T2SMark: Balancing Robustness and Diversity in Noise-as-Watermark for Diffusion Models

Thank you for your insightful comments on our work. Our responses to each of the points you raised are detailed below.

Re: Impact on applicability of controllable generation methods (Weakness 1)

Thank you for pointing it out! We will add a discussion on this to Section 5. However, not all controllable generation methods are affected. Our NaW method does not modify already sampled initial noise; instead, it replaces the original initial noise sampling logic with a pseudo-random one. The sampled noise still adheres to the original distribution and is indistinguishable from standard noise without the correct key.

To clarify, the following discussion is structured by the type of controllable generation method:

1. Methods that modify the initial noise sampling logic (e.g., require specific noise patterns): Our watermarking method would conflict with these, as we already replace the default sampling.
2. Methods that require only minor modifications to the initial noise: Our method remains applicable. For instance, with Golden Noise, its perturbation to the initial noise is minimal, far less than typical image distortions or inversion errors.
3. Methods that irreversibly alter the denoising process: Our method is incompatible here. InitNO, for example, performs gradient-based optimization at various denoising timesteps, which compromises the determinism of ODE-based sampling. This is why it cannot adapt to our method, as mentioned in Section 5. If an inversion method corresponding to InitNO's denoising process could be found, we believe our approach would still be applicable.

Re: Visual evidence is limited (Weakness 2)

Current NeurIPS 2025 policy does not allow us to provide additional visual evidence directly within the rebuttal or discussion phase. However, we are fully committed to including more example images in Appendix C if the paper is accepted, to clearly showcase both diversity and maintained image quality.

As compensation and to address your concern regarding diversity, we conducted a user study. We randomly selected 20 prompts for each of 25 participants. For every prompt, we presented a set of five images generated by different watermarking methods and also a non-watermarked baseline. Participants were then asked to choose the set they perceived as most diverse. Our results, presented below, largely align with our quantitative diversity measurements in the paper, which we hope alleviates your concerns:

Re: Lack of comparison of the time (Weakness 3)

We conducted a timing comparison for all inversion-based methods. Experiments were run on a system equipped with an AMD EPYC 7662 Processor and an NVIDIA RTX A6000 GPU. All inversion-based methods utilized FP16 precision and performed 10 inversion steps on an SD v2.1 model.

Re: The Empirical decision of the channel embedding channel of session key (Weakness 4)

The choice of channel is quite flexible, and Table 9 shows that performance differences are minimal. In our generalization experiments with SD v3.5M (Section 4.4), we did not specifically select channels, and its latent space has 16 channels, which is different from SD v2.1's 4 channels. For simplicity, we chose the first four channels to embed the session key and still achieved considerable results (see Table 3). More detailed experimental settings can be found in Appendix B.1.

Re: Rotation (Weakness 5)

In fact, rotation presents a notable challenge for NaW methods like GS, PRCW, and T2SMark since their designs lack explicit mechanisms to resist it, highlighting a key area for research. We will clearly point out this limitation in the paper.

The recent ICML 2025 paper, GaussMarker [1], offers a promising solution. They developed a novel dual-domain watermark, embedding NaW in the spatial domain and TRW in the frequency domain. They also train a network to recover rotated images for the spatial watermark. Since they successfully used GS as their spatial watermark, we are confident that integrating our method in place of their spatial domain watermark would similarly achieve strong resistance against rotation.

[1] GaussMarker: Robust Dual-Domain Watermark for Diffusion Models, ICML 2025.

Re: Comparisons with ROBIN and ZoDiac (Question 1)

We acknowledge the impressive fidelity to original images and competitive robustness of methods like ROBIN and ZoDiac. Thank you for these helpful references and we will include a discussion of them in the related work section.

However, these are 0-bit watermarking schemes, designed solely for detection, and they require gradient-based optimization. In contrast, by not needing to be strictly identical to the original image, training-free NaW methods can fully leverage the initial noise space to achieve a 256-bit capacity for traceability. Given these significant differences in design philosophy, a direct comparison would be unintuitive.

