Skip to main content
Writing
·Paper Review·11 min read

Hidden in Plain Tokens: Simply Robust, Gradient-Free Watermark for Synthetic Audio

As synthetic speech and generative music systems reach human parity, the line between authentic and AI-generated audio is almost completely gone. For security teams, red-teamers, and AI safety researchers, content provenance is now a critical battleground.

Paper: Hidden in Plain Tokens: Simply Robust, Gradient-Free Watermark for Synthetic AudioGeorgios Milis, Yubin Qin, Yihan Wu, et al. (arXiv)

Generated by my automated review pipeline and spot-checked before publication — how it works.

Contents

Image generated by AI

TLDR

  • What: A gradient-free, training-free audio watermarking technique that clusters neural codec vocabularies using graph community detection (Leiden algorithm) to make token-level watermarks invariant to non-idempotent retokenization errors.
  • Who's at risk: Synthetic audio generation platforms, deepfake detection APIs, and provenance tracking systems deploying continuous-modality autoregressive models (e.g., Moshi, MusicGen, CosyVoice3, Spark-TTS).
  • Key number: Boosts watermark detectability under identity verification by several orders of magnitude, achieving a statistical confidence score of log(p)=42.47-\log(p) = 42.47 on Moshi conversational audio compared to $8.51$ for the baseline KGW method, while maintaining zero gradient-training overhead.

As synthetic speech and generative music systems reach human parity, the line between authentic and AI-generated audio is almost completely gone. For security teams, red-teamers, and AI safety researchers, content provenance is now a critical battleground. While inference-time token-level watermarking—pioneered by Kirchenbauer et al. (ICML 2023) for Large Language Models—has proven highly effective for discrete text, applying it directly to continuous modalities like audio has been a massive failure.

The core issue lies in the non-idempotence of neural audio codecs (such as Mimi or EnCodec). When a watermarked audio waveform is generated, the underlying tokens are synthesized into a continuous waveform. When a validator attempts to detect the watermark, they must re-tokenize this waveform. However, because codecs prioritize perceptual reconstruction quality over exact index preservation, this re-tokenization step introduces significant index mismatches. This "retokenization noise" completely degrades the fragile watermark signal.

In a new paper presented at ICML 2026, Milis et al. (ICML 2026) introduce "Hidden in Plain Tokens," an elegant, gradient-free watermarking defense. Instead of resorting to computationally expensive neural codec fine-tuning, the authors discover that retokenization errors are highly structured and consistent. By modeling the codec vocabulary as a graph and applying community detection, they cluster frequently-confused tokens into stable "semantic communities," applying the watermark bias at the cluster level rather than the individual token level.


Threat Model

The evaluation of this watermarking scheme is framed around an attacker attempting to strip or evade synthetic audio detection while the defender attempts to retain highly reliable detection capabilities.

Attacker A malicious actor or post-processing pipeline attempting to strip watermarks from synthetic audio to bypass downstream detectors (e.g., uploading to social media, distributing deepfakes).
Victim Autoregressive audio generation APIs (e.g., Moshi, MusicGen, CosyVoice3) seeking to enforce provenance and prevent abuse.
Goal Attacker: Strip the watermark below the detection threshold (1%1\% False Positive Rate, or log(p)<2-\log(p) < 2) while preserving audio quality.Defender: Achieve highly confident watermark detection (log(p)2-\log(p) \gg 2) even after aggressive audio modifications.
Budget Attacker: Access to standard signal processing suites, lossy compression (MP3), temporal operations (cropping, shifting, speedups), or alternative neural codecs (transcoding).Defender: No training budget required (gradient-free inference-time modification).

Background & Problem Setup

To understand why traditional token-level watermarking fails on audio, consider the standard Kirchenbauer et al. (ICML 2023) (KGW) text watermark. At each autoregressive step, a hash of the preceding hh tokens pseudo-randomly splits the vocabulary VV into a "green list" GG and a "red list" RR with a green list ratio γ(0,1)\gamma \in (0,1). The logits of the green list tokens are biased by a constant offset δ>0\delta > 0 to encourage their selection.

