The Future Unmarked: Watermark Removal in AI-Generated Images via Next-Frame Prediction

We sincerely thank you for your thorough review and valuable feedback on our paper. We are especially grateful for your recognition of our method design and the comprehensive experimental validation. Below, we provide detailed responses to your concerns and questions:

W1: Theoretical Analysis

Thank you for your insightful examination of our theoretical motivation. Our proposed NFPA innovatively formulates the task of semantic watermark removal as a next-frame prediction problem. This formulation is grounded in the inherent semantic continuity and subtle variations across temporal sequences in video. Specifically, semantic watermarks often rely on particular embedding patterns in the high-dimensional feature space. NFPA leverages the fact that adjacent frames in a video exhibit strong semantic consistency with only slight pixel-level differences.

By constructing an optical flow field matrix, we introduce fine-grained and controllable perturbations to the latent representations of the image. Coupled with a frame attention mechanism, this ensures that the generated next-frame image remains semantically coherent with the original watermarked input. These small but strategic semantic perturbations allow the output image to maintain its core semantic structure and perceptual quality while escaping the feature subspace where the watermark was originally embedded. In essence, while the semantic content remains intact, the high-dimensional feature distribution is subtly altered, thereby evading watermark detectors.

This approach achieves a critical balance between semantic consistency and perturbation effectiveness, demonstrating that semantic changes can effectively dismantle embedded watermarks without visibly altering the image. We will elaborate more rigorously on the link between temporal consistency and watermark removal in the revised version.

---

W2: Scalability of Large-Scale Attacks

Thank you for your attention to the efficiency and scalability of our method under large-scale attack scenarios. For semantic-level watermarks, simple and fast pixel-level distortions are generally ineffective. The value of NFPA lies in its ability to remove such robust watermarks, which inherently requires modest computational resources.

Regarding scalability, NFPA, as a deep learning-based model, exhibits substantial parallelization potential. It can be efficiently batch-processed on GPUs, significantly reducing the total runtime when handling large volumes of images. Thus, the average 1.3 seconds per image runtime reflects a reasonable trade-off for its high attack efficacy, and the method has ample room for optimization through parallel processing in practical deployments.

---

W3: Hyperparameter Analysis

We appreciate your suggestion to provide a more detailed sensitivity analysis of our hyperparameters. We have now expanded our analysis as follows:

1. Base Model Selection: Our experiments show that NFPA maintains robust watermark removal performance across different base models (e.g., SD-v1.4 ~ SD-v2.1). Although larger models yield slightly better image quality, this highlights that NFPA is insensitive to the choice of base model, suggesting its continued effectiveness and generalizability even as diffusion models evolve.

2. Frame Attention Mechanism: Ablation studies reveal that removing this mechanism significantly degrades image quality, underscoring its critical role in maintaining inter-frame semantic coherence during attacks. It ensures that while watermarks are removed, the original semantic structure of the image is preserved — achieving a strong balance between attack strength and visual fidelity.

3. Number of Inference Steps: Increasing denoising steps improves image quality but may slightly reduce attack effectiveness. This is because finer denoising and more faithful reconstruction bring the predicted image closer to the original at the pixel level, potentially weakening the semantic-level perturbation introduced by NFPA. Thus, we set the default number of steps to 10, as a balanced trade-off between removal performance and perceptual quality.

4. Maximum Optical Flow Search Range (δ): We evaluate this parameter in Appendix D. When δ = 0, no motion is introduced, and NFPA degrades into a reconstruction-based attack, resulting in poor removal performance. As δ increases, it allows more freedom to explore the feature space and decouple watermark signals, albeit with a potential drop in visual quality. This flexibility enables a controllable trade-off between detection evasion and perceptual distortion.

These detailed analyses will be incorporated in the revised version to better illustrate the impact of hyperparameters on performance.

