
TLDR
- What: SAFESEAL is a key-conditioned, post-processing LLM watermarking framework that preserves named entities while utilizing context-aware synonym substitutions to embed robust, provider-specific verification patterns detected via a contrastive text-key encoder.
- Who's at risk: Proprietary LLM APIs (e.g., OpenAI's GPT-4o, Anthropic's Claude 3.5, or proprietary fine-tuned enterprise models) whose outputs are vulnerable to black-box model extraction, distillation, or unauthorized surrogate training.
- Key number: SAFESEAL achieves up to a 58.47% higher watermark detection rate than the best state-of-the-art baseline under active removal attacks, while preserving 98.3% content similarity and 96.3% entity similarity.
As commercial large language models (LLMs) like GPT-4o, Claude 3.5 Sonnet, and Gemini Pro are increasingly deployed as downstream API services, providers face a growing threat: black-box model stealing. Adversaries can query these APIs, harvest input-output pairs, and train cheaper surrogate models that mimic proprietary capabilities, bypassing millions of dollars in R&D costs. While LLM watermarking has emerged as a defense, traditional approaches often degrade output quality, introduce factual inconsistencies, or are easily wiped out by simple paraphrasing attacks. In their paper "Robust LLM Watermarking with Minimal Semantic Distortion for IP Protection", Dang et al. (arXiv 2026) introduce SAFESEAL—a post-processing, key-conditioned watermarking technique that balances near-perfect semantic utility with robust adversarial resistance.
Threat Model
| Attacker | Black-box API access with query capabilities; has no access to the proprietary LLM's internal weights. |
| Victim | Proprietary commercial LLM services (e.g., corporate RAG pipelines, translation services, coding assistants). |
| Goal | Watermark Removal: Strip watermarks using paraphrasing/synonym replacement. Model Stealing: Fine-tune a surrogate model on API outputs to replicate behaviors. |
| Budget | Limited to standard API querying costs (typically 10,000 to 20,000 queries). |
Background / Problem Setup
Existing LLM watermarks broadly fall into two categories: in-processing methods (which modify logits during decoding) and post-processing methods (which modify already generated text). While "distortion-free" in-processing methods preserve next-token probability distributions, they do not guarantee semantic coherence or factual consistency. As described in Section D.5, small changes during autoregressive generation propagate through the sequence, leading to the cascade effect where outputs quickly drift into hallucinations, factual errors, or broken formatting.
Unlike prior works that treat watermarking as an purely statistical distribution-bias problem, SAFESEAL treats it as a semantic-preserving text transformation task.
Related Work Comparison
| Method | Phase | Generation Method | Detection Strategy | Entity-Preserving? | Multi-User/Key Support? |
|---|---|---|---|---|---|
| KGW (Kirchenbauer et al., ICML 2023) | In-processing | Logit manipulation (Green/Red lists) | Statistical z-test | No | No |
| EXP (Kuditipudi et al., TMLR 2023) | In-processing | Key mapping next-token | Statistical test | No | No |
| SynthID (Dathathri et al., Nature 2024) | In-processing | Tournament sampling | Statistical test | No | No |
| DTM (Munyer et al., IEEE Access 2024) | Post-processing | Word2Vec substitution | Model-based classifier | No | No |
| TW (Yang et al., arXiv 2023) | Post-processing | Binary token substitution | Statistical test | No | No |
| SAFESEAL (Dang et al., arXiv 2026) | Post-processing | Context-aware synonyms | Model-based contrastive | Yes | Yes |
Methodology
SAFESEAL utilizes a multi-step post-processing pipeline that separates entity preservation from watermark injection. Rather than blindly perturbing token logits, it selectively replaces low-risk linguistic tokens with high-similarity context-aware synonyms using a secret-key tournament mechanism.
[Raw LLM Output]
│
▼
[Named Entity Recognition] ──► Exclude Names, Places, Dates, Times
│
▼
[Part-of-Speech Tagging] ──► Identify Nouns, Verbs, Adjectives, Adverbs
│
▼
[Synonym Lookup Table Gen] ──► Mask word & generate synonyms via RoBERTa-base
│
▼
[Sentence Similarity Filter] ──► Keep synonyms where DistilBERT Sim ≥ δ (default 0.92)
│
▼
[Key-Conditioned Injection] ──► Cryptographic PRF-based Tournament Sampling
│
▼
[Watermarked Text]
1. Watermarkable Token Identification
First, SAFESEAL applies Named Entity Recognition (NER) via spaCy to identify entities (names, locations, dates, and times) and explicitly excludes them from watermarking. It then performs Part-of-Speech (POS) tagging to select candidates from flexible grammatical categories: nouns, verbs, adjectives, and adverbs (detailed in Table 7).
