Transferable Black-Box One-Shot Forging of Watermarks via Image Preference Models

Thank you for your thoughtful feedback. In this rebuttal, we show that our method is the best available one‑shot, black‑box attack, clearly outperforming alternatives like DiffPure in image quality while remaining highly effective. As requested, we also provide new experiments on 1000 test images confirming reliability, along with AUROC/ROC analysis to highlight detector performance in realistic FPR ranges. We hope the reviewer finds these arguments and results compelling, and if so, we would be very grateful if they could consider raising their score.

W1: Our method’s results with respect to the related work
We thank the reviewer for this comment. While the numbers may appear mixed at first glance, we argue that our method is the best attack for real‑world watermark forging and removal because it is the only practical one‑shot, black‑box method that combines strong accuracy with high perceptual quality. Here’s why:

Forging (Table 1): Our method achieves 1.00 bit accuracy on CIN, 0.83 on MBRS, and 0.83 on VideoSeal, on par with or better than DiffPure (0.75 on VideoSeal). Crucially, we preserve 31.3 PSNR, significantly higher than DiffPure (26.6 PSNR). The only method with higher quality (but lower bit accuracy) is Warfare (39.6 PSNR), but it requires 1000 watermarked images with the same hidden message, which is infeasible in realistic scenarios.

Removal (Table 2): Our method delivers 31.2 PSNR, while DiffPure and CtrlRegen degrade to 25.4 and 24.4 PSNR, respectively. The only method with higher PSNR is VAE (34.3), but it is not a functional attack: watermark bit accuracy remains ≥99%, meaning the watermark is essentially intact. In contrast, our method meaningfully reduces bit accuracy (e.g., 0.82 on CIN, 0.49 on VideoSeal) while preserving high visual quality.

In summary, our method is the most practical and effective one‑shot, black‑box attack available today as it:

• Matches or surpasses other one-shot black-box methods (e.g. DiffPure) in bit accuracy while improving PSNR by +5–6 points.
• Outperforms Image Averaging and Warfare in feasibility, requiring only a single image instead of hundreds or thousands.

W2: Small sample size
We chose the sample size of 100 images due to the long run time of all the experiments and baselines. To alleviate any doubts, we also evaluate our method on 1000 test images for watermark removal (see the table below) with minimal difference to the reported numbers for 100 images.

W3: Reporting AUROC
Thank you very much for the suggestion on AUROC. The paper currently focuses purely on multi-bit watermarking and introducing an experiment in a more practical scenario of watermark detection makes it more relevant. We therefore present the AUROC values for watermark forging in the table below. For watermarking, a very low false positive rate is crucial, therefore, we will also include in the paper the full ROC curves highlighting the performance of various models in the [10^(-6), 10^(-4)] FPR range.

For this experiment, we first forge the watermark with the same setup as the main paper, then extract the binary message and compute the number of matching bits with regards to the original one. We then compute the ROC, considering theoretical FPRs (assuming that the number of matching bits for non-watermarked images follows a binomial distribution). The AUROC results show, similarly to the bit accuracy results in Table 1, that our method is very competitive or outperforms the related methods while maintaining good visual quality.

Q1: Non-additive Watermarks
This is an excellent remark. Recent work (Yang et al., NeurIPS 2024) shows that even simple additive operations can remove or forge watermarks in state‑of‑the‑art systems. We argue this vulnerability arises because detectors are not trained to enforce image–watermark consistency: nothing prevents a watermark from image x from being valid on image y, making it easier for embedders to collapse toward non‑content‑aware solutions. In our experiments, swapped watermarks were still detected with high accuracy (CIN 100%, MBRS 94%, TrustMark 77%, VideoSeal 87%). This is why we urge the community to develop truly content‑aware detectors — for example, by using antiforging losses that penalize when a watermark from one image is validated on another. We will add this point in the paper.

Yang, P., Ci, H., Song, Y., & Shou, M. Z. (2024). Can Simple Averaging Defeat Modern Watermarks? NeurIPS 2024.

Q2: Image regularization loss to mitigate smoothing artifacts
After the submission, we tested adding blurring to the set of synthetic artifacts. This substantially decreased the smoothing artifacts in the images. We will include these new findings in the paper.

Q3: Watermark selection details
As described in Section 4.1, we watermarked 100 images from the SA‑1b validation set using CIN, MBRS, TrustMark, and VideoSeal, with random messages of the appropriate length. For comparability, each method used the same hidden message across all 100 images, since approaches like Warfare and Image Averaging cannot handle multiple messages. We measured bit accuracy of the respective extractors for both removal and forging.

We thank the reviewer for their thoughtful comments. We are pleased that they find our paper clear and well motivated. We respond to the specific points raised below and kindly ask the reviewer to let us know if these address their concerns.

