is the way that these models work is is I abstract the LLM to just doing two things.

预测下一个token的概率分布，然后采样一个token。

Predict and distribution over NEXT tokens, sample a token.

我们并没有改变预测下一个标记的功能，这意味着我没有调整模型的权重。

And we don't change the predict the NEXT token thing, which means I don't mutate I don't adjust the weights of the model.

我没有改变任何东西。

I don't change I don't change anything.

我只是改变了用于采样下一个标记的种子，这有点像区块链的工作原理。

I'm just changing the seed that I'm using to sample the next token, which that is the thing that's like a blockchain.

这有点像验证随机函数（VRF）的概念。

That's the thing that's like a VRF a little bit.

所以或许值得详细讨论这一点，因为我认为这正是水印技术显得比ZKML或其他隐私机器学习更强大的原因——后者需要将整个模型置于私有状态。

And so maybe it would be great to kind of talk through this because I think this is the reason Watermark seems so much more powerful than, like, things like ZKML or other private machine learning where it's like, I have to put the entire model into Ah, yeah.

如果采用差分隐私方案，我就必须改变模型本身。

Private state, or I have to mutate the model if I was doing differential privacy.

但在这里，你只改变了采样过程，这在计算上是相对低成本的。

But here, you're only changing the sampling, and it's so computationally kind of a very relatively low effort thing.

是的，通过讨论这个采样变异如何产生所需的特性，能帮助我们更好地理解。

And, yeah, like talking through that and understanding like how this kind of sample mutation leads to these properties that you want.

哦，是的。

Oh, yeah.

这是个非常好的观点，水印技术极其轻量级，完全不需要触及模型的权重。

That's a really good point that watermarking is super lightweight and that you don't need to touch the weights of the model at all.

我喜欢把这些水印方案看作只是对LLM采样算法的修改。

I like to think of these watermarking schemes as just modifying the sampling algorithm of the LLM.

我的意思是，就像Tarun说的，这些LLM有两个组成部分。

And what I mean by that is, like Tarun said, these LLMs have two components.

一个是神经网络，它以当前生成的响应作为输入。

One is like a neural network that takes as input the response output so far.

嗯。

Mhmm.

并生成下一个token的概率分布。

And generates a probability distribution over the next token.

所以这确实是计算量最大的部分——运行这个神经网络来获取概率分布。

So this is really the computationally expensive part running this neural network to get this probability distribution.

而现在是一个非常廉价的步骤，你只需根据这个分布采样下一个词元。

And now there's a very cheap step where you just sample the next token according to this distribution.

水印技术修改的正是这个采样步骤。

And it's the sampling step that the watermarks modify.

所以我之前描述的红绿方案，就是通过提高绿色词元的概率并降低红色词元的概率来修改采样步骤。

So the red green scheme that I described earlier modifies the sampling step just by increasing the probabilities of the green tokens and decreasing the probabilities of the red ones.

因此它完全不会触及模型的权重。

So it's not touching the weights of the models at all.

它只是改变了采样算法。

It's just changing the sampling algorithm.

有意思。

Interesting.

所以红绿方案可以说是你能想到的最简单的方案。

And so the red green scheme is kind of the simplest scheme you can think of.

但即便是更复杂的方案，也只是改变采样过程。

But even the more complicated schemes only change the sampling process.

直到你这么说我才意识到，我们之前讨论过的CKML模型要求底层模型必须被修改。

I didn't realize until you said this that the CKML models that we've talked to though require that the model be changed underneath.

嗯，不是

Well, not

我也曾以为那些就像是

that I also thought of those as like

不是那样，但你必须在这个框架内评估整个事情。

It's not that it but you have to evaluate the whole thing in contained in this.

对吧？

Right?

这种方法的侵入性非常小。

This thing is very minimally invasive.

我基本上是在原样运行模型。

I'm, like, running the model as is.

我只是在改变采样方式。

I'm only changing the sampling.

嗯。

Mhmm.

我不需要把你放进我的安全区。

I don't have to, like, put you in my enclave.

我不需要用ZK编译器重新编译你的代码。

I don't have to recompile your code with the ZK compiler.

对吧？

Right?

实际上我完全没有动它。

Like, I'm not touching it at all effectively.

