BitMark: Watermarking Bitwise Autoregressive Image Generative Models

We thank the Reviewer for the detailed analysis of our paper. We appreciate that the Reviewer finds the topic of our paper important and timely. We are also glad that our comprehensive experiments clearly demonstrate the strengths of our watermark, such as the non-trivial property of radioactivity.

In summary, BitMark generalizes to two additional models, we emphasize that BitMark has negligible impact on the quality of generated outputs, and we also empirically analyzed the FPR on domain-shifted datasets. We provide the answers in-line below:

** The core technique, while adapted to a new domain, is heavily inspired by token-level watermarking schemes from LLMs (e.g., KGW, Unigram Watermark). The main contribution is repackaging the method for the bit-level of a specific image generation architecture. This raises questions about whether it’s truly innovative or just porting an old idea. **

Recent watermarking papers [1,2] focus on the token level, where the token overlap between generated and re-encoded images is small. This necessitates retraining of the encoder and decoder. Our key contribution is to demonstrate that operating at the lower level of bits offers a great advantage. Specifically, we demonstrate that the bit-level overlap between generated and re-encoded images is significant and sufficient to enable direct bit-level watermarking, without retraining the encoder and decoder. This allows us to provide the strongest known watermark for image autoregressive models and, as stated by Reviewer 9clc: “the green-red list mechanism adapted from LLM watermarking is cleverly adapted to image generation scenario, with modifications to handle bitwise autoregression.”

How well does BitMark generalize to other bitwise autoregressive models beyond Infinity? Is it easily portable, or tightly coupled to specific implementation details?

We ran additional experiments to demonstrate that BitMark is applicable to two other bitwise models, namely BiGR [3] and Instella [4]. BiGR is an image generative model that harnesses binary latent codes and Instella is another text-to-image (T2I) Image AutoRegressive (IAR) model leveraging bitwise next-patch prediction.

We extended our experimental analysis to include the additional models and added the experiments to Appendix E. We also report the results below:

We calculated a representative p-value for 5000 watermarked images by first calculating the respective mean z-score, then standardizing this mean z-score using the mean and standard deviation derived from z-scores of 5000 MS-COCO images. $\Delta$ denotes the image quality difference to non-watermarked generated images. FID, KID & CLIP are reported for 10000 images.

The results show that we can effectively embed our BitMark into the images generated from BiGR and Instella, without harm to the quality of output images (relatively small changes of the FID, KID, and CLIP scores). The extremely low p-values for the respective models demonstrate that we can confidently reject the $H_0$ (null hypothesis) and claim that our watermark was indeed embedded in the generated images. Thus, BitMark generalizes to multiple models and architectures.

Despite claims of “negligible” image quality impact, Table 1 shows that at watermark strength 5 the FID degrades significantly and CLIP score drops by over 5 points. This shows that the watermark is not as negligible as claimed when pushed to be stronger.

BitMark strength of $\delta \le 3$ has a negligible impact on the image quality, as depicted in Table 1, while being sufficiently strong, as shown in Table 3. We agree that a $\delta=5$ degrades the image quality significantly. Therefore, we chose to run all experiments with $\delta=2$ which does not significantly degrade the FID or CLIP score of the model.

For the statistical detection test, how sensitive is the threshold to dataset shifts (e.g., web images vs. MS-COCO)? Can the test fail if the distribution of bit patterns in clean images varies? It would be good if you can provide empirical checks of FPR on domain-shifted datasets.

We show that our selected $z$ threshold is robust to the dataset shifts in Table 7 in the Appendix.

We additionally computed the FPR for different natural datasets (ImageNet-1k, LAION POP, and Infinity-2B Generated images) given the 1%FPR threshold that we also used for MS-COCO.

Our results show that the selected threshold is not sensitive to shifts in the natural data distribution across a variety of datasets. For every dataset we compute the FPR and find that it is around the 1% FPR of the MS-COCO dataset, showing the cross-distribution robustness of the chosen threshold.

Can the test fail if the distribution of bit patterns in clean images varies?