---

Q1&W4: Watermarks from Real Images and Other Diffusion Models

Thank you for raising concerns about the applicability of our method to different types of watermarked images. To address this, we conducted two additional sets of experiments:

1. Watermarks from Other Generative Models: We evaluate watermarked images generated by the FLUX.1-dev [a] model. Since no official semantic watermarking implementation exists for other diffusion architectures, we use post-processing watermarking schemes for validation. The results clearly demonstrate that NFPA remains highly effective, even when attacking watermarks from novel diffusion architectures. The results are as follows (TPR@1%FPR ↓):

2. Real-World Watermarked Images: We further validate NFPA on real-world photographs from the MIRFLICKR dataset. We randomly sampled 1,000 real photos and embedded watermarks using four conventional methods. NFPA effectively reduced the average watermark detection rate to 0.08. The results are as follows (TPR@1%FPR ↓):

These results strongly support that NFPA is both adaptive across various generative architectures and practical in real-world scenarios.

---

Q2: Complex Motion Models

Thank you for your comments on our choice of motion models and their potential influence on attack performance. We test three basic camera translation motions (X, Y, and XY axes). Regardless of the motion mode, NFPA consistently outperforms state-of-the-art methods, indicating robustness to motion model choices.

We also added a new experiment using a zoom-based motion model, and the results are as follows (TPR@1%FPR ↓):

These results further confirm NFPA’s motion-model-insensitive design. We recognize that more complex or dynamic motion models could unlock new attack potentials. Exploring such models is part of our future research.

---

Q3: Watermark Defenses

We appreciate your insightful question regarding possible defense strategies against NFPA. The idea of integrating temporal consistency into watermark design is particularly promising. Potential defenses could include:

1. Enhancing Semantic Resilience: Watermarks could be embedded in high-level semantic features, rather than shallow textures or frequency components. This would make any semantic-level perturbation attempt inevitably affect the image content in a detectable way.

2. Temporal Consistency Embedding: Designing watermarks that persist through semantic shifts or frame predictions could significantly challenge attacks like NFPA. For example, encoding watermarks to evolve predictably across semantic transitions would require attackers to break temporal coherence, making attacks more detectable.

This could involve adversarial training to make watermark extraction models resilient to subtle semantic perturbations. We believe this is a highly valuable direction for building next-generation robust watermarking schemes.

---

Q4: Perceptual Quality Evaluation

Thank you for your thoughtful discussion on evaluating semantic fidelity. Beyond FID and CLIP scores, we incorporated two additional metrics:

• Q-align [b]: A large multimodal model-based metric aligned with human perceptual judgments. It provides a better approximation of human visual assessment.
• Cosine Similarity (CosSim): Based on SimCLR [c] representations, this metric measures the semantic similarity between the original and attacked image, providing insight into whether the semantic content is preserved.

These results demonstrate that NFPA achieves high semantic and perceptual fidelity, validating our core motivation: using next-frame prediction to effectively remove watermarks without compromising image quality or semantics.

---

References

[a] https://huggingface.co/black-forest-labs/FLUX.1-dev

[b] Q-Align: Human-Aligned Quality Estimation for Text-to-Image Generation, CVPR 2024

[c] A Simple Framework for Contrastive Learning of Visual Representations, ICML 2020

We sincerely thank you for the detailed and thoughtful review of our paper. We truly appreciate your recognition of the novelty, significance, and overall quality of our work. Below, we provide detailed responses to your insightful comments and concerns:

---

Q1: The Necessity of Semantic-level Attacks

Thank you for raising this fundamental question. We fully understand your concern that attacks should avoid damaging the semantic integrity of the image. In fact, one of the core objectives of our proposed method is to achieve watermark removal with minimal semantic shift. As shown in Figure 4 of the main paper, the outputs generated by our method are visually near-equivalent to the original watermarked images, indicating that the image content remains essentially intact.

More importantly, semantic-level removal attacks are necessary. Recent advances have introduced a new class of semantic-level watermarking schemes (e.g., TreeRing, RingID) that embed signals into the semantic latent space of AIGC images by altering the noise or structural priors. These schemes are designed to be significantly more robust than classical pixel-based watermarks. However, without corresponding semantic-level attacks, there is currently no principled way to evaluate their real-world security. This could lead to false confidence in these watermarking methods, posing risks for applications like deepfake detection and content provenance.

Our work aims to fill this gap by proposing the first semantic-level watermark removal attack. We formulate the problem as a next-frame prediction task, enabling fine-grained semantic manipulation while maintaining perceptual consistency through frame attention. Moreover, we would like to emphasize that our goal is to expose vulnerabilities in existing image watermarking systems, which can inspire the development of stronger and more resilient watermarking techniques. NFPA also serves as a valuable security evaluation tool, guiding the design of future watermarking methods and contributing to a more trustworthy AI ecosystem.