For text, the token match rate (TM) under re-tokenization is essentially $1.0.Forcontinuousaudiocodecs,however,thetokenmatchrate. For continuous audio codecs, however, the token match rate r = \text{TM}(y_{1:N}, x_{1:N})$ drops significantly because codecs are lossy.

Milis et al. (ICML 2026) theoretically formalize the expected zz-score under the alternative hypothesis H1H_1 (watermarked sequence) in the presence of retokenization corruption as:

E[zH1]=Ngγγ(1γ)rh+1\mathbb{E}[z|H_1] = \sqrt{N} \frac{g - \gamma}{\sqrt{\gamma(1 - \gamma)}} r^{h+1}

Where:

  • NN is the sequence length.
  • gg is the probability of the generative model choosing a green token in the absence of corruption.
  • rr is the token match rate (retokenization success probability).
  • hh is the history context size used for hashing.

Because r<1r < 1 in audio, the watermark signal decays exponentially as the context window hh increases. For h=1h=1 or h=2h=2, the signal vanishes almost immediately.

To solve this, prior state-of-the-art approaches like WMAR (Wu et al., 2025a) forced the codec tokenizer to become idempotent via supervised fine-tuning. However, this is computationally intensive and requires white-box access to the codec weights.

Watermarking Modality Comparison

Method Modality Gradient-Free? Robust to Codec Drift? Retokenization Invariance Strategy Quality Impact
KGW (Kirchenbauer et al., 2023) Text Yes N/A (Discrete) None (Assumes perfect identity mapping) Negligible
WMAR (Wu et al., 2025a) Audio/Image No No Fine-tune tokenizer to achieve idempotence Low to Moderate
Ours (Hidden in Plain Tokens) Audio/Multi Yes Yes Semantic clustering of vocabulary graph Negligible

Methodology

Instead of forcing the codec tokenizer to be idempotent, the proposed method accepts retokenization errors as a natural characteristic of continuous representation learning. The authors observe that these errors are not random noise; instead, tokens are consistently confused with their immediate semantic or acoustic neighbors in the latent space.

+------------------------+      +--------------------------+      +------------------------+
| Original Waveform (X)  | ---> |   Encoder E(X) = T1      | ---> |  Synthesized Audio     |
+------------------------+      +--------------------------+      +------------------------+
                                                                             |
+------------------------+      +--------------------------+                 v
| Retokenized Tokens T2  | <--- |  Re-encoded E(D(T1))     | <--- +------------------------+
+------------------------+      +--------------------------+      | Retokenized Waveform   |
            |                                                     +------------------------+
            v
+------------------------+
| Map to Cluster:        |
| C(T1) == C(T2) ?       | ---> Stable Cluster-level Match!
+------------------------+

Step 1: Mapping the Confusion Graph

The defender passes an unwatermarked calibration audio dataset (e.g., 2.7k sentences from the LibriSpeech development set) through the codec twice (Encode \rightarrow Decode \rightarrow Encode) to collect paired original and retokenized token sequences.

From these sequences, they construct a confusion matrix MNV×VM \in \mathbb{N}^{|V| \times |V|}, where MijM_{ij} counts how many times token ii was retokenized as token jj. This matrix MM is interpreted as the adjacency matrix of a weighted directed graph G=(V,M)G = (V, M), where the nodes are the individual codebook vectors.

Step 2: Unsupervised Community Detection

To distill this graph into stable, robust communities, they apply the Leiden algorithm (Traag et al., 2019), which optimizes for modularity to discover tightly knit token clusters P={c1,c2,,cK}P = \{c_1, c_2, \dots, c_K\}. The clustering granularity is governed by a resolution parameter ρ\rho:

  • Small ρ\rho results in larger, highly stable clusters (higher cluster match rate rclr_{cl}).
  • Large ρ\rho results in smaller, higher-resolution clusters (larger effective vocabulary size, minimizing key collisions).

The Leiden algorithm naturally isolates stable, unconfused tokens as singleton clusters.