Re: Assumptions of the undetectability evaluation (Question 2)

We believe there might be a misunderstanding regarding our key assumptions. Our method employs two types of keys: a master key and a session key. The session key varies with every generation, while the master key remains fixed. We contend that the master key should not vary per user. In our threat model (Section 3.1), to trace the origin of an image, we extract the watermark content, which depends on the master key for decoding. If the master key varied per user, we would paradoxically need to know who generated the image before decoding the watermark, creating a contradiction.

We suspect your concern might pertain to the watermark content varying per user, which is indeed the case. However, we consider a more challenging scenario: an attacker seeking to train a classifier would most conveniently obtain sufficient watermarked image samples from a single user's API. In such a scenario, both the master key and watermark content would be fixed, providing the classifier with more consistent information to learn common features. This makes it a more challenging test for watermark undetectability. We will clarify this point clearly in the paper.

Regarding scenarios with randomized watermark instances (varying watermark content), GS, PRC, and T2SMark achieve comparable performance in our experimental setup, all hovering around 50% accuracy. This indicates that this scenario is indeed less challenging.

Re: Vulnerability to Gaussian noise and corresponding solutions (Question 3)

That is a good suggestion! You are right, error-correcting codes could indeed boost our method's robustness. We attempted to incorporate a 1-bit error-correcting Hamming code in the first stage. This increased bit accuracy under Gaussian noise from 0.8982 to 0.9068, while keeping the session key length constant. Multi-bit error-correcting codes like LDPC, might yield better results, but both ECC encoding and our watermarking method require redundancy. Given the limited capacity of the latent space, we found it challenging to balance the allocation of this redundancy between the two.

We observed that removing Gaussian noise in the pixel domain before inversion appears to be a simpler and more effective strategy than applying error correction after inversion. Specifically, we found that independent additive noise, including Gaussian noise, is surprisingly easy for a model to distinguish. Plus, removing this noise using traditional filtering methods before inversion is highly effective. To illustrate this, we trained a simple four-layer CNN for an experiment. Here are the results:

These results show that this plug-and-play module improves performance under Gaussian and Salt-and-Pepper noise, with only a marginal effect on other distortions. In fact, our classifier successfully detected the target noise with a 94.9% probability, while maintaining a low false positive rate of only 2.6%.

Thank you for your helpful feedback. We provide our responses to each point below.

Re: Reduction of the capacity (Weakness 1)

Our method’s moderation of theoretical capacity is a deliberate design choice, trading a largely academic ceiling, which no current method can practically approach, for substantial gains in real-world robustness. For example, when SD v2.1 generates images at a resolution of 512x512 pixels, the theoretical capacity limit for other NaW methods is determined by the latent space size, specifically 4×64×64 = 16,384 bits. Under our default settings, TTS reduces this upper limit to 8,192 bits by excluding those easy-flipping points. However, no existing method can maintain acceptable performance at such large capacities. In practical scenarios, methods typically operate at significantly lower capacities to ensure robustness. When compared at equivalent and practical capacities, our method consistently demonstrates superior robustness.

Re: Evaluation lacks direct fidelity metrics (Weakness 2)

We would like to clarify that our FID is computed between 1,000 generated images and 1,000 corresponding real images, ensuring semantic alignment.

PSNR is a relative metric that measures deviation from an original image. As a NaW method, we directly encode the watermark into the initial noise, meaning there is no strict "original image" for direct comparison. Instead, we assess image quality by evaluating the overall quality of the generated content. In this paper, we generated a total of 10,000 images, organized into 10 groups. Similar to GS, we performed t-tests on CLIP and FID scores against unwatermarked images for all methods. A smaller t-value indicates greater indistinguishability from unwatermarked images. The t-test results are provided in Table 1 and Table 3, with further details in Appendix B.3. We also offer results on additional datasets in Appendix B.5, which we believe is sufficiently convincing.