---

Q2: Image Quality Metrics

Thank you for pointing out the importance of evaluation metrics. We fully agree that PSNR and SSIM are standard and meaningful for pixel-level fidelity assessments. However, as you rightly observed, our focus is on semantic-level watermark removal, which necessitates a shift in the evaluation perspective:

• PSNR and SSIM are designed to measure pixel-wise reconstruction quality, suitable for tasks like image compression or denoising where spatial alignment is preserved;
• In contrast, our method (NFPA) performs semantic transformations that may introduce spatial variations (e.g., pixel rearrangements), even though the semantic content and perceptual quality remain intact;
• In such scenarios, pixel-aligned metrics can produce misleadingly low scores, failing to reflect true semantic consistency.

To address this concern and further support our claims, we have introduced two additional evaluation metrics:

• Q-align [a]: A large multimodal model-based metric aligned with human perceptual judgments. It provides a better approximation of human visual assessment.
• Cosine Similarity (CosSim): Based on SimCLR [b] representations, this metric measures the semantic similarity between the original and attacked image, providing insight into whether the semantic content is preserved.

These results demonstrate that NFPA achieves high perceptual and semantic fidelity, without compromising watermark removal effectiveness.

---

Q3: Evaluation on more diffusion architectures

We appreciate your suggestion to extend the experimental scope, as it is crucial to validate the robustness and generality of our method. In response, we have conducted additional experiments to evaluate NFPA’s performance on images generated by the FLUX.1-dev [c] diffusion model. Since some watermarking schemes lack implementations for alternative diffusion architectures, we focus on post-hoc watermarking methods to test cross-model transferability of our attack.

The results are as follows (TPR@1%FPR ↓):

These results show that NFPA remains highly effective even on images generated by a novel diffusion model, demonstrating strong transferability and adaptability across different generative backbones.

---

W1: Clarifying the Distinction Between Pixel-Level and Semantic-Level Watermarking

We sincerely appreciate your insightful comment. We fully agree that a clearer and more explicit differentiation between pixel-level and semantic-level watermarking will enhance the reader's understanding of the distinct threat models, attack surfaces, and potential vulnerabilities associated with each. In the final version of our paper, we will include the following refined description:

• Pixel-level watermarking methods (e.g., DwtDct, RivaGAN, SSL, StableSignature) embed imperceptible ownership signals directly into the image’s pixel or frequency domain, often via spatial perturbations, quantization, or frequency modulation. These techniques are typically vulnerable to classical distortions such as compression, cropping, or noise injection.

• Semantic-level watermarking methods (e.g., TreeRing, RingID, GaussianShading, StegaStamp) typically operate in the latent space of diffusion models. They encode ownership by perturbing semantic features, making them more resilient to low-level attacks but potentially more susceptible to semantic-space manipulations, like our proposed method.

This distinction also highlights the necessity of our attack, where semantic-level watermarking introduces new robustness challenges and requires more advanced removal strategies to verify their robustness.

---

Again, thank you for your insightful feedback and deep engagement with our work. Your suggestions have significantly helped us clarify the motivation, strengthen the empirical foundation, and refine the overall presentation of our paper. We have incorporated the necessary extensions and explanations in the revised version, and we hope the improved clarity and rigor will better communicate our contributions.

References

[a] Wu et al. Q-ALIGN: Teaching LMMs for Visual Scoring via Discrete Text-defined Levels. ICML 2024.
[b] Chen et al. A Simple Framework for Contrastive Learning of Visual Representations. ICML 2020.
[c] https://huggingface.co/black-forest-labs/FLUX.1-dev

We sincerely thank you for your detailed and insightful review. We are glad that you recognized the novelty of our method and its practical value in black-box, data-free, and query-free scenarios. Below, we provide detailed responses to each of your valuable concerns:

---

W1: Baseline Comparison: CtrlRegen+

We greatly appreciate your suggestion to include CtrlRegen+ [1] as a key baseline. Following your recommendation, we have conducted a thorough evaluation and commit to including the complete results and quantitative analysis in the final version.

