Aligned Datasets Improve Detection of Latent Diffusion-Generated Images

7. Why does the performance of detectors drop a lot facing fake images with small scaling factors or real images with large factors? Are there any reasonable explanations?
   We think the reviewer is referring to Figure 2 of the main paper, where we see that, for our method as well as for Corvi, the probability of an image being fake drops when the downscaling factor reaches x4 (at 0.25). We think that this is because the downscaling of x4 was never seen during training. The maximum resolution of our training images are 640 x 640, which can, in very small fraction of cases, can get resized to 256 x 256, i.e., a downsizing factor of x2.5. And since CNNs are not scale invariant, the learnt filters won't behave the same for smaller images. This reason will be applicable to both our method as well as Corvi, since the training real data, as well as the data processing pipeline is the same for both. As for real images, Corvi again struggles with high scaling factors (probability of fakeness increases). Our method, on the other hand, is much more robust in accurately classifying them (a low score) for all scaling factors. We will include a discussion in the final version for why both methods struggle when fake images are downsized by large factors.
8. Larger Batch Size
   We thank the reviewer for the interesting suggestion. We conducted an experiment where we set the batch size to be 1024: 512 real and 512 fake images (our main paper had 64 real and 64 fake images during training).

We observe a slight performance improvement with an increased batch size. This may be attributed to the use of well-aligned datasets, where the gradient updates after each batch are relatively less-noisy. As a result, the training dynamics do not significantly benefit from a larger batch size.

1. Title slightly disqualifies the paper’s main topic
   We thank the reviewer for raising this point. We will add qualifiers to the title which represents problem statements (only Latent Diffusion). We will do so in the final version of the paper.

2. Both Corvi and the proposed method remain vulnerable to minor changes
   While we agree that both Corvi and our proposed method can be disturbed by post-processing, the degree to which they get disturbed is very different. For example, if we look at Figure 2 and consider 0.5 as the threshold for real to fake prediction transition, we see that the Corvi baseline starts calling an image fake even if one simply resizes it to 0.75 its size, whereas to do the same to our detector, one will need to downsize it to more than half its size (at 0.45). And we see a similar story for real images (lines 330,331). So, even though the problem of reliably detecting fake images is still not completely solved, our proposed method is still much more robust compared to the existing paradigm, while at the same time being computationally more efficient.

3. Lack of further insights between Ours and Ours-Sync
   We thank the reviewer for asking for a clarification on this matter. Since our goal is to force the detector to focus only on the autoencoder's artifacts while classifying an image as fake (and real when those artifacts are absent), the real and fake datasets need to be aligned, so that all other semantic differences between them are minimal except for the autoencoder's artifacts, i.e., for every x in the real set, there is a x' in the fake set, where x' is the autoencoder reconstruction of x. However, if x and x' are in separate batches, the network can learn to associate x->real and x'->fake independently of each other, and hence might use some semantic information to learn that mapping. If, on the other hand, x and x' are part of the same batch, in each update of its weights, the model is learning to not look at the semantics. This is what we refer to as batch-level alignment (line 239). We will include a more thorough discussion about the difference between the two modes of training in the final version.

4. The figure in page 10 loses its caption
   We have properly numbered the figure and referenced it in the updated version of main text along with a proper caption.

5. Ensemble of Corvi and Ours method
   We have created a fusion version of Corvi and Ours-Sync and evaluated it. We do so in two ways, fusion-max and fusion-avg. In fusion-max, we classify an image as fake if either detector classifies it as fake. In fusion-avg, we assign equal weightage to both models and take the average prediction of both the networks and classify the image based on that. We evaluate the models in terms of average precision (AP). We calculate the AP by combining the original and post-processed version of each evaluation setting (SD, MJ etc). This way, we get a single score which represents the setting.

We observe a performance degradation in the fusion models compared to the Ours-Sync model. We hypothesize that this is due to spurious correlations learned by the Corvi method, which weaken the Ours-Sync model's predictions in some cases, primarily in fusion-avg, where Corvi’s prediction always impacts the ensemble network's overall prediction.