好的。

Okay.

除了采样部分。

Except for sampling.

有意思。

Interesting.

这也意味着仅通过API访问就能实现水印功能。

This also means that you can watermark with only API access.

哦。

Oh.

因此，只要你能获取这些概率分布，就可以自行进行采样或修改采样方式，从而为来自ChatGPT等API的文本添加水印。

So as long as you have access to these probability distributions, you can do sampling yourself or change sampling yourself to watermark text that's coming from say an API to ChatGPT.

实际上我就这么操作过，为我们的方案获取了一些带水印的示例文本。

So I actually did this to get some like sample watermark text for our scheme.

我只拥有ChatGPT的API访问权限。

I only had API access to ChatGPT.

对吧？

Right?

就像我自己无法运行整个神经网络一样。

Like I couldn't run the whole neural network myself.

但仅凭这个API访问权限，就足以改变采样器和ChatGPT生成文本的水印。

But even just with this API access, it was enough to change the sampler and watermark ChatGPT generated text.

有意思。

Interesting.

这让我想进一步了解一下底层模型。

This leads me to like ask a little bit about the underlying models.

是否存在某些模型组可以使用非常相似的水印方案？

And if like, are you are there sort of groups of models where you'd have a very similar watermarking scheme for it?

并且你实际上可以像刚才那样，将其应用到所有模型上。

And you can actually do what you just did, which is like kind of apply it to all of them.

还是必须为每个模型单独定制水印系统？

Or do you have to create bespoke watermarking systems for every single one?

或许存在某些模型组可以批量处理。

And let's like and maybe there's groups and you can do a few.

我很好奇这方面具体是如何划分的。

I'm just kind of curious how that breaks down.

是的。

Yeah.

这类仅改变采样器的大语言模型水印技术的一个优点在于，你可以跨任意数量的模型使用相同的水印密钥。

So one nice thing about these LLM watermarks that just change a sampler is that you can use the same secret watermarking key across any number of models.

哦。

Oh.

对。

Right.

以红绿方案为例，你可以将相同的红绿分区规则应用于任意数量的模型。

So with the red green scheme for example, you can use the same red green partition for as many models as you want.

由于你只是提高了绿色词汇的出现概率，因此可以统一应用该方案，并以相同方式检测——只需统计绿色词汇的数量即可。

And since you're just increasing the probability of the green words, you can do this for all of them and detect in the same way, just count the number of green words.

这正是基于采样器方案的精妙之处：无论模型数量多少都可使用相同密钥，这对于频繁更新模型或部署多模型的实际场景非常实用。

So this is a very nice property of the sampler based schemes where you can use the same secret key for any number of models, which should be nice in practice if they're like updating these models often or have many different models deployed.

不过我猜这显然取决于媒介类型。

I guess though there's a distinct like it depends on the medium.

回到文本与图像的对比，显然无法在这两类媒介间使用相同技术。

So going going back to like text versus images, obviously, you're not really able to use the same technique across those.

但所有图像生成模型是否都能用你之前提到的不可检测水印工作中描述的方式进行测试呢？

But would like all image generation models be able to be tested the same way that that was described in the undetectable watermark work that you described earlier?

关于文本水印和图像水印的区别，这是个很好的观点。

So that's a good point about the difference between these text and image watermarks.

对于图像水印，即使你在不同模型中以相同方式改变潜在空间，由于还需要通过反演过程从图像回到潜在空间，这个过程可能因模型而异。

For the image watermarks, even if you're changing the latents in the same way across different models, since you also have this inversion process where you go from the image to the latents, that might be different from model to model.

基本上无法使用同一个检测器适用于所有模型。

There's sort of nothing you can do to use the same detector for all of them.

你必须使用与生成图像的模型相对应的正确反演器。

Like you'll have to use the correct inverter for the model that generated the image.

因此，即便你使用相同的潜在空间偏置方法，也必须使用特定于模型的反演器。

And so even if you're using the same way of biasing the latents, you're going to have to use the model specific inverter.

或许有方法可以设计适用于所有模型的全局反演器。

Now there might be ways to like design global inverters that work for all of them.

