6.4.12 · D4AI Safety & Alignment

Exercises — Watermarking and provenance

2,148 words10 min readBack to topic

This page is a self-test ladder for Watermarking and provenance. Every problem states its level — from L1 Recognition (do you know the words?) up to L5 Mastery (can you build something new?). Work each one on paper first, then open the collapsible solution.

Before we start, one symbol we lean on everywhere:

Figure — Watermarking and provenance

The white bell is what unwatermarked text does (centred at ). The amber bell is watermarked text (shifted right). The -score measures, in bell-widths, how far a sample sits from the white centre.


Level 1 — Recognition

Problem 1.1

Match each term to its one-line job: (a) watermark, (b) provenance, (c) green list, (d) (watermark strength).

Recall Solution
  • (a) watermark — a hidden, detectable signal woven into the content itself (survives copy/paste; unlike metadata it isn't a separate tag).
  • (b) provenance — the full history/chain-of-custody: who made it, when, with what tool, what edits.
  • (c) green list — the subset of the vocabulary the model is nudged toward at a given position.
  • (d) — the number added to the logit (pre-softmax score) of every green token; larger = stronger, more detectable, but lower-quality text.

Problem 1.2

True or false: "A watermark and a C2PA metadata tag are the same thing because both prove where content came from."

Recall Solution

False. Both target provenance, but a watermark is embedded in the content (words chosen, pixels perturbed) so it survives when the file is copied or re-saved. C2PA metadata is an attached signed manifest that can be stripped by re-uploading. See Cryptographic signatures for how the C2PA signature itself is made.

Problem 1.3

Under the "no watermark" assumption, what fraction of tokens do we expect to be green, and why exactly that number?

Recall Solution

Exactly . The hash splits the vocabulary into two sets of (roughly) equal size, and without any bias the model picks tokens independently of that split — so each token is green with probability , like a fair coin. That is why sits at the centre of the white bell.


Level 2 — Application

Problem 2.1

A model emits tokens; . Compute .

Recall Solution

. Above the usual threshold , so watermark detected (false-positive rate ).

Problem 2.2

Same , but this is a human essay with . Compute and decide.

Recall Solution

. Tiny — well inside normal random wobble. No watermark detected. Getting 104 green out of 200 by pure chance is completely ordinary.

Problem 2.3

Adding to a green token's logit. By roughly what factor does its softmax weight grow before renormalisation?

Recall Solution

Softmax weight is . Adding multiplies it by : For : . So each green token's raw weight is boosted about 7.4× before the denominator renormalises everything back to a probability distribution.

Problem 2.4

How many green tokens (out of ) are needed to just hit ?

Recall Solution

Solve : So you need 129 green tokens (round up, since gives ).


Level 3 — Analysis

Problem 3.1

A watermarked 300-token text has . A paraphraser rewrites it, leaving tokens. Suppose the green fraction among surviving tokens stays the same as the original. Find the original green count, the surviving green count, and the new .

Recall Solution

Original green count from , : Green fraction . Surviving green (same fraction over 240 tokens): . New : Watermark still strongly detected (). Fewer tokens shrinks (the in the denominator gets smaller slower than the numerator would if fraction held), but here the signal is strong enough to survive.

Problem 3.2

Explain, using the green-list construction, why paraphrasing actually hurts more than the simplified Problem 3.1 assumes.

Recall Solution

The green list at position is seeded by the previous token(s): . When a paraphraser changes , the green list at position changes too — so even a token you kept is now scored against a different list and is green only by chance (50%). One edit therefore corrupts not just that token but its neighbour's classification. Real paraphrase attacks push the surviving green fraction back toward 0.5, not "unchanged," making Problem 3.1's assumption optimistic. This coupling is the same fragility exploited by Adversarial examples.

Problem 3.3

Two texts both give . Text A has , Text B has . Which has the higher green fraction, and what does that say about needed watermark strength?

Recall Solution

Solve for each:

  • A: , fraction .
  • B: , fraction . Text A has the higher fraction (0.70 vs 0.60). Interpretation: short texts need a much stronger per-token bias to reach the same confidence, because — long texts accumulate weak evidence for free, short texts must lean hard on .

Level 4 — Synthesis

Problem 4.1

Design choice: you must watermark tweets (avg 40 tokens). What green fraction does your need to guarantee, so that a typical tweet reaches ? Assume exactly.

Recall Solution

Set with : You need about 82% of tokens green per tweet — an aggressive bias, meaning a large and noticeable quality loss. Synthesis insight: watermarking very short content forces a brutal quality/detectability tradeoff; often it's better to aggregate across many tweets from one account (raising effective ) than to hammer on one tweet.

Problem 4.2

A C2PA manifest signs . An attacker changes one pixel. Walk through what breaks and why verification returns FALSE, tying it to why watermarking and signing are complementary.

Recall Solution
  1. Verifier recomputes . A single-pixel change makes (SHA256 is avalanche-sensitive: one bit flips ~half the output).
  2. The stored signature only validates against the original . So .
  3. Complementarity: the signature detects any tampering but is trivially stripped (delete the manifest). The watermark stays inside the pixels and survives stripping, but only proves "an AI made this," not "exactly this file, unedited." Together: signature = integrity + identity when present; watermark = survivable origin signal. See Cryptographic signatures and Content moderation for how platforms stack both.

Level 5 — Mastery

Problem 5.1

Adaptive attacker. An attacker knows the green list is seeded by the previous token but not the secret key. They randomly replace a fraction of tokens with synonyms. Model surviving green fraction as , where is the original green fraction. For original tokens (kept count , ignoring length change), find the largest for which detection () still holds.

Recall Solution

Surviving tokens: . Green fraction . Factor: . With : The attacker can rewrite up to ≈21% of tokens before detection fails. The steep decay (not linear!) is the key mastery point: each edit hurts both the fraction and the sample size, so robustness collapses faster than intuition suggests. This is exactly the arms-race framing in AI regulation.

Problem 5.2

Full synthesis. In two sentences, argue why watermarking alone cannot guarantee provenance, referencing at least the strength/quality tradeoff and the strippability of signatures.

Recall Solution

Watermarks decay under paraphrase/compression and, for short or creative text, demand a so high that quality suffers before detection is reliable (Problems 4.1, 5.1), so any determined attacker can drive below threshold. Cryptographic signatures (Problem 4.2) prove integrity but are removable, and open-source models simply skip watermarking — so real provenance needs a layered system: embedded watermark + signed manifest + platform policy + Content moderation, never any single mechanism.

Recall Self-test recap

The whole detection story is one line ::: — effect size times evidence volume . Why signatures and watermarks are complementary ::: signatures prove integrity but strip off; watermarks survive stripping but only prove AI-origin, not exact-file integrity. Why short content is hard to watermark ::: , so tiny forces a large and wrecks text quality.