Table of Contents
Fetching ...

Attack-Resistant Watermarking for AIGC Image Forensics via Diffusion-based Semantic Deflection

Qingyu Liu, Yitao Zhang, Zhongjie Ba, Chao Shuai, Peng Cheng, Tianhang Zheng, Zhibo Wang

TL;DR

The paper addresses the challenge of protecting copyrights for user-generated AIGC images in diffusion-based workflows by introducing PAI, a training-free inherent watermarking framework. PAI couples a user key to the generation process via initialization embedding and a key-conditioned deflection during early denoising, and uses DDIM inversion to derive a unified initialization-bias signal for ownership verification, attack detection, and semantic tamper localization. It provides a theoretical guarantee that only the valid key passes verification and demonstrates strong robustness across 12 attacks, high tamper localization performance, and low runtime overhead, outperforming state-of-the-art baselines. The approach is practical for real-world service providers and emphasizes reproducibility and ethics, offering a principled method for secure, forensic-ready AIGC provenance. In short, PAI delivers robust, provenance-aware watermarking that tightly binds identity to content while enabling precise forensic analysis without requiring retraining.

Abstract

Protecting the copyright of user-generated AI images is an emerging challenge as AIGC becomes pervasive in creative workflows. Existing watermarking methods (1) remain vulnerable to real-world adversarial threats, often forced to trade off between defenses against spoofing and removal attacks; and (2) cannot support semantic-level tamper localization. We introduce PAI, a training-free inherent watermarking framework for AIGC copyright protection, plug-and-play with diffusion-based AIGC services. PAI simultaneously provides three key functionalities: robust ownership verification, attack detection, and semantic-level tampering localization. Unlike existing inherent watermark methods that only embed watermarks at noise initialization of diffusion models, we design a novel key-conditioned deflection mechanism that subtly steers the denoising trajectory according to the user key. Such trajectory-level coupling further strengthens the semantic entanglement of identity and content, thereby further enhancing robustness against real-world threats. Moreover, we also provide a theoretical analysis proving that only the valid key can pass verification. Experiments across 12 attack methods show that PAI achieves 98.43\% verification accuracy, improving over SOTA methods by 37.25\% on average, and retains strong tampering localization performance even against advanced AIGC edits. Our code is available at https://github.com/QingyuLiu/PAI.

Attack-Resistant Watermarking for AIGC Image Forensics via Diffusion-based Semantic Deflection

TL;DR

The paper addresses the challenge of protecting copyrights for user-generated AIGC images in diffusion-based workflows by introducing PAI, a training-free inherent watermarking framework. PAI couples a user key to the generation process via initialization embedding and a key-conditioned deflection during early denoising, and uses DDIM inversion to derive a unified initialization-bias signal for ownership verification, attack detection, and semantic tamper localization. It provides a theoretical guarantee that only the valid key passes verification and demonstrates strong robustness across 12 attacks, high tamper localization performance, and low runtime overhead, outperforming state-of-the-art baselines. The approach is practical for real-world service providers and emphasizes reproducibility and ethics, offering a principled method for secure, forensic-ready AIGC provenance. In short, PAI delivers robust, provenance-aware watermarking that tightly binds identity to content while enabling precise forensic analysis without requiring retraining.

Abstract

Protecting the copyright of user-generated AI images is an emerging challenge as AIGC becomes pervasive in creative workflows. Existing watermarking methods (1) remain vulnerable to real-world adversarial threats, often forced to trade off between defenses against spoofing and removal attacks; and (2) cannot support semantic-level tamper localization. We introduce PAI, a training-free inherent watermarking framework for AIGC copyright protection, plug-and-play with diffusion-based AIGC services. PAI simultaneously provides three key functionalities: robust ownership verification, attack detection, and semantic-level tampering localization. Unlike existing inherent watermark methods that only embed watermarks at noise initialization of diffusion models, we design a novel key-conditioned deflection mechanism that subtly steers the denoising trajectory according to the user key. Such trajectory-level coupling further strengthens the semantic entanglement of identity and content, thereby further enhancing robustness against real-world threats. Moreover, we also provide a theoretical analysis proving that only the valid key can pass verification. Experiments across 12 attack methods show that PAI achieves 98.43\% verification accuracy, improving over SOTA methods by 37.25\% on average, and retains strong tampering localization performance even against advanced AIGC edits. Our code is available at https://github.com/QingyuLiu/PAI.
Paper Structure (36 sections, 34 equations, 15 figures, 10 tables)

This paper contains 36 sections, 34 equations, 15 figures, 10 tables.

Figures (15)

  • Figure 1: Comparison of SOTA image watermarking methods across 7 dimensions of robustness and functionality. Overall, PAI achieves balanced and superior results across all dimensions.
  • Figure 2: System model of our PAI.
  • Figure 3: The pipeline of our PAI. The initialization stage aims to calculate the initial noise $x_t$ for generation and verification processes. The deflection stage aims to use the user key ${K}$ to deflect the generative trajectory. $\eta$ is our implicit content-adaptive watermark.
  • Figure 4: Visualization of the second-order moment of the initialization bias.
  • Figure 5: Visualization of the initialization bias under attacks.
  • ...and 10 more figures