我对这个领域不太熟悉，但相比文本水印，实现跨模型的图像水印似乎要困难得多。

I'm not so familiar with this area, but it seems much harder to have like a an across model image watermark compared to a text watermark.

是的。

Yeah.

我是说，我想我之所以最终了解这方面的文献，部分原因是我在观察密码学领域的人们如何尝试解决问题，从计算角度看，那些方法似乎都很疯狂。

I mean, I think one of the reasons I was I kinda ended up learning about this literature was I basically was looking at how people in cryptography land were trying to do things, and, like, all of them just seemed crazy from a computational standpoint.

然后我看到了水印技术。

And then I saw the watermark stuff.

我当时就想，这几乎不需要计算量，却能获得人们期望中90%的收益，就像Nice那样。

I'm like, this is like no computation, and you're getting, like, 90% of the benefits that people wanted from, like Nice.

比如对整个模型进行ZK验证之类的。

ZK ing the whole model or whatever.

我再次提到ZKI时，指的不是零知识证明。

And so when I use ZKI again, I don't mean zero naught.

我的意思是，关键在于简洁性。

I mean, it's succinctness there.

我们知道。

We know.

我们知道。

We know.

但我觉得需要阅读大量论文才能理解的一个有趣点是关于威胁模型的概念，以及我们如何看待对手攻击、伪造水印或试图让某些本无水印的内容被检测为阳性。

But an interesting thing that I think I needed to read a bunch of these papers to understand was sort of the threat model and, like, how we think about adversaries attacking and, like, forging watermarks or trying to to make something that doesn't watermark detect as positive.

哦。

Oh.

我认为讨论一下鲁棒性特性会很有意义，比如你们是如何构建攻击威胁模型的。

And I think it would be great to talk a little bit about the robustness properties and, like, how you formulate the threat model for attacks.

或许现在我们可以聊聊表情符号攻击。

And, like, maybe now is we can talk about the emoji attack.

为了描述威胁模型，讨论一些具体算法可能不错，比如你们与Zamir和Gunn合作的论文中提到的基于哈希的水印技术。

And and maybe in order to describe the threat model, it would be good to talk about concrete algorithms such as hash based watermarks like your paper with Zamir and Gunn.

是的。

Yeah.

那么，好吧。

So, okay.

我经常提到这个红绿方案。

I mentioned this red green scheme a lot.

这样做的一个问题是，如果某个话题被列入绿名单，它可能会被过度讨论。

And one problem with this is that if a certain topic is on the green list, it'll be talked about a lot more than it should be maybe.

因此理想情况下，你不希望所有回答都使用相同的红绿名单，因为这会在系统层面改变模型讨论的话题。

And so ideally, you don't want to use the same red green list for all responses because this will systematically change what topics the model is talking about.

所以在Scott的方案、Kirchenbauer等人的方案以及我和Sam、Orr的方案中，都采用了使用哈希函数（或我们用的是伪随机函数）来生成随机性，从而为每个回答获取新的红绿名单的想法。

And so one idea used in both Scott's scheme and the Kirchenbauer et al scheme, as well as mine with Sam and Orr, is to use a hash function, or in our case like a pseudo random function to derive randomness to effectively get a new red green list per response.

具体做法是：取模型生成的最后几个词，对它们进行某种哈希计算，以确定模型输出的下一个词或标记应该使用哪些红名单和绿名单。

So the idea is to take the last few words generated by the model and evaluate some kind of hash on these to determine what should be in the red list and the green list for the next word or token that the model outputs.

这可能在原理上类似于Fiat-Shamir（如果你熟悉密码系统的话），即对当前对话记录进行哈希计算，为协议后续步骤提供随机性。

So maybe this is similar in spirit to like Fiat Shamir, if you're familiar with cryptographic systems, where, you know, you're taking a hash function on the transcript so far to drive randomness for what you're doing next in the protocol.

基本上就是在创建这个水印的过程中。

In the creation of this watermark, basically.

是的。

Yeah.

举个具体例子，如果模型输出了'作为一个大型语言模型'，你需要决定接下来输出哪个词。

Maybe as a concrete example, if the model has output like as a large language model, you wanna know which word to output next.