The p-values for the natural images are significantly above the threshold of 1%. Thus, we never observe false positives (we never mark a natural images as watermarked).

The radioactivity seems to be a strong and non-trivial property of BitMark, and it even transfers to Diffusion-based models (SD v2.1 as in this paper). However, as the authors said, previous watermarking methods designed for diffusion models do not exhibit strong radioactivity. The author attributes this radioactivity to " slightly changing all parts of a given generated image, including low-level and high-level features, which are then also partly adapted by M2.", however, I believe previous watermarks like tree-ring also satisfies this property. Thus I am not convinced by this explanation and I believe more concrete analysis should be given to provide insights into the community.

Previous work [5] (that we cite in our submission) demonstrated that TreeRing is not radioactive even when SD v2.1 is adapted on images generated from the same model and watermarked with TreeRing. We fully agree with the Reviewer that the radioactivity property is non-trivial. We observe that while TreeRing only influences specific frequencies (low-mid range) in the initial Gaussian noise of the generation process, our BitMark is applied throughout the full generation process and impacts all frequencies in the latent space (is applied to all the resolutions). BitMark thus influences all parts of the image: the basic color in the first scales, then coarse grained structures at intermediate scales, and high level details in the last scales. We believe that this wide range of the influence, both in terms of the sheer number of modified bits and the multi-scale application, makes the generated images radioactive.

---

If the above responses address some of the Reviewer's concerns, we would greatly appreciate it if they could consider updating their rating to reflect this.

References:

[1] Tong et al. “Training-Free Watermarking for Autoregressive Image Generation”, 2025.

[2] Jovanović et al. “Watermarking Autoregressive Image Generation”, 2025.

[3] Hao et al. “BiGR: Harnessing Binary Latent Codes for Image Generation and Improved Visual Representation Capabilities”, ICLR 2025.

[4] Wang et al. “Instella-T2I: Pushing the Limits of 1D Discrete Latent Space Image Generation”, 2025.

[5] Dubiński et al. “Are Watermarks For Diffusion Models Radioactive?”, 2025.

We thank the Reviewer for the positive and constructive feedback. We appreciate that the Reviewer finds our paper well-written and the motivation strong. We are glad that our comprehensive experiments clearly demonstrate the practicality of our watermark and robustness to many attacks, including adaptive ones.

In summary, our BitMark generalizes to three additional models, we evaluated BitMark against post-processing watermarks, extended the robustness evaluation, and addressed concerns regarding radioactivity. We provide case-by-case responses below:

The contribution of this paper might be a little weak for me, as the authors simply apply the previous language model watermark to the Infinity model.

Recent watermarking papers [1,2] focus on the token level, where the token overlap between generated and re-encoded images is small. This necessitates retraining of the encoder and decoder. Our key contribution is to demonstrate that operating at the lower bit level offers a great advantage. Specifically, we show that the bit-level overlap between generated and re-encoded images is significant and sufficient to enable direct bit-level watermarking, without retraining the encoder and decoder, and this allows us to provide the strongest known watermark for image autoregressive models. As stated by Reviewer 9clc: “the green-red list mechanism adapted from LLM watermarking is cleverly adapted to image generation scenario, with modifications to handle bitwise autoregression.”

The authors only conduct the experiments with the Infinity model. I think the paper will be strengthened if the authors can include more models.

We ran additional experiments to demonstrate that BitMark is applicable to Infinity-8B, as well as to two other bitwise models, namely BiGR [3] and Instella [4]. BiGR is an image generative model that harnesses binary latent codes and Instella is another text-to-image (T2I) Image AutoRegressive (IAR) model leveraging bitwise next-patch prediction.

We extended our experimental analysis to include the additional models and added the experiments to Appendix E. We also report the results below:

We calculated a representative p-value for 5000 watermarked images by first calculating the respective mean z-score, then standardizing this mean z-score using the mean and standard deviation derived from z-scores of 5000 MS-COCO images. $\Delta$ denotes the image quality difference to non-watermarked generated images. FID, KID & CLIP are reported for 10000 images.

