Key points
- CDG-KD is a single framework that both erases and forges an LLM watermark, purely through knowledge distillation, without ever touching the victim model’s weights or decoding process.
- The attack rides on watermark radioactivity, the tendency of a distilled student to inherit the statistical fingerprint of its watermarked teacher, and simply points that inheritance in either direction.
- A contrastive decoding step, guided by a probability threshold and a trained watermark discriminator, sorts tokens into watermark heavy and watermark light groups before the student ever learns from them.
- Across KGW, Unigram, and SynthID-Text watermarks, the scrubbed student’s detection p values land close to an unwatermarked baseline while accuracy on ARC Challenge, TruthfulQA, and TinyGSM8K stays within a few points of ordinary distillation.
- On harmful prompt sets, the spoofed student keeps a strong watermark signal while its rate of producing a non refused answer jumps from under ten percent to over sixty percent, raising the odds that a safety aligned provider gets blamed for content it never generated.
The core problem, and why it is not just an academic curiosity
Generative watermarking has become the default answer to a question every LLM provider eventually faces. If someone copies my model’s outputs, how do I prove it. Methods like KGW nudge token probabilities toward a hidden green list of words, so a detector running a statistical test on a suspicious document can flag it with a p value most readers would recognize from a science class. Sampling based schemes such as SynthID-Text take a different route, biasing the random choices made during generation rather than the probabilities themselves. Either way, the promise is the same. Generate text however you like, and a faint, checkable signature rides along for free.
A few years ago researchers noticed something else rides along too. When a smaller model is trained on a watermarked teacher’s outputs, a process everyone calls knowledge distillation, the student often keeps a detectable trace of the teacher’s watermark even though nobody told it to. This effect was first described for image classifiers by Sablayrolles and colleagues under the name radioactive data, then carried over to text generation, where it became known as watermark radioactivity. On the surface that sounds like good news for providers, since it means even a stolen or cloned model can sometimes still be traced. The paper reviewed here, Unified attacks to large language model watermarks by Xin Yi, Yue Li, Shunfan Zheng, Linlin Wang, Xiaoling Wang, and Liang He, argues the same mechanism is a liability once an attacker realizes they can steer it.
Two very different goals fall out of that realization. A scrubbing attack tries to make the student’s writing look completely unwatermarked, erasing the paper trail. A spoofing attack does the opposite, trying to make a student’s harmful output look strongly watermarked, so that if anyone notices, suspicion lands on the original safety aligned provider rather than the attacker who actually built and released the misbehaving model. Most prior defenses were built with only the first threat in mind. This paper treats both as two sides of the same coin.
Background, and why earlier attacks fell short
Watermarking methods for LLMs generally sort into two families. The KGW family, named after Kirchenbauer and colleagues’ 2023 paper, partitions the vocabulary into green and red token sets at each generation step and biases sampling toward green. Unigram, proposed by Zhao and colleagues, uses a single fixed green red split across the whole vocabulary instead of a rotating one, which turns out to matter a great deal later in this story. The Christ family, including SynthID-Text from Google DeepMind and earlier work by Christ, Gunn, and Zamir, instead manipulates the pseudo random numbers that drive sampling itself, leaving statistical fingerprints in the choices made rather than the raw probabilities.
On the attack side, Jovanović and colleagues showed that a watermark’s hidden pattern could be reverse engineered by querying a model repeatedly and comparing its watermarked and unwatermarked output distributions, a method the CDG-KD authors refer to as WS. That approach can scrub or spoof, which is exactly the dual capability this new paper wants, but it needs access to both a watermarked and an unwatermarked version of the same model’s next token distribution for the same prompt, an assumption that rarely holds against a real commercial API. Separately, Pan and colleagues demonstrated that a distilled student really can both inherit and later strip a watermark, but their method alters the sampling strategy at generation time, which adds latency, and it only ever addresses removal rather than forgery. CDG-KD’s contribution is closing that gap. It needs nothing but ordinary API access to the watermarked teacher, and it produces two separate, ready to deploy student models rather than one model that only knows how to do one thing.
