An Undetectable Watermark for Generative Image Models

Sam Gunn, Xuandong Zhao, Dawn Song

TL;DR

This work introduces the PRC watermark, the first undetectable watermark for generative image models, built on a pseudorandom error-correcting code that subtly embeds a signal in the latent space of diffusion models. It achieves provable undetectability under efficient adversaries, preserves image quality across standard metrics, and demonstrates robustness against watermark-removal attacks. The approach enables encoding long messages (up to 2500 bits without removal) and can be applied to VAEs as a demonstration of generality. Empirical results on Stable Diffusion 2.1 show superior perceptual quality preservation and resilience compared with existing watermarking schemes, with practical implications for attribution and disinformation policing.

Abstract

We present the first undetectable watermarking scheme for generative image models. Undetectability ensures that no efficient adversary can distinguish between watermarked and un-watermarked images, even after making many adaptive queries. In particular, an undetectable watermark does not degrade image quality under any efficiently computable metric. Our scheme works by selecting the initial latents of a diffusion model using a pseudorandom error-correcting code (Christ and Gunn, 2024), a strategy which guarantees undetectability and robustness. We experimentally demonstrate that our watermarks are quality-preserving and robust using Stable Diffusion 2.1. Our experiments verify that, in contrast to every prior scheme we tested, our watermark does not degrade image quality. Our experiments also demonstrate robustness: existing watermark removal attacks fail to remove our watermark from images without significantly degrading the quality of the images. Finally, we find that we can robustly encode 512 bits in our watermark, and up to 2500 bits when the images are not subjected to watermark removal attacks. Our code is available at https://github.com/XuandongZhao/PRC-Watermark.
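The latent-selection step described in the abstract, as an added illustration that is not from the paper or its repository. It assumes the codeword bits fix the signs of otherwise Gaussian latent coordinates, and it uses a toy planted-parity code in place of a real PRC, so it carries no undetectability guarantee; `keygen`, `encode`, `detect`, `attack` and all parameters are hypothetical, and the diffusion model and its inversion are skipped (detection runs directly on a noised latent).

```python
import random

N, N0, T = 2048, 512, 3  # toy sizes (assumed); a real PRC needs much larger, tuned parameters

def keygen(rng):
    """Secret key: each bit i >= N0 is the XOR of T-1 secretly chosen earlier bits."""
    return [rng.sample(range(i), T - 1) for i in range(N0, N)]

def encode(key, rng, flip=0.05):
    """Fresh noisy codeword: random prefix, planted parity bits, then random bit flips."""
    c = [rng.getrandbits(1) for _ in range(N0)]
    for parents in key:
        c.append(sum(c[p] for p in parents) % 2)
    return [b ^ (rng.random() < flip) for b in c]

def sample_latent(key, rng):
    """Initial latent: codeword bit sets the sign, |N(0,1)| sets the magnitude."""
    return [(1 - 2 * b) * abs(rng.gauss(0, 1)) for b in encode(key, rng)]

def detect(key, latent, threshold=0.6):
    """Return (fraction of secret parity checks the latent's signs satisfy, verdict)."""
    bits = [int(x < 0) for x in latent]
    ok = sum((bits[N0 + j] + sum(bits[p] for p in parents)) % 2 == 0
             for j, parents in enumerate(key))
    score = ok / len(key)
    return score, score > threshold

def attack(latent, rng, sigma=0.3):
    """Constructed stand-in for a removal attack: additive Gaussian noise on the latent."""
    return [x + rng.gauss(0, sigma) for x in latent]

if __name__ == "__main__":
    rng = random.Random(2024)
    key = keygen(rng)
    marked = sample_latent(key, rng)
    plain = [rng.gauss(0, 1) for _ in range(N)]
    for name, z in [("watermarked", marked), ("after noise", attack(marked, rng)),
                    ("unwatermarked", plain)]:
        print(name, "score=%.3f detected=%s" % detect(key, z))
```

Without the key, each coordinate of the watermarked latent has the same marginal as a standard Gaussian sample; only the keyed parity checks separate the two, and an unrelated key scores near 0.5.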

Paper Structure

This paper contains 33 sections, 2 theorems, 25 equations, 15 figures, 2 tables, 8 algorithms.

Key Result

Theorem 1

Let $\mathsf{PRC}$ be any PRC, and let $\mathsf{PRCWat}.\mathsf{Sample}$ be as defined above. Then for any efficient algorithm $\mathcal{A}$ and any $c > 0$,

Figures (15)

  • Figure 1: Examples of different watermarks applied to the image generated with the prompt: "red dead redemption 2, cinematic view, epic sky, detailed, concept art, low angle, high detail, warm lighting, volumetric, godrays, vivid, beautiful, trending on artstation, by jordan grimmer, huge scene, grass, art greg rutkowski". For post-processing watermark methods, the watermarks directly perturb the un-watermarked image. Notably, the StegaStamp watermark introduces visible blurring artifacts.
  • Figure 2: Top: Training a model to detect the watermark without the key. Bottom: Training a model to distinguish between watermarked images generated with different watermarking keys.
  • Figure 3: Robustness under the strongest attacks, excluding the embedding attack. We show all points from the corresponding robustness-sweep plot for which there is no other point with a higher FID and TPR. In the figure on the right, we only include the in-processing watermarks. The TPR for the PRC watermark drops after the FID reaches 75; this corresponds to the JPEG 20 attack, of which we give an example in Figure 4.
  • Figure 4: Example images under the JPEG 20 attack with a PSNR of 28.39. Notice the blurriness and lack of detail in the attacked image.
  • Figure 5: Robustness of various watermarking schemes. PSNR and SSIM are used to measure the similarity between a single original image and attacked image. FID is used to measure distance between the distribution of un-watermarked images and attacked images. The vertical dotted red line in the FID plots is the FID for un-perturbed watermarked images. Note that the strange behavior of the FID for certain watermarks under the Regen-Diffusion attack can be explained by the attack simply correcting its own errors.
  • ...and 10 more figures

Theorems & Definitions (4)

  • Theorem 1: Undetectability
  • Theorem 2: False positive rate
  • proof
  • proof