We sincerely thank you for your insightful comments and constructive feedback. Your review has helped us better refine and clarify our work.

W1.

No reference to watermarking history.

A1.

Thank you for the detailed and insightful feedback. We sincerely apologize for overlooking the part of history of classical digital watermarking and the well-established taxonomy used in the community. In the revised version, we will update the Related Work section to include classical literature you mentioned and adopt the long-standing terminology. Additionally, we will revise inaccurate claims about methods (e.g., LSB, DWT-DCT).

W2&Q1.

FPR=5% Is this watermarking? What is the impact of the FPR?

A2.

Thank you for your insightful comment. To address the your concern, we have conducted additional experiments under stricter operating points (e.g., FPR = $10^{-6}$) and confirmed that our method maintains strong performance. Benefiting from our high bit accuracy, our method maintains a strong forgery success rate even under a stricter evaluation setting (FPR = $10^{-6}$), which requires a much higher number of matching bits for a watermark to be considered valid. Specifically, our approach achieves an average success rate of over 80%, while the baseline method by Yang et al. fails almost entirely under the same criterion. The results are as follow:

W3&Q3.

1. The watermark distortion is not given in the text. What is the PSNR of the considered watermark embedding?
2. I can clearly see the attack artefacts in Fig. 9, 10, 11, 12 and Fig. 3 last line. Just look at flat, uniform regions, such as the sky.
3. I strongly disagree with line 244...

A3.

Thank you for your comment.

1. To clarify, we report the PSNR of the original watermarking schemes and our forgery on the MS‑COCO dataset below. For Stable Signature, we include the PSNR of its generated outputs, as it is not a post-processing method.

As shown in the table, the PSNR values of our forged images are very close to those of the original watermarking schemes. The largest difference is less than 5 dB.

2. You also mentioned visible traces in some forged samples from Amazon, especially in background regions such as the sky. While our forged images may exhibit slightly lower PSNR compared to the originals, we did not observe obvious visual artifacts in other watermarking schemes. To understand this better, we examined the original images watermarked by Amazon. We found that similar minor traces also appear in the originals, particularly in low-texture areas like sky or flat color regions.

3. We will also revise the inappropriate wording in line 244. Thank you for pointing it out.

W4&Q3.

1. Old attacks are based on averaging, as well as more elaborate processes such as PCA or ICA in Watermarking security.
2. Learn a proxy watermark detector from the observed watermarked images and run an adversarial example attack to add or remove watermarking.

A4.

Thank you for your comment.

1. Following [1], we used PCA and ICA to estimate the carriers of the watermark signal, and then applied an averaging method to forge the RivaGan watermark. As the results show, baseline remains difficult to successfully forgery even with techniques such as PCA and ICA. We believe this may be because RivaGan does not embed a constant watermark, which aligns with the reason you mentioned.

   Method	Dataset	PSNR	Forged bit-accuracy	FPR@5%
   RivaGAN	MS-COCO	30.23	53.73%	3.20%
   	CelebAHQ	30.16	54.92%	4.10%
   	ImageNet	31.12	50.11%	1.40%
   	Diffusiondb	30.51	48.49%	0.60%

2. We reviewed the learing proxy model based method you suggested and attempted to reproduce it. This approach [2] involves training 100 proxy watermark models (with different architectures and watermark messages), and then generating adversarial examples against these proxy models, hoping they will generalize to the real watermark model. However, this method is designed specifically for watermark removal, adapting this method for watermark forgery (i.e., generating targeted adversarial examples) would be challenging. In particular, practical forgery attack assumes no knowledge of the target watermark message, making it difficult to define an appropriate target watermark message for each proxy decoder within their framework. As noted in Reference [3], their reproduction of [2] also focused solely on watermark removal rather than forgery.

We also attempted to train a binary classifier to identify ... with architecture Restnet18 and Restnet34 as a proxy watermark detector and perform PGD attack, the results are as follow:

[1] Watermarking security: theory and practice.

[2] A Transfer Attack to Image Watermarks.

[3] The Efficacy of Transfer-based No-box Attacks on Image Watermarking: A Pragmatic Analysis.

W5.

1. As noted in Sect. 4.1, it would be better to write $x^w = x + w(x)$.
2. The argument of line 46 is not convincing... If the scheme is not SotA and just adds a constant watermark signal (like DCT-DWT), then a simple averaging reveals this secret signal.
3. This simple baseline, if well-executed (for instance, by removing low-frequency components before averaging), works well.

A5.

Thank you for your comment.