Re: Figure 1 lacks quantitative support (Weakness 3)

Thank you for pointing it out! Our original intention was to visually convey how our method achieves a superior balance compared to two SOTA approaches, but the absence of specific quantitative data can indeed be misleading. We have modified the figure following your suggestion. Unfortunately, due to conference regulations, we cannot provide it immediately. We commit to updating this illustration in the camera-ready version if our paper is accepted.

Re: Further estimation of the diversity (Question 1)

In the context of measuring diversity, we employ LPIPS in a non-standard manner. While LPIPS usually measures the direct visual distance between two images (where a smaller value means more similarity and often better visual quality), we calculate it differently for diversity. For $P$ prompts, and for each prompt generating $N$ images, we compute the visual distance for all $C_N^2$ possible pairs. We then average these distances for each prompt and finally average across all $P$ prompts, formally:

$D = \frac{1}{P}\sum_{i=1}^{P} \frac{1}{C_N^2} \sum_{j,k,1\leq j<k \leq N} d(X_{i,j}, X_{i,k})$

If the average distance between multiple images generated for the same prompt is small, we consider them similar and thus lacking diversity. Conversely, a larger average distance indicates better diversity. The function d can also be replaced by other distance metrics like CLIP-Image similarity, where a larger value indicates more similarity; therefore, a smaller value would indicate better diversity. Specific results are in the table below.

We also conducted a user study. We randomly selected 20 prompts for each of 25 participants. For every prompt, we provided a set of five images generated by different watermarking methods and a non-watermarked baseline. Participants were asked to choose the set they perceived as most diverse. Our results, consistent with the quantitative diversity measurements in the paper, are shown below, and we hope this addresses your concerns.

Our conclusions on diversity align with previous work. PRC, as a cryptographically undetectable watermark, exhibits diversity nearly comparable to unwatermarked images, while GS shows the lowest diversity due to its fixed key. Our undetectability experiments (Section 4.3) further support this, as the classifier easily distinguishes between GS and unwatermarked images by learning common features.

Inception Score calculates class diversity within an image set, making it more suitable for unconstrained generation. Since we use fixed prompts for each method, Inception Score appears unable to reflect the specific diversity in our context.

Thank you for your constructive feedback and detailed evaluation. We have addressed each of the points raised in our responses below.

Re: Contributions besides the TTS sampling (Question 1 & Weakness 1)

T2SMark's improvements go beyond TTS sampling. T2SMark enhances watermark randomness through its two-stage framework. We also would like to make it clearer: our session key is not generated from the master key; instead, it is independently randomized in every generation. This leads to better generation diversity compared to GS (quantitative data is in Table 1; furthermore, in Figure 8, GS-generated images consistently show a black shadow in the bottom-left region, a problem not seen with other methods). In terms of security, T2SMark is also notably harder to detect than GS (Table 2).

Re: Theoretical analysis of TTS sampling (Question 2 & Weakness 2)

Due to main paper page limitations, our detailed theoretical analysis of TTS is provided in Appendix A, explaining why TTS leads to stronger robustness.

Regarding diversity, while the random region in TTS does offer some compensatory effects, the primary contribution comes from our two-stage framework. This is because the codewords reside in the tail regions, where they possess higher energy. For instance, a 16-bit session key can still provide 65,536 random variations for the codeword, even when the master key and watermark remain fixed. An ablation study on the two-stage framework, demonstrating its considerable improvement in diversity, is included in our supplementary materials.

Concerning the threshold determination, we set it empirically rather than by calculation (Appendix B.2). This approach is taken because real-world noise environments can be complex and may not perfectly align with theoretical assumptions. Specifically, we iterated through various Gaussian distribution quantiles and chose a value that demonstrates favorable performance. Moreover, the truncation threshold (τ) performs poorly only at extreme values and maintains similar performance across most of its range, demonstrating robustness. Our generalization experiments (Section 4.4) further support this: we achieved SOTA performance (Table 3) on new architectures without any empirical hyperparameter re-tuning.

Re: Vulnerability to Gaussian Noise (Question 3 & Weakness 3)

TTS is a general enhancement that improves watermark performance across all distortions. Gaussian noise impacts our method more significantly due to our two-stage framework, where the session key in the first stage must be perfectly recovered; even a single bit error can lead to decoding failure.