2. Lookup Table Generation
For each selected linguistic token $ t_i $, a lightweight language model $ \mathcal{A} $ (RoBERTa-base, 125M parameters) generates context-aware synonym candidates. The target token is masked within its context window $ C $, and $ \mathcal{A} $ generates candidates mapped to:
The candidates are filtered using WordNet to eliminate antonyms, duplicates, and grammatically incorrect terms.
3. Substitution Candidate Selection
To ensure semantic preservation, SAFESEAL filters out synonyms that alter the overarching sentence structure. It utilizes DistilBERT (67M parameters) to compute the sentence-level cosine similarity $ S_{ij} $ between the original sentence and the candidate-substituted sentence. Synonyms are kept only if:
4. Key-Conditioned Watermark Injection
For the remaining valid synonyms, SAFESEAL converts similarities into sampling probabilities:
Where $ \alpha > 0 $ controls the utility-detectability trade-off. Using a private cryptographic key $ k $, context $ h $, and round index $ r $, a Pseudo-Random Function (PRF) generates reproducible scores:
These scores drive a multi-round tournament sampling selection to output the final watermarked text $ y^{wm} $.
5. Key-Conditioned Contrastive Detection
Rather than relying on fragile statistical tests, SAFESEAL trains a robust key-conditioned contrastive detector using RoBERTa-large (356M parameters). The detector processes both the text $ y $ and the provider's key $ k $.
- Text representation is pooled into $ h_y \in \mathbb{R}^H $.
- Key $ k $ is converted via PRF to $ v \in [0, 1]^H $, scaled to $ \tilde{v} $, and mapped through a frozen MLP to $ h_k \in \mathbb{R}^H $.
- Features are fused to capture alignments and mismatches:
The model is optimized using binary cross-entropy loss $ \mathcal{L}{det} $ and a symmetric InfoNCE contrastive loss $ \mathcal{L}{con} $ over matched text-key pairs:
Key Results
1. General Watermark Utility & Detectability
As shown in Section 5.2, SAFESEAL preserves text utility while ensuring competitive detection rates across standard LLM generation tasks.
| Method | BERTScore (Utility) ↑ | Entity Similarity ↑ | Detection Rate (Clean) ↑ | Detection Rate (Dipper Attack) ↑ |
|---|---|---|---|---|
| No Watermark | 1.000 | 1.000 | 0.0% | 0.0% |
| KGW | 0.932 | 0.210 | 85.3% | 12.6% |
| SynthID | 0.941 | 0.220 | 82.1% | 11.2% |
| TW | 0.951 | 0.704 | 99.8% | 2.7% |
| LW | 0.985 | 0.650 | 33.0% | 14.0% |
| SAFESEAL (Ours) | 0.978 | 0.963 | 98.2% | 71.1% |
2. Resistance to Model Stealing Attacks
Under realistic API model stealing scenarios where an adversary queries 10k or 20k samples to train a surrogate model (evaluated on LLaMA-2 outputs in Table 3), SAFESEAL retains detectable traces where other baselines degrade to near-zero performance:
| Watermark Method | Baseline BERTScore ↑ | Baseline Detection Rate ↑ | After 10k Stealing Attack DR ↑ | After 20k Stealing Attack DR ↑ |
|---|---|---|---|---|
| TW | 0.966 | 85.5% | 4.4% | 5.4% |
| LW | 0.985 | 33.0% (Hit Rate) | 14.0% (Hit Rate) | 16.0% (Hit Rate) |
| SAFESEAL (Ours) | 0.977 | 98.2% | 68.3% | 72.8% |
3. Factual/Entity Distortion
Table 4 highlights the real-world impact of entity preservation. Traditional in-processing watermarks rewrite critical metrics and names:
- Original (No WM): "Nasdaq dropped 0.7 percent. The report from the Commerce Department..."