The results show that we can effectively embed our BitMark into the images generated from Infinity 8B, BiGR, and Instella, without harm to the quality of output images (relatively small changes of the FID, KID, and CLIP scores). The extremely low p-values for the respective models demonstrate that we can confidently reject the $H_0$ (null hypothesis) and claim that our watermark was indeed embedded in the generated images. Thus, BitMark generalizes to multiple models and architectures.

I know there might not be other bitwise autoregressive image models, but maybe apply a similar technique to bitwise language models?

Note that the LLMs do not suffer from the lack of token overlap, which is the case for Image AutoRegressive models (IARs). Our main observation is that the bit-wise overlap is significant in bit-wise IARs and enables us to embed the strong watermarks. Thus, bit-wise watermarking is not necessary for LLMs and the performance on the level of our BitMark can be already achieved on the token level. If the Reviewer can recommend any language models that utilize bit-wise generation, we would be happy to try our BitMark technique on them.

There is no comparison to other watermark techniques. I think the authors should at least compare to some post-hoc watermark methods.

We added a comparison of BitMark ($\delta = 2$) against three postprocessing watermarks, namely RivaGAN [4] (with message length = 32), StegaStamp [5] (with message length = 100) and TrustMark [6] (with message length = 100). We applied the postprocessing watermarks on 1000 images generated by Infinity-2B and applied the same attacks from our paper. In the following we report the TPR@1%FPR. The experiments show that BitMark is the most robust watermark for Infinity (compared to RivaGAN, StegaStamp, and TrustMark).

​​If the watermark is very radioactive, is it a good thing? If so, it means the watermark can be easily learned by an adversary, and they can perform spoofing attacks. We want an undetectable watermark

Our primary motivation is to prevent model collapse since we want to ensure that companies like OpenAI do not use their own generated data or any derivatives of their generated data to train their future models. This is precisely where the radioactivity property becomes essential: the images generated by a model fine-tuned or trained on generated data are also harmful to the next models. Thus, the spoofing attack is not a concern in this case.

I thought the watermark would be very vulnerable to a rotation attack since if you rotate the image, you mess up the bit sequence order.

The bit-sequence order in the latent space after tokenization is not directly transferable to the pixel space. While BitMark is applied in sequence order in the bit-space, due to the BSQ and Decoder, there are additional spatial transformations applied to the final model output. The important property that contributes to the robustness of BitMark is the large number of bits that are influenced during our watermark embedding.

We performed an experiment computing the overlap between bits from: (1) the original generated image and the rotated encoded image, and (2) the encoded image and the rotated encoded image. Given that over 300k bits that are influenced by BitMark, even a small overlap of 50.14% at 20° is sufficient for the robust detection of our watermark.

Related to the above, would the watermark be robust to a flipping attack, such as horizontally flipping the image?

We added an additional attack to our robustness evaluation and also reported the TPR@1%FPR in the following Table:

We observe that our BitMark is robust to the flipping attacks.

---

If the above responses address some of the Reviewer's concerns, we would greatly appreciate it if they could consider updating their rating to reflect this.

References:

[1] Tong et al. “Training-Free Watermarking for Autoregressive Image Generation” https://arxiv.org/abs/2505.14673

[2] Jovanović et al. “Watermarking Autoregressive Image Generation” https://arxiv.org/abs/2506.16349

[3] Hao et al. “BiGR: Harnessing Binary Latent Codes for Image Generation and Improved Visual Representation Capabilities” ICLR 2025. https://openreview.net/forum?id=1Z6PSw7OL8

[4] Wang et al. “Instella-T2I: Pushing the Limits of 1D Discrete Latent Space Image Generation” https://arxiv.org/pdf/2506.21022

[5] Kevin Alex Zhang, Lei Xu, Alfredo Cuesta-Infante, and Kalyan Veeramachaneni. Robust invisible video watermarking with attention. 2019.

[6] Matthew Tancik, Ben Mildenhall, and Ren Ng. Stegastamp: Invisible hyperlinks in physical photographs. In IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), June 2020.

