Lightweight-Mark: Rethinking Deep Learning-Based Watermarking

Weakness 1: Complexity of MSE Expansion and the Role of Positivity/Negativity

We appreciate the your insightful feedback. We understand your concern regarding the complexity.

In watermark decoding tasks, positivity or negativity is a key criterion for determining whether decoding is correct. This not only serves as the foundation for decoding results but also plays an important role in our analysis, helping to express optimization behaviors such as inflation or deflation. Therefore, to ensure the rigor and completeness of the proof, considering positivity or negativity is indeed indispensable.

However, your suggestion is very reasonable, and we plan to improve the paper in the following ways to enhance readability and clarity:

1. Simplification of Symbols and Formulae:
To improve the readability of the formulas, we will simplify certain symbols and expressions. For example, we will rewrite $L_R^{+ and < \epsilon}$ as $L_R^{+} \cap L_R^{< \epsilon}$, making the expression more concise.

2. A More Intuitive Explanation of Equation 3:
The goal of decoding is to ensure that the decoded bits are correctly separated from the boundary value (0), without considering the magnitude of each bit (e.g., 0.1 or 1). However, the objective of the MSE loss is not only to ensure that each bit is correctly separated from the boundary value but also to push the bits closer to ±1. Clearly, MSE loss is a stricter loss function, but this stricter requirement does not directly improve decoding accuracy. To highlight the gap between MSE loss and decoding accuracy, we have decomposed it into three parts:

• L_deflation mainly optimizes the portion of the decoding error and directly affects decoding accuracy.
• L_inflation and L_regularization optimize the portion of correct decoding but do not directly influence decoding accuracy.

Additionally, based on the analysis of Equation 3, we propose two methods, PH and DO, to alleviate the redundancy introduced by L_inflation and L_regularization.

---

Weakness 2: Adding perceptual loss or adversarial training for perceptual quality

1. Adding perceptual loss:

Following your suggestion, we expanded our experiments to include perceptual loss in our training process. To improve perceptual quality, we incorporated SSIM and LPIPS losses and present the results in Table 1.

As shown in the Table 1, adding SSIM and LPIPS individually improves SSIM and LPIPS scores, particularly LPIPS, which is reduced by at least half.

Although a slight drop in PSNR and average accuracy is observed, these trade-offs are reasonable given the enhanced perceptual quality.

Table 1. Benchmark comparisons on visual quality and robustness against combined noise

---

2. Adding Adversarial Training：

To further investigate adversarial training, we analyzed the impact of adding a discriminator (DIS) to our proposed lightweight model. Detailed results are provided in Appendix E.8, and the key findings are summarized in Table 2.

Table 2. The Effect of the Discriminator (DIS) on the Proposed Lightweight Model

As observed, the discriminator does indeed lead to some improvement in perceptual quality (LPIPS). Additionally, efficiency is also a key metric for our model. As shown in Appendix E.8 Table 13, the discriminator requires 6.8× more parameters and 8.5× more FLOPs than our entire lightweight model. Given the small perceptual gain and the substantial increase in computational cost, we prioritize perceptual loss as a more efficient approach to enhancing perceptual quality.

---

We sincerely appreciate your insightful suggestion regarding perceptual quality. Your recommendation to incorporate perceptual loss has proven to be effective and efficient, and we will include this experimental analysis in the final version of our paper.

Thank you for your thorough review and the constructive comments on our manuscript. Below, we address your comments to clarify and improve our manuscript:

Weakness 1 & Suggestion 1: Can ($\epsilon$) in DO be Automated Tuning and How to Choose a Reasonable ($\epsilon$)?

1. Can Safe Distance ($\epsilon$) in DO be Automated Tuning?

Following your suggestion, we attempted to make $\epsilon$ a learnable parameter integrated into the optimization process. We initially set $\epsilon$ to 0.1 and left other training settings unchanged. During training, we monitored both decoding accuracy (ACC) and the value of $\epsilon$. We found that $\epsilon$ decreased continuously as training progressed and eventually reached 0, leading to instability.

At this point, the ACC dropped to around 50%, and the model was unable to decode correctly. We analyzed this behavior and identified that in the DO method, the role of $\epsilon$ in the DO method is to penalize values close to the boundary (0). A larger $\epsilon$ applies a broader penalty, while a smaller $\epsilon$ shrinks the penalty range. When $\epsilon$ reaches 0, no penalty is applied, and the model effectively minimizes $L_{inflation}$ by setting $\epsilon = 0$, reducing the DO method (i.e., $L_{deflation} + L_{inflation}$) to $L_{deflation}$. As shown in Section 2.2 ("The Gap between Two Objectives") of our original paper, this causes model instability, which we further validated and reported in Table 5 of Section 4.4 (Ablation Study).

How to Choose a Reasonable ($\epsilon$)?

We acknowledge that directly incorporating $\epsilon$ as a learnable parameter was not feasible. However, your suggestion was valuable, and we conducted extensive experiments on the model's performance under varying $\epsilon$ values. The results of these experiments are presented in Appendix E.11, offering guidance on selecting an appropriate $\epsilon$.

For now, we empirically selected $\epsilon$ based on these experiments, balancing model stability and optimal performance. We also plan to explore more automated and convenient methods in future research. We hope this explanation clarifies the challenges we faced and addresses your concerns.

---

Weakness 2 & Suggestion 2: More Visual Results in Main Text.

Thank you for your constructive comment! Indeed, due to the current length constraints, we are unable to include more images in the main text now. However, in the final version, we will incorporate Figures 3 and 4 into the main body of the paper.

---

Question 1: The Motivation of the lightweight deep watermarking model.