1. We agree that the expression $x^w = x + w(x)$ is better, and we will revise our formulation in Section 4.1.

2. We acknowledge that the statement in line 46 may have been imprecise, and we will revise it accordingly. At the same time, we would like to clarify our original intention. We believe that using ImageNet samples as substitutes for the clean counterparts is another reason for the limited effectiveness of the baseline method. Even if the watermark signal is constant, using the true clean counterparts yields significantly better results compared to using unrelated natural images such as those from ImageNet. Additionally, for watermarking schemes such as DWT-DCT, even when the embedded message remains the same, the actual residual added to each image is not constant due to differences in the image content. This explains why the baseline averaging-based attack performs poorly in our setting. As you rightly mentioned, while such baselines can be effective on constant watermark signals, our method still demonstrates strong performance on more advanced, learning-based watermarking schemes.

3. To investigate the effect of removing low-frequency components, we applied Gaussian filtering prior to averaging, using kernel sizes of 7 and 13 with $\sigma$ values of 1 and 2, respectively, to suppress low-frequency components. The results on the DWT-DCT watermark are reported below.

   Dataset	PSNR(k=7)	Forged Bit-Acc (k=7)	FPR@5% (k=7)	PSNR (k=13)	Forged Bit-Acc (k=13)	FPR@5% (k=13)
   MS-COCO	36.19	50.64%	2.20%	32.47	50.17%	3.10%
   CelebAHQ	36.24	50.72%	2.20%	32.57	50.12%	2.80%
   ImageNet	36.67	50.64%	2.20%	32.94	49.99%	2.30%
   Diffusiondb	36.13	50.26%	2.30%	32.42	49.77%	2.90%

   We will continue to explore whether there are better parameter settings to improve the baseline’s performance. If you have any suggestions or insights, we would greatly appreciate your guidance.

Q4.

How the performances of the attack (sucess rate vs. distortion) vary with the number of observed watermarked contents?

A6.

Thank you for raising this important point. We evaluated our method using watermark datasets of 1,000, 5,000, and 10,000 images, as shown in the results below (with dataset sizes indicated in parentheses).

Thank you for your insightful comments and constructive feedback. We address your questions and concerns point by point below.

W1.

It remains uncertain whether WMCopier can effectively counter modern post-processing watermarks, such as TrustMark (2023) [1] and VINE (2025) [2]. To ensure a more comprehensive evaluation, experiments involving at least VINE should be included...

A1.

Thank you very much for pointing out several newly proposed watermarking algorithms.

We are also very interested in evaluating whether our method remains effective against these new watermarking schemes. Due to time constraints, we have only tested the effectiveness of our attack against the VINE (2025). The results are provided below, and we will include them (Table 1,Table 3,and Figure 5) in the updated version of our paper.

Our results on VINE were not as strong as those on other watermarking benchmarks. We attribute this to the fact that VINE is based on SDXL-Turbo, whose model size is significantly larger than that of typical watermarking algorithms. This enables it to embed longer watermarks with stronger robustness. As a result, our relatively lightweight diffusion model may struggle to approximate or replicate such complex watermark embeddings. We are considering employing more advanced diffusion architectures with greater capacity, which we leave for future work.

W2.

How long is the message in the test setting? Is it 32 bits? The ablation study on message pool sizes does not specify bit length.

A2.

Thank you for the question, and sorry for the confusion.

In our test setting, we follow the default message lengths of each watermarking scheme: 32 bits for DWT-DCT and RivaGAN, 30 bits for HiddeN, and 48 bits for Stable Signature. For the ablation study on message pool sizes, we used RivaGAN, whose default message length is 32 bits.

W3.

The method requires training one unconditional diffusion model for forging each watermarking method, which could be expensive compared with the baseline [3]. How many A100 GPU hours are required for forging one watermarking model?

A3.

Thank you for you comment.

Our method is indeed more expensive compared to baseline(a simple averaging based approach). However, baseline is largely ineffective in practice, achieving only around 11% average success rate and thus posing little real threat to deployed watermarking schemes. In contrast, our approach achieves strong performance using a minimal diffusion architecture. For 256×256 images, training the model requires approximately 40 A100 GPU hours. Given the potential value an adversary could gain by forging a provider’s watermark, this one‑time cost remains relatively modest.

W4.

Is the test set distinct from the training set? How well does this method generalize?

A4.

Sorry for the confusion.

1. We have considered the generalization issue in our main experiments by ensuring that the training and testing data come from different distributions. Specifically, we train the forgery model on AI-generated images from the DiffusionDB training set, and test it on both the DiffusionDB test set and three real-world datasets (MS-COCO, ImageNet, and CelebA-HQ) that differ significantly in distribution. Please see Section 5 for detailed dataset settings.

2. As shown in Table 1, our method maintains high PSNR and forged bit accuracy even when evaluated on test sets that are significantly different from the training data (e.g., human faces in CelebA-HQ), demonstrating its strong generalization ability.