[7] Tu Bui, Shruti Agarwal, and John Collomosse. Trustmark: Universal watermarking for arbitrary resolution images. ArXiv e-prints, November 2023.

Dear Reviewer cNxC,

We thank the Reviewer for acknowledging our rebuttal and are happy to address any concerns that still exist!

In addition, we would like to further clarify the difference between token sequence and bit sequence as follows:

An image can be tokenized into a $n \times n$ token matrix. Each token in this matrix has $m$ bits, where each bit is like as a channel of the matrix. Our watermarking method operates on the bit sequence across the $m$ channels (in each matrix token), not on the spatial arrangement of the matrix tokens.

For example, when we apply horizontal flipping to the matrix, we change the order of the columns in the $n \times n$ matrix. However, the order of the $m$-bit sequence in each token stays almost the same. Since the watermark is embedded in the $m$-bit sequences rather than the spatial relationships between the $n \times n$ token matrix, horizontal flipping largely preserves the watermark signal.

We also would like to follow up on our answers, especially regarding our contribution, our application of BitMark to other models, comparison to other watermark techniques, and the radioactivity. Do our replies adequately address the reviewer's concerns? We are happy to provide any additional explanations. If our answers address the Reviewer's questions, we hope that the reviewer will consider raising the rating for our submission.

With kind regards,

Authors of paper #2950 (BitMark)

We thank the Reviewer for the positive and constructive feedback. We appreciate that the Reviewer finds our paper to be well written and clearly motivated.

In summary, we generalized BitMark to three additional models, evaluated BitMark against post-processing watermarks and extended the radioactivity experiments. We address the points in detail below:

Results on Infinity-8B will be beneficial for this paper's generalization ability. Generalization ability among models should be further evaluated.

We ran additional experiments to demonstrate that BitMark is applicable to Infinity-8B, as well as to two other bitwise models, namely BiGR [1] and Instella [2]. BiGR is an image generative model that harnesses binary latent codes and Instella is another text-to-image (T2I) Image AutoRegressive (IAR) model leveraging bitwise next-patch prediction.

We extended our experimental analysis to include the additional models and added the experiments to Appendix E. We also report the results below:

We calculated a representative p-value for 5000 watermarked images by first calculating the respective mean z-score, then standardizing this mean z-score using the mean and standard deviation derived from z-scores of 5000 MS-COCO images. $\Delta$ denotes the image quality difference to non-watermarked generated images. FID, KID & CLIP are reported for 10000 images.

The results show that we can effectively embed our BitMark into the images generated from Infinity 8B, BiGR, and Instella, without harm to the quality of output images (relatively small changes of the FID, KID, and CLIP scores). The extremely low p-values for the respective models demonstrate that we can confidently reject the $H_0$ (null hypothesis) and claim that our watermark was indeed embedded in the generated images. Thus, BitMark generalizes to multiple models and architectures.

The Radioactive experiment should be conducted with various watermarked ratios on training data.

We performed additional experiments on the radioactivity with various ratios of watermarked data. The experiments clearly show that with an increasing amount of watermarked data, the signal of BitMark becomes stronger. Even if model M2 is trained on only 10% of our watermarked data, the model M2 can already generate images with a clear bias towards our watermark distribution, resulting in a high TPR of 22.7% @ 1% FPR. We note that even a slight bias is significant at the distribution level. Concretely, we apply a statistical test, namely the Mann-Whitney-U-Test, to test if the z-score distribution of M2-generated data is significantly larger than on M1 generated data. The test is significant with a p-value of 5.6e-62 when M2 is trained on 5% watermarked data, showing that the z-score distribution of M2-generated data is greater than the and clean data z-scores.

As shown in the following table, less than 5% of watermarked data in the training set is enough to distinguish if Infinity-2B has been trained on watermarked data.

Fine-tuning models on images generated with different green-red settings

In our setup, a model provider decides on a specific green-red setting instead of using many of them. This makes the watermark detection much easier for the model provider.

What is the superiority of this work compared with previous post-hoc watermarking schemes?

