An Undetectable Watermark for Generative Image Models
Abstract: We present the first undetectable watermarking scheme for generative image models. Undetectability ensures that no efficient adversary can distinguish between watermarked and un-watermarked images, even after making many adaptive queries. In particular, an undetectable watermark does not degrade image quality under any efficiently computable metric. Our scheme works by selecting the initial latents of a diffusion model using a pseudorandom error-correcting code (Christ and Gunn, 2024), a strategy which guarantees undetectability and robustness. We experimentally demonstrate that our watermarks are quality-preserving and robust using Stable Diffusion 2.1. Our experiments verify that, in contrast to every prior scheme we tested, our watermark does not degrade image quality. Our experiments also demonstrate robustness: existing watermark removal attacks fail to remove our watermark from images without significantly degrading the quality of the images. Finally, we find that we can robustly encode 512 bits in our watermark, and up to 2500 bits when the images are not subjected to watermark removal attacks. Our code is available at https://github.com/XuandongZhao/PRC-Watermark.
Summary
- The paper introduces an undetectable PRC watermarking method using pseudorandom error-correcting codes integrated in latent diffusion models.
- The approach preserves high image fidelity while robustly resisting attacks like JPEG compression and adversarial perturbations.
- Experimental results demonstrate improved FID and CLIP scores over traditional watermarking techniques, setting a new benchmark.
An Undetectable Watermark for Generative Image Models
The paper "An Undetectable Watermark for Generative Image Models" (arXiv ID: (2410.07369)) introduces an innovative watermarking scheme designed for generative image models that promises undetectability without compromising image quality or robustness. This work addresses critical issues in watermarking by ensuring that the watermark is indistinguishable from un-watermarked images under efficient computational metrics. The scheme leverages pseudorandom error-correcting codes, making it a promising tool in counteracting AI-generated disinformation. Here, we explore the methodology, robustness, and implications of this undetectable watermarking approach.
Introduction to Undetectable Watermarks
With the proliferation of AI-generated content, watermarking becomes vital in flagging AI-generated images to prevent disinformation. Traditional watermarking schemes often degrade image quality, raising barriers to adoption. The newly proposed scheme termed as the pseudorandom code (PRC) watermark stands out by ensuring undetectability—meaning adversaries cannot efficiently differentiate between watermarked and non-watermarked images.
Figure 1: Examples of different watermarks applied to generated images, highlighting the undetectable nature of the PRC watermark.
Methodology
PRC and Watermarking Setup
The watermark utilizes latent diffusion models, which operate within a denoising framework to generate images from noise vectors. The PRC watermark introduces specific PRC-coded latents into this process, ensuring the preservation of semantic information while embedding the watermark.
Key Components:
- Pseudorandom Code (PRC): Embeds watermark at a semantic level using pseudorandom codes, ensuring robustness and undetectability.
- Sign-Based Encoding: Utilizes specific sign patterns in latent space, influenced by PRC, to encode watermarks while preserving image quality.
Implementation Details
The watermark is implemented within the latent diffusion framework, specifically targeting Stable Diffusion 2.1. Codewords generated from PRC are integrated into the initial noise of the image generation process, ensuring non-detectability and high fidelity.
Watermark Integration Process:
1 2 3 4 5 6 |
def PRCWat_Sample(key, message): codeword = PRC_Encode(key, message) latent = sample_latent() watermarked_latent = integrate_codeword(latent, codeword) image = generate_image(watermarked_latent, prompt) return image |
Quality and Detectability Evaluation
Experiments comparing PRC with traditional watermarking schemes demonstrate significant improvements in image quality metrics such as FID and CLIP scores. Unlike alternative methods which introduce noticeable artifacts, the PRC watermark maintains high perceptual fidelity, minimizing detection risks.
Figure 2: Robustness evaluation of different watermarking schemes showing significant resilience of PRC watermark under various attacks.
Robustness and Security
Attack Resistance
PRC watermark demonstrates substantial robustness across multiple attack scenarios, including JPEG compression and adversarial perturbations. Its effectiveness in maintaining watermark integrity under high-quality image retention is remarkable.
Figure 3: Robustness under strongest attacks, excluding embedding attacks.
Spoofing and Removal Attacks
The watermark's resistance to spoofing attacks further solidifies its position as a reliable choice for secure watermarking. Such robustness is achieved by maintaining undetectable parity checks within the encoded message, making it computationally expensive to spoof.
Implications and Future Work
The introduction of cryptographically secure PRC watermarks paves the way for watermarking methods in generative models that could facilitate widespread adoption. The development of such undetectable mechanisms is critical in regulatory and commercial contexts, especially when dealing with AI-driven image generation services. Future work may explore extending the algorithm to other generative models and further optimizing PRC constructions for improved undetectability.
Conclusion
The integration of undetectable watermarks into generative image models offers a transformative approach to preserving content authenticity. By coupling robustness with quality preservation, the PRC watermark addresses critical limitations in existing schemes, setting a benchmark for watermarking methodologies in computational imaging.
