6.4.12 · HinglishAI Safety & Alignment

Watermarking and provenance

2,680 words12 min readRead in English

6.4.12 · AI-ML › AI Safety & Alignment

Watermarking Kya Hai?

Text Watermarking Kaise Kaam Karta Hai (Derivation)

Challenge yeh hai: Text discrete hai (words/tokens), images ki tarah continuous nahi. Hum seedha noise nahi add kar sakte. Hume ek aisi method chahiye jo:

  • Generation time par kaam kare (jab model tokens pick karta hai)
  • Text quality mein koi bada fark na aaye
  • Statistically detectable ho

Green-Red List Method (Kirchenbauer et al., 2023)

Step 1: Vocabulary ko partition karo

Har token position ke liye, pehle token(s) ko seed ki tarah use karo taaki vocabulary ko do sets mein hash kiya ja sake:

  • Green list (promoted tokens)
  • Red list (demoted tokens)

use karo partition ke liye: agar , to .

Yeh step kyun? Hume aisi randomness chahiye jo context par depend kare (taaki har position ke liye alag ho) lekin reproducible bhi ho (taaki baad mein verify kar sakein). Secret key ensure karta hai ki sirf authorized parties hi verify kar sakein.

Step 2: Sampling ko bias karo

Jab model token generate karta hai, sampling se pehle logits modify karo:

\text{logit}(w) + \delta & \text{if } w \in \mathcal{G}_t \\ \text{logit}(w) & \text{if } w \in \mathcal{R}_t \end{cases}$$ jahan $\delta > 0$ ==watermark strength== hai (typically $\delta = 2.0$). **Yeh step kyun?** Green tokens mein $\delta$ add karne se unki probability softmax ke zariye badh jaati hai: $$P(w) = \frac{e^{\text{logit}'(w)}}{\sum_{w'} e^{\text{logit}'(w')}}$$ Agar $\text{logit}'(w) = \text{logit}(w) + \delta$, to $P'(w) = P(w) \cdot e^\delta / Z$ jahan $Z$ ek normalization factor hai. $\delta=2$ ke liye, yeh probability ko $\sim e^2 \approx 7.4$ times boost karta hai. **Step 3: Detection** $N$ tokens ke kisi text ke liye, count karo ki kitne tokens apne respective green lists mein se hain: $$z = \frac{|\{t : w_t \in \mathcal{G}_t\}| - N/2}{\sqrt{N/4}}$$ **Yeh formula kyun?** Null hypothesis ke under (koi watermark nahi), har token ka 50% chance hai ki woh green ho (random partition). Yeh ek binomial distribution hai: - Mean: $\mu = N/2$ - Variance: $\sigma^2 = N \cdot (1/2) \cdot (1/2) = N/4$ $z$-score measure karta hai ki hum expected random baseline se kitne standard deviations upar hain. Watermarked text ke liye, $z \gg 0$ (typically $z > 4$ bahut strong evidence hai). ![[6.4.12-Watermarking-and-provenance.png]] >[!formula] Watermark Detection Threshold >$$z = \frac{n_{\text{green}} - N/2}{\sqrt{N/4}} = \frac{2n_{\text{green}} - N}{\sqrt{N}}$$ >Watermark detect karo agar $z > z_{\text{threshold}}$ (e.g., $z_{\text{threshold}} = 4$ deta hai $p< 0.003$ false positive rate). > >**Derived from**: Central Limit Theorem jo binomial distribution par apply hota hai. Jaise $N \to \infty$, green-list tokens ki distribution $\mathcal{N}(N/2, N/4)$ ke paas aati hai. ## Image Watermarking **Do main approaches hain**: ### 1. Latent Diffusion Watermarking Generation ke dauran latent space mein ek signal inject karo: $$z_t = z_t + \alpha \cdot w$$ jahan $w$ ek learned watermark pattern hai, $\alpha$ strength hai. **Yeh kaam kyun karta hai**: Decoder ko train kiya jaata hai taaki image generation process ke through yeh pattern preserve ho sake. Extraction ek trained neural network use karta hai jo output image mein pattern recognize karta hai. ### 2. Stable Signature (Meta ka approach) Pixel space mein imperceptible perturbations add karo jo image transformations ke baad bhi bachein: $$I' = I + \epsilon \cdot \text{sign}(\nabla_I L_{\text{detect}})$$ jahan $L_{\text{detect}}$ ek loss hai jo ensure karta hai ki ek detector network ek specific message extract kar sake. **Robustness**: JPEG compression, cropping, blurring, aadi ke against adversarially trained. >[!example] Text Watermarking Example >**Scenario**: GPT ek 200-token essay generate karta hai $\delta = 2.0$ watermark strength ke saath. >**Generation**: >- Token 1: Previous context → hash → 50% vocab green hai. "The" green hai (boosted), select hua. >- Token 2: "The" → naya hash → alag green list. "cat" green hai (boosted), select hua. >- ... (repeat) > >**Detection**: >- Green tokens count karo: 200 mein se 125 >- $z = (125 - 100) / \sqrt{50} = 25 / 7.07 \approx 3.54$ >- **Interpretation**: Random se 3.54 standard deviations upar → $p = 0.0002$ → watermark ka strong evidence. > >**Yeh detection kaam kyun karta hai**: Random text mein $\sim 100 \pm 7$ green tokens honge. 125 dekhna statistically bahut unlikely hai bina watermarking ke. >[!example] Attack Scenario: Paraphrasing >**Attack**: User watermarked text leta hai, use paraphrase karne ke liye doosre AI ko deta hai. > >**Sawaal**: Kya watermark survive karta hai? >**Analysis**: >- Agar paraphraser 40% tokens change kare, to 120 original tokens bacha rahe hain >- Unme se ~75 green the (agar original mein 125/200 the) >- Plus 40 naye tokens random 50% green ke saath → +20 >- Total: 160 tokens mein se 95 green >- $z = (95 - 80) / \sqrt{40} = 15/6.32 \approx 2.37$ >**Result**: Abhi bhi detectable hai, lekin weak. **Kyun**: Green-list positions pehle ke tokens par depend karti hain—jab tokens change karte hain, to positions bhi change hoti hain jo green tokens expect karti hain, aur signal ka kuch hissa toot jaata hai. > >**Mitigation**: Hashing ke liye longer context windows use karo (zyada robust) ya higher $\delta$ (stronger signal). >[!mistake] Galti: "Watermarks misuse rokta hai" >**Intuitive (galat) idea**: "Agar hum sab AI content watermark kar dein, to log fake news ke liye AI ka misuse nahi kar sakte." > >**Yeh sahi kyun lagta hai**: Detection = prevention, sahi hai na? > >**Haqeeqat yeh hai**: Watermarks sirf AI content create hone ke baad use *detect* karne mein help karte hain. Yeh nahi rokta: >- Koi watermark remove kare (adversarial attack) >- Open-source models jisme watermarking nahi hai >- AI ka private harmful content ke liye use (koi check nahi karta) > >**Fix**: Watermarks defense ki *ek layer* hain. Hume yeh bhi chahiye: >- Platform policies (publishing ke liye watermarking zaroori karein) >- Education (media literacy) >- Legal