How CDG-KD actually works
The framework runs in three stages, and each one earns its place in the pipeline.
Stage one, building a strong and a weak reference model
The attacker first distills an ordinary student model from the watermarked teacher using standard sample based knowledge distillation. Because of radioactivity, this student, called theta sub s in the paper, naturally inherits a moderate watermark signal without anyone trying to make that happen. The attacker then takes an existing paraphrase based scrubbing method, the paper tests Dipper, Pegasus, and Parrot, and uses it to further weaken that signal, producing a second reference model called theta sub a. Neither of these two models is the final product. They exist purely to give the next stage two different opinions to argue with.
Stage two, contrastive decoding with token level constraint fusion
This is the mechanical heart of the paper. At every generation step, the framework compares what the strongly watermarked model theta sub s would say next against what the weakly watermarked model theta sub a would say next, then mixes the two log probability distributions with a modulation weight beta.
Scrubbing direction, pulling toward the weak reference
$$P_{\theta_{scrub}}(x_t \mid x_{<t}) = \mathrm{softmax}\Big[(1+\beta)\log P_{\theta_a}(x_t \mid x_{<t}) – \beta \log P_{\theta_s}(x_t \mid x_{<t})\Big]$$Spoofing direction, pulling toward the strong reference
$$P_{\theta_{spoof}}(x_t \mid x_{<t}) = \mathrm{softmax}\Big[(1+\beta)\log P_{\theta_s}(x_t \mid x_{<t}) – \beta \log P_{\theta_a}(x_t \mid x_{<t})\Big]$$Applying that shift to every single token would wreck fluency, since plenty of tokens have nothing to do with the watermark at all and only a narrow contrastive nudge is safe to apply. So the authors add what they call token level constraint fusion, which keeps a candidate token only if two conditions both hold. First, a probability threshold lambda requires the token to still be reasonably likely under the contrastively adjusted distribution, so the sentence does not wander into nonsense. Second, a small trained discriminator scores how watermarked the sequence so far looks, and a gate function only lets a token through if that score moves in the direction the attack wants, blocked from flipping back and forth by checking two consecutive steps at once for stability.
The valid token subset at each step
$$\mathrm{valid} = \Big\{x_t : \log P_{\theta^*}(x_t \mid x_{<t}) \ge \lambda \max_w \log P_{\theta^*}(w \mid x_{<t}), \ \Gamma_{mode}(s_{t-1}, s_t) \le 0 \Big\}$$Everything outside that surviving set gets zeroed out and the remaining probability mass is renormalized. Run this process across a batch of prompts and two new datasets fall out, one full of text with the watermark deliberately corrupted, and one full of text with the watermark deliberately amplified.
Stage three, dual path distillation
The final step is almost anticlimactic after all that machinery. The corrupted dataset trains a fresh student model, called theta sub scrub, with ordinary cross entropy loss. The amplified dataset trains a second fresh student, theta sub spoof, the same way.
The two training objectives, both standard cross entropy
$$\mathcal{L}_{scrub} = -\mathbb{E}_{(x,y)\sim D_u}\sum_t \log P_{\theta_{scrub}}(y_t \mid y_{<t}, x)$$ $$\mathcal{L}_{spoof} = -\mathbb{E}_{(x,y)\sim D_w}\sum_t \log P_{\theta_{spoof}}(y_t \mid y_{<t}, x)$$Because the contrastive decoding work happens once, offline, while building the training data, the two resulting student models pay no extra cost at inference time. They generate exactly like any other fine tuned model. The paper backs this up with a small theoretical argument, showing the underlying divergence between the contrastive distribution and its intended target is convex in beta, which guarantees a useful nonzero beta exists whenever the initial nudge points in a helpful direction. It is a tidy justification for treating beta as tunable rather than fixed.
