Cryptanalysis of Pseudorandom Error-Correcting Codes
Pseudorandom error-correcting codes (PRC) are a novel cryptographic primitive proposed at CRYPTO 2024. Due to the dual capability of pseudorandomness and error correction, PRC has been recognized as a promising foundational component for watermarking AI-generated content. However, the security of PRC has not been thoroughly analyzed, especially with concrete parameters or in the face of cryptographic attacks. To fill this gap, we present the first cryptanalysis of PRC. We first propose three attacks to challenge the undetectability and robustness assumptions of PRC. Among them, two attacks aim to distinguish PRC-based codewords from plain vectors, and one attack aims to compromise the decoding process of PRC. Our attacks successfully undermine the claimed security guarantees across all parameter configurations. Notably, our attack can detect the presence of a watermark with overwhelming probability at a cost of $2^{22}$ operations. We also validate our approach by attacking real-world large generative models such as DeepSeek and Stable Diffusion. To mitigate our attacks, we further propose three defenses to enhance the security of PRC, including parameter suggestions, implementation suggestions, and constructing a revised key generation algorithm. Our proposed revised key generation function effectively prevents the occurrence of weak keys. However, we highlight that the current PRC-based watermarking scheme still cannot achieve 128-bit security under our parameter suggestions due to the inherent configurations of large generative models, such as the maximum output length of large language models.
💡 Research Summary
This paper presents the first concrete security analysis of the pseudorandom error‑correcting code (PRC) primitive introduced at CRYPTO 2024, focusing on its only known instantiation, LDPC‑PRC, and its use as a watermarking mechanism for large generative models. The authors design three distinct cryptographic attacks that break the two core security claims of PRC—undetectability (codewords must be indistinguishable from random vectors) and robustness (decoding must succeed despite bounded noise).
Attack I – Partial Secret‑Key Recovery uses a Meet‑in‑the‑Middle (MITM) strategy to recover a subset of the secret matrix P from the public matrix G. By targeting only half of the rows, the collision sets are reduced, yielding a time complexity of O(g·α·⌈n/2⌉·⌈t/2⌉), where α depends on the LDPC parameters (n, t). With realistic parameters (e.g., n ≈ 2¹⁶, t = 5) the attack runs in roughly 2²² operations. The recovered partial key enables the attacker to simulate the Decode algorithm and obtain a statistical advantage of ½ + α in distinguishing a PRC codeword from a uniform vector. Collecting enough samples therefore allows watermark detection with overwhelming probability at modest computational cost.
Attack II – Weak‑Key Distinguisher exploits a bias in the key‑generation routine. In practice, the public matrix G often contains duplicated rows because the random sampling does not achieve perfect uniformity. Empirical measurements show that for row weight t = 3 or 4, duplicate rows appear with probability close to 1. An adversary who observes many public keys can select a target key that contains duplicates, record the duplicate indices, and then test whether the corresponding positions in candidate vectors match. If the match count exceeds a predetermined threshold, the presence of a watermark is inferred with near‑certainty. This attack does not require any key recovery; it merely leverages the existence of “weak keys” to break undetectability.
Attack III – Noise‑Overlay Attack targets the robustness property. The Decode algorithm tolerates noise up to a fraction (½ − r − ¼)·r of the code length. The attacker first estimates the original Bernoulli‑distributed noise vector e used during encoding, then constructs an adversarial noise vector e′ such that the combined noise e + e′ exceeds the decoder’s threshold while preserving the overall error weight. Consequently, the decoder outputs ⊥ (failure) even though the perturbed output remains visually or linguistically indistinguishable from the original. Experiments show that with n ≈ 2¹⁷ the attack succeeds in 85‑95 % of trials, while standard quality metrics (perplexity for text, SSIM for images) degrade negligibly.
The authors validate these attacks on two real‑world systems: DeepSeek (a large language model) and Stable Diffusion (a generative image model). For the LLM case, the maximum token length (≈ 2¹⁵) limits the feasible code length, making the watermark effectively invisible to the original decoder and rendering the scheme impractical. For the image model, the attacks achieve near‑perfect success rates under several parameter configurations.
To mitigate the threats, three defensive measures are proposed: (1) choose larger security parameters (increase g·n, reduce t) to raise α and lower the probability of weak keys; (2) redesign the key‑generation algorithm to explicitly avoid duplicate rows, which reduces the weak‑key probability to ≈10⁻⁶; (3) increase the permissible noise weight, which would require n > 2²⁴ to reach 128‑bit security. However, the authors point out that current LLMs cannot output more than 2¹⁵ tokens, so achieving n > 2²⁴ is impossible in practice, leaving a security ceiling well below 128 bits.
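The weak-key condition behind Attack II and the duplicate-avoiding key generation of defense (2) can be made concrete with a small added example (not code from the paper or from any PRC implementation). It assumes a simplified, hypothetical key representation in which each row of the sparse public matrix is the sorted tuple of its t non-zero column indices; the real LDPC-PRC sampling procedure and its bias are not reproduced here.

```python
import random
from math import comb


def sample_sparse_rows(n, num_rows, t, seed=None):
    """Hypothetical baseline keygen: every row is an independently drawn t-subset
    of the n column indices, so nothing prevents two rows from coinciding."""
    rng = random.Random(seed)
    return [tuple(sorted(rng.sample(range(n), t))) for _ in range(num_rows)]


def find_duplicate_rows(rows):
    """Weak-key check a verifier can run on a generated key: map every row that
    occurs more than once to the list of positions at which it occurs."""
    positions = {}
    for i, row in enumerate(rows):
        positions.setdefault(row, []).append(i)
    return {row: idx for row, idx in positions.items() if len(idx) > 1}


def sample_distinct_rows(n, num_rows, t, seed=None):
    """Hardened keygen (defense 2): rejection-sample rows and discard any row
    already present, so the resulting key contains no duplicate rows."""
    if comb(n, t) < num_rows:
        raise ValueError("not enough distinct weight-t rows for this n and t")
    rng = random.Random(seed)
    rows, seen = [], set()
    while len(rows) < num_rows:
        row = tuple(sorted(rng.sample(range(n), t)))
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


def expected_duplicate_pairs(n, num_rows, t):
    """Birthday-bound estimate of colliding row pairs under perfectly uniform
    sampling: C(num_rows, 2) / C(n, t). The paper's measurements show the real
    sampler is far more collision-prone than this ideal figure for t = 3 or 4."""
    return comb(num_rows, 2) / comb(n, t)


if __name__ == "__main__":
    key = sample_sparse_rows(16, 40, 3, seed=7)          # toy parameters
    print("duplicates in baseline key:", find_duplicate_rows(key))
    print("expected colliding pairs:", expected_duplicate_pairs(16, 40, 3))
    print("duplicates in hardened key:", find_duplicate_rows(sample_distinct_rows(16, 40, 3, seed=7)))
```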
In conclusion, while PRC offers an elegant theoretical combination of pseudorandomness and error correction, the concrete analysis shows that its existing LDPC‑based instantiation is vulnerable to practical cryptographic attacks. The attacks undermine both undetectability and robustness, and even the suggested mitigations cannot bridge the gap to 128‑bit security given the inherent constraints of generative models. The paper calls for future work on stronger code families, model‑aware key generation, and alternative constructions that can meet realistic security targets without sacrificing generation quality.