Collaborative Threshold Watermarking

17 Sept 2025 (modified: 24 Nov 2025) | ICLR 2026 Conference Withdrawn Submission | CC BY 4.0
Keywords: Threshold Watermarking, Federated Learning, Threshold Schemes, Model Watermarking
TL;DR: We introduce collaborative threshold watermarking, a trustless protocol that allows many clients to jointly embed and verify a model watermark while preventing any group of fewer than t colluding clients from detecting it.
Abstract: Consider $K$ clients who want to collaboratively train a machine learning model without sharing their data. Since each client invests considerable data and computational resources, they want the ability to verify their model's provenance by embedding a hidden signal in its weights, called a watermark. Clients may not trust each other and want the ability to embed a robust watermark that cannot be easily removed by any other client. A naive solution would be for each client to embed their own hidden watermark during training, but such a solution does not scale to many clients, as each client's contribution to the final model is bounded. We propose a trustless protocol that enables multiple clients to embed and verify a collaborative threshold watermark so that only a subset of $t$ or more clients can verify the watermark's presence, and a subset of fewer than $t$ clients learns nothing about the watermark beyond what can be inferred from the output of the protocol. We call such a solution $(t,k)$-threshold watermarking, and it enables many clients to establish ownership with limited accuracy degradation of the model, even for large $K$. We formalize threshold watermarking and propose model watermarking schemes in the white-box setting, where the verifier can access the weights of the suspect model. We empirically demonstrate robustness against both adaptive and non-adaptive attackers on image classification tasks on multiple datasets.
Supplementary Material: zip
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 9278