We believe this sensitivity to Gaussian noise is an inherent characteristic of diffusion models (considering their training methodology). The suggestion of robust optimization during the inversion process is a valuable direction for future work. However, such optimization might involve substantial computational complexity, and we currently lack concrete ideas for its implementation. A naive approach involves fine-tuning the model in an adversarial environment, though this would obviously compromise generation quality.

Alternatively, we found that independent additive noise, including Gaussian noise, is readily distinguishable by a model, and applying traditional filtering methods before inversion is quite effective at removing it. To illustrate this, we trained a four-layer CNN for an experiment, yielding the following results:

These results show that this plug-and-play module improves performance under Gaussian and Salt-and-Pepper noise while having only a marginal effect on other distortions. In our experiment, the classifier successfully detected the target noise with a 94.9% probability, with a false positive rate of only 2.6%.

Re: Further estimation of the diversity (Question 4)

In the context of measuring diversity, we employ LPIPS in a non-standard manner. While LPIPS usually measures the direct visual distance between two images (where a smaller value means more similarity and often better visual quality), we calculate it differently for diversity. For $P$ prompts, and for each prompt generating $N$ images, we compute the visual distance for all $C_N^2$ possible pairs. We then average these distances for each prompt and finally average across all $P$ prompts, formally:

$D = \frac{1}{P}\sum_{i=1}^{P} \frac{1}{C_N^2} \sum_{j,k,1\leq j<k \leq N} d(X_{i,j}, X_{i,k})$

If the average distance between multiple images generated for the same prompt is small, we consider them similar and thus lacking diversity. Conversely, a larger average distance indicates better diversity. The function $d(·)$ can also be replaced by other distance metrics like CLIP-Image similarity, where a larger value indicates more similarity; therefore, a smaller value would indicate better diversity. Specific results are in the table below.

We also followed your suggestion and conducted a user study. We randomly selected 20 prompts for each of 25 participants. For every prompt, we provided a set of five images generated by different watermarking methods and a non-watermarked baseline. Participants were asked to choose the set they perceived as most diverse. Our results, consistent with the quantitative diversity measurements in the paper, are shown below, and we hope this addresses your concerns.

Our conclusions on diversity align with previous work. PRC, as a cryptographically undetectable watermark, exhibits diversity nearly comparable to unwatermarked images, while GS shows the lowest diversity due to its fixed key. Our undetectability experiments (Section 4.3) further support this, as the classifier easily distinguishes between GS and unwatermarked images by learning common features.

Re: Can T2SMark preserve similarity to non-watermarked results? (Question 5)

Yes, T2SMark successfully preserves the similarity between watermarked and non-watermarked generated results. We performed t-tests on CLIP and FID scores, just like GS did, and our results indicate a very small difference between our watermarked images and their unwatermarked counterparts.

In contrast, GS's diversity is actually quite limited. Our visual results in Appendix C show that GS-generated images consistently have similar layouts, often with a black shadow in the bottom-left area, a problem absent in our method. Additionally, the results in table above further confirm GS's relatively poor diversity. This lack of diversity can significantly affect user experience, especially when users generate multiple images from the same prompt and expect varied outputs to choose from. If the images share similar layouts, it considerably diminishes their selection options and overall satisfaction.

Re: Can the proposed method be extended to the Diffusion Transformer method? (Question 6)

Yes! We have shown our method's compatibility with the Diffusion Transformer architecture in our generalization experiments (Section 4.4). There, we compared our approach with other inversion-based methods on SD 3.5M, which is based on the Diffusion Transformer. Our results demonstrate that our method still achieves state-of-the-art performance on this architecture.

Thank you for your time and valuable feedback on our submission. We have carefully considered each point raised and address them individually below.

Re: Vulnerability to Gaussian noise and corresponding solutions (Weakness 1 & Question 1)

We acknowledge T2SMark's vulnerability to Gaussian noise. While this is a limitation, it is important to note that our method's performance gap compared to baseline methods under Gaussian noise is marginal (only 0.53% lower than GS, shown in Table 10).