frameworks (kuch contexts mein unmarked AI content ke liye liability) > >Watermarks ko seatbelts ki tarah socho: kuch galat hone par help karte hain, lekin accident nahi rokta. >[!mistake] Galti: "Watermarks quality degrade nahi karte" >**Intuitive (galat) idea**: "Logits mein $\delta = 2$ add karna bahut chhota hai, insaan notice nahi karega." > >**Yeh sahi kyun lagta hai**: 50k tokens ki vocabulary mein, 25k ko $\delta=2$ se bias karna negligible lagta hai. > >**Haqeeqat yeh hai**: Quality *sach mein* degrade hoti hai, khaaskar: >- Poetry/creative writing (restricted word choice) >- Technical content (kam precise terms force karna) >- Choti vocabularies wali languages > >**Measurement**: Perplexity 5-15% tak badhti hai. Human evaluators 20-30% cases mein "thoda zyada awkward" phrasing notice karte hain. >**Tradeoff**: Lower $\delta$ → better quality lekin harder detection. Higher $\delta$ → easy detection lekin worse quality. Optimal $\delta$ use case par depend karta hai (chatbot vs. creative writing). ## Provenance Systems ### C2PA (Coalition for Content Provenance and Authenticity) Cryptographically-signed metadata attach karne ka ek standard: $$\text{Manifest} = \{ \text{content}, \text{author}, \text{timestamp}, \text{edits}, \text{signature} \}$$ **Signing kaise kaam karta hai**: 1. Content hash karo: $h = \text{SHA256}(\text{content})$ 2. Private key se sign karo: $s = \text{Sign}_{\text{private}}(h)$ 3. $(h, s, \text{public\_key})$ ko metadata ki tarah attach karo 4. Verification: $\text{Verify}_{\text{public}}(h, s) = \text{TRUE/FALSE}$ **Yeh kaam kyun karta hai**: Cryptographic signatures ensure karte hain ki agar content YA metadata change ho, to verification fail ho jaaye. Yeh prove karta hai "yeh content is source se is time par aaya." **Limitation**: Platforms aur cameras/tools sab ko adopt karna zaroori hai. Metadata strip kiya ja sakta hai (though woh khud detect ho jaata hai—"signature kyun nahi hai?"). >[!example] Provenance Chain Example >**Scenario**: Ek news photo multiple edits se guzarti hai. > >**Step 1**: Camera image capture karta hai → C2PA manifest ke saath sign karta hai >- Manifest: {content_hash: 0x3f2a.., device: "Canon EOS R5", timestamp: 2026-07-01T00:30:00Z, signature: 0x8b4c...} > >**Step 2**: Editor crop karta hai aur color adjust karta hai → chain mein add karta hai >- New manifest: {previous_hash: 0x3f2a..., edits: ["crop(100,100,500)", "brightness(+10)"], editor: "Adobe Photoshop", timestamp: 2026-07-01T02:15:00Z, signature: 0x2d9f...} > >**Step 3**: AI resolution upscale karta hai → chain mein add karta hai >- New manifest: {previous_hash: 0x2d9f..., edits: ["ai_upscale(model=Gigapixel)"], timestamp: 2026-07-01T02:45:00Z, signature: 0x7e1a...} > >**Verification**: Har step ki signature authenticity confirm karta hai. Viewer poora history dekhta hai: "Original photo → human ne crop ki → AI-upscaled." Trust bana rehta hai kyunki kuch bhi chhupaaya nahi gaya. ## Watermarks ke Types | Type | Method | Robustness | Quality Impact | |------|------------|-------------| | ==Statistical== (text) | Biased token sampling | Medium (paraphrase se vulnerable) | Low-Medium | | ==Latent== (images) | Generation space mein embedded | High (transforms ke baad bhi bachta hai) | Very Low | | ==Perceptual== (images) | Pixel-space perturbations | Very High (adversarially trained) | Low | | ==Cryptographic== Signed hashes/metadata | Perfect (jab tak strip na ho) | None (alag) | ## Watermarking Mushkil Kyun Hai **Fundamental tension**: $$\text{Detectability} \propto \text{Signal Strength} \propto \text{Quality Degradation}$$ Hum chahte hain high detectability aur zero quality loss—lekin information theory kehti hai dono ek saath perfectly nahi ho sakte. **Attack surface**: 1. **Removal attacks**: Adversarial networks watermarks hatane ke liye train hoti hain 2. **Substitution attacks**: Watermarked content ko non-watermarked version se replace karo 3. **Collusion attacks**: Multiple models ke outputs mix karo taaki watermarks dilute ho jaayein 4. **Evasion**: Seedha aisi models use karo jisme watermarks nahi hain (open-source) **Arms race**: Watermark designers unhe robust banate hain → attackers weaknesses dhundhte hain → designers patch karte hain → attackers adapt karte hain. Koi "perfect" watermark nahi hai, sirf "abhi ke liye kaafi acha" hai. >[!recall]- Ek 12-saal ke bachche ko explain karo >Socho tum cookies bana rahe ho ek special cookie cutter se jo neeche ek tiny mark chhodta hai—jaise ek star pattern. Jab tum cookie ko normally dekho, to woh nazar nahi aata. Lekin magnifying glass use karo, to wahan hai! > >AI content ko watermark karna kuch aisa hi hai. Jab ek AI koi story likhta hai ya picture banata hai, hum usme ek secret pattern daal sakte hain. Insaan nahi bata sakta ki woh wahan hai, lekin special computer programs dekh ke keh sakte hain "Haan, yeh AI ne banaya hai!" > >Hume yeh kyun chahiye? Socho agar koi AI se fake