The paper could benefit from a clearer differentiation from existing methods.

The difference between our method and existing related work is described in the manuscript. (1). As described in paragraph 2 in the introduction section, as well as paragraph 3 in the related works section, post-hoc watermarking methods are decoupled from the generative model, which can be easily bypassed by a malicious user. Conversely, our method is to inject the proposed signature into a pre-trained generative model, making its generated images more detectable. (2). As described in paragraph 2 in the introduction section, as well as paragraph 2 in the related works section, the existing generated image detectors suffer from a performance drop against generators that are not seen during the training process. In contrast, our method does not suffer from the issue as long as the image is generated from a model with the proposed signature injected. (3). As described in paragraph 2 in the related works section, different from deep fake detectors that are specifically designed for human images, our proposed method is general-purpose generated image detection. (4) As described in paragraph 4 in the related works section, neural network fingerprinting methods have to be re-trained against newly appeared generators. In contrast, our detector can be reused for any future generator as long as the proposed signature is injected.

Without specific comparisons or benchmarks, it's challenging to gauge the unique contributions of the proposed method.

We presented detailed experiments in section 4.1 and section 4.2 to demonstrate the effectiveness of our proposed method. We compare our proposed method with the state-of-the-art methods in section 4.3. Our method outperforms the existing methods by a margin. Our unique contributions are summarized in the last paragraph of the introduction section.

The paper's methodology is described, but without detailed experimental results or comparisons, it's difficult to assess the effectiveness and robustness of the proposed approach.

We presented detailed experiments in section 4.1 and section 4.2 to demonstrate the effectiveness of our proposed method. We compare our proposed method with the state-of-the-art methods in section 4.3. We humbly ask the reviewer for a specific description of which experiment is missing from the manuscript, and we will add them to the manuscript.

The approach of fine-tuning a generative model with signed images raises concerns about overfitting.

We understand the reviewer’s concern. However, our experiments use the conventional dataset split, where the model outperforms existing methods on unseen images. This means our method has learned to generalize against images unseen during the training phase. All the experimental results demonstrate that our method does not suffer from overfitting issues.

While the paper presents its concepts, more in-depth technical explanations or visual aids, such as diagrams or flowcharts, would help readers better understand the intricacies of the proposed method.

We provided diagrams in Figure 1 to help readers better understand our proposed method. We provided in-depth technical descriptions of the proposed method in Section 3.

The paper lacks a discussion on the practical implications or real-world applications of the proposed method.

Thanks for the suggestion. Here are some examples of real-world applications. Our method can be adopted by model trainers who plan to publish pre-trained generative models but not their original training dataset. By adding signatures in a pre-trained image generative model, the model trainer can, for instance, protect intellectual property and copyright on the pre-trained model. For instance, assume a pre-trained model is sold to several customers, who are not allowed to re-sell the model as per the contract. In this case, different signatures or binary codes can be injected to the model sold to different customers, which helps the copyright holder to identify the customer who violated the contract for further legal actions.

The paper's focus on a specific approach to adversarial signatures within generative models raises questions about the method's scalability to larger datasets or more complex models.

We conduct experiments on the FFHQ and ImageNet datasets, and three state-of-the-art generative models including LDM, ADM, and StyleGAN2, which are commonly used large-scale datasets and models in the literature.

Additionally, its generalizability to other types of adversarial attacks or different domains remains unexplored.

We emphasize that the proposed method is for detecting generated images, which is a completely different topic compared to adversarial attacks and defenses.

We thank the reviewer for the comments and suggestions. We have corrected the formatting issues in the revised paper and we answer the reviewer's questions as follows.

Compare to watermarking of the diffusion models

We compare the performance of our method to a diffusion watermarking method [a] in the revised paper (also posted here). Our method achieves a higher detection accuracy and lower FID, which indicate that our method yields more accurate detection with better image quality.

[a] Yunqing Zhao, Tianyu Pang, Chao Du, Xiao Yang, Ngai-Man Cheung, and Min Lin. A recipe for watermarking diffusion models. arXiv preprint arXiv:2303.10137, 2023b

Experimental data on ImageNet; future directions

We included experimental results on ImageNet in Table 3 of the paper and possible future directions in Sec. A.4 (3) of the appendix.

Clarify regarding unseen generators and finetuning

As we discussed in the paper (Sec 4 in the supplementary material), one limitation of the proposed method is the need for finetuning to embed signatures into a generative model. The training-free approach is an interesting direction for future work.

Difference between binary coding and multiclassification loss

According to our observation, the performance difference between the binary classification loss and multi-class classification loss is negligible. We choose to use binary classification loss for every bit of the binary coding for simplicity. The advantage of binary coding is that it can carry more information (such as identity) than the 1-bit information about whether the image is generated or not. With the binary code, the owner of a specific generative model (with signature injected) will be able to inject the model identity information for protecting intellectual property.

Diffusion-based purification

Diffusion-based purification can potentially remove any watermarks. However, it will impact the fidelity of the image, or even lose or change the original image contents during the process. Therefore, diffusion-based purification is not an ideal approach for removing watermarks/signatures.

