REVIEW 3 major objections 4 minor 35 references
Reviewed by Pith at T0; open to challenge.
T0 means a machine referee read the full paper against a public rubric. The mark states how deep the mechanical check went, never who wrote it. the ladder, T0–T4 →
T0 review · grok-4.5
A post-hoc, training-free multi-channel watermark embeds a 24-bit identifier into Python code and recovers it under formatting, syntactic, and structural attacks with formal robustness bounds.
2026-07-08 19:55 UTC pith:UWJW3SZJ
load-bearing objection A coherent 24-bit post-hoc code watermark with real engineering ambition; the headline numbers and formal bounds rest on site-density and joint-channel assumptions that the abstract does not stress-test. the 3 major comments →
Multi-Channel Spread-Spectrum Code Watermarking
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Multi-channel spread-spectrum watermarking is the first post-hoc, training-free code watermark that carries a 24-bit payload while providing formal robustness guarantees. Bits are placed in variable-naming conventions and in eight fixed pairs of behavior-preserving code patterns; a keyed pseudo-random permutation maps every site to a codeword bit so each bit accumulates multiple independent votes. Majority voting absorbs distributed corruption, and an outer Reed-Solomon code recovers the identifier when concentrated channel attacks defeat the vote, yielding provable bounds against formatting, syntactic, and structural attacks. On 1,750 Python files the method achieves 100 percent clean-detec
What carries the argument
The keyed multi-channel spread-spectrum encoder: a keyed pseudo-random permutation that assigns every independent, behavior-preserving embedding site (variable-naming conventions plus eight pairs of semantically equivalent patterns) to a codeword bit, so each payload bit receives multiple independent votes that majority voting and an outer Reed-Solomon code can recover.
Load-bearing premise
The method assumes that typical Python programs contain enough independent, behavior-preserving embedding sites across variable names and the eight fixed equivalent-pattern pairs for the multi-vote majority decoder and outer Reed-Solomon code to deliver the claimed 24-bit payload and attack resistance.
What would settle it
Measure the number of independent embedding sites on a large corpus of real-world Python packages; if many files yield fewer sites than needed for a 24-bit Reed-Solomon payload, or if an automated rewrite that jointly normalizes every channel while preserving behavior drives recovery below the claimed rates, the central claim fails.
If this is right
- Any third-party Python code can be watermarked after the fact with a 24-bit identifier large enough to distinguish many model configurations.
- Formatting, syntactic, and structural attacks that leave program behavior intact still leave enough residual votes for majority decoding and Reed-Solomon recovery.
- Clean detection incurs zero false positives on the evaluated corpora, supporting use for provenance and licensing checks.
- Embedding and detection finish in under 200 ms on CPU with no training data or GPU, allowing application at scale to existing codebases.
- Single-channel post-hoc baselines collapse under any one transform, while the multi-channel design retains high recovery under the same attacks.
Where Pith is reading between the lines
- If the same multi-channel construction ports to other languages that admit rich sets of behavior-preserving rewrites, post-hoc attribution could become a standard supply-chain check.
- An attacker who can jointly rewrite all embedding channels while preserving utility would force an explicit trade-off between stealth and payload size; measuring that trade-off on real adversarial rewrites would test the practical security margin.
- Pairing the 24-bit payload with a public registry of model identifiers would let independent auditors verify LLM provenance claims without trusting the original publisher.
- The majority-plus-outer-code design may transfer to other discrete media that contain multiple independent rewrite sites, such as configuration files or infrastructure-as-code.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proposes multi-channel spread-spectrum watermarking, a post-hoc, training-free scheme that embeds a 24-bit identifier into Python source via variable-naming conventions and eight fixed pairs of semantically equivalent code patterns. A keyed pseudo-random permutation maps embedding sites to codeword bits so that each bit receives multiple independent votes; majority voting absorbs distributed errors and an outer Reed-Solomon code recovers the payload under concentrated channel attacks, yielding claimed formal robustness bounds for formatting, syntactic, and structural transforms. On 1,750 files drawn from CodeNet and from GPT-4.1 / Llama-4 generations the authors report 100 % clean detection with zero false positives, 97.6 % identifier recovery under eight variable renames, and 94.1 % recovery under 10 % random per-site corruption across a suite of 17 attacks, while the strongest post-hoc baseline collapses to 0 % under any single-transform attack. Embedding plus detection is stated to finish in under 200 ms on CPU with no training data or GPU.
