ROBIN: Robust and Invisible Watermarks for Diffusion Models with Adversarial Optimization

Huayang Huang, Yu Wu, Qian Wang

TL;DR

ROBIN addresses ownership verification for diffusion-generated content by embedding a robust watermark in an intermediate diffusion state $x_t$ and actively guiding the remaining steps to conceal it in the final image $x_0$. It pairs a watermark $w_i$ with a hiding prompt $w_p$ via adversarial optimization, and verifies watermark presence by reversing the generation to the implantation point $t_{injection}$ and extracting from the frequency domain, using a threshold on the L1 distance $D(w,w')$. Empirical results on latent and pixel-domain diffusion models show superior robustness to common image manipulations and improved invisibility compared with prior methods, without requiring retraining. The work provides open-source code and demonstrates practical applicability to diverse diffusion frameworks for secure content attribution.

Abstract

Watermarking generative content serves as a vital tool for authentication, ownership protection, and mitigation of potential misuse. Existing watermarking methods face the challenge of balancing robustness and concealment. They empirically inject a watermark that is both invisible and robust and passively achieve concealment by limiting the strength of the watermark, thus reducing the robustness. In this paper, we propose to explicitly introduce a watermark hiding process to actively achieve concealment, thus allowing the embedding of stronger watermarks. To be specific, we implant a robust watermark in an intermediate diffusion state and then guide the model to hide the watermark in the final generated image. We employ an adversarial optimization algorithm to produce the optimal hiding prompt guiding signal for each watermark. The prompt embedding is optimized to minimize artifacts in the generated image, while the watermark is optimized to achieve maximum strength. The watermark can be verified by reversing the generation process. Experiments on various diffusion models demonstrate the watermark remains verifiable even under significant image tampering and shows superior invisibility compared to other state-of-the-art robust watermarking methods. Code is available at https://github.com/Hannah1102/ROBIN.
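The verification rule from the TL;DR (extract the watermark from the frequency domain of the recovered intermediate state and threshold the L1 distance $D(w,w')$) can be sketched as follows. This is an added illustration, not code from the ROBIN repository. It assumes a ring-shaped Fourier mask, a 64×64 Gaussian array standing in for the state recovered at the implantation point, additive noise standing in for image manipulation plus inversion error, and a hand-picked threshold `TAU`; no diffusion model is run.

```python
import numpy as np

N, TAU = 64, 0.6 * 64   # state size and decision threshold (both assumed)

def ring_mask(n=N, r_in=4, r_out=12):
    """Assumed watermark region: an annulus around the centre of the shifted spectrum."""
    y, x = np.ogrid[:n, :n]
    r = np.hypot(y - n // 2, x - n // 2)
    return (r >= r_in) & (r <= r_out)

def make_watermark(rng, mask, n=N):
    """w = masked spectrum of a real key pattern, so the implanted state stays real."""
    return np.fft.fftshift(np.fft.fft2(rng.standard_normal((n, n))))[mask]

def implant(x_t, w, mask):
    """Overwrite the masked Fourier coefficients of the intermediate state with w."""
    f = np.fft.fftshift(np.fft.fft2(x_t))
    f[mask] = w
    return np.fft.ifft2(np.fft.ifftshift(f)).real

def distance(x, w, mask):
    """D(w, w'): mean absolute difference between w and the extracted coefficients w'."""
    w_prime = np.fft.fftshift(np.fft.fft2(x))[mask]
    return float(np.abs(w - w_prime).mean())

def is_watermarked(x, w, mask, tau=TAU):
    """Decision rule: watermark is declared present when D(w, w') falls below tau."""
    return distance(x, w, mask) < tau

def demo(seed=0, sigma=0.3):
    rng = np.random.default_rng(seed)
    mask = ring_mask()
    w = make_watermark(rng, mask)
    clean = rng.standard_normal((N, N))   # constructed stand-in for a recovered state
    marked = implant(clean, w, mask)
    # Constructed perturbation: stands in for tampering plus inversion error.
    tampered = marked + sigma * rng.standard_normal((N, N))
    states = [("marked", marked), ("tampered", tampered), ("clean", clean)]
    return {name: distance(x, w, mask) for name, x in states}

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:9s} D={d:7.2f} watermarked={d < TAU}")
```

The gap between the tampered and unwatermarked distances is what the threshold exploits: a stronger implanted signal widens it, which is why the abstract ties robustness to watermark strength.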

Paper Structure

This paper contains 43 sections, 14 equations, 10 figures, 9 tables, 1 algorithm.

Figures (10)

  • Figure 1: The watermark optimization and implantation of ROBIN. A robust watermark is added at an intermediate state of generation, and an additional prompt guiding signal is optimized to direct the model towards hiding the embedded watermark in the generated image. The image watermark and guiding signal are optimized adversarially to improve robustness and invisibility.
  • Figure 2: The impact of introducing frequency domain disturbances at different diffusion steps on the predicted noise. Timestep 1000 signifies the Gaussian noise state and step 0 represents the final generated image. The Uncondition curve (orange) and the Condition curve (gray) nearly overlap in both figures. Guidance is the amplified difference of Uncondition and Condition. Full is the addition of Uncondition and Guidance.
  • Figure 3: The generated images with Tree-Ring and ROBIN watermarks.
  • Figure 4: Ablation experiments on embedding point and watermark strength.
  • Figure 5: Generated images under different watermark strengths. The top row is the result of the Tree-Ring scheme and the bottom row is the result of ROBIN.
  • ...and 5 more figures