The motivation behind the lightweight deep watermarking architecture stems from the practical demands of deploying models in resource-constrained environments. The motivations are as follows:

1. Practical Need for Lightweight Models in Real-World Applications Digital watermarking plays a crucial role in protecting intellectual property across various domains, such as images, videos, and 3D content. However, high-performance models are often impractical for deployment due to their:

• Large parameter sizes, which increase storage requirements.
• High computational demands, which exceed the capacity of many real-world systems.

This challenge is particularly acute in scenarios like video streaming and online education, where devices must operate efficiently within strict computational and energy constraints. High-performance lightweight models are essential to enable such deployment while remaining effective for copyright protection.

2. Importance of Lightweight Design in SoC Architectures In SoC-based environments, lightweight design is not just beneficial but imperative:

• Storage Constraints: The storage capacity in embedded devices is limited, making parameter-efficient models essential.
• Computational Efficiency: SoCs lack significant computational power. Lightweight models reduce energy consumption, enabling practical deployment on edge devices.

---

Question 2: Further Improving Subjective Visual Quality.

• PSNR primarily measures pixel-level differences but does not reflect visual quality well in terms of image structure and texture details.
• SSIM considers luminance, contrast, and structure, offering a better alignment with human perception, but it still does not fully capture complex visual features.
• LPIPS compares feature representations from deep neural networks, providing a closer approximation to human perception, especially in terms of high-level perceptual quality.

For improving subjective visual quality, more detailed experiments can be found in weakness 2 of Reviewer QY8P's feedback. For your convenience, we summarize the results here. We experimented with two approaches: directly adding SSIM and LPIPS losses, and using a discriminator. Both methods effectively improved subjective visual quality (LPIPS), but adding SSIM and LPIPS losses was computationally more efficient.

Notation and Typographical Corrections

Thank you for your detailed review. We will ensure proper formatting of subscripts and expressions in the final version.

Regarding the typos, you are right that in L159 it should be "the last three terms," and the citation in L359 should be "2024". We will address these issues in the final version.

---

To provide a comprehensive response, we have included some results in the anonymous link:

https://anonymous.4open.science/r/Rebuttal-ICML-8393/Rebuttal_ICML2025_%208393.pdf

Q1: Thank you for your constructive suggestion! If we remove the projection head, we could indeed add a Tanh function after the decoder to constrain the output to the range (-1,1), as shown in Figure 3 (linked). However, we do not impose such a restriction on the decoder output because the success of decoding depends on the relationship between the decoded bits and the boundary value (0 for MSELoss, 0.5 for BCELoss), rather than on the magnitude of the output itself. For example, an output of 0.1 and 2 both indicate the same decoded bit '1' under MSELoss.

Adding a Tanh function would not alter the relative relationship between the decoded bits and the boundary (i.e., values greater than 0 remain positive, and values less than 0 remain negative). Consequently, as shown in Table 1 (linked), the final decoding accuracy remains unaffected, so we opt not to introduce an additional function.

For BCELoss, the sigmoid function is necessary because BCELoss is designed for probabilistic outputs. The sigmoid ensures that the outputs lie within the [0,1] range, representing valid probability distributions. In contrast, MSELoss does not require such a transformation, as it directly optimizes the squared error.

Q2: Thank you for your question. The term "Combined noise" was originally introduced by HiDDeN, and its purpose is to address the scenario where watermark images may encounter different types of distortions in real-world applications. Since it is difficult to predict which specific distortion may occur, the watermarking model needs to be trained to handle multiple types of noise simultaneously. In practice, during training, we employ a Combined Noise technique, where the model is exposed to a random noise layer in each mini-batch. This enables the model to learn robustness to multiple types of distortions at the same time. Additionally, during evaluation, we assess the model's robustness under different noise layers to demonstrate its general robustness. This approach is also widely used in watermarking models such as MBRS, CIN, and FIN.

Q3: Thank you for your insightful suggestion. Following your advice, we experimented with directly using a few-step diffusion model as a noise layer for training. The results are presented in Table 2 (linked).

As the number of steps (t) in the noise layer diffusion model increases, the robustness of the watermarking model against diffusion-based attacks also improves. However, with smaller t, the model’s performance remains inferior to surrogate method. We believe this is due to the difficulty of simulating large t attacks with smaller t. Additionally, using t=0.03 already demands substantial GPU memory and time, which limits our ability to explore larger values of t with our current resources.

Despite these challenges, we believe your approach holds significant potential. Developing efficient few-shot diffusion models to simulate larger t attacks is an important direction for future research. However, this goes beyond the scope of our current paper. Our main contribution lies in providing a lightweight watermarking model that demonstrates state-of-the-art performance across various distortions. We are confident that our model can soon be integrated with future diffusion noise layers, and we believe it can as an efficient and effective framework for the watermarking community.

Q4: Thank you for your valuable suggestion. We have included the results in Table 3 (linked). For your convenience, we summarize the findings below. Our method consistently performs best in most cases for the PRGAI attack, and it consistently ranks in the top two for the DiffPure attack.

Q5: Thank you for your insightful suggestion. We have included the watermarked image without an attack in Figure 1 (linked) and will update Figure 5 in the final version accordingly.

Q6: Thank you for your insightful suggestion. We conducted extensive experiments to evaluate the model's performance under stronger perturbations, and the results are provided in Table 4 (linked). For your convenience, we summarize the key findings below: Under stronger perturbations, both PH and DO methods remain competitive. Notably, DO outperforms other models across all distortions, except for Median Blur. This confirms the effectiveness of our methods and demonstrates that the robustness acquired from training with less perturbations generalizes well to more perturbations.