Significance. A practical 24-bit post-hoc watermark that requires neither model access nor training data would be a genuine advance for LLM-code provenance, licensing, and misuse accountability; existing generation-time schemes cannot be applied to third-party code and prior post-hoc methods carry at most a few bits. The multi-channel design that couples naming conventions with a small set of semantic pattern pairs, majority voting, and an outer RS code is a clean systems contribution. If the formal bounds and the headline empirical numbers hold under realistic adversaries, the work would be of clear interest to the community. The training-free, CPU-only runtime and the public attack suite are additional practical strengths that should be credited.
major comments (3)
- [Empirical evaluation / site statistics] The formal robustness claims and the 24-bit payload rest on the existence of a sufficient density of independent, behavior-preserving embedding sites (variable-naming conventions plus the eight pattern pairs) so that the keyed PR permutation supplies multiple votes per RS-protected bit. The manuscript does not report site-density statistics (sites per file, sites per channel, or the distribution of votes per bit) on the CodeNet or LLM-generated corpora. Without those measurements it is impossible to verify that the majority-vote + RS construction actually operates inside its design radius on the evaluated programs; if typical files are sparse the claimed recovery rates become corpus-specific rather than general.
- [Attack suite and robustness analysis] The attack model enumerates 17 transform types (bounded renames, per-site corruption, formatting, etc.) but does not include a joint, utility-preserving rewrite that simultaneously forces every pattern pair onto a canonical side while preserving semantics and readability (e.g., an AST-level style normalizer or multi-channel pretty-printer). Such an adversary can convert the independent-vote assumption into a burst error that exceeds the RS correction radius. Because the formal bounds and the headline numbers (97.6 % / 94.1 %) are stated against the listed suite, the absence of a joint-channel attack leaves the central robustness claim incompletely stress-tested.
- [Multi-channel encoding / majority-vote analysis] The independence argument underlying majority voting is asserted rather than measured. If the eight pattern channels are correlated under realistic coding styles (or under a single semantic-preserving rewrite), the effective number of independent votes per bit collapses and the RS outer code no longer guarantees the stated recovery probability. A quantitative independence or mutual-information analysis across channels on the evaluation corpora is required before the formal bounds can be accepted as load-bearing.
minor comments (4)
- [Introduction / experimental setup] The abstract and introduction repeatedly contrast the scheme with “the strongest post-hoc baseline” that falls to 0 % under any single-transform attack; the concrete identity, payload size, and implementation of that baseline should be stated once in the main text so that the comparison is reproducible without consulting the appendix.
- [Scheme description] Clarify the precise free parameters of the Reed-Solomon and majority-vote layers (block length, dimension, vote threshold) and whether they are fixed for all experiments or tuned per corpus; a short table would remove ambiguity.
- [Detection evaluation] The claim of “zero false positives” on 1,750 files is strong; a brief statement of the detection threshold and of how many non-watermarked files from the same distributions were tested would strengthen the false-positive claim.
- [Throughout] Minor typographic consistency: “spread-spectrum” is hyphenated in the title but appears both hyphenated and unhyphenated in the body; standardize.