这类基于哈希的方案会计算'作为一个大型语言模型'的哈希值，用生成的随机性来选择响应中下一个词的红绿分区。

This family of hash based schemes would compute the hash of as a large language model, derive some randomness which it uses to choose the red green partition for the next word in the response.

而要进行检测，你需要能重新计算这些哈希值来推导随机性，从而判断当时的红绿分割情况。

And now to detect, you need to be able to recompute the hashes to derive this randomness to tell what the red green slits were.

好的。

Okay.

这使得验证过程稍微复杂了些。

So it makes the verification process a little bit more complex.

是啊。

Yeah.

至少多了一个步骤。

You have an extra step at least.

没错。

Yeah.

这个额外的步骤在计算上仍然很廉价，但它真正影响的是鲁棒性。

There's this extra step which is still computationally cheap, But where it really hurts you is in robustness.

所以现在如果哈希部分的任何单词发生变化，你就无法恢复之前的相同随机性。

So now if any word in this hashed portion changes, then you can't recover the same randomness as before.

哦，是的。

Oh, yeah.

然后你会得到一个完全不同的红绿分区。

And you'll get a completely different red green partition.

哎呀。

Yikes.

所以你不能让它改变。

So you can't it can't change.

是的。

Yeah.

基本上，我的意思是，这取决于程度

Basically, I mean, it depends how much

你

you

哈希。

hash.

但如果你对整段文字进行哈希处理，那么这段内容就完全不能更改。

But if you hash, say, a paragraph, then this whole paragraph can't change at all.

否则，你将无法检测到水印。

Otherwise, you wouldn't be able to detect the watermark.

现在Scott的方案和Christian Bauer等人的方案是对前两个词进行哈希，所以它们在鲁棒性上不会受到太大影响。

And now Scott's scheme and the Christian Bauer et al scheme hash something like the past two words, so they don't take a huge hit to robustness.

但我的方案是对更长的部分进行哈希。

But my scheme, we hash a much longer portion.

这是为了获得这种额外的不可检测性和高质量特性。

This is to get this extra undetectability high quality property.

有意思。

Interesting.

所以，这些基于哈希的方案非常突出。

So, yeah, these hash based schemes are very prominent.

它们催生了所谓的表情符号攻击。

And they motivate what's called the emoji attack.

在表情符号攻击中，你要求模型输出响应时，在每个单词之间插入一个表情符号。

And in the emoji attack, you ask the model to output your response, but insert an emoji between every pair of words.

这样你就会得到类似'单词 表情符号 单词 表情符号'的输出。

And so now you'll get something that's like word emoji, word emoji.

对吧？

Right?

你可以轻松地通过删除所有表情符号来恢复原始文本。

And you can easily get back an actual text by just deleting all of the emojis.

嗯。

Mhmm.

这样做的作用是，如果水印是通过哈希来嵌入的，哦

What this has done is now if the watermark is embedded by hashing Oh,

所以需要完全调整所有内容，就因为里面插入了这些表情符号？

totally adjust everything because it has all these emojis in it?

对。

Yeah.

没错。

Exactly.

就像如果哈希计算中使用了表情符号，一旦删除它们，哈希值就完全不同了。

Like if the emojis are used in the hashes, now once you delete them, the hashes are entirely different.

哦，哇。

Oh, wow.

而且这种攻击方式完全不会影响质量，因为你最终得到的文本和没有插入表情符号时一模一样。

And also you're not hurting quality by doing this attack at all because you get back exactly the same text you would have had without emojis.

等等。

Wait.

我不确定自己是否完全理解了这个原理。

I don't know if I fully understood this.

就是说，这些表情符号是作为水印的一部分被添加进去，然后你们又喜欢添加和移除的吗？

Like, are the emojis being added as part of this watermarking that you then like add and remove?

还是说如果对手试图

Or is it if an adversary tried to,

不是这样的。

like No.

不是。

No.

假设假设你试图在作业上作弊。

Suppose suppose you tried to cheat on your homework.

好吧。

Okay.

然后你说，嘿。

And you said, hey.

实际上，把你刚才给我的回复里所有空格都替换成表情符号。

Actually, take the response you just gave me and replace all the spaces with emojis.

比如，在模型内部。

Like, within the model.

