Towards A Correct Usage of Cryptography in Semantic Watermarks for Diffusion Models
Jonas Thietke, Andreas Müller, Denis Lukovnikov, Asja Fischer, Erwin Quiring
TL;DR
The paper addresses the lack of rigorous cryptographic foundations and key-management in distribution-preserving semantic watermarks, particularly Gaussian Shading. It introduces a general $IND$-$CPA$-based framework and a formal game to prove lossless undetectability that extends to multi-image usage, applying it to Gaussian Shading and discussing PRC. The findings show that per-image nonces preserve generation quality and undetectability but are computationally and storage-wise inefficient, while PRC can be deployed efficiently and meets the lossless criteria. These results provide a stronger cryptographic basis for semantic watermark deployment and clarify how security, efficiency, and generation variety trade-offs shape practical design choices.
Abstract
Semantic watermarking methods enable the direct integration of watermarks into the generation process of latent diffusion models by only modifying the initial latent noise. One line of approaches building on Gaussian Shading relies on cryptographic primitives to steer the sampling process of the latent noise. However, we identify several issues in the usage of cryptographic techniques in Gaussian Shading, particularly in its proof of lossless performance and key management, causing ambiguity in follow-up works, too. In this work, we therefore revisit the cryptographic primitives for semantic watermarking. We introduce a novel, general proof of lossless performance based on IND\$-CPA security for semantic watermarks. We then discuss the configuration of the cryptographic primitives in semantic watermarks with respect to security, efficiency, and generation quality.