Leveraging Optimization for Adaptive Attacks on Image Watermarks

We thank the reviewer for their comments and positive assessment of our paper. Please find detailed responses below.

The attack requires the knowledge of the watermarking algorithm.

Knowledge of the watermarking algorithm may only sometimes be given in a real-world attack (as outlined in our limitations on page 9). Still, it remains a valuable tool for the provider to test the robustness of a watermarking method. Robustness against adaptive attackers extends to robustness against non-adaptive attackers (as they have fewer capabilities). This forms our core argument for why studying a method’s robustness requires considering adaptive attacks. We will emphasize this argument in the revised paper.

The paper shows that generates a single surrogate key and can evade watermark verification which indicates that the private key seems to have little impact. Is it possible that the less impact comes from the high similarity between the surrogate generator and the watermark generator?

We thank the reviewer for this interesting question! Our work shows that an attacker can remove any watermark by generating a single surrogate key. If the KEYGEN procedure were sufficiently randomized, this should not be possible even if the attacker had access to the same generator as the defender. Our attacks assume less because we use a surrogate generator that is not the same, because the generator’s abuse by the attacker may otherwise not be well motivated, but show that these restricted attacks are still successful with only a single surrogate key. From these results, we conclude that the KeyGen procedure is not sufficiently randomized, which indicates a design flaw. We will add this to the revised paper’s discussion.

We are happy to respond to any further questions or suggestions the reviewer may have.

We thank the reviewer for their positive assessment of our work and comments which will help further improve our paper. Please find answers to all questions below.

Please improve readability. Please number all equations. Please discuss figures, tables and algorithms clearly in the text.

Thank you for bringing to our attention that some equations are not labeled. We will revise the paper to label all equations and ensure that all Figures, Tables, and Algorithms are discussed in the text.

Why is this topic important?

As stated in the introduction, high-quality image generators can be misused by untrustworthy users, leading to the proliferation of deepfakes and online spam. This is already a problem on social media [A] and has led to companies such as Google announcing their image watermark, such as SynthID [B]. Also, the US government has released an “AI executive order” [C] asking providers to watermark generated outputs. Watermarking needs to be robust; otherwise, attackers can easily evade it by removing the watermark from an image with imperceptible modifications. We propose a better method to test the robustness of watermarking methods using adaptive attacks that are designed against a specific watermarking method. We will include the above references in the revised paper.

What are the future work directions of this work?

The future direction of our work is to use our adaptive attacks to design watermarking methods that withstand them. Such a watermarking method’s claim to robustness is more convincing, as robustness to adaptive attacks extends to robustness against non-adaptive attacks. We will include this point in the revised paper’s discussion section.

Why is the comparative analysis limited?

We believe that we have mentioned all related work in this field. Our work is the first to instantiate adaptive attacks against image watermarking where the attacker knows the watermarking method but not the secret key or the message. Our attacks require no access to the provider’s watermark verification procedure (unlike other works, such as Jiang et al.). The proposed attacks can remove a watermark from a single image, regardless of which key-message pair was used to watermark it. We would appreciate it if the reviewer would further specify in what regards they believe our comparative analysis is limited. We will be happy to address it in the revised paper.

What is the complexity of the algorithms?

Thank you for this question. From a computational perspective, generating a surrogate watermarking key with methods such as RivaGAN or WDM is the most expensive operation, as it requires training a watermark encoder-decoder pair from scratch. Generating a key for these two methods takes around 4 GPU hours each on a single A100 GPU, which is still negligible considering the total training time of the diffusion model, which takes approximately 150-1000 GPU days [D]. The optimization of Adversarial noising takes less than 1 second per sample, and tuning the adversarial compressor’s parameters takes less than 10 minutes on a single GPU. We will revise the paper to include the measured running times in the Appendix of the revised paper.

We hope that we have addressed all of the reviewer’s questions and would kindly ask the reviewer to increase their score if these are the only questions.

[A] Barrett, Clark, et al. "Identifying and mitigating the security risks of generative ai." arXiv preprint arXiv:2308.14840 (2023).

[B] Sven Gowal and Pushmeet Kohli. Identifying ai-generated images with SynthID, 2023. URL https://www.deepmind.com/blog/identifying-ai-generated-images-with-synthid. Accessed: 2023-09-23.

[C] "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence." Federal Register, 2023, https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence. Accessed 4 Nov. 2023.

[D] Dhariwal, Prafulla, and Alexander Nichol. "Diffusion models beat gans on image synthesis." Advances in neural information processing systems 34 (2021): 8780-8794.

We appreciate the reviewer’s detailed comments and suggestions for further improvements of our work and will carefully incorporate them in the revised paper. Please find our point-by-point responses below.

Terminology issue between a "key" and a "message".

