RAW: A Robust and Agile Plug-and-Play Watermark Framework for AI-Generated Images with Provable Guarantees

We sincerely thank the reviewer for devoting their valuable time to reviewing our paper and offering insightful suggestions for improving it.

Q: The paper lacks a comprehensive analysis of performance against image manipulations. While Table 4 illustrates performance on various attacks, it is unclear whether the hyper-parameters for these attacks have been set to their full strength. For instance, what hyper-parameters are being used for the VAE and Diff attacks?

R: Thank you for your questions regarding the hyperparameters for the attacks. For all the attacks, we followed the public implementation in this GitHub repository (https://github.com/XuandongZhao/WatermarkAttacker) for watermark attacks without any modifications. We will include the hyperparameters for the attacks in the revision.

Q: It is recommended that the authors include image quality metrics for the attacks (e.g., PSNR, SSIM) to demonstrate that their method maintains acceptable performance even under strong attacks that preserve image quality.

R: Thank you for your questions regarding the evaluation metrics.

We report the PSNR and SSIM of the watermarked images in the Table below. For PSNR and SSIM, our method outperforms the StegaStamp method but is slightly behind DwtDctSvd and RivaGAN. These results are consistent with our expectations. The StegaStamp method achieves more robust detection by sacrificing image quality through injecting a large amount of noise into the image, while DwtDctSvd and RivaGAN maintain image quality slightly better at the cost of reduced robustness against (adversarial) image perturbations.

Q: Additionally, including a wider variety of diffusion attacks (e.g., pixel space and latent space) and potentially adversarial attacks (e.g., model substitution attacks), as discussed in the literature [4][5], would provide a more comprehensive evaluation.

R: Thank you for your suggestions regarding the evaluation of the proposed method. We will include more adversarial attacks, as you suggested, in the revision to provide a more comprehensive evaluation.

We sincerely thank the reviewer for devoting their valuable time to reviewing our paper and offering insightful suggestions for improving it.

Q: The proposed method still embeds the watermark into the carrier image and is not specifically designed for AI-generated images.

R: Thank you for your questions regarding the watermark design.

The design of our proposed work aims to be usable by anyone, regardless of how the image is generated, whether by state-of-the-art diffusion models or drawn by an artist. Despite the general-purpose design, empirical evidence has verified the effectiveness of our method on AI-generated images. That being said, we will explore how to tailor the current methods to better fit AI-generated images in future work.

Q: In Table 2, some columns lack bolded data, and some bolded entries are not the best results.

R: Thank you for your questions regarding the Table 2.

We will bold all the best results for each column in the revision. In Table 2,there are a total of three performance metrics and two metrics regarding the quality of the watermarked images. For the performance of encoding speed, our method outperforms other methods by significant margins. For the normal AUROC, all methods are close to each other, and the differences are not significant. For the adversarial AUROC, our method achieved the second-highest AUROC of 0.92 for MS-COCO, slightly behind the StegaStamp method. This is reasonable and consistent with our expectations, as StegaStamp significantly degrades image quality to achieve robustness against image perturbations, as indicated by significantly higher FID and lower PSNR and SSIM values. We will make this clear in the revision.

Table: Comparasion between StegaStamp and RAW (our method) on MS-COCO.

Q: Since the carrier is involved in the method, PSNR should be evaluated.

R: Thank you for your suggestion regarding the image quality comparison metrics.

We report the PSNR and SSIM of the watermarked images in the Table below. For PSNR and SSIM, our method outperforms the StegaStamp method but is slightly behind DwtDctSvd and RivaGAN. These results are consistent with our expectations. The StegaStamp method achieves more robust detection by sacrificing image quality through injecting a large amount of noise into the image, while DwtDctSvd and RivaGAN maintain image quality slightly better at the cost of reduced robustness against (adversarial) image perturbations.

Q: The survey of existing works in the "Related Works" section is incomplete. Numerous works on watermark frameworks for diffusion models are not included.

R: Thank you for your questions regarding the related works section. We will include more works on watermark frameworks for diffusion models in the revision.

Q: It would be helpful if the authors provided a figure depicting an overview of the proposed method.

R: Thank you for your suggestion regarding the presentation of the proposed method. We have included a figure depicting an overview of the proposed method in the revision.

Q: The authors should clarify why they did not use signSGD to optimize the verification model if it is better. What are the data-level optimization problems?

R: Thank you for your insightful question regarding the optimizer and the data-level optimization problems.

The data-level optimization problem refers to problems where the variables to be optimized are the data themselves instead of typical model parameters. For instance, the problem of finding an adversarial example is a data-level optimization problem ($x$ is an input to a machine learning model $f$, and $y$ is the correct label for $x$): $min_{x'} \| x - x' \|_\infty \text{; subject to } f(x') \neq y .$ Data-level optimization problem can be difficult to solve, e.g., the results may get stuck at suboptimal points [A]. A common approach is to use the signum of first-order gradients [B,C].

The reason for not using signSGD to optimize the verification model is that the verification model is a typical model parameter optimization problem, and signSGD may potentially lead to several optimization issues such as slow convergence speed. We will make this clear in the revision.

Refs: [A] Wang et al., "Probabilistic margins for instance reweighting in adversarial training". In NeurIPS, 2021.

[B] Madry et al., "Towards deep learning models resistant to adversarial attacks". In ICLR, 2018.

[C] Wang et al., "Watermarking for Out-of-distribution Detection". In NeurIPS, 2022.

Q: The method is not plug-and-play; it requires training the watermark and the verifier for each target generative model.

R: Thank you for your question regarding the plug-and-play nature of the proposed method. When referring to the method as plug-and-play, we mean that the watermarking method can be applied to any generative model without modification, regardless of its architecture. This is in sharp contrast to previous works that are designed for specific generative models, such as [8] for stable diffusion with the DDIM sampler only. In addition, we believe that additional training by individual users, e.g., artists, is actually beneficial since the watermark and verifier are tailored to them and possibly would bring better robustness. We will make this clear in the revision.

Q: The reasoning for optimizing the watermark only based on instead of needs to be explained.

R: Thank you for your question regarding the optimization procedure.

The main reason for optimizing the watermark based only on $L_0$ instead of $L_\text{raw}$ is because $L_\text{raw}$ involves non-differentiable terms with respect to the watermark, which makes gradient-based optimization infeasible. In detail, recall that $L_\text{raw}$ contains cross-entropy losses calculated on perturbed images, which can involve non-differentiable operations such as JPEG compression.

Q: Metrics for image quality comparison are limited. The authors should also include metrics like SSIM.

R: Thank you for your suggestion regarding the image quality comparison metrics.

We report the PSNR and SSIM of the watermarked images in the Table below. For PSNR and SSIM, our method outperforms the StegaStamp method but is slightly behind DwtDctSvd and RivaGAN. These results are consistent with our expectations. The StegaStamp method achieves more robust detection by sacrificing image quality through injecting a large amount of noise into the image, while DwtDctSvd and RivaGAN maintain image quality slightly better at the cost of reduced robustness against (adversarial) image perturbations.

Q: For the SDXL model, no comparison with baselines is made.

R: Thank you for your question regarding the baseline comparison for the SDXL model. We report the results in the following table. We observe that our proposed method outperforms RivaGAN and DwtDctSvd while being slightly behind StegaStamp. This is reasonable and consistent with our expectations, as explained previously.

Table: Comparison between RAW and baselines on images generated by SDXL.