6. More Architectures
   We include 2 more architectures (with different pre-training configurations) in order to demonstrate our point regarding dataset alignment. We modify the Wide-ResNet [1] by removing upsampling operations from its stem, following [2], and use it to train a fake image detector. Additionally, we use a larger, modified ResNet pretrained with the CLIP objective. For each setup, we compare detectors trained on the Corvi baseline dataset against those trained on our dataset.The results can be found in Appendix A.2.4. The detector trained on reconstructions consistently outperforms the Corvi baseline. Our experiments show that the effectiveness of data alignment is independent of architecture choices/initializations. References
   [1] Zagoruyko, Sergey. "Wide residual networks." arXiv preprint arXiv:1605.07146 (2016).
   [2] Gragnaniello, Diego, et al. "Are GAN generated images easy to detect? A critical analysis of the state-of-the-art." 2021 IEEE international conference on multimedia and expo (ICME). IEEE, 2021.

1. Authors did not deeply explore reasons behind phenomena and have conducted shallow comparative studies
   We respectfully disagree with the reviewer regarding the lack of depth in the exploration of the phenomena observed. We have identified two major kinds of spurious correlations relating to resizing and compression and explained precise reasons for both of them in Section 5.2 and the Discussion section respectively. We also identified and explained a similar spurious correlation which can occur even when using frozen feature extractors such as CLIP (Appendix A.2.2).
   
   Furthermore, we also show the effectiveness of dataset alignment in terms of mitigating spurious correlations (Sec 5.2), computational efficiency (Sec 5.3), general performance (Sec 5.4), semantics-independent pattern learning (Sec 5.5), and Data efficiency (Appendix A.2.1). By analyzing the approach along these different dimensions, we have identified different desirable properties which the approach brings. It would be helpful if the reviewer could give suggestions regarding the nature of the experiments that would make the work stronger.
2. Limited Comparison methods
   The reviewer mentions that we only compared it with 2 methods, however we wish to highlight that we have compared our models with 5 baseline methods (details listed in Sec 5.1), these baselines were carefully selected in order to represent 3 different paradigms of fake image detection methods-training based (Corvi), linear-probing based (Cozzolino-LDM, Ojha-ProGAN and Ojha-LDM) and reconstruction based (AEROBLADE).
3. Lack of results on public benchmarks
   Our work focuses on training a reliable fake image detector for a family of latent diffusion models. Therefore, in order to make sure that it is clearly the case, we wanted to evaluate across a wide variety of latent diffusion models. To the best of our knowledge, existing benchmarks such as GenImage possess a limited number of Latent Diffusion models and are tailored towards Universal Fake Image detection. For instance, they do not contain images from the latest models such as Playground, PixelArt, Kandinsky and Latent Consistency Models. Therefore, we decided to create our own evaluation benchmark, specifically for the problem that we were interested in solving - that is, reliably detecting fake images from the LDM family.
   
   However, we have also tested our model on the Sentry benchmark [1]. The Sentry benchmark consists of images from 2 latent diffusion models, SDv1.5, SDv2 and the closed-source commercial model Midjourney. We report our results in terms of AP and accuracy with a fixed threshold (0.018 for AEROBLADE, 0.5 for everything else). In order to calculate the AP, we use the same real images which we use in the rest of the paper. With SDv1.5, the authors also generate images which “look realistic”, which they label as SDv1.5R. The results indicate that our approach’s performance is similar to what we reported. Our approach achieves near perfect performance in terms of accuracy and AP on the SDv1.5, SDv1.5R and SDv2 images. It is important to note that the Midjourney (Mjv5) images used in the Sentry benchmark are gathered from the internet based on community uploads. It simulates the post-processing setting that we report in our paper (Table 2). On Midjourney, our detector achieves a good AP value of 94.37%. These results show that the improvements that we observe through the use of data alignment is not tied to our curated dataset.

References
[1] Lu, Zeyu, et al. "Seeing is not always believing: benchmarking human and model perception of AI-generated images." NeurIPS 36 (2024).

5) Comparison techniques are too basic, compare against SOTA methods such as DIRE and NPR
We respectfully disagree with the suggestion that the comparison techniques are too basic. In this response, we will show later on that the baselines we selected outperform the newly suggested baselines. Initially, the reviewer mentioned that we had compared our method to only two baselines, which was inaccurate. In fact, we compared our approach to five different baseline detectors. The reviewer’s new request is to compare two new methods which were not mentioned in the original review. And while we have still managed to get the results on them, we want to briefly mention some information about those methods. The reason we did not include the DIRE [2] method in our earlier draft was due to analysis that can be found in the AEROBLADE paper (Section 9 of the AEROBLADE paper). The paper experimentally analyzes spurious correlations learnt by the DIRE method (associating JPEG with real images and PNG with fake images). Nevertheless, we compare against both of these methods which the reviewer has now requested.