Our terminology is the following: A watermarking key refers to secret random bits of information used in the randomized “detector” algorithm (called VERIFY in the paper) to detect a watermark. A message is a hidden signal in the image. This notation is inspired by related works [A, B] that also distinguish the terms “key” and “message" like our work. The Tree-Rings paper instead uses the word “key” to refer to a “message”, which we agree is confusing.

With our terminology, the key in Tree-Rings are the parameters of the diffusion model, the VERIFY function corresponds to the forward diffusion process, and the messages are initial noise vectors for the diffusion process in the frequency domain. We hope that this explanation and example clear up any confusion. We thank the reviewer for bringing this to our attention and will clarify it in the revised paper.

The proposed method is similar to that of Jiang et al. [5] in that it adversarially parameterizes image transformations to remove watermarks. The authors claim that the method of Jiang et al. requires access to a watermarking "key;" however, Jiang et al. propose attacks under the explicit assumption that the attacker does not have access to the ground-truth key/message [..]. On the other hand, if I am correct that the authors take "key" to mean "detector," this claim makes more sense in that Jiang et al. use full access (white-box) or query access (black-box) to the detector to craft attacks. The authors should clarify their statements about the prior work of Jiang et al. and the distinctions between their methods. And while additional experiments may not be feasible at this point for various reasons, I think the paper would be much stronger if it included comparisons between the proposed approach and either or both attack variants proposed by Jiang et al.

As the reviewer correctly points out, there are fundamental differences between our attacks and those proposed by Jiang et al.. The threats studied by Jiang et al. and those studied in our works are related since both undermine robustness but are orthogonal due to different threat models.

Jiang et al.: In all attacks, Jiang et al. assume some (at least indirect) access to the secret key (e.g., black-box access to VERIFY, whose response depends on the secret key). They craft an adversarial perturbation that fools the specific instance of the detector for one key-message pair, which is a special case of Eq. 1, where they optimize \theta_A with a single, fixed key \tau and message m (i..e, they remove the expectation term). In their black-box attacks, access to VERIFY is also limited, requiring them to instantiate gradient-free optimization or train surrogate decoders to extract the VERIFY functionality.

Our work: Our attacks make no assumptions about the key-message pair used by the provider since they optimize the expected evasion rate over any pair and any instance of the detector. Consequently, Jiang et al. should find “better” attacks (i.e., less visible ones) to evade detection since they make more assumptions about the optimization problem in some regards (optimize against one key-message pair with access to VERIFY) and fewer assumptions in other regards (no knowledge of the watermarking method in the black-box case). Still, unlike our work, their attacks require the attacker to access the provider’s secret key by calling VERIFY.

Both threats are orthogonal because robustness against our attacks does not imply robustness against Jiang et al. 's attacks and vice-versa. To defend against Jiang et al., a provider could restrict their access to the secret key (e.g., allowing only trusted users to access VERIFY or not replying to “similar” queries), but they would remain vulnerable to our attacks. Similarly, a defense against our attack may not defend against Jiang et al.’s attacks when the attacker has additional capabilities, such as access to the provider’s VERIFY procedure. Providers need to defend against both types of attacks independently.

We will highlight the differences between both types of attacks, extend the difference between our work to Jiang et al.’s work, and emphasize the necessity to defend against both threats in the revised paper.

[A] Zhao, Xuandong, et al. "Provable robust watermarking for ai-generated text." arXiv preprint arXiv:2306.17439 (2023).

[B] Christ, Miranda, Sam Gunn, and Or Zamir. "Undetectable Watermarks for Language Models." arXiv preprint arXiv:2306.09194 (2023).

I thank the authors for their detailed reply. I broadly agree with the authors' characterization of the differences between the proposed method and that of Jiang et al. I also appreciate the additional experiments performed against two-tailed detectors. I am willing to increase my score, but I'd like some clarification on points 1-3 below first. Point 4 is less important.

1. I still think the ResNet description is insufficient. For instance, line 6 of Algorithm 1 is doing a lot of heavy lifting. For each of the watermarking methods considered, how is the ResNet configured to extract the encoded message? Does it predict a vector corresponding to the watermark message? Is it trained with cross-entropy or mean squared error loss? This would be good to see in the appendix.

2. Regarding my comment:

If the attacker "does not need to invoke GKEYGEN" for TRW/WDM/RivaGAN, as stated in section 4.2, does this mean the attacker does not train a differentiable surrogate detector?...

From the authors' reply, it sounds like a ResNet-based surrogate detector network (or "key") is only trained for DCT and DCT-SVD. For the remaining methods (TRW, WDM, and RivaGAN) the authors presumably train the detector network (or "key") from scratch, as using a provided pre-trained detector network would constitute a white-box attack. So my understanding of the attack is as follows:

• For DCT/DCT-SVD the attacker must train a ResNet detector from scratch
• For WDM/RivaGAN the attacker must train a pair of watermark embedder/detector networks from scratch using the corresponding published architectures and training procedures
• For TRW the attacker uses a pretrained surrogate Stable Diffusion model

Can the authors confirm if this is correct?

