The NeRF Signature: Codebook-Aided Watermarking for Neural Radiance Fields

TL;DR

The paper tackles copyright protection for Neural Radiance Fields (NeRF) by introducing NeRF Signature, a codebook-aided watermarking approach that embeds signatures directly into NeRF parameters without altering the core model structure. It combines a learnable signature codebook (CSE) with a joint pose-patch encryption scheme and a Complexity-Aware Key Selection (CAKS) to achieve high imperceptibility and robustness against image transformations and model-level attacks, while avoiding retraining for new signatures. A Distortion Layer is used during optimization to simulate degradations, enhancing resilience, and the workflow supports efficient embedding of any signature from a binary space of size $2^{N_{ ext{b}}}$. Experiments across four standard datasets show superior bit accuracy and visual fidelity compared with baselines, along with strong robustness to attacks and practical training-time advantages. The approach enables practical, scalable ownership verification and traceability for NeRF-based content in real-world settings.

Abstract

Neural Radiance Fields (NeRF) have been gaining attention as a significant form of 3D content representation. With the proliferation of NeRF-based creations, the need for copyright protection has emerged as a critical issue. Although some approaches have been proposed to embed digital watermarks into NeRF, they often neglect essential model-level considerations and incur substantial time overheads, resulting in reduced imperceptibility and robustness, along with user inconvenience. In this paper, we extend the previous criteria for image watermarking to the model level and propose NeRF Signature, a novel watermarking method for NeRF. We employ a Codebook-aided Signature Embedding (CSE) that does not alter the model structure, thereby maintaining imperceptibility and enhancing robustness at the model level. Furthermore, after optimization, any desired signatures can be embedded through the CSE, and no fine-tuning is required when NeRF owners want to use new binary signatures. Then, we introduce a joint pose-patch encryption watermarking strategy to hide signatures into patches rendered from a specific viewpoint for higher robustness. In addition, we explore a Complexity-Aware Key Selection (CAKS) scheme to embed signatures in high visual complexity patches to enhance imperceptibility. The experimental results demonstrate that our method outperforms other baseline methods in terms of imperceptibility and robustness. The source code is available at: https://github.com/luo-ziyuan/NeRF_Signature.

Figures (9)

• Figure 1: The embedding and verification of our NeRF Signature with an optimizable signature codebook. The NeRF owner first obtains a signature representation through the signature codebook with a selected secret signature (➀). Then, the watermarked model is created through element-wise addition between the signature representation and the original parameters while maintaining the model structure (➁). After sharing the watermarked model, the NeRF owner can render specific patches from a specific viewpoint using the secret key (➂). Finally, the signature can be extracted from these patches by an extractor (➃).
• Figure 2: Illustration of our training pipeline. (a) A signature representation $G_{\text{m}}$ is derived through a signature codebook according to the randomly selected signature $\mathbf{m}$. Subsequently, the watermarked grid $G^{\prime}$ is generated by directly adding the signature representation and original grid $G$ through a Codebook-aided Signature Embedding (CSE). (b) With a specific camera pose represented as pose key $\mathcal{T}$, we obtain an original image and a watermarked image by volumetric rendering from this pose, utilizing the original grid and the watermarked grid, respectively. A content loss $\mathcal{L}_{\text{content}}$ is computed by comparing the original image and watermarked image. (c) After a distortion layer, we use a patch key $\mathcal{S}$ to generate $N_{\text{b}}$ patches from the watermarked image. (d) We employ a signature extractor to extract one bit of signature from each patch. The signature loss $\mathcal{L}_{\text{signature}}$ is obtained by a cross-entropy error. The pose key $\mathcal{T}$ and the patch key $\mathcal{S}$ together form a complete key $\mathcal{K}=\{\mathcal{T}, \mathcal{S}\}$ for signature extraction.
• Figure 3: The threat model considered in our scenario. A NeRF owner generates the NeRF with signatures, and then the model is shared online. A malicious user obtains the shared model and spreads it without authorization. Finally, the NeRF owner can verify whether the model is generated by themselves.
• Figure 4: The CAKS scheme of our method. First, the NeRF owner chooses a camera pose as the pose key $\mathcal{T}$ and generates an image from this pose (➀). The rendered image is then uniformly divided into patches (➁). Subsequently, certain patches are discarded based on the grayscale values calculated by $Y(\cdot)$ (➂). Following that, patches with low complexity values are discarded using the complexity estimator $V(\cdot)$ (➃). Finally, the NeRF owner randomly selects $N_{\text{b}}$ patches as the final selection, and the positions of these patches form the patch key $\mathcal{S}$ (➄).
• Figure 5: Illustration of our workflow when the signature codebook $\mathcal{G}_{\text{w}}$ has been optimized. In the embedding stage, the NeRF owner can select $N$ signatures to embed into the to-be-protected model through the CSE, resulting in $N$ watermarked models with different embedded signatures. These models are shared online through different paths. In the verification stage, the NeRF owner first obtains specific patches by rendering the model through a key $\mathcal{K}$ for perspective and patch selection for the to-be-verified model. Then, an extractor extracts the signatures embedded in different to-be-verified models. By comparing these signatures with the originally embedded signatures, the NeRF owner can determine model ownership and trace the path through which the model is abused.