For the evaluation, for completeness we use 2 checkpoints for NPR [1] as well as DIRE. For NPR, the authors provide checkpoints for the AIGCDetect [3] benchmark as well as the GenImage benchmark [4]. We report the performances of both of these checkpoints. Furthermore, we also use 2 of the checkpoints provided by the authors of DIRE, one which was trained on ADM-generated images [5] and one that was trained on Stable Diffusion v2 generated images. In order to give the complete picture, we report the AP (same setting as Appendix A.2.3).

Based on the results, we would like to make two major observations,
a. Our method outperforms the newly added baselines comprehensively.
b. The AEROBLADE baseline that we compare against vastly outperforms the DIRE baseline recommended by the reviewer. Given that both of these baselines belong to the paradigm of reconstruction-based detection, we hope this proves that the detectors we compare against are not simple detection techniques, contrary to the reviewer’s suggestion.
c. Furthermore, we would like to point out that the NPR baseline is also a fine-tuned ResNet-50 based detector. The baseline we select in that paradigm (Corvi), comprehensively outperforms the NPR baseline which once again highlights the fact that the baselines we selected are not simple techniques and in-fact outperform the baselines suggested by the reviewer.

6. Consider adding ViT based methods
We again would like to highlight that the request to see ViT based models was not present in the original review. We are running some experiments using the ViT backbone. However, since this request by the reviewer was given just 4 days before the deadline, we are not sure if the model will finish training before the discussion period ends. In the case we do get the results, we will try to add them here in the comments section.

1. Does the model learn patterns specific to a single LDM? Does the model learn Universal patterns that can generalize to GANs?
   We demonstrate that the trained detector learns patterns that generalize to a variety of latent diffusion models. This includes models with changes in VAE architecture such as Kandinsky (line 458-459) and models with changes in UNets (lines 423-426) such as Playground, PixelArt as well as commercial models such as Midjourney.
   
   Furthermore, we would like to clarify that we are not trying to solve the problem of universal fake image detection in this work. While the community emphasizes on solving the problem of universal fake image detection, in this work, we highlight that reliable detection of fake images from a single family of models is not by any means a trivial task and highlight it by showing several failure modes for a lot of existing models such as spurious correlations (Sec 5.2, Appendix A.2.2) and limited performance (Tab 1, 2 and Discussion section). We believe that before tackling the problem of Universal Detection, it is important to build reliable detectors for a single class of models. Please refer to our general comment addressed to all reviewers which elaborates on this point.
2. Discussion of deep fakes, talking face synthesis etc.
   Just as we mentioned in our response to the previous question, our goal is not to build a general purpose fake image detector that can detect all kinds of fake images. It is to highlight that even in the case of "entire image synthesis", there are many cautions that one should take while training a detector, and we propose a method for that task. We do agree that detecting deep fakes is also important, maybe societally even more important, but for now, that is outside the scope of our work. We will discuss this clearly in the final version of our paper.
3. Limited Analysis of pre-trained models We thank the reviewer for raising this point regarding the extent of our analysis. In order to verify the veracity of our findings across a variety of pre-training techniques, we include 3 more initializations, a ResNet-50 with the DINO initialization, a modified-ResNet with CLIP initialization and a modified FCN [1] trained on MSCOCO for the task of semantic segmentation. The analysis can be found in Appendix A.2.4 of the updated submission. We observe that, regardless of the architecture or initialization, our method of using a well-aligned dataset consistently yields better performance than using the dataset provided by the Corvi baseline. For instance, when using the CLIP initialization, our detector achieves an AP of 96.86%, compared to the 88.09% AP achieved by the baseline detector when detecting images generated by Playground. Furthermore, we also observe that the performance across different initializations remains roughly the same.
4. Alignment issues are not entirely novel
   We agree that alignment is not an entirely new issue, in fact we ourselves have highlighted prior efforts to ensure alignment in lines 212-216. We thank the reviewer for sharing these articles with us. Article [2] highlights a very similar issue. We will include a discussion about it in our revision. However, it is important to note that [2] talks about how the high-resolution real images possess more high-frequency artifacts which are picked up by the detector. Our work on the other hand emphasizes on how the data augmentations used could behave differently on either class due to a lack of alignment, which in turn can induce spurious patterns that are picked up by the detector.
   