Step 3: Cluster-Level Watermarking

At each generation step:

  1. The history of the preceding hh tokens is converted to their corresponding cluster indices: C(xih),,C(xi1)C(x_{i-h}), \dots, C(x_{i-1}).
  2. These cluster indices are hashed to split the cluster vocabulary (instead of the raw token vocabulary) into green and red partitions GiG_i and RiR_i.
  3. The generation model's logits are biased by adding δ\delta to all tokens belonging to the clusters assigned to the green list GiG_i.

By making the hashing context and list assignment cluster-dependent, the expected zz-score is modified to:

E[zH1]=Ngγγ(1γ)rclh+1\mathbb{E}[z|H_1] = \sqrt{N} \frac{g - \gamma}{\sqrt{\gamma(1 - \gamma)}} r_{cl}^{h+1}

Since rcl>rr_{cl} > r, this effectively mitigates the exponential decay of the watermark signal.


Key Results

Milis et al. (ICML 2026) evaluate their approach using two prominent setups:

  • Moshi (Mimi Codec): A speech-text foundation model.
  • MusicGen (EnCodec): A text-to-music generation model.

1. Watermark Detectability and Robustness (Moshi)

Table 2 from the paper shows the mean detector confidence score log(p)-\log(p) and the structural loss relative to the identity baseline across various signal processing and compression attacks. Higher log(p)-\log(p) indicates stronger detection confidence (the baseline 1%1\% false positive rate threshold is log(p)=2-\log(p) = 2).

Group Attack Transformation Base (KGW) log(p)-\log(p) WMAR log(p)-\log(p) WMAR (aug) log(p)-\log(p) Ours (Hidden in Plain Tokens) log(p)-\log(p)
Baseline Identity (No Attack) 8.51 17.44 13.72 42.47
Signal Proc. Smooth 1.99 1.61 3.73 32.68
Lowpass 5.82 9.23 10.52 41.51
Highpass 1.11 1.50 1.94 25.59
Noise 2.23 0.61 8.01 20.59
Compression MP3 (64 kbps) 7.47 15.31 12.66 41.26
DAC Transcoding 6.62 8.12 10.51 40.13
EnCodec Transcoding 2.59 2.82 2.78 32.64
Temporal Crop (50% duration) 1.51 1.27 1.51 16.48
Shift 1.86 1.81 2.36 27.67
Speedup (1.1x) 1.52 1.20 1.35 26.49

As Table 2 illustrates, under standard MP3 compression, the baseline KGW watermark is severely degraded, and even the fine-tuned WMAR peaks at $15.31. The proposed method maintains an extraordinarily high confidence score of **\41.26**. Under temporal distortions (which typically ruin token alignment), the proposed method still achieves a highly detectable score of **\26.49$** under 1.1x speedup, whereas all baselines fail to meet the detection threshold.


2. Impact on Audio Quality

A common pitfall of robust watermarks is the degradation of audio quality. The authors evaluate this using Fréchet Audio Distance (FAD) (lower is better) and Mean Opinion Scores (MOS) via NISQA and DNSMOS (higher is better).

Table 1 demonstrates that clustering the vocabulary does not introduce audible distortions:

Model Setup Method FAD (VGGish) \downarrow FAD (CLAP) \downarrow NISQA \uparrow DNSMOS \uparrow
Moshi (Conversational) Unwatermarked 0.080 0.023 3.54 4.43
(h=0h=0) Base (KGW) 0.128 0.020 3.46 4.46
WMAR 0.407 0.032 3.28 4.41
Ours 0.133 0.027 3.53 4.42

The FAD and MOS scores for the proposed method are almost identical to the unwatermarked baseline. Conversely, WMAR's codec fine-tuning degrades the FAD score to $0.407$.