What the experiments actually show
The victim model in all experiments is GLM-4-9B-Chat, with LLaMA-3.2-1B and Qwen-2.5-1.5B as the student architectures. The team tested three watermark families, KGW at prefix lengths one, two, and three, Unigram, and SynthID-Text, and measured both detection strength through median p values and downstream usefulness through ARC Challenge, TruthfulQA, and TinyGSM8K.
The scrubbing results are the most striking part of the paper. Plain sample based distillation, labeled SKD in the tables, leaves KGW at prefix length one so detectable that its p value sits around two times ten to the negative ten, essentially a certainty. CDG-KD pushes that same setting up to roughly 0.35 on the C4 completion set, well inside the range where a real unwatermarked document would land. Unigram proves harder to shake off entirely, landing around 0.04, but that is still a dramatic improvement over the roughly five times ten to the negative thirty four SKD leaves behind.
| Watermark | Vanilla, no watermark | Plain distillation, SKD | CDG-KD, full method |
|---|---|---|---|
| KGW, prefix length 1 | 0.588 | 2.22e-10 | 0.348 |
| KGW, prefix length 2 | 0.500 | 6.85e-4 | 0.500 |
| Unigram | not applicable | 0.134 | 0.043 |
| SynthID-Text, N=2 | 0.303 | 7.72e-4 | 0.104 |
Usefulness holds up well too. On TruthfulQA, the CDG-KD student trained under the KGW prefix length one setting scores 42.0, a few points below the 45.3 that unattacked distillation reaches but comfortably above the 37.7 of a vanilla student with no distillation at all. Across every configuration the authors tried, the gap between CDG-KD and plain distillation, which they label delta, stays under about three and a half points, which is a small price for effectively erasing a supposedly permanent fingerprint.
The spoofing side flips the goal but tells a consistent story. GLM-4-9B-Chat itself, playing the safety aligned victim, refuses hard enough that its rate of giving a usable answer to harmful prompts from HarmfulQ and AdvBench sits under ten percent, while its watermark is naturally near certain to detect since it is, after all, the real watermarked model. A CDG-KD spoofed student built on the KGW prefix length one setting keeps a similarly strong watermark signal, with a p value around five times ten to the negative fifteen, while its rate of producing a non refused answer to those same harmful prompts climbs to roughly 94 percent. Read that pairing again. Strong watermark, high willingness to answer a harmful prompt, and none of it came from the actual victim model.
Key takeaway
The p value based detectors that most watermarking papers lean on turned out to be the least robust piece of the whole pipeline in this study. A discriminator trained directly to classify watermarked versus clean text stayed far more stable across attack conditions, which is a real hint to providers that hypothesis testing alone is not enough.Why the discriminator numbers matter more than they first appear
Buried in the analysis section is a finding that deserves more attention than a single table usually gets. The authors trained four separate discriminators, built on BERT, GPT-2, T5, and LLM2Vec, purely to classify whether a piece of text carries a given watermark, sidestepping the classic hypothesis test entirely. For Unigram, every single backbone hits above ninety percent classification accuracy, which the authors trace to its fixed, globally consistent green red split, a pattern that is comparatively easy to learn. KGW at longer prefix lengths is a tougher target for BERT, GPT-2, and T5, which land in the sixty to seventy percent range, yet LLM2Vec still reaches around 77 to 78 percent, suggesting it picks up on subtler token level regularities the others miss.
The more important comparison is between this discriminator approach and the standard p value test under attack conditions. The paper shows p value detection degrading sharply as the KGW prefix length grows, while discriminator accuracy stays comparatively steady across the same configurations, and holds especially well for SynthID-Text, where it settles around eighty percent in both scrubbing and spoofing settings. For anyone building or auditing a watermarking system, that is a genuinely actionable signal. A single statistical test is a fragile single point of failure, and a learned classifier trained on realistic attack data is a meaningfully sturdier backstop.
