Multi-Channel Spread-Spectrum Code Watermarking
Summary
A novel multi-channel spread-spectrum watermarking system is introduced for attributing code generated by large language models. This post-hoc, training-free scheme offers a 24-bit payload and formal robustness guarantees, addressing limitations of prior methods that either require model access or provide minimal payload. It embeds bits using variable naming conventions and eight pairs of semantically equivalent code patterns, employing a keyed pseudo-random permutation, majority voting, and a Reed-Solomon outer code for error correction. Tested on 1,750 Python files from CodeNet, GPT-4.1, and Llama-4, the system achieved 100% clean-detection accuracy with zero false positives. It demonstrated 97.6% recovery accuracy under 8 variable renames and 94.1% under 10% random per-site corruption, outperforming baselines. Embedding and detection processes complete in under 200 ms on CPU, requiring no training data or GPU.
Key takeaway
For AI Security Engineers or teams needing to attribute LLM-generated code for provenance, licensing, or security, you should consider implementing multi-channel spread-spectrum watermarking. This system provides a 24-bit payload and strong robustness against common code transformations, operating efficiently on CPU without training. It offers a practical solution for verifying code origin, especially where generation-time watermarking is not feasible, despite the inherent limitation against full LLM regeneration attacks.
Key insights
Multi-channel spread-spectrum watermarking provides robust, high-payload, post-hoc attribution for LLM-generated code without training.
Principles
- Combine independent semantic-preserving modifications.
- Distribute watermark bits across all available sites.
- Layer error correction for diverse attack types.
Method
Normalize code, extend single-word variables, normalize structural channels, extract sites, then use a keyed pseudo-random permutation to assign sites to codeword bits. Transform sites to embed bits, then apply Reed-Solomon encoding.
In practice
- Use t=8 for heavy rename attacks.
- Prefer t=2 for structural or random per-site corruption.
- Implement a centralized detection service for verification.
Topics
- Code Watermarking
- Large Language Models
- Model Attribution
- Spread-Spectrum Techniques
- Reed-Solomon Codes
- Post-hoc Watermarking
- Software Security
Code references
Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, AI Engineer, AI Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.