We added a comparison of BitMark ($\delta = 2$) against three postprocessing watermarks, namely RivaGAN [3] (with message length = 32), StegaStamp [4] (with message length = 100) and TrustMark [5] (with message length = 100). We applied the postprocessing watermarks on 1000 images generated by Infinity-2B and applied the same attacks from our paper. In the following we report the TPR@1%FPR. The experiments show that BitMark is the most robust watermark for Infinity (compared to RivaGAN, StegaStamp, and TrustMark).

---

If the above responses address some of the Reviewer's concerns, we would greatly appreciate it if they could consider updating their rating to reflect this.

References:

[1] Hao et al. “BiGR: Harnessing Binary Latent Codes for Image Generation and Improved Visual Representation Capabilities” ICLR 2025.

[2] Wang et al. “Instella-T2I: Pushing the Limits of 1D Discrete Latent Space Image Generation”. ArXiv e-prints, June 2025

[3] Kevin Alex Zhang, Lei Xu, Alfredo Cuesta-Infante, and Kalyan Veeramachaneni. Robust invisible video watermarking with attention. 2019.

[4] Matthew Tancik, Ben Mildenhall, and Ren Ng. Stegastamp: Invisible hyperlinks in physical photographs. In IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), June 2020.

[5] Tu Bui, Shruti Agarwal, and John Collomosse. Trustmark: Universal watermarking for arbitrary resolution images. ArXiv e-prints, November 2023.

We thank the Reviewer for the positive and constructive feedback. We appreciate that our work is considered novel and that the green-red list mechanism adapted from LLM watermarking to image generation is described as clever. We are glad that our comprehensive experiments clearly demonstrate the practicality of our watermark.

In summary we implemented the rotation estimation tool to revert rotations and observed that the detection of our watermark can be increased with the rotation correction tools. We also addressed the question regarding reverse engineering the green list, in essence: the choice of the arbitrary length of BitMark makes a frequency analysis (used to reverse-engineer the green list) difficult.

We address the points in detail below:

Weaknesses: (1) The method struggles with large rotation attacks. While the paper suggests that rotation estimation tools could rotate back and correct these images (thus being easy to be detected), no experimental evidence supports this claim.

We performed experiments to detect BitMark after correcting rotated images with the rotation estimation tool referred to in our submission [1]. Specifically, we first applied random rotations to the watermarked images from 0 to 360 degrees. We then used the rotation estimation tool [1] to estimate the rotation angles of the images and rotated them back. Our BitMark is then detected on the re-rotated images. The following table showing the detection results with and without the rotation correction was added to Appendix E.

The results show that BitMark achieves a significant AUC of 99.5% and a TPR of 98.3% at 1% FPR after the rotation correction. This demonstrates that the detection of our watermark can be increased with the rotation correction tools.

In addition, we consider an even harder case: after the random rotation, we apply a central crop to the image with 50% cropping ratio, such that all the black corners during rotation are completely removed. We show the results below (also added them to Appendix E)..

Even in this harder case, the detection of our watermark is also increased after the rotation correction. Notably, our BitMark achieves a high AUC of 89.1 and a TPR of 66.3 at 1% FPR.

Can attackers reverse-engineer the green list by analyzing large sets of generated images? If so, how does BitMark defend against such an attack?

The attacker cannot reverse the green list since, in our watermark, we follow the Private Watermarking from KGW [13], where the generative model is kept behind a secure API. The green-list can only be reverse-engineered if the attacker could re-encode and tokenize the images. The choice of the arbitrary length of BitMark makes a frequency analysis (used to reverse-engineer the green list) difficult, as the frequency analysis has to be done for multiple possible patterns of size n. Additionally, even the knowledge about the green list is not effective in removing our watermark, which we show with our Bit-Flipper attack. The attack cannot remove our BitMark without causing a severe image degradation.

---

We would like to thank the Reviewer again for the questions and comments. The paper has definitely improved as a result. We would like to check if there are any other questions or concerns that we can address.

References:

[1] Maji Subhadip and Smarajit Bose. "Deep image orientation angle detection." 2020.

[2] John Kirchenbauer et al. “A watermark for large language models.” ICML, 2023.