- KGW: "Nasdaq lost 0.7 percent... rate in the first quarter, down from a previously estimated 4.4 percent pace." (Factual alteration)
- SynthID: "Nasdaq lost 0.4 percent. The U.S. Commerce Department said Friday..." (Factual alteration)
- SAFESEAL: "Nasdaq fell 0.7 percent. The report from the Commerce Department showed that the U.S. economy grew..." (Semantics preserved, entities intact)
Limitations & Open Questions
1. Latency Overhead
While SAFESEAL is significantly faster than vocabulary-wide search methods like EXP, the use of auxiliary neural networks for candidate verification adds computational delay. As shown in Table 5(c), SAFESEAL adds an average of +3.42 seconds of mean latency per generation over unwatermarked text:
| Method | Mean Latency Overhead (s) |
|---|---|
| No Watermark | 4.71s (Base) |
| SynthID | +0.23s |
| TW | +1.97s |
| SAFESEAL (Ours) | +3.42s |
| KGW | +13.71s |
| EXP | +297.28s |
This overhead makes SAFESEAL ideal for batch API tasks (summarization, bulk translation, content generation) but poses challenges for latency-critical real-time chat UI outputs.
2. Low-Entropy and Low-Diversity Domains
In highly constrained generation domains—such as code synthesis, mathematical reasoning, or structured JSON outputs—the lookup table generation is severely restricted. If a sentence has a small number of valid synonyms (where similarity $ S_{ij} \geq 0.92 $), SAFESEAL skips watermarking to preserve utility, resulting in lower detection rates for extremely short or rigid outputs.
What Practitioners Should Do
1. Isolate and Preserve Entities Prior to Logit Adjustments
When deploying any API-level watermarking pipeline, utilize a high-performance NER tool (such as spaCy’s en_core_web_sm or Stanza) to identify sensitive token indices. Enforce rules that prevent your decoding strategies from altering tokens flagged as ORG, PERSON, GPE, DATE, or CARDINAL.
2. Move From Global Logit Biasing to Post-Hoc Synonym Substitution
If downstream utility is critical, replace active logit-biasing watermarks (like KGW) with a parallelized post-processing module. You can execute synonym screening as an asynchronous microservice immediately after response generation:
# Conceptual pipeline for post-hoc watermarking
import spacy
from transformers import pipeline
nlp = spacy.load("en_core_web_sm")
synonym_generator = pipeline("fill-mask", model="roberta-base")
def generate_watermark_candidates(text):
doc = nlp(text)
entities = [ent.text for ent in doc.ents]
for token in doc:
if token.pos_ in ["NOUN", "VERB", "ADJ", "ADV"] and token.text not in entities:
# Mask the token and generate semantic synonyms
masked_sentence = text.replace(token.text, "<mask>", 1)
candidates = synonym_generator(masked_sentence)
# Filter and apply key-conditioned tournament selection...
3. Deploy Multi-Key Classifiers for Cross-Provider Scenarios
If you serve multiple enterprise clients, avoid using a single global watermark key. Train a multi-class contrastive detector using the symmetric InfoNCE loss defined in Section 4.2. This allows you to uniquely map leaked data back to the exact client API key that generated it.
The Takeaway
SAFESEAL proves that LLM watermarking does not need to be a zero-sum trade-off between semantic quality and detection strength. By moving the watermarking process to post-processing, excluding factual entities, and framing detection as a model-based contrastive classification task, SAFESEAL delivers robust IP protection that survives both active evasion attempts and surrogate model distillation.
Den's Take
I've always been highly skeptical of in-processing LLM watermarks. Manipulating logits during token generation inevitably triggers a cascade of subtle hallucinations—a absolute dealbreaker if you are deploying models for highly deterministic enterprise tasks. SAFESEAL's post-processing approach is a breath of fresh air because it treats watermarking as a semantic-preserving optimization problem. Preserving named entities with 96.3% accuracy is exactly what practitioners actually need to maintain data integrity.
This has immediate, massive implications for corporate IP defense. If an adversary attempts to clone a highly specialized model—for instance, running a model distillation attack to siphon a proprietary medical-coding LLM, resulting in a $15M R&D exfiltration incident—SAFESEAL provides the robust forensic trail required to prove theft in court.
This work directly builds on the challenges we mapped out in Security in the Fine-Tuning Lifecycle of Large Language Models: Threats, Defenses,Evaluation, and Future Directions, where we explored how easily proprietary capabilities leak during downstream distillation and why model provenance defenses must be robust against active optimization attacks. While SAFESEAL raises the bar significantly, my concern is that adversaries will adapt by building synonym-aware paraphrasers specifically optimized to scrub these exact patterns. The cat-and-mouse game in model extraction defense is far from over, but this is a formidable shield for builders.