We thank you for your positive feedback and we have carefully addressed the raised concerns in the responses below.

W1&Q1.

Some image watermarks, such as the PRC watermark, instead vary this message. It is not clear whether the attack would work here.

A1.

Thank you for your comment. We are still conducting experiments on the PRC watermark and will update the results as soon as they are available. In the meantime, we have performed similar experiments on watermarking schemes with varied messages as a potential defense, as described in Appendix E.2. In particular, we varied the watermark message over 10, 50, and 100 values. We found the success rate of our attack decreased as message diversity increased, dropping to approximately 87%, 77%, and 75%, respectively. However, we also found that increasing the number of watermarked images in the training set significantly mitigates this performance drop. For example, when the number of watermarked samples was increased to 20,000, the attack success rate recovered to around 90%. Please refer to Tables 7 and  8 for detailed results. We hope this helps address your concern.

Q2.

How does the attack success vary with the size of the dataset of watermarked images?

A2.

Thank you for raising this important point.

We evaluated our method using watermark datasets of 1,000, 5,000, and 10,000 images, as shown in the results below (with dataset sizes indicated in parentheses). We will add it in our revision.

Q3.

While query access to a watermarked image generator would help the attacker in theory, it’s not clear to me how the attacker can actually use this access. In developing your attack, did you gain any insight on what kinds of queries would be helpful for the attacker to make in that setting?

A3.

Thank you for the insightful question.

The most direct way to access watermarked images is to use the image generation service provided by the AI company. For example, in our attack on Amazon's watermarking scheme, we used their product Titan text-to-image model, in the same way as a normal user. The detailed setup is described in Appendix C.2.

Based on our empirical observations, using a diverse set of prompts instead of repeatedly using a single prompt tends to yield better attack performance. This is likely because diverse image content helps the diffusion model better isolate the watermark signal, which remains relatively consistent across samples. We are currently further exploring effective query strategies, and we believe this represents an important and promising direction for future research.

Thank you very much for your valuable comments. Below, we carefully address each of your concerns in detail.

W1&W5.

1. The paper does not compare WMCopier with semantic watermarking approaches and compare their approach with Black-Box Forgery Attacks on Semantic Watermarks for Diffusion Models (Müller et al., 2024-- CVPR2025), which effectively forges semantic watermarks in a black-box settings...such a comparison is necessary to contextualize WMCopier’s strengths and limitations.

2. Semantic watermarking is now well-established rather than as claimed “early-stage”.

A1.

Thank you for raising this issue.

1. We previously evaluated attacks against the semantic watermarking method Treering, as discussed in Appendix E.1. At that time, we were unable to attack it successfully. Upon revisiting our experiments, we realized that this was due to a mistake. We had overlooked that Treering uses a different definition of the true positive rate (TPR). After correcting this issue, we found that our attack can successfully break the Treering watermark without any parameter tuning. The FPR threshold is set according to the default used in the Treering paper, and we will release the updated model checkpoints on Treering soon. Our attack results and the comparison with Müller’s black-box attack are as follows:

   Watermark Scheme	Dataset	PSNR ↑ (Müller)	FPR@0.01 ↑ (Müller)	PSNR ↑ (Ours)	FPR@0.01 ↑ (Ours)
   Treering	MS-COCO	26.14	100.00%	32.72	100.00%
   	CelebAHQ	25.22	100.00%	31.52	100.00%
   	ImageNet	26.82	100.00%	32.99	100.00%
   	Diffusiondb	25.19	100.00%	32.78	100.00%

   As shown above, our method achieves a consistently higher image quality while maintaining the same success rate(FPR).

   Their method is primarily tailored for semantic watermarking and has not been validated on invisible watermarking schemes, making its general applicability unclear. In contrast, our method has demonstrated effectiveness on both semantic and invisible watermarks. While their approach is relatively lightweight in terms of computation, our WMCopier involves training a diffusion model, which introduces some computational cost. However, this cost is modest (e.g., 40 A100 GPU hours for 256×256 images), and enables broader applicability and higher success rates across a range of watermarking schemes.

2. Regarding the use of the term "early-stage," our intention was to refer to watermarking methods that have emerged in the past two to three years and are still relatively few in number. We appreciate you pointing this out and will revise the wording to use a more accurate and appropriate expression.

W2.

It is unclear whether the proposed method requires training a separate diffusion model for each watermarking scheme.

A2.

Thank you for your comment.

Our approach does require training a separate diffusion model for each watermarking scheme. However, as discussed in our threat model, we assume the reasonable scenario that service providers do not frequently change the watermarking scheme in practice. The cost of performing our attack is also modest: for 256 × 256 images, training our attack model takes roughly 40 A100‑GPU hours. Given the potential value an adversary could gain by forging a provider’s watermark, this one‑time cost remains relatively modest.