Sentence level watermarks are not the easy fix they look like
It is tempting to assume the fix is simply switching to a sentence level scheme like SemStamp or its clustering based variant k-SemStamp, both of which resist paraphrasing attacks better than token level methods. The paper’s Table 11 complicates that story. Sentence level watermarking carries a huge computational cost, with SemStamp and k-SemStamp running roughly 35 and 24 times slower per forward pass than KGW respectively, which rules them out for anything latency sensitive. More surprisingly, their radioactivity is actually weaker in the useful direction. After plain sample based distillation, SemStamp’s p value only drops to about 0.386 and k-SemStamp’s to about 0.271, both still fairly close to a random baseline, compared to KGW at prefix length three landing near 0.134. A watermark that barely survives distillation in the first place is not much of a tracing tool no matter how attack resistant its detection test is.
Hyperparameters, generation length, and where the attack breaks down
The two knobs that matter most, beta and lambda, trade attack strength for text quality in a fairly predictable way. Pushing beta higher steadily reduces watermark detectability under scrubbing and increases it under spoofing, but past a point it starts visibly hurting TruthfulQA scores, and the authors settle on beta around 0.5 for scrubbing and 1.0 for spoofing under the KGW prefix length one setting, with the full grid documented in their appendix for every watermark and configuration they tested. Generation length matters too. Both attacks look weak on short outputs, but the gap between an unwatermarked baseline and the spoofed student’s detectability widens sharply once generations pass roughly 150 tokens, meaning a provider scanning only short snippets would likely miss the manipulation entirely.
The paper is refreshingly candid about where the method struggles. Spoofing attacks against KGW fail more often on low entropy text, meaning outputs where the model is already very confident about the next word, since there simply is not enough room in the probability distribution to nudge things around without breaking coherence. Sample based watermarks like SynthID-Text turn out to be the harder overall target, since the student has to reproduce an abstract sampling behavior rather than a surface level token preference, and the authors note attack success there depends heavily on using a high enough learning rate during the final distillation step.
Honest limitations of this study
The authors flag several constraints themselves, and it is worth taking them seriously rather than treating the paper as a finished threat model.
- Query budget is a real barrier in commercial settings. Building the 32,000 question and answer training corpus used here requires a substantial number of calls to the victim API, and providers that meter or rate limit access make that expensive, even though the distillation itself only needs to happen once per attacker rather than once per attack.
- Training time overhead is nontrivial. The contrastive decoding and discriminator guided stages add real cost during the offline attack phase, though the authors are careful to note the final scrub and spoof students run at ordinary speed once deployed, since no extra machinery survives into the released model.
- The study does not model an adaptive defender. Every result assumes a static watermark and a static detector. A provider that retrains its discriminator, adds output side filtering, or rotates its watermarking scheme in response to suspected theft was not tested here, and the authors point to emerging anti distillation research, including recent work on defensive output generation, as an open direction rather than a solved problem.
- All primary results come from a single teacher, GLM-4-9B-Chat, with a secondary check on Qwen2.5-1.5B in the appendix. Whether the same numbers hold for much larger frontier teachers or very different architectures is not established here.
Reference implementation, CDG-KD core mechanics in PyTorch
The snippet below is a compact, runnable stand in for the paper’s three core mechanics. It uses a toy vocabulary and random weights so it runs anywhere without a real checkpoint, and it has been executed end to end to confirm it produces no errors.