Simulated Author's Rebuttal
We thank the referee for a careful and constructive review. The three major comments correctly identify missing measurements and an incompletely stress-tested attack model that are needed to make the formal robustness claims fully load-bearing. We will revise the manuscript to (i) report site-density and votes-per-bit statistics on both corpora, (ii) add a joint multi-channel style-normalization attack and re-evaluate recovery under it, and (iii) quantify cross-channel dependence (correlation / mutual information) on the evaluation sets and restate the majority-vote analysis in light of those measurements. We do not claim that the current suite already covers a simultaneous canonicalizing rewrite; that gap is real and will be closed. The core systems contribution—keyed multi-channel spread-spectrum embedding with majority voting and an outer RS code, training-free 24-bit post-hoc payload, and the public attack suite—remains, and the empirical headline numbers will be re-reported against the expanded evaluation.
read point-by-point responses
-
Referee: The formal robustness claims and the 24-bit payload rest on sufficient density of independent embedding sites, but the manuscript does not report site-density statistics (sites per file, sites per channel, or votes-per-bit distribution) on CodeNet or LLM-generated corpora, so it is impossible to verify that majority-vote + RS operates inside its design radius.
Authors: We agree. The recovery rates on the evaluated corpora are consistent with adequate density in practice, but that is an indirect argument; the manuscript should state the site statistics explicitly so that readers can check that the design radius is met and can judge how corpus-specific the results are. In revision we will report, for both CodeNet and the GPT-4.1 / Llama-4 sets: (1) distribution of total embedding sites per file, (2) sites broken down by channel (naming conventions vs each of the eight pattern pairs), (3) the induced distribution of votes per RS-protected bit under the keyed PR permutation, and (4) the fraction of files that fall below the minimum vote multiplicity assumed by the formal bounds. Where files are sparse we will either exclude them under a stated density precondition or report recovery conditioned on density, so that the 24-bit claim is not overstated for short or site-poor programs. This is a straightforward measurement on the existing evaluation pipeline and will be added to the experimental section and appendix. revision: yes
-
Referee: The attack suite enumerates 17 transform types but omits a joint, utility-preserving rewrite that simultaneously forces every pattern pair onto a canonical side (e.g., AST-level style normalizer or multi-channel pretty-printer), which can turn independent votes into a burst error beyond the RS radius; absence of this attack leaves the central robustness claim incompletely stress-tested.
Authors: The referee is right: a simultaneous multi-channel canonicalizer is a natural and stronger adversary than the per-transform suite, and we did not evaluate it. The listed 17 attacks include bounded renames, per-site corruption, formatting, and single-pattern rewrites, but they do not force all eight pattern pairs (and naming) onto one side at once. Such a joint rewrite can induce a burst that majority voting cannot absorb and that may exceed the outer RS correction capability, so the 97.6% / 94.1% figures cannot be read as covering that adversary. In revision we will implement and report an AST-level multi-channel normalizer that (a) forces each of the eight pattern pairs to a fixed canonical side, (b) normalizes naming conventions to a single style, and (c) preserves semantics and basic readability. We will measure identifier recovery under this joint attack alone and in combination with residual random corruption, and we will revise the formal discussion to state clearly which bounds still hold and which degrade to the residual channels (if any) that the normalizer cannot erase without harming utility. We will not claim robustness against a full joint rewrite unless the new numbers support it. This is a genuine gap in the submitted evaluation, not a misreading of the suite. revision: yes
-
Referee: The independence argument underlying majority voting is asserted rather than measured. If the eight pattern channels are correlated under realistic coding styles or under a single semantic-preserving rewrite, effective independent votes per bit collapse and the RS outer code no longer guarantees the stated recovery probability. A quantitative independence or mutual-information analysis across channels on the evaluation corpora is required.
Authors: We agree that independence was asserted rather than measured, and that correlation under natural style or under a joint rewrite would reduce the effective number of votes and weaken the majority-vote analysis. The keyed PR permutation still spreads sites across codeword bits, so channel correlation does not automatically align all votes for a given bit, but it does reduce the diversity that the formal argument relies on; without measurements the load-bearing claim is incomplete. In revision we will compute, on both corpora: pairwise correlations and mutual information between channel-level bit observations (conditioned on the true payload bit where applicable), the empirical joint error patterns across channels under clean code and under the attack suite (including the new joint normalizer), and an effective-vote estimate (e.g., via bootstrap or simple dependence-adjusted majority models). We will restate the majority-vote and RS recovery bounds using these measured dependence figures rather than an independence assumption, and we will flag regimes where dependence makes the previous analytic radius optimistic. If measured dependence is high, we will either strengthen the outer code / reduce payload or qualify the formal claims accordingly. This analysis is necessary before the bounds can be treated as load-bearing. revision: yes
Circularity Check
No significant circularity: payload, detection, and robustness claims are evaluated on external corpora and attack transforms rather than reduced to fitted inputs or self-definition.