$O(r^2)$ complexity of re-training a detector

We are sorry for the clarity issue in our language. To be precise, this is the cumulative time complexity for the whole process of keeping the detector up-to-date. We will revise the manuscript to remove the ambiguity. The following is the elaboration on why the complexity is $O(r^2)$.

• Upon the release of the first generative model, a generated image training set has to be collected for training the detector. We denote the time complexity in this case as 1.
• Upon the release of the second generative model, the training dataset grows to two times larger than the previous step, because the training dataset must involve all the two models. In this case, the time complexity is 2.
• Upon the release of the r-th generative model, the complexity for re-training is r. Thus, the cumulative complexity for keeping the detector up-to-date is $O(r(r-1)/2) = O(r^2)$.
• We made this implicit in the manuscript by using the phrase “re-training a detector every time upon…”. We have made it more clear in the revised paper.

In contrast, since we can always reuse the same signature injector $W$ and the corresponding detector $F$, the cumulative complexity of our method is merely $O(r)$, which only involves fine-tuning the generators for signature injection.

Joint detection of "unsigned" synthetic images along with "signed"

The joint detection of “unsigned” images with “signed” images is an interesting direction, which we will explore for future work. However, we would like to point out that detectors trained with “unsigned” images will not generalize well on unseen images, and meanwhile result in an $O(r^2)$ cumulative complexity for keeping the detector up-to-date, as explained in section 5.2. In contrast, since the training of our proposed signature injector W and the signature detector $F$ is independent of the generator, they can be reused for fine-tuning any image generators, and hence lead to the $O(r)$ cumulative complexity, as explained in section 5.2.

The purpose of $M(W(x+e))$ and why not add adversarial noise

In the use cases of our method, the detector is not supposed to be released to the public so the white-box adversarial attack is not feasible. The transferability-based attacks are not feasible either because our threat model assumes the model owner only releases the pre-trained generator while keeping the training data and detector private. Even if black-box attacks can still be used, they will be much less effective and will be costly to the attacker to achieve a reasonable attack success rate. Therefore, the major threat comes from ``restoration attacks" where the malicious user attempts to remove the signature from the generated image with a signature removal model $M$. The input to $M$ is a signed image $W(x)$ and $e$ is only added during training to enhance robustness. The experimental results suggest that our method remains valid even if the attacker attempts to remove the signature.

Comparison with a simple post-hoc watermarking approach

We would like to clarify that a simple post-hoc watermarking approach does not satisfy the persistence goal. This is because malicious users can easily avoid watermarking by simply removing the post-hoc watermarking process, e.g. by deleting the corresponding lines of code from the inference script. In contrast, the proposed method couples the watermarking process with image generation by changing the model weights, making it difficult for malicious users to bypass watermarking (signature). In addition, as we have discussed in Sec 3.1 of the paper, our method applies optimal watermarks that introduce the smallest amount of perturbation to the original images and therefore have less negative impacts on the image quality. This can be seen from the higher PSNR of our method compared to traditional watermarks as shown in the Table below. The comparison results with post-hoc methods are included in the revised paper.

Results with lossy compression, different image formats, and resolutions

We have included the results with common image transformations including affine transformation in Table 7 in the paper. The results with different levels of lossy compression can be found in Table 10 in the appendix. We report the additional results with different image formats and resolutions in the revised paper. The results demonstrate that our method is robust to image format and resolution change.

The threat model

We apologize for the confusion. We have included the description of the threat model in the revised paper. Our threat model assumes the signed image generator is released to the public while the training datasets and the signature detector are kept private. We address the reviewer’s concerns in detail as follows,

• In practice, the developers of the foundation models are usually prestigious research groups, who are usually honest, and the threat often comes from the individual users. In the use cases of our method, the model developer is responsible for injecting the signatures by finetuning. This makes it non-trivial for individual users to avoid the signatures as they are already embedded into the model weights.
• We assume a trustworthy third-party will own the detector, for example, the government or organizations who want to regulate the use of generative AI. This third-party will distribute the signature injectors to the model developers to sign the models.

Difference from model poisoning attacks

This work and model poisoning attacks are completely different in the problem setting. The poisoning attack aims to mix carefully designed data samples into the training data, and hence the poisoning attackers are releasing training data, instead of any pre-trained model. In contrast, the threat model of our method is that the model trainer only releases the pre-trained generator (with signature) to the public, while keeping the training data and the corresponding detector private. Thus, poisoning attacks are incompatible with our problem settings and threat model, despite the slight resemblance in their goals. We have included the discussions in the appendix of the revised paper.

Performance with or without the adversarial signature

The second (baseline) and the last rows (ours) in Table 5 of the paper report the performance with and without the adversarial signature. It can be seen that without the adversarial signature, the detection accuracy drops significantly. In contrast, with the signature injected, the classifier can accurately discriminate images produced by unseen generators.

The term universal is used incorrectly

We thank the reviewer for the suggestion, and we agree that the term “universal” is ambiguous without elaboration. We have removed the term “universal” from the title and added more clarifications in the paper. In particular, the proposed signature is “universal” because (1) a single signature injector W can be re-used for fine-tuning arbitrary given generators; (2) a single signature detector F can be re-used for all generators with the signature injected. Namely, the training process of W and F are independent of image generators. As a result, W and F can be re-used all the time.