Invisible Image Watermarks Are Provably Removable Using Generative AI

We greatly appreciate your positive feedback and the opportunity to address your concern.

"While invisible watermarks are highly vulnerable, semantic watermarks are less affected by the proposed attacks."

The primary purpose of this paper is not to propose an attack that can remove any type of watermark. Our goal is to raise awareness about the vulnerability of all invisible watermarks to some extent. We believe we have successfully demonstrated this point and provided valuable insights into alternative solutions in light of these vulnerabilities. Therefore, this additional information should not be viewed as a weakness but rather as a significant contribution to the community. Our attack is important to motivate the community to study semantic watermarks.

Thank you again for your feedback, and we are looking forward to your stronger support!

Thank you for your thoughtful feedback. We appreciate the opportunity to clarify our contributions and address your concerns.

W1: Experiment settings and evaluation are not rigorous. The authors may consider profiling the quality and detectability tradeoff.

We appreciate your suggestion. We have conducted a comprehensive evaluation with various parameter settings for each attacking method. The results are now included in the attached rebuttal PDF.

Specifically, we have plotted the quality-detectability tradeoff for five watermark schemes across eight different attacking methods. The x-axis represents quality metrics (SSIM and PSNR, higher is better), while the y-axis shows the detection metric True Positive Rate at a fixed False Positive Rate (TPR@FPR=0.01, lower is better from an attacker's perspective). The strongest attacker should appear in the lower right corner of these plots. We used the same watermark settings as described in the original paper (Section 5, Watermark Setting).

Key findings

• Our proposed regeneration attack consistently outperforms other methods across all five watermarking scenarios.
• For DctDwtSvd, RivaGAN, and SSL watermarks, our regeneration attack instance 2 (VAE) achieves the best Pareto front of quality and attack detectability.
• Our regeneration attack instance 3 (diffusion model) performs best against Stable Signature and shows strong results across all scenarios. It offers the additional benefit of ease of use and can achieve good attacking results with different noise levels.

These results strongly support our claim that the regeneration attack is a very effective method for attacking various watermarks compared to strong baselines.

W2: Conclusion with insufficient support. It may be reasonable to argue that StegaStamp can successfully prevent image misuse and does not need a shift as the authors claimed.

We appreciate the reviewer's perspective on StegaStamp. Our conclusion in lines 13-14 is based on both theoretical analysis and empirical evidence:

• Theoretical guarantee: Our regeneration attack is proven to remove certain pixel-based invisible watermarks that perturb the image within a limited range of l2 distance. This guarantee applies to both existing and future watermarking techniques that fall within this category.
• StegaStamp specifics: As the reviewer noted, StegaStamp introduces "visible artifacts that are enough to raise human caution and suspect they are not original images". Figure 4 shows that the l2 distance for StegaStamp is quite large, making it not "invisible" if we set the l2 distance to be small.
• Empirical results: To address the reviewer's concerns, we have included the attacked images for different watermarks, including StegaStamp, in the attached PDF. These images demonstrate that our regeneration attack (diffusion model) produces high-quality results while successfully evading StegaStamp detection.

Our framework is self-consistent, and we have not hidden any results or overclaimed our conclusions. The additional visual examples provide further support for the effectiveness of our approach across different watermarking techniques.

W3: Inaccurate statements: "Invisible watermark safeguards images' copyrights … prevent people from misusing images … ". These are largely believed to be only possible applications.

We appreciate the reviewer's attention to detail. To clarify, these are not merely possible applications but are already in use in prominent real-world scenarios:

• Stable Diffusion [1], a widely used open-source image generation model, employs invisible watermarks to protect generated images.
• DeepMind [2] utilizes SynthID in images to safeguard copyrights and prevent image misuse.

These examples demonstrate that invisible watermarks are actively being used for copyright protection and preventing image misuse in real applications.

W3: Line 4 "The proposed attack method first adds random noise to an image…". According to Eq. 1, the proposed methods add noise to the latent feature of the image (attack instance 2 & 3), not the image itself.