This work not only provides a viable tool against disinformation but also stimulates further research in cryptographically secure watermarking technologies that maintain generative model performance while ensuring content integrity.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Explain it Like I'm 14
Overview
This paper is about a new way to put an invisible “watermark” into AI‑generated images so we can tell they were made by AI, without hurting how the images look. The watermark is designed to be undetectable to anyone who doesn’t have a secret key, and it’s hard to remove without making the image look worse.
Think of it like writing with invisible ink across the whole “DNA” of the picture. Only someone with the right light (the key) can spot it, and trying to scrub it out smears the picture.
Key Objectives
The paper asks and answers a few big questions in simple terms:
- Can we watermark AI images in a way that doesn’t reduce image quality or variety at all?
- Can the watermark be undetectable to outsiders (even clever attackers), but detectable by someone with a secret key?
- Can the watermark survive common “removal” tricks like compression, cropping, or adding noise?
- Can the watermark carry useful information, like who made the image or when?
How It Works (Explained Simply)
To explain the method, here are the main ideas with everyday analogies:
Generative images and “noise”
Modern image generators like Stable Diffusion start from random “static” (like TV snow) and gradually turn it into a clean picture guided by your text prompt. That starting static is called a “latent.” It’s just a big list of random numbers.
A secret pattern that looks like randomness
The authors use a tool from cryptography called a pseudorandom error‑correcting code (PRC).
- “Pseudorandom” means it looks exactly like randomness to anyone without the key.
- “Error‑correcting” means even if parts get messed up, you can still recognize or recover the message—like how your phone still understands you in a noisy room.
They use the PRC to pick a secret pattern in the signs (+/−) of the starting random numbers. To everyone else, those signs look like ordinary randomness.
Putting the watermark in
Instead of using totally random static, the system:
- Draws random numbers like usual (same magnitudes),
- But sets the plus/minus signs to match the secret PRC pattern.
Because signs in true random noise are already 50/50, this “signed” noise looks indistinguishable from normal random noise to anyone without the key.
Detecting the watermark
To check an image, the system tries to “reverse” the image generator to estimate the starting static (this is called inversion). Then it checks whether the signs match the secret PRC pattern. Thanks to error correction, it still works even if the reverse step isn’t perfect.
Why it’s undetectable (to outsiders)
Undetectable here means: no efficient method (including AI classifiers) can tell watermarked images from normal ones without the key, even after many tries. Because the watermark hides inside the natural randomness of the starting static, it doesn’t change the distribution of images in any way that tools can reliably pick up. That also means it doesn’t harm image quality under any common metric.
Robustness to removal
Common attacks (like JPEG compression, noise, resizing, or even specially trained removal models) usually fail to erase the watermark unless they visibly damage the image. Since the watermark is “spread out” across the whole latent space (the image’s internal “DNA”), small local tweaks don’t remove it.
Main Findings and Why They Matter
The authors tested their method on Stable Diffusion 2.1 and compared it to several popular watermarking methods (both post‑processing schemes that edit images after generation, and in‑processing schemes that affect the generation itself). They looked at:
- Image quality: using standard scores like FID, CLIP Score, and Inception Score. In simple terms, these measure how good and realistic images look and how well they match the text prompt.
- Variety: using LPIPS, which checks if different outputs from the same prompt still look meaningfully different (important for creative uses).
- Detectability by outsiders: training a classifier (ResNet18) to try to spot the watermark without the key.
- Robustness: trying many watermark removal attacks and checking whether the watermark survives without the image getting noticeably worse.
Key results:
- Quality preserved: Their watermark is the only one tested that consistently keeps image quality and variety the same as normal images across all metrics.
- Hard to learn: A neural network could not learn to detect their watermark without the key and only achieved random‑guess performance, while it could detect other watermarks.
- Robust to attacks: Many removal attempts failed unless they made the images clearly worse (for example, very heavy JPEG compression made images blurry and still didn’t fully remove the watermark).
- Can carry data: The watermark can encode information. It robustly carried 512 bits (like a user ID, timestamp, or signature), and up to about 2500 bits when no attack was applied.
They also let users set a target false positive rate (FPR), like 1%, with a mathematical guarantee that it won’t be higher. False positive means mistakenly calling a normal image “watermarked.”
Implications and Potential Impact
- Practical safety: Platforms could use this to catch large‑scale AI‑generated misinformation while keeping personal creativity intact. If only trusted platforms hold the detection key, they can filter harmful content without affecting everyday users.
- No trade‑off with quality: Because the watermark is provably undetectable to outsiders, it doesn’t lower image quality or variety—solving a major reason why watermarks haven’t been widely adopted.
- Flexible and easy to deploy: No extra model training is needed. It plugs into existing diffusion model pipelines.
- Trusted attribution: Since it can carry a message (like a signature), it could help trace content back to its source in a privacy‑respecting way.
In short, this work shows we can have strong, stealthy, and robust watermarks for AI images that protect the public without hurting image quality or user experience.
Collections
Sign up for free to add this paper to one or more collections.