full rationale
The paper presents a constructive watermarking scheme (multi-channel embedding via naming conventions and eight fixed pattern pairs, keyed PR mapping of sites to codeword bits, majority vote, outer Reed-Solomon) and evaluates it empirically on CodeNet and LLM-generated Python files under 17 attack types. Clean detection (100% accuracy, 0 FP on 1,750 files), recovery rates under renames and per-site corruption, and comparisons to post-hoc baselines are measured outcomes on held-out external data, not quantities defined by fitting the detection metric or by renaming a known empirical pattern. Formal robustness bounds are derived from coding-theoretic majority-vote and RS correction radii under stated attack models; they are not uniqueness theorems imported from the authors' prior work, nor ansatzes smuggled via self-citation. The residual design risk (density of independent embedding sites; resistance to joint multi-channel rewrites) is an assumption about the domain, not a circular reduction of a claimed prediction to its inputs. No equation or claim reduces a "prediction" to a fitted constant by construction. Score 0 is therefore the honest finding.
Axiom & Free-Parameter Ledger
free parameters (3)
- payload_length_bits =
24
- num_semantic_pattern_pairs =
8
- reed_solomon_and_vote_parameters
axioms (4)
- domain assumption The eight pattern pairs and variable-naming convention flips are semantics-preserving for the evaluated Python programs.
- standard math A keyed pseudo-random permutation yields sufficiently independent site-to-codeword-bit assignments for majority voting to concentrate.
- domain assumption Majority voting plus an outer Reed-Solomon code deliver the claimed robustness bounds against formatting, syntactic, and structural attacks under the paper’s attack model.
- ad hoc to paper Attackers are modeled by the 17 listed transform types (including bounded renames and per-site corruption) rather than fully adaptive joint channel-destroying rewrites that preserve utility.
read the original abstract
Attributing code to the large language model that produced it is essential for provenance, licensing, and misuse accountability, yet no deployed watermark meets this need. Generation-time schemes require access to the producing model and cannot be applied to third-party code, while post-hoc schemes work on any code but carry at most 4 bits of payload, far too few to distinguish the many deployed model configurations. We present multi-channel spread-spectrum watermarking, the first post-hoc, training-free code watermark with a 24-bit payload and formal robustness guarantees. The scheme encodes bits in variable naming conventions and in eight pairs of semantically equivalent code patterns, and a keyed pseudo-random permutation maps every site to a codeword bit so that each bit receives multiple independent votes. Majority voting absorbs distributed corruption, while an outer Reed-Solomon code recovers the identifier when concentrated channel attacks defeat the vote, yielding provable robustness bounds for formatting, syntactic, and structural attacks. Across 1,750 Python files from CodeNet and from GPT-4.1 and Llama-4 generations, the watermark achieves 100% clean-detection accuracy with zero false positives. Under 17 attack types, it recovers the identifier at 97.6% accuracy under 8 variable renames and 94.1% under 10% random per-site corruption, while the strongest post-hoc baseline collapses to 0% under any single-transform attack. Embedding and detection together take under 200 ms on CPU without training data or GPU.
Figures
Reference graph
Works this paper leans on
-
[1]
Elaine Barker. 2020. Recommendation for Key Management: Part 1 – General. NIST Special Publication 800-57 Part 1 Rev. 5. https://csrc.nist.gov/pubs/sp/800/ 57/pt1/r5/final
work page 2020
-
[2]
Mihir Bellare and Phillip Rogaway. 1993. Random Oracles are Practical: A Para- digm for Designing Efficient Protocols. InCCS ’93, Proceedings of the 1st ACM 12 Multi-Channel Spread-Spectrum Code Watermarking Conference acronym ’XX, June 03–05, 2018, Woodstock, NY Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 3-5, 199...
