TraceMark-LDM: Robust Watermarking in LDMs

Updated 5 February 2026

TraceMark-LDM is an authenticatable watermarking framework for latent diffusion models that embeds watermarks via binary-guided rearrangement of Gaussian random variables.
It integrates encoder fine-tuning and structured partitioning of latent variables to embed a 256-bit identifier while preserving the natural Gaussian distribution.
The framework achieves superior robustness with >95% bit accuracy under various attack scenarios, all without detectable degradation in image quality metrics.

TraceMark-LDM is an authenticatable watermarking framework for Latent Diffusion Models (LDMs) that integrates binary-guided rearrangement of Gaussian random variables to achieve forensic attribution of AI-generated images, while maintaining non-destructive image quality. By encoding multi-bit watermarks directly in the stochastic generation process and coupling this with fine-tuning of LDM encoders, TraceMark-LDM attains robust, high-capacity, and near-invisible watermarking superior to existing state-of-the-art methods, even under intensive content distortion or re-generation scenarios (Luo et al., 30 Mar 2025).

1. Latent Diffusion Models and the Watermarking Problem

LDMs, such as Stable Diffusion v2.1, utilize a VAE encoder $E$ to compress images $I$ into a low-dimensional latent $z_0$ . A forward diffusion process transforms $z_0$ into $z_T\sim\mathcal{N}(0,I)$ , and a reverse denoising chain (DDPM/DDIM) reconstructs $z_0$ , which is then decoded by $D$ to output pixels. Conventional watermarking approaches—embedding identifiers into pixels or intermediate noise—perturb latent Gaussian priors, causing measurable declines in image fidelity (increased FID, decreased CLIP-Score) and vulnerability to post-processing. The central technical challenge is to invisibly encode a $k$ -bit identifier within $z_T$ 's sampling, preserving the marginal $\mathcal{N}(0,I)$ and thereby retaining image quality and reliable recovery post-attack.

2. TraceMark-LDM Embedding Pipeline

TraceMark-LDM encodes a $k$ -bit watermark $m$ via structured rearrangement of latent variables during image generation, involving partitioning, rearrangement based on bit values, and postprocessing to conceal the watermark.

2.1 Sampling and Partitioning

The algorithm samples $z\sim\mathcal{N}(0,I)$ with latent dimension $r=c\cdot h\cdot w$ , and partitions $z$ into negative ( $N$ ) and non-negative ( $P$ ) subsets.

2.2 Binary-Guided Rearrangement

Quartile partitions $N_1\subset N$ , $P_1\subset P$ are extracted as the largest (absolute value) elements. For each watermark bit $b_j$ , a “large-element” sequence $z_l$ is formed by cycling through bits and selecting an element from $N_1$ if $b_j=0$ , $P_1$ if $b_j=1$ , repeating $m$ until $z_l\in\mathbb{R}^{r/2}$ is assembled. The rearrangement operator $R_l(z, b_j)$ selects unused elements accordingly.

2.3 Group Rearrangement of Small Elements

Remaining elements $R$ are sorted; most negative/positive halves ( $R_n$ , $R_p$ ) are split into $k/2$ disjoint groups $G_n$ and $G_p$ . Each group's sum signals the bit: $g_j$ chosen from $G_n$ encodes $b_j=0$ $(\sum g_j<0)$ , from $G_p$ for $b_j=1$ $(\sum g_j>0)$ . Concatenation yields $z_s\in\mathbb{R}^{r/2}$ .

2.4 Interleaving, Permutation, and Generation

The sequences $z_l$ and $z_s$ are interleaved to yield $z_m$ ; a secret key-dependent permutation $\pi(m)$ is applied, producing $z_{wt}$ . This watermarked noise then passes through the LDM denoising chain to reconstruct $z_0$ , which is decoded to the final image $I_{wm}$ .

2.5 Encoder Fine-Tuning

DDIM inversion and VAE encoding introduce extraction errors. Fine-tuning the encoder $E_\theta$ (decoder $D$ fixed) is performed: generating $I=D(z_0)$ , applying random distortions $A$ to $I$ , and optimizing

$\mathcal{L}_{inv}(\theta) = \mathbb{E}[\|z_0 - E_\theta(I')\|^2],$

$\mathcal{L}_{sim}(\theta) = \mathbb{E}[LPIPS(D(z_0), D(E_\theta(I')))],$

with $\mathcal{L}(\theta) = \mathcal{L}_{inv} + \lambda \mathcal{L}_{sim}$ , $\lambda=1$ , for 100 epochs ( $\sim$ 200 images, distortions: median, JPEG, blur, noise, resize). This approach reduces bit-flip rates during extraction under attack.

