MetaSeal: Defending Against Image Attribution Forgery Through Content-Dependent Cryptographic Watermarks

TL;DR

MetaSeal addresses the problem of misattribution in the era of AI-generated content by introducing content-dependent watermarks with cryptographic verification. It binds the image semantics to a Visual Attribution Signature encoded as a structured visual pattern and embedded via an invertible neural network in the frequency domain, enabling exact signature recovery and public verification without relying on detectors. The approach achieves high payload capacity with a 88× increase over baselines while maintaining image quality and robustness to benign transformations, and it provides visual tamper evidence as well as strong forgery resistance against adaptive attacks. By combining semantic binding, cryptographic security, and structured visual encoding, MetaSeal offers a practical, provable defense against image misattribution and establishes a new standard for attribution in a landscape of widespread AI generation.

Abstract

The rapid growth of digital and AI-generated images has amplified the need for secure and verifiable methods of image attribution. While digital watermarking offers more robust protection than metadata-based approaches--which can be easily stripped--current watermarking techniques remain vulnerable to forgery, creating risks of misattribution that can damage the reputations of AI model developers and the rights of digital artists. The vulnerabilities of digital watermarking arise from two key issues: (1) content-agnostic watermarks, which, once learned or leaked, can be transferred across images to fake attribution, and (2) reliance on detector-based verification, which is unreliable since detectors can be tricked. We present MetaSeal, a novel framework for content-dependent watermarking with cryptographic security guarantees to safeguard image attribution. Our design provides (1) \textbf{forgery resistance}, preventing unauthorized replication and enforcing cryptographic verification; (2) \textbf{robust self-contained protection}, embedding attribution directly into images while maintaining robustness against benign transformations; and (3) \textbf{evidence of tampering}, making malicious alterations visually detectable. Experiments demonstrate that MetaSeal effectively mitigates forgery attempts and applies to both natural and AI-generated images, establishing a new standard for secure image attribution. Code is available at: https://github.com/Tongzhou0101/MetaSeal.

Figures (14)

• Figure 1: Attackers can forge watermarked images that falsely attribute harmful or manipulated content to a model, risking developer reputation.
• Figure 2: Training performance of HiDDeN with 512-bit messages: loss optimizes image fidelity while recovery accuracy remains low (unconverged BER).
• Figure 3: The inference process of MetaSeal. Embedding: Semantic features are extracted to generate a cryptographic signature using the private key $\mathsf{sk}$, which is encoded into a visual pattern and embedded into the image using an invertible neural network (INN, trained with Eq. \ref{['eq:inn_loss']}). The resulting watermarked image may undergo transformations such as JPEG compression. Extraction: The embedded secret is recovered using the same INN and then decoded to verify attribution using the public key $\mathsf{pk}$. The secret is embedded in the frequency domain using discrete wavelet transform (DWT) and Inverse Wavelet Transform (IWT) for improved robustness and imperceptibility.
• Figure 4: $\texttt{MetaSeal}\xspace$ achieves the best performance between payload and recovery accuracy on DIV2K.
• Figure 5: As the payload increases for DwtDctSvd, its VerAcc drops significantly, while MetaSeal maintains perfect recovery and verification accuracy.

Theorems & Definitions (1)

• Definition 1: Visual Attribution Signature