-
[3]
Brown, Dawn Song, Úlfar Erlingsson, Alina Oprea, and Colin Raffel
Nicholas Carlini, Florian Tramèr, Eric Wallace, Matthew Jagielski, Ariel Herbert- Voss, Katherine Lee, Adam Roberts, Tom B. Brown, Dawn Song, Úlfar Erlingsson, Alina Oprea, and Colin Raffel. 2021. Extracting Training Data from Large Lan- guage Models. In30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, Michael D. Bailey and Rachel ...
work page 2021
-
[4]
Mark Chen, Jerry Tworek, Heewoo Jun, Qiming Yuan, Henrique Pondé de Oliveira Pinto, Jared Kaplan, Harri Edwards, Yuri Burda, Nicholas Joseph, Greg Brockman, Alex Ray, Raul Puri, Gretchen Krueger, Michael Petrov, Heidy Khlaaf, Girish Sastry, Pamela Mishkin, Brooke Chan, Scott Gray, Nick Ryder, Mikhail Pavlov, Alethea Power, Lukasz Kaiser, Mohammad Bavarian...
work page internal anchor Pith review Pith/arXiv arXiv 2021
-
[5]
Soohyeon Choi, Ali Alkinoon, Ahod Alghuried, Abdulaziz Alghamdi, and David Mohaisen. 2025. Attributing ChatGPT-Transformed Synthetic Code. In45th IEEE International Conference on Distributed Computing Systems, ICDCS 2025, Glasgow, United Kingdom, July 21-23, 2025. IEEE, 89–99. doi:10.1109/ICDCS63083.2025. 00018
-
[6]
Soohyeon Choi and David Mohaisen. 2025. Attributing ChatGPT-Generated Source Codes.IEEE Trans. Dependable Secur. Comput.22, 4 (2025), 3602–3615. doi:10.1109/TDSC.2025.3535218
-
[7]
Soohyeon Choi, Yong Kiam Tan, Mark Huasong Meng, Mohamed Ragab, Soumik Mondal, David Mohaisen, and Khin Mi Mi Aung. 2025. I Can Find You in Seconds! Leveraging Large Language Models for Code Authorship Attribution.CoRR abs/2501.08165 (2025). doi:10.48550/ARXIV.2501.08165
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2501.08165 2025
-
[8]
PUGeo-Net: A Geometry-centric Network for 3D Point Cloud Upsampling
Christian S. Collberg and Clark D. Thomborson. 2002. Watermarking, Tamper- Proofing, and Obfuscation-Tools for Software Protection.IEEE Trans. Software Eng.28, 8 (2002), 735–746. doi:10.1109/TSE.2002.1027797
work page internal anchor Pith review Pith/arXiv arXiv doi:10.1109/tse.2002.1027797 2002
-
[9]
Cox, Joe Kilian, Frank Thomson Leighton, and Talal Shamoon
Ingemar J. Cox, Joe Kilian, Frank Thomson Leighton, and Talal Shamoon. 1997. Secure spread spectrum watermarking for multimedia.IEEE Trans. Image Process. 6, 12 (1997), 1673–1687. doi:10.1109/83.650120
-
[10]
Batu Guan, Yao Wan, Zhangqian Bi, Zheng Wang, Hongyu Zhang, Pan Zhou, and Lichao Sun. 2024. CodeIP: A Grammar-Guided Multi-Bit Watermark for Large Language Models of Code. InFindings of the Association for Computational Linguistics: EMNLP 2024, Miami, Florida, USA, November 12-16, 2024 (Findings of ACL), Yaser Al-Onaizan, Mohit Bansal, and Yun-Nung Chen (...