所以他们是在模型内部操作

So they're doing Within the

模型。

model.

好的。

Okay.

但现在它被用表情符号做了水印标记。

So now though now it's watermarked with the emojis.

但当你提交作业时，你手动删掉所有表情符号换成空格，这样你就破坏了哈希验证。

But then you, when you turn in your homework, you just, like, go and manually delete all the emojis and put spaces, and now you've ruined the hashing.

对吧？

Right?

是的。

Yeah.

因为这就像是一个非常简单的攻击方式，某种程度上就像幼儿园小孩能想到的第一招。

Because so it's like it's it's like a very simple it's like a the first attack a kindergartner would come up with in some ways.

对吧？

Right?

就像是，对。

Of like Yeah.

这超级简单，却能完全击败这些基于哈希的方案。

It's like super simple and completely defeats these hash based schemes.

即便是那些只哈希保存最近两个标记的方案也不行，因为你到处都加了表情符号。

Even the ones that only hash save the past two tokens because you have emojis everywhere.

你能给这些基于哈希的方案增加一个特性吗？如果它们检测到这种明显的低级注入模式，就不哈希那部分内容？

Could you add another quality to these hash based ones that if they see sort of that kind of pattern of like just dumb obvious injections that it doesn't hash that part?

可以。

Yeah.

所以我觉得你可以玩这种猫捉老鼠的游戏，对吧？

So you can, I think, play this kind of cat and mouse game Yeah?

当你发现特定攻击时，就可以在水印中添加一些步骤来忽略触发攻击的内容。

Where if you see a specific attack, then you can, you know, add some steps to the watermark that ignores things that are activating the attack.

但我觉得即使你修复了一大类表情符号攻击，人们还是会想出新的攻击方式。

But I think if you fix even a broad class of emoji like attacks, people will come up with new attacks.

所以这种博弈非常难进行。

So it's very hard to play this game.

事实上，极限情况下，哈佛大学的张等人团队有篇论文《沙中水印》证明，要构建一个能抵御任意多项式时间对手的水印是不可能的。

In fact, in The Limit, there is a paper by Zhang et al, group at Harvard called Watermarks in the Sand, which shows that it's impossible to construct a watermark that's robust to an arbitrary polynomial time adversary.

他们证明如果攻击者有足够的决心，就能移除任何水印。

So they show that if the adversary is dedicated enough, then it can remove any watermark.

这是在相当强的假设条件下得出的结论。

This is under some fairly strong assumptions.

我认为这更像是一篇理论性论文。

I would say it's more of a theory paper.

可以说，它并没有给出我们当前需要担心的实际攻击手段。

It doesn't give practical attacks we need to worry about now, I would say.

但它确实表明你无法拥有一个强有力的鲁棒性定理。

But what it does show is you can't have a strong robustness theorem.

就像，不能说，这里有一个方案，并证明它对试图移除水印的多项式时间对手具有鲁棒性。

Like, can't say, here's a scheme and prove that it's robust to polynomial time adversaries that are trying to remove the watermark.

是的。

Yeah.

我是说，你与费马小定理做类比很有趣，因为我认为费马小定理就像，嘿，随机预言模型，它是安全的。

I mean, it is interesting you made this analogy to Fiad Shimura because I think about Fiad Shimura as like, hey, random oracle model, it's safe.

但是，哦，就像所有最近的论文都在说，哦，在某些情况下它有点崩溃，虽然不是完全像鲁棒性问题，但在轻微扰动下。

But, oh, like, all of the recent papers that are like, oh, it's like kind of borked under some sort of like, something not quite like the robustness thing, but, like, under slight perturbations.

好吧。

Okay.

不存在相关性难处理性或其他什么。

There's not correlation intractability or whatever.

就像，费马小定理从窗户映照出来。

Like, Fietscher mirrors out the window.

我们之前讨论过一些关于方案稳健性的问题。

You know, we talked a little bit about robustness of schemes.

我个人觉得最让我这个技术宅着迷的是它与纠错码的联系，这种想法让我觉得：如果我把秘密作为选择的随机性路径，就能为水印提供某种保证。

And one really I think the thing that kind of nerds sniped me personally a lot about this was the connection to, like, error correcting codes and sort of this idea that, like, I can error I can have these, like, error correcting codes that have randomness in them, and if I, you know, make my secret, like, the path of the set of randomness I choose, then I can get these kind of guarantees for watermarks.

