Exercises — Watermarking and provenance
6.4.12 · D4· AI-ML › AI Safety & Alignment › Watermarking and provenance
Yeh page Watermarking and provenance ka self-test ladder hai. Har problem apna level clearly batata hai — L1 Recognition (kya tum ye words jaante ho?) se lekar L5 Mastery (kya tum kuch naya bana sakte ho?) tak. Pehle har ek ko paper pe solve karo, phir collapsible solution kholo.
Shuru karne se pehle, ek symbol jo hum har jagah use karte hain:

White bell woh hai jo unwatermarked text karta hai ( pe centred). Amber bell watermarked text hai (daayein shift hua). -score measure karta hai, bell-widths mein, ki ek sample white centre se kitna door hai.
Level 1 — Recognition
Problem 1.1
Har term ko uske ek-line kaam se match karo: (a) watermark, (b) provenance, (c) green list, (d) (watermark strength).
Recall Solution
- (a) watermark — ek chhupaaya hua, detectable signal jo content ke andar hi buna hota hai (copy/paste mein survive karta hai; metadata ki tarah yeh alag tag nahi hota).
- (b) provenance — poori history/chain-of-custody: kisne banaya, kab, kis tool se, kaunse edits ke saath.
- (c) green list — vocabulary ka woh subset jis taraf model ko kisi position pe nudge kiya jaata hai.
- (d) — woh number jo har green token ke logit (pre-softmax score) mein add hota hai; bada = zyada strong, zyada detectable, lekin lower-quality text.
Problem 1.2
Sahi hai ya galat: "Watermark aur C2PA metadata tag ek hi cheez hain kyunki dono prove karte hain ki content kahan se aayi."
Recall Solution
Galat. Dono provenance ko target karte hain, lekin watermark content ke andar embedded hota hai (choose kiye gaye words, perturbed pixels) isliye yeh tab bhi survive karta hai jab file copy ya re-save ho. C2PA metadata ek attached signed manifest hai jise re-upload karke strip kiya ja sakta hai. C2PA signature kaise banta hai yeh dekhne ke liye Cryptographic signatures dekho.
Problem 1.3
"No watermark" assumption ke andar, hum kitne fraction tokens ke green hone ki expect karte hain, aur exactly kyun?
Recall Solution
Exactly . Hash vocabulary ko roughly equal size ke do sets mein split karta hai, aur bina kisi bias ke model un tokens ko us split se independent choose karta hai — toh har token probability se green hota hai, jaise ek fair coin. Isliye white bell ke centre mein hota hai.
Level 2 — Application
Problem 2.1
Ek model tokens emit karta hai; . compute karo.
Recall Solution
. Usual threshold se upar hai, toh watermark detected (false-positive rate ).
Problem 2.2
Wahi , lekin yeh ek human essay hai jisme hai. compute karo aur decide karo.
Recall Solution
. Bahut chota — normal random wobble ke andar. No watermark detected. 200 mein se 104 green milna pure chance se bilkul ordinary hai.
Problem 2.3
Ek green token ke logit mein add karna. Renormalisation se pehle uska softmax weight roughly kitne factor se badhta hai?
Recall Solution
Softmax weight hai. add karne se yeh se multiply hota hai: ke liye: . Toh har green token ka raw weight denominator ke renormalise karne se pehle roughly 7.4× boost ho jaata hai.
Problem 2.4
mein se kitne green tokens chahiye taaki just mile?
Recall Solution
Solve karo : Toh tumhe 129 green tokens chahiye (round up, kyunki se milta hai).
Level 3 — Analysis
Problem 3.1
Ek watermarked 300-token text ka hai. Ek paraphraser use rewrite karta hai, tokens bachte hain. Maano ki surviving tokens mein green fraction original jaisi hi rehti hai. Original green count, surviving green count, aur naya nikalo.
Recall Solution
Original green count , se: Green fraction . Surviving green (240 tokens pe same fraction): . Naya : Watermark abhi bhi strongly detected hai (). Kam tokens ko shrink karte hain (denominator ka numerator se slow badhta hai agar fraction same rahe), lekin yahaan signal itna strong hai ki survive kar jaata hai.
Problem 3.2
Green-list construction use karke explain karo ki paraphrasing asliyat mein Problem 3.1 ke simplified assumption se zyada kyun hurt karta hai.
Recall Solution
Position pe green list previous token(s) se seed hoti hai: . Jab paraphraser change karta hai, toh position pe green list bhi change ho jaati hai — toh ek token jo tumne rakha tha woh bhi ab ek alag list ke against score hoga aur sirf chance se green hoga (50%). Ek edit isliye sirf us token ko nahi balki uske neighbour ki classification ko bhi corrupt kar deta hai. Real paraphrase attacks surviving green fraction ko 0.5 ki taraf wapas push karte hain, "unchanged" nahi, jo Problem 3.1 ka assumption optimistic banata hai. Yeh coupling wahi fragility hai jo Adversarial examples exploit karte hain.