W3.

As shown in the paper (Table 3), the forged watermarks exhibit significantly lower robustness to common image distortions than genuine ones, making them easy to break or reveal through routine post-processing and undermining the attack’s practicality in real-world use.

A3.

Thank you for your comment.

We agree that forged watermarks sometimes achieve slightly lower bit‑accuracy than genuine ones after common image distortions; in our experiments, this gap is typically less than 10 percentage points. However, such a small gap is difficult to exploit in practice. Any detection threshold low enough to catch most forged images would likely also reject many genuine watermarked images that have undergone compression or noise, thereby reducing the true positive rate required for robustness. For example, a genuine watermark that has been JPEG-compressed may yield a similar bit-accuracy as a forged watermark under the same distortion. We further analyze this in Appendix D.2, where we plot ROC curves for distinguishing between genuine and forged watermarks under typical distortions. The resulting AUCs are close to 0.5, indicating that the robustness gap is insufficient for reliably filtering out forgeries.

W4.

The paper lacks systematic evaluation of how this overfitting affects generalizability to images outside the training distribution.

A4.

Thank you for your comment. This is also something we consider important.

Therefore, we have considered the generalization issue in our main experiments by ensuring that the training and testing data come from different distributions. To evaluate generalization, we train the forgery model on AI-generated images from the DiffusionDB training set and test it on both the DiffusionDB test set and three real-world datasets (MS-COCO, ImageNet, and CelebA-HQ) that differ significantly in distribution. Please see Section 5 for detailed dataset settings. Thanks to our shallow diffusion design and subsequent refinement step, our method performs consistently well across all datasets as shown in Table 1 of the main paper.

Thank you for your detailed and constructive feedback. We have carefully addressed your concerns below and hope our responses help clarify the points raised.

1.

Thank you for your suggestion. In the revised version, we will clearly state the training and evaluation setup in a more prominent location, such as below Table 1, as you suggested.

2.

We sincerely appreciate your understanding and your thoughtful suggestion. As this experiment was initiated after receiving your comments, the available time has been somewhat limited, and we kindly hope for your understanding regarding this timing. We are working hard to complete the Gaussian Shading evaluation and will include the results in the revised version if available, or follow up with an update shortly thereafter.

3.

We would like to clarify that the discrepancy in PSNR originates from an error in Müller et al.’s earlier reporting, not from our evaluation. The authors have since acknowledged this issue in their official GitHub repository and corrected it in a commit dated May 30. You can find their explanation, along with a comparison of the incorrect and corrected PSNR values (from ~30 to ~23), in the associated issue discussion and commit message.

In their CVPR camera-ready version (May 2025), Müller et al. reported a PSNR of ~30. However, in the updated arXiv version (June 2025), the PSNR dropped to around 23–24, which is consistent with our results. We investigated this discrepancy and confirmed that we had used the correct official code with default settings for Stable Diffusion 2.1 base. The earlier PSNR calculation in their code was incorrect and led to inflated results.

We would also like to reiterate the advantages of our method over Müller et al.'s.

• First, Müller et al.'s method requires approximately 25-40 minutes to forge a single image on an NVIDIA A100 GPU with over 30 GB of memory usage, as reported in their paper. To provide a fair comparison, we tested our method under the same hardware and memory constraints. In this setting, our model is able to process 10 images in 192 seconds total, achieving significantly higher throughput.

• Second, Müller et al.'s method is specifically tailored for semantic watermarks. To evaluate its generalizability, we tested it on invisible watermarking using Stable Signature, which has the same spatial resolution (512×512) as TreeRing. Due to the extremely long runtime of their method per image, we randomly sampled 50 images per dataset for evaluation. Results show that their method is largely ineffective on invisible watermarks, while our method remains highly effective. | Dataset | PSNR (Müller) | Forged Bit-Accuracy (Müller) | FPR@1e-6 (Müller) | PSNR (Ours) | Forged Bit-Accuracy (Ours) | FPR@1e-6 (Ours) | |-------------|------------------|-------------------------------|---------------------|----------------|-------------------------------|--------------------| | MS-COCO | 25.66 | 45.70% | 0.00% | 31.29 | 98.04% | 94.60% | | CelebA-HQ | 24.73 | 51.23% | 0.00% | 30.54 | 96.04% | 100.00% | | ImageNet | 25.91 | 47.71% | 0.00% | 31.33 | 97.03% | 98.60% | | DiffusionDB | 26.12 | 48.45% | 0.00% | 31.59 | 96.24% | 96.60% |

Dear reviewer,

Please read the rebuttal and start discussion with authors.

AC