We faithfully follow the default hyperparameter (step=0.5) in the official open-source implementation. The results are as follows (TPR@1%FPR ↓):

Clearly, CtrlRegen+ shows limited effectiveness on several watermarking methods, particularly RingID (0.96) and GaussianShading (1.00). In contrast, our NFPA achieves strong generalizability across all watermark types.

Furthermore, CtrlRegen+ requires training two distinct modules (semantic and spatial controllers), incurring significantly higher training costs. In contrast, NFPA is a zero-shot method, leveraging pretrained diffusion models for direct next-frame prediction without any fine-tuning or additional training. This makes NFPA more deployable and practical in real-world attack settings.

---

W2: Baseline Comparison: Video Generation Model

Thank you for the insightful suggestion. To assess this idea, we evaluated Stable Video Diffusion (SVD) [a]. We used its second generated frame as the next-frame image. The results are as follows (TPR@1%FPR ↓):

SVD performs substantially worse than NFPA, likely due to two key limitations:

1. It lacks explicit mechanisms for watermark removal;
2. Its inference time is high (∼31 seconds per image), making it impractical for real-time attacks.

By contrast, NFPA leverages flow-guided latent perturbation to remove watermark, achieving a better trade-off between efficiency and effectiveness.

---

W3: Baseline Comparison: Translation + Inpainting

As suggested, we implemented two baselines for comparison:

• Translation only: We follow the NFPA settings to randomly translate the image along the x/y axis using the ImageChops.offset(.) function, with a translation range of [-40, 40] pixels;
• Translation + Inpainting: shifted images are completed using the stable-diffusion-2-inpainting [b] model.

The results are as follows (TPR@1%FPR ↓):

We summarize two key points of analysis:

1. Naive translation fails to remove most watermarks, with an average detection rate of 0.49;
2. Translation + Inpainting improves slightly but still underperforms NFPA and lacks a clear watermark removal strategy.

These results further justify our formulation of the task as next-frame prediction rather than simple spatial augmentation.

---

W4: More Camera Transformations

Thank you for highlighting this point. We test three basic camera translation motions (X, Y, and XY axes). Regardless of the motion mode, NFPA consistently outperforms state-of-the-art methods, indicating robustness to motion model choices. We have extended NFPA to include zoom-based camera motion and compared it with the original translation variant. The results are as follows (TPR@1%FPR ↓):

The results further verify that NFPA remains robust across different types of camera motion, supporting its flexibility and generalization. We plan to explore more advanced transformations as part of our future work.

---

W5: Perceptual Quality Evaluation

We appreciate your focus on visual quality. To further evaluate perceptual and semantic preservation, we introduce two complementary metrics:

• Q-align [c]: A large multimodal model-based metric aligned with human perceptual judgments. It provides a better approximation of human visual assessment.
• Cosine Similarity (CosSim): Based on SimCLR [d] representations, this metric measures the semantic similarity between the original and attacked image, providing insight into whether the semantic content is preserved.

These results show that NFPA achieves high perceptual quality and semantic fidelity without compromising on watermark removal. In the final version, we will include more perceptual examples and plan to incorporate user studies as a future extension.

---

We thank you again for your constructive feedback, which helped us substantially improve our work. We have added key baselines, performed in-depth ablation studies, and provided more comprehensive justifications based on your input. We believe these enhancements significantly strengthen the completeness and persuasiveness of our paper.

References

[1] Image Watermarks Are Removable Using Controllable Regeneration from Clean Noise, ICLR 2025

[a] https://huggingface.co/stabilityai/stable-video-diffusion-img2vid

[b] https://huggingface.co/stabilityai/stable-diffusion-2-inpainting

[c] Q-Align: Human-Aligned Quality Estimation for Text-to-Image Generation, CVPR 2024

[d] A Simple Framework for Contrastive Learning of Visual Representations, ICML 2020

Thank you for the clarification. However, I respectfully disagree with the clarification points.

While the authors argue that later frames introduce semantic drift, SVD is explicitly trained to preserve semantic consistency across time, and even frames up to 20-30 typically maintain the object-level semantics. Notably, the proposed NFPA method itself introduces substantial semantic changes, as visible in Supplementary Figure 1, that likely similar to what later SVD frames produce.