Problem 3.3
Do texts dono ka hai. Text A ka hai, Text B ka hai. Kis ka green fraction zyada hai, aur yeh watermark strength ki zaroorat ke baare mein kya kehta hai?
Recall Solution
Dono ke liye solve karo:
- A: , fraction .
- B: , fraction . Text A ka fraction zyada hai (0.70 vs 0.60). Interpretation: short texts ko same confidence ke liye bahut stronger per-token bias chahiye, kyunki — long texts weak evidence free mein accumulate karte hain, short texts ko pe hard lean karna padta hai.
Level 4 — Synthesis
Problem 4.1
Design choice: tumhe tweets (avg 40 tokens) watermark karni hain. Tumhara kaisi green fraction guarantee kare, taaki ek typical tweet tak pahunche? Maano exactly hai.
Recall Solution
ke saath set karo: Tumhe roughly 82% tokens green chahiye har tweet mein — yeh ek aggressive bias hai, matlab bada aur noticeable quality loss. Synthesis insight: bahut short content ko watermark karna quality/detectability tradeoff ko brutal bana deta hai; aksar better hota hai ki ek account ke kai tweets aggregate karo (effective badhao) instead of ek tweet pe ko hammer karo.
Problem 4.2
Ek C2PA manifest sign karta hai. Ek attacker ek pixel change karta hai. Walkthrough karo ki kya toot ta hai aur kyun verification FALSE return karta hai, aur yeh watermarking aur signing kyun complementary hain isse jodo.
Recall Solution
- Verifier recompute karta hai. Ek single-pixel change bana deta hai (SHA256 avalanche-sensitive hai: ek bit flip karne se ~aadha output flip ho jaata hai).
- Stored signature sirf original ke against validate hoti hai. Toh .
- Complementarity: signature koi bhi tampering detect karta hai lekin trivially strip ho sakta hai (manifest delete karo). Watermark pixels ke andar rehta hai aur stripping survive karta hai, lekin sirf prove karta hai "AI ne banaya," nahi ki "exactly yeh file, unedited." Saath mein: signature = integrity + identity jab present ho; watermark = survivable origin signal. Dekho Cryptographic signatures aur Content moderation ki platforms dono kaise stack karte hain.
Level 5 — Mastery
Problem 5.1
Adaptive attacker. Ek attacker jaanta hai ki green list previous token se seed hoti hai lekin secret key nahi jaanta. Woh randomly fraction tokens ko synonyms se replace karta hai. Surviving green fraction ko model karo ke roop mein, jahan original green fraction hai. original tokens ke liye (kept count , length change ignore karo), largest nikalo jis tak detection () abhi bhi hold kare.
Recall Solution
Surviving tokens: . Green fraction . Factor karo: . ke saath: Attacker detection fail karne se pehle ≈21% tak tokens rewrite kar sakta hai. Steep decay (linear nahi!) key mastery point hai: har edit dono — fraction aur sample size — ko hurt karta hai, toh robustness intuition se zyada tezi se collapse hoti hai. Yeh bilkul wahi arms-race framing hai jo AI regulation mein hai.
Problem 5.2
Full synthesis. Do sentences mein argue karo ki watermarking akela provenance guarantee nahi kar sakta, kam se kam strength/quality tradeoff aur signatures ki strippability ka reference do.
Recall Solution
Watermarks paraphrase/compression mein decay karte hain aur, short ya creative text ke liye, itna bada demand karte hain ki quality suffer kare detection reliable hone se pehle (Problems 4.1, 5.1), toh koi bhi determined attacker ko threshold ke neeche drive kar sakta hai. Cryptographic signatures (Problem 4.2) integrity prove karte hain lekin removable hain, aur open-source models watermarking simply skip karte hain — toh real provenance ke liye ek layered system chahiye: embedded watermark + signed manifest + platform policy + Content moderation, koi bhi ek mechanism akela kaam nahi karega.
Recall Self-test recap
Poori detection story ek line hai ::: — effect size times evidence volume . Signatures aur watermarks complementary kyun hain ::: signatures integrity prove karte hain lekin strip ho jaate hain; watermarks stripping survive karte hain lekin sirf AI-origin prove karte hain, exact-file integrity nahi. Short content ko watermark karna mushkil kyun hai ::: , toh chota bada force karta hai aur text quality kharab ho jaati hai.