news stories likhwaye aur dikhaye ki woh real hain. Ya kisi ki fake videos banaye jisme woh kuch aisa bol rahe hain jo unhone kabhi kaha hi nahi. Watermarks hume jaanne mein help karte hain ki "yeh AI se aaya hai" taaki hum fool na hoon. > >Lekin tricky part yeh hai: bure log watermarks hatane ki koshish karte hain, jaise cookie ke neeche se star pattern wash karna. To watermarks banane wale logo ko bahut clever hona padta hai aur pattern itni acchi jagah chhupaana padta hai ki woh wash bhi na ho, chahe koi kitni bhi koshish kare. >[!mnemonic] WATERMARK >**W**hy: AI ko human se alag karo >**A**lgorithm: token/pixel selection ko bias karo >**T**rade-off: detectability vs. quality >**E**vasion: attacks use hatane ki koshish karte hain >**R**obustness: modifications ke baad bhi bachta hai >**M**etadata: alag approach (C2PA) >**A**rms race: continuous improvement >**R**egulation: legally required ho sakta hai >**K**ey: verification ke liye secret parameter ## Real-World Applications 1. **Education**: AI-written essays detect karo 2. **News media**: Image authenticity verify karo 3. **Legal**: Document provenance prove karo 4. **Social media**: AI-generated content label karo 5. **Copyright**: AI-created art usage track karo ## Open Problems - **Adversarial robustness**: Kya hum watermarks ko unremovable bana sakte hain? - **Multi-modal**: Text+image+audio ko ek saath watermark karein? - **Privacy**: Watermarks model ya user ke baare mein info leak kar sakte hain - **Standardization**: Industry-wide adoption chahiye (abhi fragmented hai) --- ## Connections - [[Model fingerprinting]] - related technique jo identify karta hai ki kaunse model ne content banaya - [[AI-generated content detection]] - broader problem jisme watermarking help karta hai - [[Adversarial examples]] - techniques jo watermarks attack karne ke liye use hoti hain - [[Cryptographic signatures]] - watermarks ka complement provenance ke liye - [[Content moderation]] - watermarks platforms ko policies enforce karne mein help karte hain - [[AI regulation]] - watermarking legally mandated ho sakta hai - [[Information theory]] - watermark capacity ki fundamental limits --- ## #flashcards/ai-ml AI content mein watermark kya hota hai? :: Ek detectable signal jo AI-generated content mein embed kiya jaata hai jo modifications ke baad bhi bachta hai, humans ko nazar nahi aata, aur provenance prove karta hai. Green-red list watermarking method kaise kaam karta hai? ::: Vocabulary ko green (promoted) aur red (demoted) lists mein partition karo previous tokens + secret key ke basis par, generation ke dauran green logits ko δ se boost karo, green tokens count karke detect karo. Watermark detection ke liye z-score formula kya hai? ::: z = (n_green - N/2) / sqrt(N/4), jahan n_green green tokens ki count hai aur N total tokens hain. Random baseline se standard deviations measure karta hai. Watermarks perfect kyun nahi ho sakte (fundamental limit)? ::: Information theory: detectability signal strength ke proportional hai, jo quality degradation ke proportional hai. Teeno ko ek saath maximize nahi kar sakte. AI content mein provenance kya hai? ::: Content ka poora history: kisne banaya, kab, kis tool se, aur kya modifications ki gayin—"chain of custody." C2PA kya hai? ::: Coalition for Content Provenance and Authenticity—content ka origin aur edit history prove karne ke liye cryptographically-signed metadata attach karne ka ek standard. Watermarks par teeno attacks ke naam batao :: (1) Removal attacks (adversarial networks), (2) Substitution attacks (non-watermarked se replace karo), (3) Collusion attacks (multiple model outputs mix karo). Text watermarks ke liye paraphrasing ek challenge kyun hai? ::: Tokens change karne se positions change ho jaati hain jo green tokens expect karti hain (hash pehle ke tokens par depend karta hai), watermark signal ka kuch hissa toot jaata hai aur detection z-score kam ho jaata hai. Watermarks aur metadata mein kya fark hai? ::: Metadata easily strip kiya ja sakta hai; watermarks content mein hi bun jaate hain aur cropping ya compression jaise modifications ke baad bhi bachte hain. Watermark detection mein z-score of 4 ka kya matlab hai? ::: Expected random baseline se 4 standard deviations upar, jo p < 0.00003 false positive rate ke barabar hai—watermarking ka bahut strong evidence. ## 🖼️ Concept Map ```mermaid flowchart TD P[Provenance chain of custody] -->|enables trust in| C[AI content problem] W[Watermarking] -->|proves| P W -->|embedded in| CN[Content itself] CN -->|survives| M[Modifications] W -->|imperceptible unlike| MD[Metadata can be stripped] W -->|implemented via| GR[Green-Red list method] GR -->|Step 1 partition| V[Vocabulary hashed by prev token] V -->|uses| K[Secret key seed] GR -->|Step 2 bias logits| D[Add delta to green tokens] D -->|boosts probability via| S[Softmax sampling] GR -->|Step 3| DET[Detection z-score] DET -->|counts| G[Green list tokens over N] ```