Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Proof-of-Authorship for Diffusion-based AI Generated Content

De Zhang Lee, Han Fang, Ee-Chien Chang

Abstract

Recent advancements in AI-generated content (AIGC) have introduced new challenges in intellectual property protection and the authentication of generated objects. We focus on scenarios in which an author seeks to assert authorship of an object generated using latent diffusion models (LDMs), in the presence of adversaries who attempt to falsely claim authorship of objects they did not create. While proof-of-ownership has been studied in the context of multimedia content through techniques such as time-stamping and watermarking, these approaches face notable limitations. In contrast to traditional content creation sources (e.g., cameras), the LDM generation process offers greater control to the author. Specifically, the random seed used during generation can be deliberately chosen. By binding the seed to the author's identity using cryptographic pseudorandom functions, the author can assert to be the creator of the object. We refer to this stronger guarantee as proof-of-authorship, since only the creator of the object can legitimately claim the object. This contrasts with proof-of-ownership via time-stamping or watermarking, where any entity could potentially claim ownership of an object by being the first to timestamp or embed the watermark. We propose a proof-of-authorship framework involving a probabilistic adjudicator who quantifies the probability that a claim is false. Furthermore, unlike prior approaches, the proposed framework does not involve any secret. We explore various attack scenarios and analyze design choices using Stable Diffusion 2.1 (SD2.1) as representative case studies.

Proof-of-Authorship for Diffusion-based AI Generated Content

Abstract

Recent advancements in AI-generated content (AIGC) have introduced new challenges in intellectual property protection and the authentication of generated objects. We focus on scenarios in which an author seeks to assert authorship of an object generated using latent diffusion models (LDMs), in the presence of adversaries who attempt to falsely claim authorship of objects they did not create. While proof-of-ownership has been studied in the context of multimedia content through techniques such as time-stamping and watermarking, these approaches face notable limitations. In contrast to traditional content creation sources (e.g., cameras), the LDM generation process offers greater control to the author. Specifically, the random seed used during generation can be deliberately chosen. By binding the seed to the author's identity using cryptographic pseudorandom functions, the author can assert to be the creator of the object. We refer to this stronger guarantee as proof-of-authorship, since only the creator of the object can legitimately claim the object. This contrasts with proof-of-ownership via time-stamping or watermarking, where any entity could potentially claim ownership of an object by being the first to timestamp or embed the watermark. We propose a proof-of-authorship framework involving a probabilistic adjudicator who quantifies the probability that a claim is false. Furthermore, unlike prior approaches, the proposed framework does not involve any secret. We explore various attack scenarios and analyze design choices using Stable Diffusion 2.1 (SD2.1) as representative case studies.
Paper Structure (68 sections, 10 theorems, 21 equations, 6 figures, 3 tables)

This paper contains 68 sections, 10 theorems, 21 equations, 6 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Background and Notations
  3. Latent-Diffusion model
  4. VAE Autoencoder
  5. Image Similarity Function
  6. Pseudorandom function family (PRF)
  7. Statistical Testing
  8. Estimation of $q$
  9. Summary of notations
  10. Proof-of-Authorship Framework
  11. Phases
  12. Registration
  13. Generation
  14. Contention
  15. Judge
  16. ...and 53 more sections

Key Result

Theorem 1

Under Assumption A2, and standard MLE regularity assumptions, let $\alpha \in (0,1)$ and $\delta \in (0,1)$ and consider a fixed threshold $T$. Let $\hat{q} = \Pr[{\widehat{W}} \ge T]$, where $\widehat{W}$ is estimated over $n$ independently and identically distributed samples drawn from a distribut

Figures (6)

  • Figure 1: The similarity score between the original and distorted image is $T = 8.6$. For any forger who is unable to break the pseudorandom function, the probability of generating an image whose similarity score with the contested image meets or exceeds $T$ in a single attempt is at most $2^{-50}$. This implies that the identity cryptographically bound to original image is likely not forged, and therefore corresponds to the legitimate author.
  • Figure 2: An illustration of the generation phase for the POA $\langle m, e, r \rangle$. A pseudorandom function $f_i$ (e.g. HMAC-SHA3) deterministically maps the POA to a seed that initializes the starting point. The random free bits $r$ enable sampling from different locations, preserving diversity in the generated outputs.
  • Figure 3: An illustration of the contention phase in our POA framework. The left depicts the VAE latent generated from the POA $\langle m, e, r \rangle$, compared against the VAE latent of the contested image (right). A similarity score is computed from the two latents (Section \ref{['subsection:similarity']}) and evaluated by the probabilistic adjudicator to determine whether the POA corresponds to the contested image.
  • Figure 4: Empirical distribution of KS distances, which observes that the fitted sub-exponential distribution closely approximates the distribution of the similarity scores.
  • Figure 5: Distribution of the ratio between pairwise $\ell_2$ distances of generated latents and the corresponding $\ell_2$ distances between their starting points.
  • ...and 1 more figures

Theorems & Definitions (17)

  • Theorem 1
  • Definition 1
  • Theorem 1
  • proof : Proof Sketch
  • Lemma 1
  • Lemma 2
  • Theorem 2
  • Theorem 3
  • proof
  • Theorem : Theorem \ref{['thm:poa_ppt']} restated
  • ...and 7 more