Search papers, labs, and topics across Lattice.
The paper introduces SeedHijack, a novel supply-chain attack against LLM watermarking schemes that compromises the pseudo-random number generator (PRNG) used for green-list selection. This attack is blind, integrity-preserving, and orthogonal to content-side detection, allowing for amplification of the watermark signal without altering the generated text or triggering existing detectors. Experiments across various watermarking schemes and LLMs demonstrate that SeedHijack can significantly inflate the watermark z-score while remaining undetectable, highlighting the critical importance of PRNG integrity in cryptographic content-provenance systems.
LLM watermarks, meant to prove AI authorship, can be silently amplified by attackers who compromise the pseudo-random number generator, making models appear to generate more watermarked text than they actually do.
Cryptographic watermarking is a leading defense for attributing text generated by large language models (LLMs). Existing schemes, including KGW, Unigram, and DipMark, derive their security guarantees from the assumption that the underlying pseudo-random number generator (PRNG) is trustworthy. This work introduces SeedHijack, the first supply-chain attack on LLM watermarking that is simultaneously (i) blind -- requiring no knowledge of the watermark key, detector, or model logits, (ii) integrity-preserving -- amplifying rather than erasing the watermark signal, and (iii) orthogonal to detection -- the attack-induced bias is statistically independent of all content-side detector statistics, ensuring that amplification and evasion coexist without trade-off. Rather than perturbing generated text, SeedHijack replaces the PRNG at the supply-chain layer, biasing green-list selection without altering output tokens or degrading text quality. Across three watermarking schemes and three open-source LLMs, the attack triggers 0/6 state-of-the-art content-side statistical detectors while inflating the watermark z-score up to 2.42x (system-level defenses such as entropy-source attestation remain orthogonal and complementary). A quantum random number generator (QRNG) countermeasure is shown to fully neutralize the attack while preserving benign watermarking utility. These findings establish PRNG integrity as a first-class security requirement for cryptographic content-provenance systems.