-
[11]
Binyuan Hui, Jian Yang, Zeyu Cui, Jiaxi Yang, Dayiheng Liu, Lei Zhang, Tianyu Liu, Jiajun Zhang, Bowen Yu, Kai Dang, An Yang, Rui Men, Fei Huang, Xingzhang Ren, Xuancheng Ren, Jingren Zhou, and Junyang Lin. 2024. Qwen2.5-Coder Technical Report.CoRRabs/2409.12186 (2024). doi:10.48550/ARXIV.2409.12186
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2409.12186 2024
-
[12]
Jungin Kim, Shinwoo Park, and Yo-Sub Han. 2026. Marking Code Without Breaking It: Code Watermarking for Detecting LLM-Generated Code. (2026), 3990–4002. https://aclanthology.org/2026.findings-eacl.207/
work page 2026
-
[13]
John Kirchenbauer, Jonas Geiping, Yuxin Wen, Jonathan Katz, Ian Miers, and Tom Goldstein. 2023. A Watermark for Large Language Models. InInternational Conference on Machine Learning, ICML 2023, 23-29 July 2023, Honolulu, Hawaii, USA (Proceedings of Machine Learning Research), Andreas Krause, Emma Brunskill, Kyunghyun Cho, Barbara Engelhardt, Sivan Sabato,...
work page 2023
-
[14]
Taehyun Lee, Seokhee Hong, Jaewoo Ahn, Ilgee Hong, Hwaran Lee, Sangdoo Yun, Jamin Shin, and Gunhee Kim. 2024. Who Wrote this Code? Watermarking for Code Generation. InProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), ACL 2024, Bangkok, Thailand, August 11-16, 2024, Lun-Wei Ku, Andre Martins, a...
-
[15]
Vladimir I Levenshtein et al. 1966. Binary codes capable of correcting deletions, insertions, and reversals. 10, 8 (1966), 707–710
work page 1966
-
[16]
Boquan Li, Zheming Fu, Mengdi Zhang, Peixin Zhang, Jun Sun, and Xingmei Wang. 2024. Efficient and Universal Watermarking for LLM-Generated Code Detection. (2024). https://api.semanticscholar.org/CorpusID:267627184
work page 2024
-
[17]
1970.The art of computer programming
M Donald MacLaren. 1970.The art of computer programming. Volume 2: Seminu- merical algorithms (Donald E. Knuth). Vol. 12. SIAM. 306–308 pages
work page 1970
-
[18]
Victor S. Miller. 1985. Use of Elliptic Curves in Cryptography. InAdvances in Cryptology - CRYPTO ’85, Santa Barbara, California, USA, August 18-22, 1985, Proceedings (Lecture Notes in Computer Science), Hugh C. Williams (Ed.). Springer, 417–426. doi:10.1007/3-540-39799-X_31
-
[19]
OpenAI. 2023. GPT-4 Technical Report.CoRRabs/2303.08774 (2023). doi:10. 48550/ARXIV.2303.08774
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[20]
Hammond Pearce, Baleegh Ahmad, Benjamin Tan, Brendan Dolan-Gavitt, and Ramesh Karri. 2022. Asleep at the Keyboard? Assessing the Security of GitHub Copilot’s Code Contributions. In43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, CA, USA, May 22-26, 2022. IEEE, 754–768. doi:10.1109/ SP46214.2022.9833571
-
[21]
Neil Perry, Megha Srivastava, Deepak Kumar, and Dan Boneh. 2023. Do Users Write More Insecure Code with AI Assistants?. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copen- hagen, Denmark, November 26-30, 2023, Weizhi Meng, Christian Damsgaard Jensen, Cas Cremers, and Engin Kirda (Eds.). ACM, 2785–2799....
-
[22]
Fips Pub. 2012. Secure hash standard (shs). 2012 pages
work page 2012
-
[23]
CodeNet: A Large-Scale AI for Code Dataset for Learning a Diversity of Coding Tasks
Ruchir Puri, David S. Kung, Geert Janssen, Wei Zhang, Giacomo Domeniconi, Vladimir Zolotov, Julian Dolby, Jie Chen, Mihir R. Choudhury, Lindsey Decker, Veronika Thost, Luca Buratti, Saurabh Pujar, and Ulrich Finkler. 2021. Project CodeNet: A Large-Scale AI for Code Dataset for Learning a Diversity of Coding Tasks.CoRRabs/2105.12655 (2021). https://arxiv.o...