Limitations & Open Questions

While this gradient-free approach is highly practical, several open challenges remain:

  1. Temporal Misalignment Susceptibility: Standard token-level watermarks are fundamentally brittle to cropping or shifting because they disrupt the framing boundaries of neural audio codecs. While the proposed cluster-based method is more robust than others, extreme temporal warping still degrades the signal.
  2. Key Collisions and Entropy Trade-offs: As vocabulary size shrinks from V|V| to cVc|V|, the likelihood of key collisions increases. This can limit the maximum length of the context window hh that can be safely used without introducing repetitive generation artifacts.
  3. Black-box Codec Dependency: Capturing the confusion matrix requires black-box access to the target codec to collect calibration data. If the service provider updates their underlying codec, a new confusion matrix must be calculated and the community detection process re-run.

What Practitioners Should Do

If you are deploying synthetic audio generation pipelines or building deepfake detection systems, consider the following integration steps:

1. Build the Confusion Matrix Off-line

Avoid the temptation to dynamically compute retokenization errors during inference. Instead, run a calibration pass using a representative dataset (e.g., LibriSpeech for speech, MusicCaps for music) to construct a static token confusion graph:

# Conceptual pipeline to build the confusion matrix M
import numpy as np

vocab_size = 2048  # Example for Mimi codec Channel 0
M = np.zeros((vocab_size, vocab_size), dtype=np.int64)

for original_audio in calibration_loader:
    # 1. Encode original audio to tokens
    tokens_orig = codec.encode(original_audio)
    # 2. Decode back to continuous waveform
    recon_audio = codec.decode(tokens_orig)
    # 3. Re-encode to observe retokenization drift
    tokens_recon = codec.encode(recon_audio)
    
    # Update confusion counts
    for t_o, t_r in zip(tokens_orig.flatten(), tokens_recon.flatten()):
        M[t_o, t_r] += 1

2. Extract Stable Communities Using Leiden

Utilize the Leiden algorithm with a controlled resolution parameter ρ\rho (typically between $0.8 and \1.2)tofindtheoptimaltradeoffbetweenclustermatchrateandvocabularydiversity.Section5.4recommendsspecifichyperparameterselectionslike) to find the optimal trade-off between cluster match rate and vocabulary diversity. Section 5.4 recommends specific hyperparameter selections like (\rho=0.8, m=1)$ for Mimi channel 0.

3. Implement Cluster-Level Red/Green Partitioning

When applying Kirchenbauer's watermarking rule, map the current generation tokens to their respective cluster IDs before executing the hash function. Ensure the logit bias δ\delta is applied uniformly across all physical tokens belonging to the selected green-list cluster.


The Takeaway

Milis et al. (ICML 2026) demonstrate that the perceived fragility of token-level multimedia watermarking is not an inherent flaw of continuous models, but rather a solvable discretization mismatch. By replacing expensive, white-box neural network fine-tuning with simple graph community detection, they deliver a highly robust, drop-in defense. This represents a significant step forward in securing audio generative pipelines against unauthorized distribution and deepfake evasion.


Den's Take

This is an incredibly elegant solution to a massive practical headache. As someone who has spent years looking at how easily watermarks fail under basic lossy compression, I love that the authors didn't just throw more compute at the problem. By mapping codec token vulnerabilities as a graph, they solved a core structural flaw without expensive retraining. This is exactly the kind of clever, practitioner-first engineering we need.

For trust and safety teams at companies like ElevenLabs or OpenAI fighting the fallout of voice-clone scams—including high-profile incidents like the notorious $25M deepfake CFO heist in Hong Kong—this technique is a massive deal. Traditional KGW watermarks disintegrate the second audio is transcoded to MP3 or run through a basic bandpass filter, leaving platforms defenseless against adversarial stripping.

This shift to robust, structure-aware detection mirrors my findings in Prompt Injection Detection is Regime-Dependent: A Deployment-Aware Evaluation with Interpretable Structural Signals, where I demonstrated that safety defenses must be designed around the actual, messy distribution shifts of deployment-phase data rather than clean, idealized laboratory baselines. If we want generative audio provenance to be more than a compliance checkbox, we must build defenses that survive the inevitable noise of the real world.

Share

Comments

Page views are tracked via Google Analytics for content improvement.