   Article [3] shared by the reviewer demonstrates the benefit of latent space augmentation in training deep fake detectors. The method involves learning feature extractors specific to each deep fake technique and distilling the learned knowledge into a single student model which serves as a deep fake detector. In order to extend it to detect unseen deep fakes, the authors introduce augmentations in the latent space (such as interpolations) and distill this knowledge to the student as well. While they train on real images and their “deep fake” counterparts, the work does not analyze the effectiveness of data set alignment to the best of our knowledge; we thereby request the reviewer to provide further clarity regarding the same.
5. What is the definition of fake image as per this work?
   In this work, we define a fake image as whole-image synthesis by a neural network. We treat any image that was produced by a neural network and then post-processed as fake images as well. Any images that were not produced by neural networks (photographs taken with a camera, graphics programs) as real images.

References
[1] Long, Jonathan, Evan Shelhamer, and Trevor Darrell. "Fully convolutional networks for semantic segmentation." Proceedings of the IEEE conference on computer vision and pattern recognition. 2015.

1. Generalization to different architectures
   In our paper, we show that a detector trained on LDM VQVAE reconstructions can generalize to Stable Diffusion models that use different VAE’s such as Playground, PixelArt etc (Sec 5.4). Our detector can generalize to a completely different MoVQGAN [1] used by Kandinsky (line 458-459). We also show that our detector is more robust to vast changes in the UNet of the diffusion model (lines 423-426). If, however, the main concern of the reviewer was whether our model can work on images generated by the original VQGAN etc (without them being used with diffusion models), then please refer to the general comment about how our goal is different from that of building a universal fake image detector.

2. Proposed method disregards semantic content as a result could be vulnerable to artifact decimation
   In the article referenced by the reviewer, the authors conduct an experiment where they down-sample the fake images with a 4x factor. Such an operation could remove some artifacts while approximately preserving the original image. We agree that downscaling an image too much might reduce the artifacts introduced by the autoencoder. In fact, in Figure 2 of the main paper, we do see that the probability of an image being fake drops when the downscaling factor reaches x4 (at 0.25). However, we believe that this is not because there are no artifacts to be found, but rather because that downscaling of x4 was never seen during training. The maximum resolution of our training images are 640 x 640, which can, in very small fraction of cases, can get resized to 256 x 256, i.e., a downsizing factor of x2.5. And since CNNs are not scale invariant, the learnt filters won't behave the same for smaller images. Moreover, we also believe that almost every method is going to struggle when images are downscaled by that amount. In fact, going back to Figure 2, we see that the Corvi baseline, which was in fact trained in the standard manner (using fake images with semantic anomalies), struggles even more when fake images are downscaled by x4. In summary, we agree with the reviewer that huge amounts of up/downsizing is a challenge for fake image detection; but we believe it has more to do with a CNN's implicit biases/limitations, and less to do with our specific method. Finally, we would like to clarify that our detector learns patterns beyond low-level traces which the article referenced by the reviewer mentions. This can be inferred based on our model's robustness to various post-processing operations (Appendix A.2.5).

3. Sensitivity to various transformations
   While it is true that we wanted to investigate the resizing issue more deeply because there is a principled reason why Corvi struggles with it, in our evaluations, we have shown robustness to many other randomized post-processing artifacts. Table 2 is for that purpose, where we show the sensitivity to blur, JPEG compression and color jitter operations (lines 412-413). However, we also agree with the reviewer that a more comprehensive study of our method's sensitivity to isolated post processing effects will be helpful. For that purpose, we have conducted additional tests separately analyzing the model's robustness to blur, Gaussian noise, and JPEG compression. We refer the reviewer to Appendix A.2.5 for the analysis. Particularly in the case of blur, we notice that blurred fake images are more confidently classified as fake using our method compared to Corvi.

4. The figure in page 10 should be properly numbered and referenced
   We have numbered the figure properly (currently Fig 5) and referenced it in the updated version of the paper.

5. Using thresholdless metrics
   We agree that using other threshold-less metrics can be helpful in addition to accuracy. As a result, we have evaluated all the approaches by using Average Precision (AP) and true positive rate at 5 false positive rate (tpr5fpr). The results can be found in Appendix A.2.3 of the updated version. We achieve a very high AP and TPR@5FPR. For instance, when detecting Playground-generated images, we achieve an AP of 98.54% and a tpr@5fpr of 92.88%, compared to the next best method (Corvi), which achieves an AP of 90.93% and a tpr@5fpr of 65.75% on the same task. The reason we used accuracy as the metric was because we wanted to simulate a real-life testing environment where calibrating the detector on the test dataset will not be possible. This implies that having a good test AP is not always useful in practice.