We attribute this sensitivity primarily to the inherent nature of diffusion models (considering their training process), and our two-stage watermarking framework's cascading errors could amplify this effect. Given the diversity gains from our two-stage approach, we consider this a justifiable trade-off.

As for mitigation, any general method for improving robustness (e.g., adding error-correcting codes) can alleviate this. To specifically address the issue of additive noise like Gaussian and Salt-and-Pepper, we found that such noise is readily distinguishable by a simple model. Furthermore, applying traditional filtering methods before inversion proves highly effective at removing this noise.

To demonstrate this, we trained a four-layer convolutional neural network for noise detection. If the target noise is detected, the image is first filtered and then inverted. The results are as follows:

These results indicate that this plug-and-play module improves performance under Gaussian and Salt-and-Pepper noise with only a minimal impact on other distortions. In our experiments, the classifier successfully detected the target noise with a 94.9% probability while maintaining a low false positive rate of only 2.6%.

Re: Scalability of the session key (Weakness 2 & Question 2)

Regarding the statement "a 16-bit key provides sufficient entropy," our original intent was to refer to its sufficiency for generating diversity. For individual users, ensuring distinct session keys allows for the generation of up to $2^{16}=65,536$ images without repeating a codeword, thereby guaranteeing diversity. While enterprise users might require a larger keyspace, our method still maintains competitive performance with 24-bit and even 32-bit keys.

For traceability, the session key serves as the crucial seed for a pseudo-random number generator used in the second-stage decryption. Even a minor alteration to this seed will cause the pseudo-random sequence to diverge significantly, rendering the second-stage decoded watermark meaningless. Therefore, perfect recovery of the session key is paramount for successful traceability.

Regarding detection, we designed this functionality to operate in the first stage, which inherently protects it from the impact of cascading errors. As shown in Table 7, detection performance exhibits very minimal variation with changes in session key length.

Re: More visual results (Question 3)

Current NeurIPS 2025 policy does not allow us to provide additional visual evidence directly within the rebuttal or discussion phase. However, we are fully committed to including more example images, particularly those with embedded text, in Appendix C if the paper is accepted, to clearly showcase both diversity and maintained image quality.

As compensation and to address your concern regarding diversity, we conducted a user study. We randomly selected 20 prompts for each of 25 participants. For every prompt, we presented a set of five images generated by different watermarking methods and also a non-watermarked baseline. Participants were then asked to choose the set they perceived as most diverse. Our results, presented below, largely align with our quantitative diversity measurements in the paper, which we hope alleviates your concerns:

Regarding SSIM and PSNR, these are relative metrics that measure differences from an original image. As a NaW method, T2SMark encodes watermarks directly into the initial noise; thus, there is not a strict "original image" counterpart to compare against. Instead, image quality is assessed by evaluating the overall quality of the generated content. In this paper, we generated a total of 10 sets comprising 10,000 images. Similar to GS, we performed t-tests on CLIP and FID scores against unwatermarked images for all methods. A smaller t-value indicates greater indistinguishability from unwatermarked images. The t-test results are provided in Table 1 and Table 3, with further details in Appendix B.3. Appendix B.5 also offers results on additional datasets. We believe this provides sufficient evidence of maintained image quality.

Re: Empirical tuning of parameters (Weakness 3)

For practical deployment, our hyperparameters offer a broad selection range. Our experiments show the truncation threshold (τ) performs poorly only at extreme values (too large, reducing redundancy; too small, leading to bit flips and degrading to normal sampling). It maintains similar performance across most of its range (Table 8), and we did not pick the absolute optimal threshold. Similarly, the chosen session key channel has limited impact (Table 9).

Our generalization experiments (Section 4.4) further support this: we achieved SOTA performance (Table 3) on new architectures without any empirical hyperparameter re-tuning. More detailed experimental settings about it can be found in Appendix B.1.

Dear Reviewer eVQe, we are pleased to have addressed your questions. Thank you for your positive evaluation of our work!