Estimating near-verbatim extraction risk in language models with decoding-constrained beam search

A. Feder Cooper; Mark Lemley; Christopher De Sa; Lea Duesterwald; Allison Casasola; Jamie Hayes; Katherine Lee; Daniel E. Ho; Percy Liang

Estimating near-verbatim extraction risk in language models with decoding-constrained beam search

A. Feder Cooper, Mark Lemley, Christopher De Sa, Lea Duesterwald, Allison Casasola, Jamie Hayes, Katherine Lee, Daniel E. Ho, Percy Liang

Published: 04 Jun 2026, Last Modified: 04 Jun 2026ICML MemFM 2026 Workshop OralEveryoneRevisionsBibTeXCC BY 4.0

Keywords: probabilistic extraction, near-verbatim extraction

TL;DR: We make estimating near-verbatim probabilistic extraction computationally tractable, revealing novel insights about extraction risk

Abstract: Probabilistic extraction is tractable only for verbatim memorization, and misses near-verbatim instances that pose similar privacy and copyright risks. Quantifying near-verbatim extraction risk is expensive: the set of near-verbatim suffixes is combinatorially large, and reliable Monte Carlo (MC) estimation can require ${\approx}\,100{,}000$ samples per sequence. To mitigate this cost, we introduce decoding-constrained beam search, which yields deterministic lower bounds on near-verbatim extraction risk at a cost comparable to ${\approx}\,20$ MC samples per sequence. Across experiments, our approach surfaces information invisible to verbatim methods: many more extractable sequences, substantially larger per-sequence extraction mass, and patterns in how near-verbatim extraction risk manifests across model sizes and types of text.

Email Sharing: We authorize the sharing of all author emails with Program Chairs.

Data Release: We authorize the release of our submission and author names to the public in the event of acceptance.

Submission Number: 3

Loading