6. Minor Comments/Suggestions
   We thank the reviewer for providing us with feedback on the writing. We have made the appropriate changes and have highlighted it in red in the updated version of the paper.

References
[1] Zheng, Chuanxia, et al. "Movq: Modulating quantized vectors for high-fidelity image generation." Advances in Neural Information Processing Systems 35 (2022): 23412-23425.

7. Why calibrate the threshold only for the shaders experiment?
   We conduct the shaders experiment to show the following-by using a well-aligned dataset, we can detect fake images coming from completely unrelated domains (which is very relevant given the internet scale datasets that are used to train models). Since, the model does not observe any natural images during training, it is not likely for those images to conform to a 0.5 threshold, therefore, we calibrate the threshold. Note that, we calibrate the threshold based on a validation set, and we calibrate it for the Corvi/Ours-Sync methods in Table 3 in order for fair comparison. The details of the experiment are given in Appendix A.1.2. If we do not calibrate the threshold, the accuracies of the models drop a bit. Please note that the calibrated thresholds of our models are around 0.44 for the Ours version and 0.6 for the Ours-Sync version trained on shaders.

8. Why do shaders struggle with post-processing?
   We have two hypotheses for this. First, the images from Shaders dataset have a resolution of 384x384, whereas those in the natural case (LSUN + MS COCO) have images ranging from 256x256 to 640x640 (line 718-723). Due to the wide range of resolutions present, we think that the detector trained on natural images encounters a wider range of resizing operations during training which results in increased robustness. In Table 2, resizing is one of those post-processing operations that is randomly applied to test images (to simulate real world processes), to which the detectors trained on natural images could be more robust towards. Our second hypothesis is that both of our detectors, one trained on natural and the other on Shaders, won't be perfect in their reconstructions. For example, [2] showed that 4-channel LDM autoencoders struggle with reconstructing text. And hence, the resulting detector might learn to associate 'good-looking text' to real and 'gibberish' to fake. Similarly, the same autoencoder will struggle in reconstructing Shaders images as well, and the detector might consequently learn to associate those features to real/fake images. However, in the first case, the features learnt (good text -> real) can actually be useful at test time to detect fake images as fake (e.g., when a test image as gibberish text), whereas those learnt by Shaders inconsistencies will likely not transfer to the natural image test data.

9. Why is the detector trained on our approach more data-efficient?
   We believe that this is a direct effect of dataset alignment. In the case of Corvi, with a small dataset which is not well-aligned, there could exist multiple subtle spurious patterns (e.g. a real black cat vs a fake white cat). The model can overcome such patterns with more data. Our detector on the other hand will not capture such shallow, spurious patterns since the dataset is properly aligned. This increases the likelihood of our model to capture deeper, more common patterns that make an image fake.

References
[2] Dai, Xiaoliang, et al. "Emu: Enhancing image generation models using photogenic needles in a haystack." arXiv preprint arXiv:2309.15807 (2023).

References
[1] Corvi, Riccardo, et al. "On the detection of synthetic images generated by diffusion models." ICASSP 2023-2023 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, 2023.
[2] Ricker, Jonas, Denis Lukovnikov, and Asja Fischer. "AEROBLADE: Training-Free Detection of Latent Diffusion Images Using Autoencoder Reconstruction Error." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2024.
[3] Chen, Baoying, et al. "DRCT: Diffusion Reconstruction Contrastive Training towards Universal Detection of Diffusion Generated Images." Forty-first International Conference on Machine Learning.
[4] Yu, Xiao, et al. "SemGIR: Semantic-Guided Image Regeneration Based Method for AI-generated Image Detection and Attribution." Proceedings of the 32nd ACM International Conference on Multimedia. 2024.
[5] Grommelt, Patrick, et al. "Fake or JPEG? Revealing Common Biases in Generated Image Detection Datasets." arXiv preprint arXiv:2403.17608 (2024).
[6] Esser, Patrick, et al. "Scaling rectified flow transformers for high-resolution image synthesis." Forty-first International Conference on Machine Learning. 2024.