3. Watermark Extraction and Authentication

Upon receiving a possibly attacked image $I^*$ :

Encode $z_0'=E_{finetuned}(I^*)$ ;
Apply DDIM inversion to recover $z_{wt}'$ ;
Unshuffle via $\pi^{-1}$ to reconstruct $z_m'$ ;
De-interleave into $z_l'$ and $z_s'$ ;
Decode $z_l'$ : $\hat b_j^{(l)}=0$ if $p<0$ , $1$ otherwise;
Decode $z_s'$ : $\hat b_j^{(s)}=\text{sign}\left(\sum_{x\in g} x\right)$ ;
Merge streams and repeat voting over repetitions to obtain final recovered $m'$ ;
Authenticate: compare $m'$ against user signatures. Attribution accepted if Hamming similarity $>\tau$ (threshold for FPR= $10^{-6}$ ).

4. Experimental Results and Benchmarking

The backbone is Stable Diffusion v2.1 ( $512\times512$ images, latent $4\times64\times64$ ). Sampling uses DPM-Solver ($50$ steps, guidance $7.5$), inversion by DDIM ($50$ steps, null prompt, guidance $1$). Attacks simulated include median filter ( $k=3$ –$19$), JPEG ( $Q=10$ –$90$), Gaussian blur ( $r=2$ –$10$), Gaussian noise ( $\sigma=0.05$ –$0.25$), salt-&-pepper ( $p=0.05$ –$0.4$), resize ($0.1$–$0.9$), VAE regen (quality $1$–$5$), and diffusion regen ($300$–$700$ DDPM steps). Watermark length is $k=256$ bits, repeated $\approx r/(2k)$ times.

Metric	Baseline	TraceMark-LDM	Statistical Test
FID	24.90	24.96	$t=0.773$ ( $<2.101$ )
CLIP Score	0.3647	0.3649	$t=0.372$ ( $<2.101$ )
Attribution (benign)	—	100% bit acc.	TPR@ $10^{-6}$ ≈ 1.0

TraceMark-LDM demonstrates no statistical degradation of image quality. Robustness is sustained at $\geq 96\%$ bit accuracy across distortions, $99.4\%$ accuracy under salt-and-pepper $p=0.4$ , $96.7\%$ under VAE regen $q=5$ , $74.1\%$ under diffusion regen with $700$ steps—the latter remains highest among compared methods.

5. Comparative Analysis with State-of-the-Art Methods

TraceMark-LDM is contrasted with prominent LDM watermarking approaches:

Posterior-image methods (DwtDct, RivaGAN): degrade FID ( $t\gg2.1$ ) and lack robustness to distortions beyond mild JPEG.
In-generation methods (Stable Signature, Latent Watermark): require costly U-Net fine-tuning or suffer quality loss for high-capacity embedding ( $>32$ bits).
Initial-noise methods (Tree-Rings, Gaussian Shading): cause distributional distortions or operational inefficiency (e.g., slow ChaCha20 encryption).

TraceMark-LDM achieves performance-lossless watermark embedding (no observable FID/CLIP drop), supports multi-bit capacity ($256$ bits), maintains $\gtrsim 95\%$ bit accuracy under all attacks, exceeds $70\%$ under extreme re-generation, and entails only moderate overhead (100-epoch encoder fine-tune, no per-image encryption or U-Net retraining). These properties yield superior bit-accuracy versus robustness trade-off (cf. Table I, Table III in source).

6. Context and Implications

TraceMark-LDM addresses the forensic attribution requirement for AI-generated content—a concern of increasing societal and legal significance. By integrating watermarking into the generative sampling step and developing resilience to post-processing and re-generation, the framework suggests a paradigm wherein provenance can be guaranteed with minimal operational disruption and strong resistance to adversarial attacks. A plausible implication is that similar binary-guided rearrangement and encoder fine-tuning methodologies could be extended to other generative architectures reliant on latent Gaussian sampling, offering broad utility in AIGC attribution and copyright protection domains (Luo et al., 30 Mar 2025).

Markdown Report Issue Upgrade to Chat

References (1)

TraceMark-LDM: Authenticatable Watermarking for Latent Diffusion Models via Binary-Guided Rearrangement (2025)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to TraceMark-LDM.