3. The actual objective functions for each watermark are not specified in the paper. The VERIFY portion of the objective function will presumably differ from method to method depending on the key and message format -- for example RivaGAN's detector predicts a vector corresponding to the embedded message, while TRW requires measuring the similarity between predicted and known diffusion noise patterns in Fourier space. Again, this would be nice to see in the appendix, as the formulation of an appropriate objective function is a crucial part of any adversarial attack.

4. Regarding my comment on the hypothetical surrogate binary classifier attack, I agree that such an attack would operate with less knowledge of the watermark than the proposed method, and should be expected to perform worse. That said, the adversarial attack literature is littered with examples of supposedly naive attacks outperforming more informed baselines due to simplified optimization [1]. I think it would be very interesting to see how such a naive baseline fares, but I don't think such an experiment would be critical to the paper given that the proposed method is already effective.

[1] F. Tramer, N. Carlini, W. Brendel, and A. Madry, "On adaptive attacks to adversarial example defenses," in Proc. NIPS, 2020, pp. 1–44.

We appreciate that the reviewer thinks we provided a “fresh perspective” and for their suggestions to improve our paper further. Please find our detailed response below.

The motivation and importance of the proposed method are not clear enough, e.g., what problems did the previous works exist?

Watermarking can only effectively control image generator misuse if it is robust. Watermarking methods that claim robustness have been proposed, but we refute their claims and show that their approach to testing robustness is flawed. These methods demonstrate robustness by testing their watermark against attacks that know nothing about the watermarking method, such as JPEG compression, blurring, etc. The issue is that these attacks could perform better if they knew more about the method used to watermark the image, and this leads to a cat-and-mouse game where defenses that claim robustness are proposed, only to be broken later by better (adaptive) attacks.

An attacker who only knows the watermarking method’s algorithmic descriptions, which we refer to as (KEYGEN, EMBED, and VERIFY), can instantiate far more powerful attacks. As our paper shows, instantiating such attacks requires no handcrafting but can be done by leveraging optimization. We define robustness as an objective function, which makes our method generally applicable to any watermarking method proposed in the future. Robustness against adaptive attacks extends to robustness against non-adaptive attacks, which makes studying the former interesting. In cryptography, this principle is known as Kerckhoff’s principle, where an algorithm’s security should not rely on obscurity. Previous works did not consider such adaptive, learnable attackers. We will expand on this discussion in the revised paper.

Experiment section should expand the scope of discussion, compare with more advanced methods, and provide in-depth discussions.

We will gladly expand the scope of discussion and add comparisons with advanced methods, but we kindly ask for clarification about the methods the reviewer refers to. To our knowledge, there are no strong, comparable attacks without access to the secret watermarking key, as evidenced by watermarking papers [A,B] that only evaluate against attacks such as JPEG compression and quantization. We would greatly appreciate it if the reviewer could point us to “more advanced methods” or detail what part of the discussion we should focus on more in-depth, and we would be happy to revise our paper.

1. ABSTRACT: The text should include more details to the proposed methodology, numerical results achieved, and comparison with other methods
2. The conclusions should be improved such that the authors add some analytical terms.

We thank the reviewer for their suggestions and will revise the abstract and conclusion of the revised paper as requested.

2. Could you tell me the limitations of the proposed method? How will you solve them? Please add this part to the manuscript.

We describe our method's limitations to attacking real systems in Section 6. In essence, an adaptive attacker requires access to a (less capable) surrogate generator and the algorithmic description of the watermarking method (meaning KEYGEN, EMBED, and VERIFY). As stated in the paper, we took a best-effort approach. We used the least capable public diffusion model (Stable Diffusion v1.1) to remove watermarks from the most capable public diffusion model (Stable Diffuson v2.0). We also discuss in the paper that the watermarking algorithm may only sometimes be released. Still, the provider relies on security through obscurity and remains vulnerable to attacks by anyone to whom this information is released.

Furthermore, Section 6 also describes limitations on the attacks that we consider and that more powerful attacks may exist that could be considered in future work.

3. The abbreviations must appear at the very first place that the terminology is introduced and the way of introducing the terms must be consistent throughout the manuscript from abstract to conclusion.

We apologize for any confusion if an abbreviation was used before defining it. We are happy to revise and clarify the paper if the reviewer could point us to the specific abbreviations that have caused confusion.

We are happy to resolve any other questions the reviewer may have. If these are the only concerns, we kindly ask the reviewer to consider increasing their score.

[A] Wen, Yuxin, et al. "Tree-Ring Watermarks: Fingerprints for Diffusion Images that are Invisible and Robust." arXiv preprint arXiv:2305.20030 (2023).

[B] Zhao, Yunqing, et al. "A recipe for watermarking diffusion models." arXiv preprint arXiv:2303.10137 (2023).