Further regarding fair comparison, I understand that next-frame prediction is the core motivation of NFPA. However, the visual examples in the supplementary material (e.g., Figure 1) clearly show that the semantic and spatial shifts produced by NFPA go well beyond what would be expected from a strict "next-frame" prediction. These changes are unlikely to arise from a single-step temporal shift and resemble the kind of gradual transformation observed across multiple frames.

We sincerely thank the reviewer for the thorough evaluation and insightful feedback. Your recognition of the novelty and performance of our method is truly encouraging. Below, we provide detailed responses to the three main concerns you raised:

---

W1: Attack Baselines: IRA

We greatly appreciate your suggestion to include the Imprint-Removal Attack (IRA) [1] as an additional strong baseline. Following your recommendation, we have conducted the corresponding experiments and commit to including the complete results and quantitative analysis in the final version.

In our replication, we used SD2.1 as both the target and surrogate model, which corresponds to the white-box setting of the original IRA—effectively representing its upper-bound performance. Our results show that NFPA outperforms IRA in average attack success rate. Furthermore, our method exhibits clear advantages over IRA in two key aspects:

1. Superior Attack Stability

IRA is a typical adversarial optimization-based method that is highly sensitive to the choice of surrogate model. As noted in the original paper, when using SDXL as the surrogate model, IRA still fails to reduce TreeRing watermark detection below 0.64 after 50 optimization steps. In contrast, NFPA maintains strong and consistent performance across a wide range of watermarking schemes, making it more suitable for open-world attack scenarios.

2. High Efficiency and Practicality

IRA requires per-image adversarial optimization, taking approximately 15 minutes per image, which is computationally expensive and impractical for large-scale attacks. NFPA, on the other hand, completes watermark removal in around 1 second per image, making it highly deployable and scalable in practice.

The comparative results are shown below (TPR@1%FPR ↓):

These results clearly demonstrate that NFPA achieves superior stability, efficiency, and practicality, thereby strengthening the practical and academic value of our contribution.

---

W2: Image Quality Metrics

Thank you for suggesting the use of LPIPS [2] to improve perceptual evaluation. While we agree that LPIPS is a widely-used perceptual quality metric, we also recognize that it is fundamentally a pixel-space metric, computing L2 distances between features extracted at each pixel location. This makes it highly sensitive to slight spatial shifts, which may not accurately reflect performance in semantic-level removal attack like ours.

To better capture perceptual and semantic fidelity, we consider two new metrics:

• Q-align [a]: A large multimodal model-based metric aligned with human perceptual judgments. It provides a better approximation of human visual assessment.
• Cosine Similarity (CosSim): Based on SimCLR [b] representations, this metric measures the semantic similarity between the original and attacked image, providing insight into whether the semantic content is preserved.

Results are summarized below:

These results indicate that NFPA has minimal impact on visual quality and semantic consistency. This strongly supports our motivation of preserving semantic integrity through next-frame prediction.

---

W3: On the Applicability to Conventional Image Watermarks

We appreciate your attention to the applicability of NFPA beyond T2I watermarks. As discussed in Section 4.2 of our paper, we systematically evaluated NFPA against four representative conventional watermarking methods that are not derived from generative models: DwtDct, RivaGAN, SSL, and StegaStamp.

To further validate its practicality, we applied these watermarks to 1,000 real-world photos randomly sampled from the MIRFLICKR dataset and then evaluated NFPA’s effectiveness on this benchmark. The results (TPR@1%FPR ↓) are as follows:

These results confirm that NFPA is highly effective in removing conventional image watermarks, reducing the average detection rate from 0.95 to 0.08. This demonstrates strong generalizability of our approach in both synthetic and real-world watermarking scenarios.

---

We once again thank the reviewer for the valuable feedback and encouragement. Your suggestions have significantly helped improve the completeness, clarity, and evaluation strength of our submission. We will incorporate all additional results and analyses in the final version to address your concerns comprehensively.

References

[1] Müller et al. Black-box forgery attacks on semantic watermarks for diffusion models. CVPR 2025.
[2] Zhang et al. The Unreasonable Effectiveness of Deep Features as a Perceptual Metric. CVPR 2018.
[a] Wu et al. Q-ALIGN: Teaching LMMs for Visual Scoring via Discrete Text-defined Levels. ICML 2024.
[b] Chen et al. A Simple Framework for Contrastive Learning of Visual Representations. ICML 2020.