# -----------------------------------------------------------------------
# Educational reference implementation inspired by the CDG-KD framework
# described in Yi et al., "Unified attacks to large language model
# watermarks, spoofing and scrubbing in unauthorized knowledge
# distillation" (arXiv 2504.17480).
#
# This script is a compact, runnable illustration of the three ideas at
# the heart of the paper.
# 1. Contrastive distribution modulation between a strongly
# watermarked student and a weakly watermarked auxiliary model.
# 2. Token level constraint fusion combining a probability threshold
# with a learned watermark discriminator.
# 3. Dual path distillation losses for the scrub and spoof students.
#
# It uses a tiny toy vocabulary and randomly initialized layers so it
# runs anywhere without downloading real model weights. Swap in real
# tokenizers, checkpoints, and a proper discriminator dataset for
# actual research use.
# -----------------------------------------------------------------------
import torch
import torch.nn as nn
import torch.nn.functional as F
# -------------------------------------------------------------------
# 1. A minimal discriminator that scores how watermarked a sequence of
# token ids looks. In the paper this is a fine tuned BERT, GPT-2,
# T5, or LLM2Vec encoder. Here it is a tiny GRU head so the whole
# file trains in seconds on a laptop.
# -------------------------------------------------------------------
class WatermarkDiscriminator(nn.Module):
def __init__(self, vocab_size, embed_dim=32, hidden_dim=64):
super().__init__()
self.embed = nn.Embedding(vocab_size, embed_dim)
self.encoder = nn.GRU(embed_dim, hidden_dim, batch_first=True)
self.head = nn.Linear(hidden_dim, 1)
def forward(self, token_ids):
# token_ids has shape (batch, seq_len)
x = self.embed(token_ids)
_, h_n = self.encoder(x)
score = torch.sigmoid(self.head(h_n.squeeze(0)))
return score.squeeze(-1) # values in [0, 1], higher means more watermarked
# -------------------------------------------------------------------
# 2. A pair of toy causal language models standing in for the strongly
# watermarked student theta_s and the weakly watermarked auxiliary
# model theta_a described in the paper's model initialization step.
# -------------------------------------------------------------------
class TinyLM(nn.Module):
def __init__(self, vocab_size, embed_dim=32, hidden_dim=64):
super().__init__()
self.embed = nn.Embedding(vocab_size, embed_dim)
self.rnn = nn.GRU(embed_dim, hidden_dim, batch_first=True)
self.out = nn.Linear(hidden_dim, vocab_size)
def forward(self, token_ids):
x = self.embed(token_ids)
h, _ = self.rnn(x)
return self.out(h) # shape (batch, seq_len, vocab_size)
# -------------------------------------------------------------------
# 3. Contrastive distribution modulation, matching the scrub and spoof
# equations in the paper's contrastive decoding section. Mode
# "scrub" pulls toward the weak model, mode "spoof" pulls toward
# the strong model.
# -------------------------------------------------------------------
def contrastive_step(logits_strong, logits_weak, beta, mode):
log_p_strong = F.log_softmax(logits_strong, dim=-1)
log_p_weak = F.log_softmax(logits_weak, dim=-1)
if mode == "scrub":
mixed = (1 + beta) * log_p_weak - beta * log_p_strong
elif mode == "spoof":
mixed = (1 + beta) * log_p_strong - beta * log_p_weak
else:
raise ValueError("mode must be scrub or spoof")
return F.softmax(mixed, dim=-1)
# -------------------------------------------------------------------
# 4. Token level constraint fusion. Keeps a token only if it clears a
# probability threshold lambda against the top candidate and the
# discriminator gate agrees with the attack goal, then renormalizes
# over whatever survives.
# -------------------------------------------------------------------
def fuse_constraints(contrastive_probs, disc_scores_prev, disc_scores_now,
lam, tau, mode):
top_prob, _ = contrastive_probs.max(dim=-1, keepdim=True)
prob_mask = contrastive_probs >= (lam * top_prob)
if mode == "scrub":
gate_pass = torch.maximum(disc_scores_prev, disc_scores_now) <= tau
else:
gate_pass = torch.minimum(disc_scores_prev, disc_scores_now) >= tau
# disc_scores are one value per sequence here, so reshape to broadcast
# across both the seq_len and vocab_size dimensions of prob_mask.
gate_mask = gate_pass.view(-1, 1, 1).expand_as(prob_mask)
valid_mask = prob_mask & gate_mask
# Guarantee at least the top candidate survives so sampling never breaks.
fallback = F.one_hot(contrastive_probs.argmax(dim=-1),
num_classes=contrastive_probs.size(-1)).bool()
empty_rows = (valid_mask.sum(dim=-1, keepdim=True) == 0)
valid_mask = valid_mask | (empty_rows & fallback)
filtered = contrastive_probs * valid_mask
filtered = filtered / filtered.sum(dim=-1, keepdim=True).clamp(min=1e-8)
