Megha M. Hegde
MIT EECS | Tenev Family Undergraduate Research and Innovation Scholar
Semantic Watermarking for Large Language Models
2025–2026
Electrical Engineering and Computer Science; Mathematics
- Security and Cryptography
Vinod Vaikuntanathan
This project addresses a structural vulnerability in current watermarking schemes for large language models. We are proposing a modification to the prefix-free binary encoding tree used in the Christ-Gunn PRC construction, grouping semantically similar tokens into synonym clusters so that all cluster members share a common watermarked path from the root, with the intra-cluster token choice left free. Synonym substitutions change only the un-watermarked portion of the encoding, leaving the PRC signal intact by construction. Synonym clusters are derived offline from cosine similarity in a pre-trained embedding space, requiring no modification to the underlying language model. We evaluate the scheme against embedding-based synonym substitution, Dipper paraphrase, and GPT-4 rewriting, comparing against the standard Christ-Gunn scheme and SemaMark, and demonstrate improved robustness while preserving the PRC framework’s formal undetectability guarantee.
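The encoding idea described above, as an added sketch that is not the project's own code: tokens are clustered by cosine similarity, every member of a cluster shares one path from the root, and only that shared path is read back, so a synonym swap changes nothing a detector would see. The embeddings, the 0.95 threshold, the greedy clustering rule and the fixed-width codes are all assumptions made for illustration; the PRC itself and the model's sampling are not modelled.

```python
import math

# Constructed toy embeddings (assumption): real clusters would be derived
# offline from a pre-trained embedding space.
EMB = {
    "big":   (0.90, 0.10, 0.00),
    "large": (0.88, 0.15, 0.02),
    "huge":  (0.85, 0.05, 0.10),
    "dog":   (0.00, 0.90, 0.10),
    "hound": (0.05, 0.88, 0.12),
    "runs":  (0.10, 0.00, 0.95),
}

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    return dot / (math.hypot(*u) * math.hypot(*v))

def cluster(emb, threshold=0.95):
    """Greedy clustering (hypothetical rule): join the first cluster whose
    seed token is at least `threshold` similar, else start a new cluster."""
    clusters = []
    for tok, vec in emb.items():
        for members in clusters:
            if cosine(emb[members[0]], vec) >= threshold:
                members.append(tok)
                break
        else:
            clusters.append([tok])
    return clusters

def bits(i, width):
    return format(i, "b").zfill(width) if width else ""

def build_codes(clusters):
    """Map token -> (shared cluster path, free intra-cluster suffix)."""
    k = max(1, math.ceil(math.log2(len(clusters))))
    codes = {}
    for ci, members in enumerate(clusters):
        s = math.ceil(math.log2(len(members)))  # 0 bits for a singleton
        for mi, tok in enumerate(members):
            codes[tok] = (bits(ci, k), bits(mi, s))
    return codes

def watermarked_path(tokens, codes):
    """Concatenate only the cluster bits; suffix bits carry no signal."""
    return "".join(codes[t][0] for t in tokens)

CODES = build_codes(cluster(EMB))
```
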
I am participating in SuperUROP to deepen my understanding of cryptography and its connections to machine learning security. My background in theoretical computer science and mathematics, along with prior exposure to coding theory, prepared me for this research. I hope to learn how to bridge formal cryptographic guarantees with practical robustness in real systems.