We thank the reviewer for pointing out this potential source of confusion. To clarify:

The regeneration attack is a family of attacks with multiple instances:

• Instance 1 adds noise directly to the image.
• Instances 2 and 3 add noise to the latent feature of the image.

To improve clarity, we will revise the statement to: "adds random noise to an image or its latent feature..."

Q1

We have added an example of the RivaGAN watermark with our regeneration attack in the attached PDF to further illustrate the theoretical guarantee's applicability across different watermarking techniques.

Q2

We acknowledge the reviewer's point about the need for more comprehensive visualizations. We have now included a complete set of attack visualizations for all methods on the different watermarks considered in our paper. These can be found in the attached PDF.

Q3

Regarding DiffPure, we appreciate the suggestion to include it as a baseline. While DiffPure is conceptually similar to our regeneration attack instance 3 (diffusion model), we have conducted additional experiments to compare their performance:

Using the RivaGAN watermark as an example, we fixed TPR<0.05 at FPR=0.01 for both regeneration and DiffPure attacks, then compared PSNR:

• Regen-Diff: PSNR = 23.33
• DiffPure: PSNR = 23.07

These results demonstrate that our Regeneration-Diffusion approach achieves better image quality while maintaining the same level of watermark removal effectiveness.

---

We hope these clarifications and additional results address the reviewer's concerns and further strengthen our paper's contributions. We are grateful for the opportunity to improve our work and would be happy to provide any additional information or clarifications if needed.

---

[1] https://github.com/Stability-AI/stablediffusion

[2] https://deepmind.google/technologies/synthid/

Thank you for your valuable feedback. We appreciate the opportunity to address the specific points raised and provide further clarification.

1. Calibration of $\sigma$ and Attack Performance

"Relies on the upper bound $L \geq L_{x,w}$ to effectively calibrate $\sigma$… this could potentially affect the attack performance or image quality since the attacker normally has no access to the decoding scheme, thus unable to verify the performance of the attack."

Access to the decoding scheme is not necessary for calibrating $\sigma$. Although we cannot calibrate by verifying if an attack is successful, we can still choose the optimal $\sigma$ through a binary search. Typically, the quality of the attacked image degrades as $\sigma$ increases, allowing us to use binary search to find the largest $\sigma$ that maintains acceptable image quality. Additionally, we discuss controlling a certain degree of Certified Watermark Freeness (CWF) a priori in Appendix lines 522-529. Here is the original content for your reference:

• "Our guarantee in Theorem 1 depends on the specific watermark injected into a specific image instance through the unknown local Lipschitz parameter $L_{x,w}$. Specifying a fixed CWF level requires a uniform upper bound of $L_{x,w}$ independent of $x$ and $w$. For example, when the embedding $\phi$ is trivial (identity map), we can take $L_{x,w} \leq 1$. When $\phi$ involves lower pass filtering, such as a Fourier transform that removes all high-frequency components except the top $k$ dimensions, we can bound $L_{x,w} \leq \sqrt{k}/n$, where $n$ is the number of pixels. Generally, any linear transformation with a bounded operator norm is suitable."

2. Balancing Robustness and Visibility of Semantic Watermarks

"How do you envision balancing the robustness of semantic watermarks with their increased visibility in practical applications? Are there any strategies you are exploring to minimize the visual impact while maintaining robustness under regeneration attacks?"

We appreciate your interest in future developments. Yes, we are actively exploring methods to enhance the robustness of post-hoc watermarking. One promising approach involves leveraging powerful image editing techniques to add or remove unimportant subjects or alter textures. These modifications are visible but appear as normal image content without the watermark key.

3. Visualization or LPIPS Curve for Figure 5

"Specifically, a visualization for Figure 5 or an LPIPS curve might be helpful for understanding the preservation of semantic content."

We have included a visualization image in the Rebuttal PDF. This visualization demonstrates that the semantically meaningful content remains preserved.

---

Overall, we hope these clarifications address your concerns and demonstrate the strength and potential of our approach. We appreciate your consideration and look forward to your stronger support.