High payload robust watermarking of generative models with multiple triggers and channel coding

Download PDF

Jianwei Fei, Benedetta Tondi, Mauro Barni

Published: 06 Mar 2025, Last Modified: 16 Apr 2025WMARK@ICLR2025EveryoneRevisionsBibTeXCC BY 4.0
Track: long paper (up to 9 pages)
Keywords: Generative Model Watermarking, DNN Watermarking, Intellectual Property Right protection, Channel coding
Abstract: We present a robust and high-payload black-box multi-bit watermarking scheme for generative models. In order to embed a high payload message while retaining robustness against modifications of the watermarked network, we rely on the use of channel codes with strong error correction capacity (polar codes). This, in turn, increases the number of (coded) bits to be embedded within the network, thus challenging the embedding capabilities of the watermarking scheme. For this reason, we split the watermark bits into several chunks, each of which is associated with a different watermark triggering input. Through extensive experiments on the StyleGAN family of generative models, we show that the proposed method has excellent payload and robustness performance, allowing great flexibility to trade off between payload and robustness. Noticeably, our method demonstrates the capability of embedding over 100,000 coded bits for a net payload of up to 8192 bits while maintaining high image quality, with a PSNR exceeding 37 dB. Experiments demonstrate that the proposed high-payload strategy effectively improves the robustness of messages via high-performance channel codes, against white-box model attacks such as fine-tuning and pruning. Codes at: https://github.com/jumpycat/CCMark
Presenter: ~Jianwei_Fei1
Format: Maybe: the presenting author will attend in person, contingent on other factors that still need to be determined (e.g., visa, funding).
Funding: No, the presenting author of this submission does *not* fall under ICLR’s funding aims, or has sufficient alternate funding.
Anonymization: This submission has been anonymized for double-blind review via the removal of identifying information such as names, affiliations, and identifying URLs.
Submission Number: 30