而且在某种程度上，我可以处理一定程度的增删，比如有人删除了某个字符。

And, also, there's sort of some sense in which I can handle additions and deletions up to some amount, like, you know, someone deleting one of the characters.

对吧？

Right?

这其实就是一种鲁棒性。

Like, which is a form of robustness.

当然，在你之后还有其他研究，但它们似乎都基于你提出的这种抽象框架——关于水印与编码理论、纠错码以及这种自然嵌入关系的思考方式。

And there have been other works, obviously, after yours, but they all seem to build build off this kind of abstraction you came up with for thinking about watermarks and their relation to coding theory and error correcting codes and kind of this natural embedding.

所以如果能探讨水印与纠错码的关系会很有意义，比如一旦进入纠错码领域，你就能讨论这个水印能抵抗文本中多少删除或添加操作。

So it would be great to kind of talk about the relationship between watermarks and error correcting codes and sort of, like, the the way that once you go to error correcting code land, you can suddenly talk about, okay, like, you can you know, this watermark is resistant up to some number of deletions in the text or some number of additions.

在我看来，这似乎是人们追求鲁棒性的主流方向——除非我遗漏了其他重要方面。

And, you know, to me that seems to be like the way people are kind of moving towards robustness, unless I'm missing something else.

所以

So Does

那实际上也能解决表情符号攻击的问题吗？

that actually solve for the emoji attack too?

如果你用的是纠错码而不是简单的基于哈希的方法？

If you're using error correcting codes instead of the simple hash based one?

是的。

Yeah.

太酷了。

How cool.

没错。

Yeah.

纠错码非常强大。

The error correcting codes are super powerful.

这是我在这个领域最喜欢的工作，就是引入了所谓的伪随机纠错码。

And this is like by the favorite work that I've done in this area was the introduction of something called pseudo random error correcting codes.

这是与Sam Gunn合著的论文。

This was a paper with Sam Gunn.

然后我想我们还有一篇更新的后续论文，《理想伪随机码》。

And then I guess we have a newer follow-up paper, Ideal Pseudorandom Codes.

那篇可能更偏理论。

That's maybe more theoretical.

那是STOC会议论文。

That's the stock paper.

对吧？

Right?

是的。

Yeah.

那篇论文刚在今年STOC会议上发表。

That just appeared at stock of this year.

那也是与Omar Alrabia、Prahbhanjan Ananth和Yevgeniy Dodis合作的成果。

That was also joint with Omar Alrabia, Prahbanjan Anant and Yevgeny Dodas.

所以，是的。

So, yeah.

这些伪随机码是什么？

What are these pseudorandom codes?

我想它们就是字面意思。

I guess they're exactly what they sound like.

它们就像是看起来随机的纠错码。

They're like error correcting codes that appear random.

通常纠错码通过引入大量结构来工作。

So usually error correcting codes work by introducing a lot of structure.

比如一个好的纠错码就是简单重复信息多次。

Like one good error correcting code would just be to repeat the message over and over again.

但这样显然会引入大量结构，且不具备伪随机性。

But of course, this adds a lot of structure and isn't pseudo random.

伪随机码很难构建，因为码字需要看起来随机。

Pseudo random codes are hard to construct because the code words need to appear random.

因此它们仍需具备结构，以便在出现错误后能恢复信息。

So they still need to have the structure so you can recover the message after errors are imposed.

但这种结构需要以某种方式隐藏，使其看起来仍是随机的。

But somehow the structure needs to be hidden so that they still appear random.

这就是伪随机码的定义。

This is what a pseudo random code is.

乍一看，它可能与水印技术没有明显关联。

And at a glance, there might not be an obvious connection to watermarking.

但实际上，我和Sam引入它们正是因为水印技术，某种程度上也是为了解决基于哈希方案的这些问题。

But actually, Sam and I introduced them because of watermarking and kind of because of these issues with the hash based schemes.

还记得我们期望基于哈希的方案能动态生成新的红绿列表吗？

So remember what we wanted from the hash based schemes was to basically generate fresh red green lists on the fly.