Thank you for your questions. We address the concerns raised below,

The idea of training on reconstructions has been proposed before in some works, but the motivations are not too similar\

1. [3] Uses Reconstructions to train a detector, but motivations are different
   The goal of authors in [3] was to improve existing fake image detector's generalization ability with the aid of reconstructed real images. However, their motivations for doing so are different from ours. Their goal is to simply make the task of the detector more difficult, which they do by introducing real image reconstructions as an additional type of "harder-to-classify" fake images. But the standard fake images, generated using text by the iterative denoising process, are still part of the overall fake category in the training data. Please refer to Fig. 2 of their paper which shows that the overall fake category is composed of three types of fake images, including the standard fakes and their reconstructions. This implies that the fundamental problem that we have discussed in our work, i.e., any kind of misalignment, e.g., resizing artifacts due to differing original resolutions, can still be a problem for their approach. In contrast, in our work, we wanted to completely align the real and fake image distribution so that, as much as possible, there is very little scope for learning some other spurious features. In fact, if we had to use the method proposed by authors in [3] for the data used by Corvi et al. which uses generated images at 256 x 256 resolution (with real images at a different resolution), then among the three types of fake images (Fig. 2 in [3]), two of them will still have the resolutions of 256 x 256, and will have the same problems as we discuss in Sec. 5.2.
   
   Next, the way we do reconstructions is different and much simpler. For the LDM based models (e.g., SDv1.4, which is used as the training data in [3]), we do not need to do any multi-step DDIM inversion, but simply pass the real image through the autoencoder to get its reconstructions. This is much more computationally efficient (Fig. 3; Sec. 5.3). Furthermore, training a detector on DDIM reconstructed images, will be sensitive to the change in the UNet (while preserving the VAE). Ours on the other hand will not be sensitive to changes in the UNet. We have empirically observed this in our work in Lines 423-426.
   
   Finally, because we have had such a strong emphasis on making the real and fake dataset well-aligned, we show that the principle can be used to build effective detectors even when we only have access to algorithmically generated images (which do not capture the semantics of natural images), and do not have access to natural real images (Sec. 5.5).

2. [4] does not use reconstructions, furthermore we have compared against a similar paradigm in our paper
   We would also like to point out that [4] is not very similar to our approach. They use an image-to-text model in order to get a prompt for each real image which can be used to generate the corresponding fake image. In fact, this is very similar to the existing paradigm that we compare against and also acknowledge in our work (refer Fig 1 and line 212-216). The existing paradigm relies on the captions associated with the image in order to generate similar fake images. For the class of latent diffusion models, our proposed approach is more efficient (does not require costly captioning or iterative denoising). Furthermore, using the LDM autoencoder leads to better reconstructions, i.e., more aligned fake images.

Autoencoder reconstructions are generally more accurate than DDIM reconstructions for LDM’s
The autoencoder reconstruction is among the best approximations to the real image that can be made by the latent diffusion model. Intuitively, DDIM inversion tries to approximate this encoded latent, this results in additional approximation error which could affect reconstruction quality. This has been discussed in several prior works such as [6] and [2]. Importantly, [2] has a clear experiment demonstrating the difference in the reconstruction quality. They observe that using DDIM reconstructions increases the distance between the fake images and their reconstruction and show in conclusion that just using only LDM’s autoencoder for reconstructions achieves better reconstructions. [6] uses the autoencoder reconstruction ability in order to measure the upper bound of generation quality (hypothesis being that autoencoder reconstruction is the closest to real images one can get to). Additionally, DDIM inversion involves numerically solving a forward ODE and a reverse ODE, it is therefore twice as expensive as if we were to generate the images from scratch (similar to Corvi), therefore using autoencoder reconstructions is much more efficient in comparison.

Thank you for your questions, we address the concerns below,

Inpainting
In this work, we restrict our scope to “entire-image synthesis”. As mentioned in our response to reviewer hbmp, we will discuss this clearly in our final version.

Will mark benign manipulations as fake
Our problem statement focused on detecting any type of fake image generated by a specific family of generative models. Consequently, as long as super-resolution or enhancement is performed by a latent diffusion model (similar to Stable Diffusion), our method will classify it as fake. We emphasize that any image enhanced or restored by a latent diffusion model is, at its core, manipulated by a neural network. Our aim is to detect such images as fake regardless of whether they are malicious or benign.

Susceptibility to Laundering
If a real image (such as a compromising photo) can be reproduced by the generative model, we believe that the generated image should be detected as fake. Practically, this is driven by the goal of detecting fake images that are visually plausible and closely resemble realistic ones. Regarding the presented scenario, we want to emphasize that as long as the original image (which is not fake) has not been altered, it should be identified as real by a model designed to focus on the generator’s artifacts.

Citations
We will cite relevant work such as DRCT and explain the differences in our final version.