An Undetectable Watermark for Generative Image Models
We present a robust image watermarking scheme that is provably quality-preserving, and demonstrate that all prior schemes degrade quality.
Abstract
Reviews and Discussion
The paper presents a scheme to embed digital watermarks into the latent space of a diffusion model. The method is based on a pseudorandom error-correcting code (PRC): the watermarked image is generated from an initial latent vector whose signs are chosen according to a PRC codeword. The paper provides guarantees on undetectability and a low detection false positive rate (FPR), along with a comparison against concurrent watermarking methods, both in robustness to removal attacks and in the quality of generated images.
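For intuition, the sign-conditioning step described above can be sketched in a few lines of NumPy. This is a toy illustration, not the paper's implementation; the real scheme derives the signs from a PRC codeword, which we model here as uniform random signs (what a pseudorandom codeword looks like to an observer without the key):

```python
import numpy as np

rng = np.random.default_rng(1)
n = 100_000  # toy latent dimension

# Hypothetical PRC codeword, modeled as uniform random signs.
c = rng.choice([-1.0, 1.0], size=n)

# Sample a Gaussian latent conditioned on having the codeword's signs.
g = rng.standard_normal(n)
z = np.abs(g) * c

assert np.array_equal(np.sign(z), c)   # the signs carry the codeword
assert abs(z.mean()) < 0.05            # yet each coordinate is still ~ N(0, 1)
assert abs(z.std() - 1.0) < 0.05
```

Because the magnitudes |g| and the uniform signs are independent, z is distributed exactly as a standard Gaussian, which is the crux of the undetectability argument.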
Strengths
The paper adapts PRCs to the domain of image watermarking and builds a robust watermarking scheme with a provable FPR bound on top of them. The authors compare their approach against a variety of watermarking schemes, both in robustness to different removal attacks and in the quality of watermarked images.
The method comes with provable guarantees on the FPR of watermark extraction. It is robust to surrogate-classifier attacks, owing to the experimentally demonstrated undetectability of the watermark. According to the evaluation protocol, the PRC watermark retains decent generated-image quality compared to state-of-the-art methods.
The paper is well written, aside from minor misprints.
Weaknesses
-
In Theorem 1, the upper bound on the difference of probabilities is loose. To conclude undetectability, one has to demonstrate a negligible difference between the detection probabilities on watermarked and non-watermarked samples. An upper bound close to ½ is unsatisfactory in this case. How can it be improved?
-
The robustness of the watermarks yielded by the method to removal attacks (both synthetic and diffusion-model-based) is inferior to that of the Gaussian Shading, Tree-Ring, and StegaStamp approaches. Since robustness is one of the major requirements of a watermark, it is important to improve it in practice. Namely, one may wish to improve robustness at the cost of the quality metric (for example, by embedding longer messages).
I am willing to increase my score if the authors provide a correction for theorem 1 and additional experiments on robustness to removal attacks.
Questions
Please see the weakness section.
Question 1.
Yes, you are absolutely correct! That was a typo; there should not have been a 1/2 in the first place. We have updated it now, and thank you for noticing this.
Question 2.
We would like to point out a couple of key things:
a. In fact our robustness is significantly greater than Tree-Ring for the strongest attacks. See Figures 3 and 8.
b. Our robustness is very similar to that of StegaStamp for small perturbations. However, StegaStamp hugely impacts image quality — see Figure 1 (where splotches are clearly visible in the watermarked image) and Table 1.
c. Gaussian Shading does outperform our watermark on robustness. However, that method massively impacts image variability — see Figure 10 for a visual example, Table 2 for a quantitative measurement of variability using the LPIPS score, Table 1 for quality, and the “Gaussian Shading watermark” paragraph of our Related Work section for a more in-depth discussion.
Taking a step back, the premise of our work is that quality is an absolute necessity. It is not clear that any company would be willing to implement a watermark with an 8% loss in quality [1] with no guarantees about performance on un-tested edge cases, if the model cost over 100 million dollars to train. Indeed, to our knowledge no major company has implemented a watermark by default on a production-level model. (Even Google’s SynthID is an opt-in service with highly limited availability.) Once we have quality down, only then should we start worrying about robustness.
Finally, one should consider whether robustness is even important for large perturbations. It's true that for heavy perturbations, StegaStamp and Gaussian Shading are more robust. But in this regime, one can easily tell that perturbations have been applied (see e.g. Figure 12). Users willing to tolerate such a significant hit on quality would probably simply use a weaker model that isn't watermarked in the first place.
[1] Tree-Ring, Gaussian Shading, and Stable Signature all suffer from at least an 8% loss under FID on the Stable Diffusion Prompts dataset in Table 1.
I appreciate that the authors addressed my concerns, and I increase my score.
Reviewer d3g5,
Thank you for increasing your score! We may be pushing our luck, but let us once more make our case for you to increase your score further...
We begin with the observation that watermarks are not in use at the production level right now. There are many possible reasons for this, but we resolve perhaps the only one that can be addressed by fundamental technical advancements: The risk of quality degradation, which we resolve with undetectability. We explain in our introduction how undetectability can also ameliorate potential political issues with watermarks, by allowing selective distribution of the key (which is meaningless for other schemes, whose keys can be learned).
We believe that undetectability is far more important than robustness; a motivated adversary can remove any existing watermark with sufficient effort anyway, so in practice we are primarily only aiming to catch the "lazy" adversaries. Robustness only means that we can catch slightly less lazy adversaries. We therefore do not believe that it really matters how robust a scheme is in the regime where Gaussian Shading and StegaStamp become more robust than ours (again, Tree-Ring is less robust than ours in all regimes).
Existing works present schemes with only very limited guarantees about quality, and sometimes downplay their effect on quality in experiments --- which we demonstrate to be practically very significant (see, for instance, Figure 13 for the impact of Gaussian Shading and Figure 1 for that of StegaStamp). We sidestep the issue of needing to design comprehensive quality experiments, by using the strongest possible quality definition (undetectability) and building the first scheme that provably satisfies this definition.
Thanks, The Authors
The paper uses the pseudorandom code technique to create pseudorandom initial noise for a latent diffusion model. The image generated from this noise encodes the watermark signal. When reversing an image back to the initial Gaussian noise, the model provider can determine whether the image is watermarked according to the codeword. Since the pseudorandom initial noise is indistinguishable from real Gaussian noise, this watermark is undetectable, in contrast with existing methods.
Strengths
- The paper introduces the first undetectable watermark.
- The authors compare the proposed method with several watermarking baselines.
- The robustness of the proposed method is evaluated with several perturbations.
Weaknesses
- The experiments are not adequate to support the claim that the image quality of the proposed method outperforms existing ones.
- The robustness of the proposed method is not that good, judging from the results.
- The proposed watermarking method hugely changes the image compared with the original, un-watermarked one.
- The evaluation for undetectability is not convincing.
Questions
- The values of the metrics shown in Table 1 are close for different methods, can you actually say that the proposed method is better than the existing ones? I think a significance test is needed to support this conclusion.
- I don't think 500 images are enough for the computation of the FID score. Referring to previous work like Stable Signature, at least 1,000 images are needed to obtain reliable results.
- The results and image samples for Stable Signature are strange. According to its original paper, Stable Signature should be a watermark that introduces minimal perturbations to the original image; the watermarked image should therefore be highly similar to the original. However, in this paper, the image samples and results for Stable Signature indicate that the watermarked image is completely different from the original.
- The robustness of the PRC method is not satisfactory. From Figure 5, the TPR starts to drop while the PSNR is still larger than 30, which is much worse than StegaStamp and Gaussian Shading.
- From the image samples in Figure 1, the image of the PRC method changes the original image a lot.
- The evaluation for undetectability is not convincing. The author only uses ResNet-18 to show it can distinguish the watermarked and original images from other method but not the PRC method. However, is it possible that this results only hold for ResNet-18? It means that it is only undetectable for ResNet-18 and it may be detectable for other classifiers.
Question 1:
We include standard deviations in Table 1 to indicate the significance of the results. We have updated that table to highlight the quality scores that are more than 3 standard deviations away from the original model in red. We hope that this helps make this part of our result more convincing; we do not have time to conduct a more in-depth analysis now.
Question 2:
Ok, thanks for the suggestion! We have performed the same calculations using FID with 1,000 images. We obtained similar results:
| Watermark | FID-500 (COCO Dataset) | FID-500 (Stable Diffusion Prompts Dataset) | FID-1000 (COCO Dataset) | FID-1000 (Stable Diffusion Prompts Dataset) |
|---|---|---|---|---|
| Original | 76.3987 ± 0.3120 | 63.4625 ± 0.2507 | 35.5521 ± 0.1217 | 28.3789 ± 0.1023 |
| DwtDct | 76.5676 ± 0.2237 | 63.6912 ± 0.2588 | 35.6334 ± 0.1153 | 28.5247 ± 0.1049 |
| DwtDctSvd | 76.3322 ± 0.2739 | 64.4768 ± 0.2147 | 35.5589 ± 0.1320 | 28.8410 ± 0.1142 |
| RivaGAN | 77.7440 ± 0.2494 | 65.7144 ± 0.2511 | 36.2143 ± 0.1179 | 29.1548 ± 0.1253 |
| StegaStamp | 79.8856 ± 0.2505 | 66.8853 ± 0.2613 | 37.2258 ± 0.1325 | 30.0212 ± 0.1227 |
| SSL | 77.9346 ± 0.2254 | 65.0303 ± 0.2434 | 36.3177 ± 0.1174 | 29.2351 ± 0.1169 |
| Stable Signature | 78.2577 ± 0.2634 | 70.1263 ± 0.2539 | 36.8704 ± 0.1267 | 30.1254 ± 0.1327 |
| Tree-Ring | 77.3445 ± 0.1733 | 68.7192 ± 0.1572 | 36.1568 ± 0.1196 | 29.3583 ± 0.1120 |
| Gaussian Shading | 77.9279 ± 0.2168 | 69.9333 ± 0.1237 | 36.2875 ± 0.1243 | 29.6372 ± 0.1128 |
| PRC | 76.5979 ± 0.2746 | 63.7350 ± 0.3511 | 35.6354 ± 0.1228 | 28.5167 ± 0.1206 |
Question 3:
Sorry, this concern probably stems from our Figure 1, which previously showed some watermarks used as post-processing schemes and others used as in-processing schemes. In that figure, we had treated Stable Signature as an in-processing scheme, and therefore the image was unrelated to the "original image." It was instead a freshly sampled watermarked response to the prompt. We have now updated the figure to use fresh images for every watermark, to make it more clear that we are only interested in the in-processing scenario.
Question 4:
The PSNR measures the relative quality, i.e., the amount of noise relative to the initial sampled image. However, the initial sampled image under StegaStamp and Gaussian Shading is significantly lower quality than the initial sampled image under the PRC watermark.
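To make this point concrete: PSNR is defined only relative to a reference image, so a high PSNR says nothing about whether the reference itself is any good. A minimal sketch (the function and parameters below are our own illustration, not code from the paper):

```python
import numpy as np

def psnr(reference, image, peak=255.0):
    """Peak signal-to-noise ratio of `image` relative to `reference`, in dB."""
    mse = np.mean((reference.astype(np.float64) - image.astype(np.float64)) ** 2)
    return float("inf") if mse == 0 else 10.0 * np.log10(peak ** 2 / mse)

rng = np.random.default_rng(0)
ref = rng.integers(0, 256, size=(64, 64), dtype=np.uint8)  # stand-in "initial sampled image"
perturbed = np.clip(ref.astype(np.int16) + rng.integers(-5, 6, size=ref.shape),
                    0, 255).astype(np.uint8)

# PSNR is high whenever the perturbation is small -- regardless of whether
# `ref` was a high-quality image to begin with.
assert psnr(ref, ref) == float("inf")
assert psnr(ref, perturbed) > 30.0
```

So two schemes can report the same PSNR under an attack while starting from reference images of very different quality.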
It's true that for heavy perturbations, StegaStamp and Gaussian Shading are more robust. But we believe that this is not the interesting regime: Here, one can easily tell that perturbations have been applied (see e.g. Figure 12). Users willing to tolerate such a significant hit on quality would probably simply use a weaker model that isn't watermarked in the first place.
Question 5:
See our response to Question 3.
To be clear, our watermark is embedded into content as it is being generated. This is the scenario considered in Tree-Ring and Gaussian Shading, and is the most relevant scenario for generative AI. See our Related Work section for an explanation of "in-processing" vs "post-processing" watermarks.
In our in-processing application scenario, the amount one needs to modify any particular initial noise vector to embed the watermark is immaterial, as it is never observed by any user. That is, to generate an image, the model owner first samples a fresh initial noise vector each time. So what matters is that the distribution of initial noise vectors is not noticeably changed, and our watermark is the first to satisfy this property! In contrast, as demonstrated in our experiments in Section 4.2, prior schemes noticeably alter the distribution of generated content.
Question 6:
We performed the same experiment for several models, obtaining the same result each time. The new results are shown in Figure 6 of the updated PDF. We would like to emphasize that the results of these experiments were essentially pre-ordained by Theorem 1.
Thank you for the rebuttal and the additional experiments. Most of my questions have been adequately addressed, and I will raise my score to 6. However, I still have a question regarding StegaStamp.
From Figure 1 in the revised paper, StegaStamp introduces visible blurry artifacts to the watermarked image, resulting in poor visual quality. This seems inconsistent with its original paper, where the watermark was described as being invisible or at least not noticeable to the human eye, provided the bit length is not excessively long.
Additionally, I strongly suggest that the authors use the same initial noise for all watermarking methods in Figure 1. This would allow readers to make a more straightforward comparison of the image quality across different methods.
Thanks for your quick reply, and for increasing your score!
Re: StegaStamp.
We used the official code provided by the authors (https://github.com/tancik/StegaStamp) for our implementation. The StegaStamp paper says that their experiments used 100 bits. We used only 96 bits for our implementation of StegaStamp (and 512 bits for our PRC watermark). If you look closely at Figure 2 of their paper (https://arxiv.org/pdf/1904.05343), you can definitely see the same splotchy artifacts present in our Figure 1. Still, it's true that they are less-pronounced in their paper. But even in the StegaStamp paper they acknowledge that the quality of images can vary: "Despite often being very subtle in high frequency textures, the residual added by the encoder network is sometimes perceptible in large low frequency regions of the image." So it is very possible that their images may have been cherry-picked or else just lucky; it is also possible that StegaStamp was unlucky in our Figure 1. Every sample we took with the Figure 1 prompt revealed these splotches, but maybe that prompt happens to be particularly bad for StegaStamp.
Taking a step back, while the StegaStamp paper claims that the encoded image is mostly perceptually identical to the input image, they do not provide any formal guarantee of quality. Indeed, it is not possible to build an undetectable post-processing watermark (as mentioned in our Related Work section).
Re: Initial Noise.
It is important to understand that it is not possible to use the same initial noise for in-processing watermarking schemes in general. In-processing watermarks (including ours, Tree-Ring, and Gaussian Shading) typically work by carefully choosing the initial noise vector. That is, the choice of initial noise vector is the watermark itself. Therefore, we cannot simply choose all of the initial noises to be the same across different in-processing watermarks. Check out Section 3.2 for more details on our scheme, we think it is conceptually quite interesting.
Anyway, Figure 1 is only intended to demonstrate that most of these watermarks are not perceptible at least at first glance, and to add some color to the introduction. And note that a single image with our watermark is perfectly, statistically indistinguishable from a single un-watermarked image. That is, the marginal distribution on one PRC watermarked generation is literally identical to the marginal distribution on one un-watermarked generation. (Of course, undetectability says that this extends to many images for a computationally-bounded user.)
Let us know if we are on the same page, or if we misunderstood something in your reply. We are happy to clarify further, or if we misunderstood, to address whatever it is.
Thank you for your timely reply. Even for in-processing methods, it is still possible to "start from" the same initial noise. For example, in the case of Tree-Ring, you could add the ring-shaped watermark to the frequency domain of the same initial noise. While the noise may be partially altered after watermarking, it would still originate from the same starting point. For Gaussian Shading, it is also possible to start from the same initial noise, as described in their paper.
You're right, it is possible to use Tree-Ring as a post-processing watermark by simply zero-ing out some of the Fourier-domain latents. However, this will significantly alter the image and does not appear to be the intended use-case of the Tree-Ring watermark [1]. The point I wish to make is that we are considering the in-processing setting, in which it does not in general make sense to start from the same initial noise; therefore presenting a figure in the post-processing setting is highly confusing. It makes it difficult for the reader to understand what we are doing and which setting we are considering.
Furthermore, the Gaussian Shading watermark cannot actually be reasonably used as a post-processing watermark (and neither can ours). The paper appears to suggest that it can, but this is highly misleading as we will explain now...
The basic implementation of the Gaussian Shading watermark works by selecting the initial latent such that every coordinate has a fixed sign. If you start from a random latent, then flip the signs according to the watermark, then you will obtain a latent with every sign re-randomized, and the image will be essentially unrelated. This is similar to the situation with our PRC watermark.
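As a sanity check on this claim, a short NumPy sketch (our own toy model of the basic sign-based embedding, not code from either paper) shows that forcing the signs leaves the result no more sign-correlated with the starting latent than an independent sample would be:

```python
import numpy as np

rng = np.random.default_rng(0)
n = 100_000

z = rng.standard_normal(n)            # the latent of the "original" image
s = rng.choice([-1.0, 1.0], size=n)   # hypothetical fixed watermark signs
z_wm = np.abs(z) * s                  # flip every coordinate to the watermark's sign

# About half the signs agree -- exactly what an unrelated latent would give.
agree = np.mean(np.sign(z) == np.sign(z_wm))
assert 0.45 < agree < 0.55
```

In other words, "starting from" a given latent is cosmetic here: the sign information of the starting point is entirely discarded.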
What they're doing: It appears that what they're doing in Figures 9 and 10 of the Gaussian Shading (GS) paper is simply considering the GS-watermarked image as the original image! Presumably this is why the GS watermarked images appear identical to the "original image": It's because it literally is the original image [2]. We believe that this is highly misleading on the part of the GS paper, and we do not wish to contribute to the confusion brought by this kind of practice.
[1] Consider, for instance, that the abstract of the Tree-Ring paper contrasts their method with "existing methods that perform post-hoc modifications to images after sampling."
[2] Notice in Figure 9 of the Gaussian Shading paper (https://arxiv.org/pdf/2404.04956) that they do not include image differentials from their watermark to the "original" image.
Reviewer xnWy,
Thanks for this discussion! Since today (December 2) is the final day for you to ask us questions, we wanted to confirm that we have sufficiently addressed your comments.
In particular, we believe the point that there does not exist, in general (or in our scheme), a way to modify the latents post hoc for an in-processing watermarking scheme is very important. If we have failed to clarify this point, then let us know what the contention is and we can try to resolve things.
If our response is clear, and you find our additional experiments and clarifications in our initial response convincing, then we would like to ask that you reconsider your score.
Thanks, The Authors
The paper introduces an undetectable watermarking scheme for generative image models, which ensures that no adversary can distinguish between watermarked and un-watermarked images while preserving image quality. It utilizes a pseudorandom error-correcting code to embed watermarks at the semantic level, making the scheme robust against various removal attacks and capable of encoding long messages.
Strengths
-
This paper is well-written and easy to follow.
-
The proposed method maintains image quality by embedding watermarks without degrading metrics like FID, CLIP, and Inception Score.
-
The watermarking method can be seamlessly integrated into existing diffusion model frameworks.
Weaknesses
-
The idea of modifying the initial noise for diffusion is not new. Moreover, this method changes the initial noise much more than the Tree-Ring watermark does.
-
This watermark is not as robust as current watermarks such as StegaStamp and Gaussian Shading.
-
No significant improvements on metrics.
Questions
-
I understand that the key idea of this work is quite similar to the Tree-Ring watermark, i.e., selecting the initial noises of a diffusion model so that they can later be detected. However, a point of concern arises regarding the feasibility of completely altering the signs of the initial noise. Based on the provided examples, images without any watermark and those embedded with the PRC watermark exhibit significant differences, including distinct content variations. This raises the question of whether such discrepancies would be acceptable to companies and end-users in practical applications.
-
Is the implementation of Stable Signature correct in this work? As far as I know, images watermarked by Stable Signature should not display substantial differences from unwatermarked images, because Stable Signature does not modify the initial latents.
-
The definition of ‘undetectable’ used in this study requires clarification. Based on the data presented in Table 1, the PRC watermark appears marginally more effective than prior watermarking methods concerning metrics such as FID, CLIP score, and Inception Score; however, the observed improvements are not pronounced. If the PRC watermark is claimed to be the first undetectable watermark, an explanation is needed as to why previous watermarking techniques are deemed detectable, given their competitive metric performance.
-
For the robustness part, do you consider transfer-based or query-based attacks? The results illustrated in Figures 5 and 6 indicate that PRC watermarks demonstrate lower robustness compared to methods such as the StegaStamp and Gaussian Shading watermarks, especially when heavier perturbations are applied. Also note that your metric is TPR@FPR=0.01, and FPR=0.01 is already a very high false positive rate.
Question 1.
Re: Changing the initial noise: We believe that there may have been some confusion about our application scenario. Our watermark is embedded into content as it is being generated. If one needs to add a watermark to an existing image, then our method does not apply at all. While it is possible to use Tree-Ring to embed a watermark in an existing image, it will drastically change the image and is not intended for this purpose — see their paper. Also see our Related Work section for the difference between "in-processing" watermarks (such as ours, Gaussian Shading, and Tree-Ring) and "post-processing" watermarks.
In our in-processing application scenario, the amount one needs to modify any particular initial noise vector to embed the watermark is immaterial, as it is never observed by any user. That is, to generate an image, the model owner first samples a fresh initial noise vector each time. So what matters is that the distribution of initial noise vectors is not noticeably changed, and our watermark is the first to satisfy this property! In contrast, as demonstrated in our experiments in Section 4.2, prior schemes noticeably alter the distribution of generated content.
TLDR: Our results demonstrate that our watermark is actually the strongest existing watermark in terms of minimizing discrepancies observable by the end-users in practical applications. In particular, the end-user without the key cannot tell that our watermark is there, even if they are looking for it.
Re: Novelty compared to Tree-Ring: It is true that the idea to select initial noise of a diffusion model is from the Tree-Ring paper, but we argue that there is still highly substantial work to be done in determining precisely how to select the initial noise. In particular, if one uses the Tree-Ring watermark, then there is a significant distribution shift in the generated images (as demonstrated in our quality results, and even pointed out in the Tree-Ring paper itself!). Therefore in our view, the key idea of this work is to use a pseudorandom code to select the latents of the image — an idea that is both novel and, we believe, interesting from both a theoretical/security standpoint and a practical/ML standpoint.
Question 2.
Sorry, this concern probably stems from our Figure 1, which previously showed some watermarks used as post-processing schemes and others used as in-processing schemes. In that figure, we had treated Stable Signature as an in-processing scheme, and therefore the image was unrelated to the "original image." It was instead a freshly sampled watermarked response to the prompt. We have now updated the figure to use fresh images for every watermark, to make it more clear that we are only interested in the in-processing scenario.
Question 3.
Please see our explanation of undetectability on Page 1. Due to space constraints we do not state a separate formal definition of undetectability, but one is anyways implicit in Theorem 1.
In Figure 2, we demonstrate that it is very easy to detect prior watermarks without knowing the key. Observe in Figure 2 that a distinguisher quickly learns to identify other watermarks with nearly 100% accuracy, and therefore they unambiguously fail to qualify as undetectable. In contrast, the distinguishing rate hovers around 50% for the PRC watermark (no better than random guessing). Note also that the result of this experiment for the PRC watermark was essentially pre-ordained by Theorem 1.
Re: “Competitive” metric performance: We believe that it is imperative that a watermark absolutely minimizes quality degradation for production-level models. For instance, an 8% increase in FID (which is observed under Tree-Ring on the Stable Diffusion Prompts dataset in Table 1) may not sound like a lot, but for a modern state-of-the-art model that takes immense resources to train, we believe that it is unlikely for anyone to be willing to take such a hit. This is the primary motivation for our work: Ensure that you truly preserve quality, then worry about robustness. And as demonstrated in Table 1, ours is the only quality-preserving watermark.
Question 4.
We demonstrate many different attacks, described in detail in Section A.2. All of the attacks we consider use only a single query, and then apply post-processing to the watermarked image.
We agree that FPR=0.01 is too high to be practical. Our watermark tends to excel at lower FPRs, but we used this high FPR because it is the most common choice for prior works and we wanted to compare on equal footing.
It's true that for heavy perturbations, StegaStamp and Gaussian Shading are more robust. But we believe that this is not the interesting regime: Here, one can easily tell that perturbations have been applied (see e.g. Figure 12). Users willing to tolerate such a significant hit on quality would probably simply use a weaker model that isn't watermarked in the first place.
Dear Reviewer zDzs,
Thank you for your detailed feedback! In our responses, we’ve addressed your concerns and questions.
Could you kindly confirm if our clarifications have resolved your concerns or if further elaboration is needed? We appreciate your insights and look forward to your thoughts.
Best regards,
The Authors
Reviewer zDzs,
Today (December 2) is the last day you can ask us questions, so we wanted to follow up on this. If our answers have sufficiently addressed your concerns then we would appreciate it if you reconsider your score.
Thanks, The Authors
This paper presents an undetectable watermarking method for generative image models. The proposed PRC watermark aims to embed a cryptographically pseudorandom pattern that is robust, quality-preserving, and indistinguishable from adversaries without the detection key. Additionally, the PRC watermark can encode long messages, such as timestamps or IDs, without compromising image quality. Experimental results demonstrate that the PRC watermark maintains image quality and is difficult to detect or remove without significant quality degradation, making it a promising solution for embedding undetectable, robust watermarks in AI-generated images.
Strengths
- This paper provides an undetectable image watermark method, which is novel.
- This paper provides sufficient theoretical and empirical support.
Weaknesses
-
For Figure 2, the paper evaluates the undetectability of different watermarking methods. Could the authors specify how many different keys the other watermarking methods use? And would increasing the number of keys increase undetectability?
-
PRC.Encode_k is interesting, but it would be good for the authors to explain in more detail how to sample a PRC codeword using PRC.Encode_k. It should be an important part of this paper, and Algorithms 1 and 2 in the Appendix alone are not enough for the reader to understand it.
-
Section 4.5 describes the security of the PRC watermark under spoofing attacks. The experimental results are in the Appendix; it would be good for the authors to specify in Section 4.5 where the corresponding experimental results are. Moreover, the number of keys used for the other watermarking methods in Figure 8 is also not specified.
Questions
Please see above.
Thanks for your comments! We have updated the PDF to address your concerns and those of the other reviewers.
Question 1.
We only used 1 key to generate Figure 2; note that using additional keys without adjusting the scheme would increase the false positive rate. More importantly, it is unlikely to affect the results: other than the PRC watermark, existing schemes embed simple patterns in the images and can therefore easily be learned (see our Related Work section). Indeed, we reproduced Figure 2 using 2 keys for each scheme and observed essentially the same results. This is included in Figure 7 of our updated PDF. We will try to include a larger experiment with more keys by Wednesday; we have just not yet had the time to do this.
Question 2.
Good point. We reference the basic idea on page 5, but as you point out, it is extremely terse: "this PRC works by sampling random t-sparse parity checks and using noisy solutions to the parity checks as PRC codewords." In more detail, we first sample the parity checks at random, then we sample a generator matrix consistent with those parity checks with carefully chosen dimensions; codewords are noisy samples from the image of the generator matrix.
The main reason for our brevity is that there exist several new constructions of PRCs in the literature now [Golowich & Moitra 2024; Ghentiyala & Guruswami 2024], and our method immediately works by substituting any of these. We chose the PRC of [Christ & Gunn 2024], but in general the PRC watermark should use the best known PRC. We did not want to detract from this point by overly focusing on the particular construction in the body of the paper. Therefore we chose to instead focus on how we use the PRC in the body.
(We also found it difficult to fit more discussion into the 10-page limit.)
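For readers who want a concrete picture, the "sparse parity checks → generator matrix → noisy codewords" recipe can be sketched over GF(2) as follows. This is a toy illustration with made-up parameters and a naive null-space computation; it omits the pseudorandomness arguments entirely and is not the construction of [Christ & Gunn 2024] at real scale:

```python
import numpy as np

def gf2_nullspace(P):
    """Columns form a basis for the null space of P over GF(2)."""
    P = P.copy() % 2
    r, n = P.shape
    pivot_cols, row = [], 0
    for col in range(n):
        hits = np.nonzero(P[row:, col])[0]
        if len(hits) == 0:
            continue
        P[[row, row + hits[0]]] = P[[row + hits[0], row]]  # move pivot up
        for i in range(r):                                  # clear the column elsewhere
            if i != row and P[i, col]:
                P[i] ^= P[row]
        pivot_cols.append(col)
        row += 1
        if row == r:
            break
    free_cols = [c for c in range(n) if c not in pivot_cols]
    basis = []
    for fc in free_cols:                   # one basis vector per free column
        v = np.zeros(n, dtype=np.uint8)
        v[fc] = 1
        for i, pc in enumerate(pivot_cols):
            v[pc] = P[i, fc]               # back-substitute the pivot variables
        basis.append(v)
    return np.array(basis, dtype=np.uint8).T

rng = np.random.default_rng(0)
n, r, t = 64, 16, 3                        # toy code length, #checks, sparsity

# Step 1: random t-sparse parity checks.
P = np.zeros((r, n), dtype=np.uint8)
for i in range(r):
    P[i, rng.choice(n, size=t, replace=False)] = 1

# Step 2: a generator matrix consistent with the checks (P @ G = 0 mod 2).
G = gf2_nullspace(P)

# Step 3: a codeword is a noisy element of the image of G.
m = rng.integers(0, 2, size=G.shape[1], dtype=np.uint8)   # message bits
e = (rng.random(n) < 0.05).astype(np.uint8)               # sparse noise
c = (G @ m + e) % 2

# Without the noise, every parity check is satisfied.
assert not np.any((P @ ((G @ m) % 2)) % 2)
```

A codeword c = Gm + e then satisfies every parity check up to the sparse noise e; detection tests whether most parity checks hold, and undetectability rests on the secret sparse checks being hard to learn from codewords.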
Question 3.
Great catch, thank you! We have added a pointer to the appropriate figure in Section 4.5. We again only used 1 key to generate this figure.
We have just updated the PDF to include detection experiments with 10 keys for other watermarking schemes. See Figure 7: ResNet18 quickly learns to detect all watermarks except ours with significant advantage, even using 10 keys.
Let us know if we've addressed all of your concerns!
Reviewer EiMf,
As today (December 2) is the last day for you to ask us a question, we wanted to follow up on this conversation. If you have any further questions about the new experiments we added to address your concerns, we would be happy to answer them!
Otherwise, we would like to ask that you consider increasing your score if our responses and new experiments are sufficiently convincing.
Best, The Authors
My concerns have been resolved, and I will raise my score. The idea is interesting. Thanks for your efforts!
The paper presents a robust watermarking scheme for diffusion-based generative models that is provably quality-preserving. The idea is to modify the initial noise for the diffusion process. All reviewers are positive about the work; although some concerns about novelty and differences from previous work were raised, they seem to be minor.
Additional comments on reviewer discussion
The discussion went in a normal direction - all questions have been addressed, some with additional experiments.
Accept (Poster)