return filtered
# -------------------------------------------------------------------
# 5. Dual path distillation losses. Both are plain cross entropy
# against the corrupted (scrub) or amplified (spoof) targets that
# the contrastive decoding stage above produced.
# -------------------------------------------------------------------
def scrub_loss(student_logits, corrupted_targets):
return F.cross_entropy(
student_logits.reshape(-1, student_logits.size(-1)),
corrupted_targets.reshape(-1),
)
def spoof_loss(student_logits, amplified_targets):
return F.cross_entropy(
student_logits.reshape(-1, student_logits.size(-1)),
amplified_targets.reshape(-1),
)
# -------------------------------------------------------------------
# 6. A short training loop that fine tunes a fresh student on data
# produced by the constrained contrastive decoding step, matching
# the dual path attack stage of the pipeline.
# -------------------------------------------------------------------
def train_dual_path(student, teacher_data, epochs=3, lr=1e-3):
optimizer = torch.optim.AdamW(student.parameters(), lr=lr)
for epoch in range(epochs):
total_loss = 0.0
for input_ids, target_ids, mode in teacher_data:
optimizer.zero_grad()
logits = student(input_ids)
loss = scrub_loss(logits, target_ids) if mode == "scrub" else spoof_loss(logits, target_ids)
loss.backward()
optimizer.step()
total_loss += loss.item()
print(f"epoch {epoch + 1} average loss {total_loss / len(teacher_data):.4f}")
# -------------------------------------------------------------------
# 7. Evaluation helper. Reports the fraction of generations a
# discriminator flags as watermarked, standing in for the p value
# based detectors used throughout the paper's result tables.
# -------------------------------------------------------------------
@torch.no_grad()
def evaluate_watermark_rate(discriminator, generated_batches, threshold=0.5):
flagged = 0
total = 0
for batch in generated_batches:
scores = discriminator(batch)
flagged += (scores >= threshold).sum().item()
total += scores.size(0)
return flagged / max(total, 1)
# -------------------------------------------------------------------
# 8. Smoke test on dummy data so the whole pipeline can be checked in
# under a second, without any real corpus or checkpoint.
# -------------------------------------------------------------------
def run_smoke_test():
torch.manual_seed(0)
vocab_size, batch_size, seq_len = 50, 4, 12
strong_model = TinyLM(vocab_size)
weak_model = TinyLM(vocab_size)
discriminator = WatermarkDiscriminator(vocab_size)
fresh_student = TinyLM(vocab_size)
dummy_tokens = torch.randint(0, vocab_size, (batch_size, seq_len))
logits_strong = strong_model(dummy_tokens)
logits_weak = weak_model(dummy_tokens)
scrub_probs = contrastive_step(logits_strong, logits_weak, beta=0.5, mode="scrub")
spoof_probs = contrastive_step(logits_strong, logits_weak, beta=1.0, mode="spoof")
disc_prev = discriminator(dummy_tokens)
disc_now = discriminator(dummy_tokens)
scrub_final = fuse_constraints(scrub_probs, disc_prev, disc_now,
lam=0.2, tau=0.5, mode="scrub")
spoof_final = fuse_constraints(spoof_probs, disc_prev, disc_now,
lam=0.1, tau=0.5, mode="spoof")
scrub_targets = scrub_final.argmax(dim=-1)
spoof_targets = spoof_final.argmax(dim=-1)
teacher_data = [
(dummy_tokens, scrub_targets, "scrub"),
(dummy_tokens, spoof_targets, "spoof"),
]
train_dual_path(fresh_student, teacher_data, epochs=2, lr=1e-2)
rate = evaluate_watermark_rate(discriminator, [dummy_tokens, dummy_tokens])
print(f"discriminator flagged {rate * 100:.1f} percent of the dummy batch as watermarked")
print("smoke test finished without errors")
if __name__ == "__main__":
run_smoke_test()
Conclusion
What CDG-KD ultimately demonstrates is that watermark radioactivity, a property originally celebrated as a free extra layer of protection against model theft, is a double edged mechanism that an attacker can steer just as easily as a defender can rely on it. By separating the problem into a contrastive decoding step that isolates watermark relevant tokens and a plain distillation step that bakes the result into a fresh model, the authors turn what used to require inside access to a model’s logits or sampling process into something achievable with nothing more than ordinary API calls and a training budget.