是的。

Yeah.

当时我们从先前令牌的哈希值推导这些列表，但现在却损害了鲁棒性，因为我们需要恢复哈希值才能知道选择了哪些列表。

Where we were deriving these lists from the hashes of previous tokens, but now we're hurting robustness because we need to recover the hashes to know what lists we chose.

一旦有任何变动或被注入内容，你就基本完蛋了。

And the minute anything changes or is injected, you're sort of screwed.

没错。

Exactly.

是的。

Yeah.

于是我们开始思考，与其从哈希值中获取随机性，不如为每个标记随机采样不同的红绿列表然后彻底忘记它们？

And so we started thinking that instead of deriving the randomness from hashes, what if you could somehow just sample a different red green list for each token and forget about them?

现在在检测时，如果足够多的标记在该绿的时候是绿的，即便不知道具体列表，也能通过密钥神奇地进行检测。

And now, during detection, somehow magically, if enough of the tokens are green when they should be, without even knowing the lists, you can use a secret key to detect.

嗯。

Mhmm.

这有点像纠错码——你可以想象采样一个密码字，它会告诉你响应中每个标记对应的红绿列表。

And this is kind of like an error correcting code where you can think of sampling code word that tells you what the red green lists are for each token in the response.

现在忘记密码字的存在，但当你收到响应时，仍可以通过这种鲁棒解码方式还原出原始信息。

And now, forget about the code word, but if you get back a response, you can do this like robust decoding to get back the message anyway.

这想法虽然超级模糊，但这就是背后的原理。

This is like super fuzzy, but this is the idea behind them.

关键在于采样机制。

It's the sampling aspect.

你某种程度上接受了不会直接匹配的模式，而是在寻找某种规律，但不像哈希那样严格。

And you're sort of accepting that like it won't like you're still looking for a pattern, but you're not looking as like direct it's almost like the hash one is so hard.

哈希方式太死板了。

It's like so finite.

而这个更像是概率问题。

Whereas this is like a I guess it's a probability.

你其实是在计算这些绿色词汇出现的概率

Like you're still looking for like a probability of these green words or green list

对。

Yeah.

或类似的东西。

Words or something.

对。

Yeah.

之前在检测阶段，你问的是'这个响应是否接近这个特定序列？'

Before in detection you were kind of asking, is this response close to this specific sequence?

而现在使用伪名编码，你问的是'这个响应是否接近这个大家族中的任何代码词？'

Whereas now with pseudonym codes, you ask like, is this response close to any code word in this large family?

哇。

Wow.

这听起来是个更难的问题，但我们利用纠错码的力量，能高效判断给定响应是否接近该编码。

And this sounds like a harder question, but we use the power of error correcting codes to have an efficient way of telling whether a given response is close to the code.

那么在这种情况下，如果存在类似机制，是否会有个最终内容的转换阈值作为分界点？

In in that case, with something like that, if you still like, would there be almost like a threshold of transformation of the end content at which it's like sort of like a cutoff?

比如变化量低于这个程度时仍能被识别为带有水印

Like, if it's under this much change, it will still be recognized as watermarked.

但如果改动超过这个阈值，水印就可能丢失

But if you really alter it past that, then it might get lost.

比如，如果差异过大，是否会失去这种纠错码的能力？

Like, could you lose the power of this error correcting code if it gets too different?

是的。

Yeah.

确实如此。

Definitely.

这在某种程度上是固有的特性。

And this is kind of inherent.

这些纠错码通常具有距离属性，能告诉你可容忍多少错误。

So these error correcting codes usually have some distance property that tells you how many errors you can tolerate.

我们有类似机制，不过我们的检测保证与编码理论中的略有不同，因为我们处于计算受限环境且存在随机性。

So we have something analogous which says that, I guess our our detection guarantees are a little bit different from those in coding theory because we're in like a computationally bounded setting and we have some randomness.

但概括来说，只要响应足够接近，就仍能被检测到。

But at a high level our guarantee says if the response is close enough, then it will still be detected.

如果超出某个界限，我们就完全无法保证了。

If it's beyond some bound, then we have no guarantee at all.