work page internal anchor Pith review Pith/arXiv arXiv 2021
-
[24]
Wenjie Qu, Dong Yin, Zixin He, Wei Zou, Tianyang Tao, Jinyuan Jia, and Jiaheng Zhang. 2024. Provably Robust Multi-bit Watermarking for AI-generated Text via Error Correction Code.CoRRabs/2401.16820. doi:10.48550/ARXIV.2401.16820
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2401.16820 2024
-
[25]
Irving S Reed and Gustave Solomon. 1960. Polynomial codes over certain finite fields.Journal of the society for industrial and applied mathematics8, 2 (1960), 300–304
work page 1960
-
[26]
Baptiste Rozière, Jonas Gehring, Fabian Gloeckle, Sten Sootla, Itai Gat, Xi- aoqing Ellen Tan, Yossi Adi, Jingyu Liu, Tal Remez, Jérémy Rapin, Artyom Kozhevnikov, Ivan Evtimov, Joanna Bitton, Manish Bhatt, Cristian Canton-Ferrer, Aaron Grattafiori, Wenhan Xiong, Alexandre Défossez, Jade Copet, Faisal Azhar, Hugo Touvron, Louis Martin, Nicolas Usunier, Tho...
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2308.12950 2023
-
[27]
Vinu Sankar Sadasivan, Aounon Kumar, Sriram Balasubramanian, Wenxiao Wang, and Soheil Feizi. 2025. Can AI-Generated Text be Reliably Detected? Stress Testing AI Text Detectors Under Various Attacks.Trans. Mach. Learn. Res.2025 (2025). https://openreview.net/forum?id=OOgsAZdFOt
work page 2025
-
[28]
Gustavo Sandoval, Hammond Pearce, Teo Nys, Ramesh Karri, Siddharth Garg, and Brendan Dolan-Gavitt. 2023. Lost at C: A User Study on the Security Implications of Large Language Model Code Assistants. In32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, Joseph A. Calandrino and Carmela Troncoso (Eds.). USENIX Associat...
work page 2023
-
[29]
2010.2: Recommended elliptic curve domain parameters
SEC SECG. 2010.2: Recommended elliptic curve domain parameters. Version 2.0. Technical Report
work page 2010
-
[30]
Claude E. Shannon. 1948. A mathematical theory of communication.Bell Syst. Tech. J.27, 3 (1948), 379–423. doi:10.1002/J.1538-7305.1948.TB01338.X
-
[31]
Michael Soha and Zachary J McDowell. 2016. Monetizing a meme: YouTube, content ID, and the Harlem Shake.Social Media+ Society2, 1 (2016), 2056305115623801
work page 2016
-
[32]
Sourcery AI. 2024. Sourcery: Automated Python Refactoring. https://sourcery.ai
work page 2024
-
[33]
Yue Wang, Weishi Wang, Shafiq R. Joty, and Steven C. H. Hoi. 2021. CodeT5: Identifier-aware Unified Pre-trained Encoder-Decoder Models for Code Under- standing and Generation. InProceedings of the 2021 Conference on Empirical Methods in Natural Language Processing, EMNLP 2021, Virtual Event / Punta Cana, Dominican Republic, 7-11 November, 2021, Marie-Fran...
-
[34]
Borui Yang, Wei Li, Liyao Xiang, and Bo Li. 2024. SrcMarker: Dual-Channel Source Code Watermarking via Scalable Code Transformations. InIEEE Symposium on Security and Privacy, SP 2024, San Francisco, CA, USA, May 19-23, 2024. IEEE, 4088–4106. doi:10.1109/SP54263.2024.00097
-
[35]
Ruisi Zhang, Neusha Javidnia, Nojan Sheybani, and Farinaz Koushanfar. 2025. Ro- bust and Secure Code Watermarking for Large Language Models via ML/Crypto Codesign.CoRRabs/2502.02068 (2025). doi:10.48550/ARXIV.2502.02068 A Full Baseline Comparison Tables Table 13 provides the complete per-dataset attack results for ACW [16], SrcMarker-Py, and our system ac...
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2502.02068 2025
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.