Identifying Models Behind Text-to-Image Leaderboards
Ali Naseh, Yuefeng Peng, Anshuman Suri, Harsh Chaudhari, Alina Oprea, Amir Houmansadr
TL;DR
This work reveals a fundamental vulnerability in voting-based text-to-image leaderboards: model anonymity can be reliably broken through embedding-space clustering, even without prompt control or training data. A simple, training-free centroid-based deanonymization using image embeddings (e.g., CLIP) achieves high accuracy across 22 models and 280 prompts, with a prompt-level distinguishability metric identifying prompts that maximize leakage. The authors also explore defenses via adversarial post-processing to perturb embeddings, quantify the associated trade-offs in image fidelity, and analyze the practical costs and implications for leaderboard design. Overall, the paper argues for stronger anonymization and evaluation protocols to preserve fairness and reliability in T2I leaderboards, while providing a concrete, scalable attack framework and measurable defense strategies.
Abstract
Text-to-image (T2I) models are increasingly popular, producing a large share of AI-generated images online. To compare model quality, voting-based leaderboards have become the standard, relying on anonymized model outputs for fairness. In this work, we show that such anonymity can be easily broken. We find that generations from each T2I model form distinctive clusters in the image embedding space, enabling accurate deanonymization without prompt control or training data. Using 22 models and 280 prompts (150K images), our centroid-based method achieves high accuracy and reveals systematic model-specific signatures. We further introduce a prompt-level distinguishability metric and conduct large-scale analyses showing how certain prompts can lead to near-perfect distinguishability. Our findings expose fundamental security flaws in T2I leaderboards and motivate stronger anonymization defenses.
