The Watermarking Wars: Capacity vs. Robustness, animated
⮞ An evolution of the Model Heist Detector. Rather than examining a single Z-test, this animation explores the entire landscape of model watermarking strategies. We compare the mathematical capacity and evasion robustness of white-box (weight modification), black-box (trigger sets), and generative (LLM token bias) watermarks.
▸ What did you just learn?
The Threat Model Dictates the Defense. If a thief steals your weights and deploys them publicly, you can download the weights and run a statistical test (White-box). But if they hide the model behind an API, you must prove ownership using only queries and responses (Black-box).
White-Box (Weight Shifting). A high-capacity mark embedded directly into the parameter vectors. It survives fine-tuning but requires full access to the stolen model to verify.
Black-Box (Trigger Sets). You poison the model during training to classify specific noise patterns as a secret label. If the API returns that label for your secret noise, it's your model. The math here relies on the over-parameterization of neural networks to memorize random noise without hurting primary task utility.
Generative Watermarking (LLMs). For language models, the watermarking happens at generation time. A pseudo-random hash of the previous token splits the vocabulary into a "Green list" and a "Red list". The model is gently biased to pick Green tokens. Over 100 words, a natural text has ~50% Green tokens, but the watermarked text has ~80%—a statistically undeniable signature.
The Fundamental Trade-off. Watermarks face a strict theoretical bound: Capacity vs. Distortion vs. Robustness. An attacker attempting to scrub the watermark adds noise. We animate the ROC curves to show how each strategy degrades under scrubbing attacks.
▸ The math, precisely
Rendered on load. If equations appear as raw text, your browser blocked the math font CDN.