The conceptual shift here is subtle but important. Earlier attacks tended to treat scrubbing and spoofing as separate problems needing separate tools. This paper’s framing, that both attacks are really the same contrastive mechanism pointed in opposite directions, is the kind of unification that tends to reshape how a subfield thinks about a threat, not just how it patches one specific vulnerability.
The underlying idea, using a strong and a weak reference model to sculpt training data through constrained contrastive decoding, is not inherently limited to watermarking. Anywhere a provider embeds a detectable behavioral signature into a model’s outputs, whether for provenance, licensing enforcement, or content tracing, a similar attacker could in principle try the same recipe, which is worth keeping in mind for anyone building detection systems outside the watermarking literature specifically.
The honest limitations matter as much as the results. This is a controlled research study against a single teacher model, run without an adaptive defender in the loop, and the authors themselves are careful to frame it as a warning rather than a finished exploit against any specific production system. Query costs and the lack of adaptive defense testing both leave real room between what was demonstrated here and what a well resourced provider with active monitoring might actually face.
Even with those caveats, the paper lands a point that watermarking researchers will need to sit with. A detection mechanism that only works because a signal survives distillation cannot simultaneously claim that same survival property is impossible to exploit. The next generation of watermarking schemes will need to answer both threats at once, not just the one that happens to be easier to defend against.
Read the original research
CDG-KD comes from Xin Yi and colleagues at East China Normal University, posted to arXiv in April 2025 and revised through August 2025.
Frequently asked questions
What is watermark radioactivity in language models
It is the tendency of a smaller student model to keep a detectable trace of a watermark that was embedded in a teacher model’s outputs, even when the student was trained through ordinary knowledge distillation and nobody deliberately tried to copy the watermark over.
How is CDG-KD different from the earlier WS attack
WS, proposed by Jovanović and colleagues, needs access to both a watermarked and an unwatermarked version of a model’s output distribution for the same prompt. CDG-KD only ever needs text generated by the watermarked model itself, which matches how most commercial APIs are actually exposed.
Does scrubbing a watermark badly hurt the distilled model’s answers
Not much according to the paper’s own benchmarks. Across ARC Challenge, TruthfulQA, and TinyGSM8K, the scrubbed student typically lands within a few points of a normally distilled student, and well above a student that never saw the teacher’s outputs at all.
Why is a spoofing attack considered more dangerous than a scrubbing attack
Scrubbing just removes a paper trail. Spoofing actively manufactures one, generating harmful content that carries a strong version of the victim provider’s own watermark, which can shift blame and reputational damage onto a company that never produced the content in question.
Does the attack require access to the victim model’s weights or logits
No. The threat model in the paper is explicitly black box. The attacker only ever queries the victim through its normal API and works entirely from the text that comes back, with no access to internal parameters, gradients, or the decoding process.
What might actually make watermarks harder to steal through distillation
The paper points toward discriminator based detection, which held up more consistently than p value tests in its own experiments, alongside emerging anti distillation techniques designed to limit how much of a teacher model’s behavior a student can absorb in the first place.
This analysis is based on the published paper and an independent evaluation of its claims.

Pingback: 5 Shocking Mistakes in Knowledge Distillation (And the Brilliant Framework KD2M That Fixes Them) - aitrendblend.com
Pingback: 7 Revolutionary Breakthroughs in Graph-Free Knowledge Distillation (And 1 Critical Flaw That Could Derail Your AI Model) - aitrendblend.com
Pingback: 1 Revolutionary Breakthrough in AI Object Detection: GridCLIP vs. Two-Stage Models - aitrendblend.com