Q1: Results for StegaStamp and VINE
We considered StegaStamp and VINE. Unfortunately, the official StagaStamp weights are no longer available online. Nonetheless, we considered the community implementation of StegaStamp [A] and show the watermark forging results in the table below. Please note that StegaStamp is robust only because it makes very big unnatural changes to the input image – this is also reported by the authors of StegaStamp where the method achieves a very low PSNR/SSIM score of 28.5/0.905 for the 100 bit model. In contrast, the tested watermarking methods in our paper (CIN, MBRS, TrustMark and VideoSeal) reach values of more than 0.99 in SSIM and more than 40 in PSNR. The very visible changes to the input images make StegaStamp less useful in practice.

VINE claims leading robustness to various attacks such as image editing, however, this is achieved by embedding the watermark message very visibly at the image edges (see the bottom right corner of the watermarked image in the official demo_colab.ipynb of the VINE GitHub repository). The watermark can be removed from the image by simple cropping by 10 pixels, i.e., running the detection on Image.fromarray(np.array(output_pil)[:-10, :-10]) in the official colab yields bit accuracy 55%. However, as requested, we also show the watermark forging results for VINE in the table below.

We use the same setup and data as for the other methods in Table 1 in the paper. The extremely high score of Image averaging for the VINE method indicates that VINE watermarks are not content dependent in practice. In comparison, the benefit of our method is that it requires only a single image to forge the watermark. Also, our method can be applied to watermarks that are highly content-dependent, e.g., VideoSeal watermarks, where the Image averaging method does not work and cannot work by principle.

[A] WAVES: Benchmarking the Robustness of Image Watermarks

Q2: Robustness of forged watermarks.
Robustness is valuable because it allows watermark owners to identify their images even if modified by various transformations that may appear in the wild on the Internet (e.g., image compression, cropping, etc.). In the context of forging, the goal of the attacker is to create forged watermarked images that appear legitimate (i.e. they are detected as watermarked by a detector). Thus, robustness to transformations is less relevant in this thread model.

Nonetheless, prompted by the reviewer, we evaluated the robustness of the forged VINE watermarks. We apply the VINE image editing script (image_editing.py from the official VINE GitHub repository) to the images with forged watermarks. We achieve bit accuracy of 66% (down from 84%). This result indicates the forged watermarks are less robust than their original counterparts but they cannot be stripped completely.

We thank the reviewer for their insightful comments and questions, as well as for finding our work relevant and empirically strong. We respond to the specific points raised below and kindly ask the reviewer to let us know if these address their concerns.

Q1: Evaluation of our method on the Stable Diffusion watermark
To the best of our knowledge, the only watermarked Stable Diffusion images come from the original CompVis GitHub repository. Other Stable Diffusion proxies, such as HuggingFace do not contain any watermarking. Images generated by Stable Diffusion from the CompVis GitHub repository are watermarked using the dwtDct method from the invisible-watermark library. This method has been proven to be very brittle and not to have good performance, as demonstrated in [11, 42]. However, to mitigate any doubts, we also run watermark removal on images watermarked using the dwtDct method and we observe that our method is able to completely remove the watermark, i.e., the bit accuracy for the resulting images is 50%. We would be happy to include any other publicly available method.

[11] The stable signature: Rooting watermarks in latent diffusion models. ICCV 2023.
[42] Tree-rings watermarks: Invisible fingerprints for diffusion images. NeurIPS 2023.

Q2 & W3: Semantic watermarks
Our method’s focus is on the post-hoc watermarking, which cannot introduce large semantic changes to the input image. This is especially true in the case when the post-hoc watermarking is used to ensure authenticity of images (e.g., if a photo comes from a reputable news source). Semantic watermarking, such as Tree-Ring or RingID, watermarks AI generated content by altering the objects and their locations in a generated image. Our method cannot semantically change these objects, therefore, different methods must be used for forging these semantic watermarks (e.g., see [31]).

[31] Black-box forgery attacks on semantic watermarks for diffusion models. CVPR 2025.

Q3: Google SynthID forging
Google SynthID is a closed source product where the watermark detector is not available, therefore, we were unable to evaluate against that. We note that at Google’s developer conference on May 20, 2025, i.e., after the NeuIPS paper deadline, waitlist-based access to SynthID has been announced. However, we were unable to gain access to the API yet. For other providers (HuggingFace, Ideogram, Flux, etc.), there is very little information on if/how they do watermarking, and even less on how to get access to the detection. Therefore we were unable to test against the detectors used by all these platforms, although doing so would have indeed strengthened the paper.

Q4: Additional qualitative metrics
We were unsure about the reviewer’s question, specifically, whether they were (a) asking us to compare our attack using the preference model against other qualitative metrics, or (b) suggesting that the preference model itself be used as a qualitative metric, in which case it would be compared to LPIPS for evaluating the quality of other images.

If (a) We show the requested LPIPS quality metric and CVVDP quality metric [B] for watermark removal in the table below. We observed that CVVDP metric correlates with human judgement better than many standard metrics. We will add the new metrics into the paper.

If (b) This is an interesting suggestion, although it goes beyond the scope of our current paper. It would indeed be a valuable direction to explore, as we have observed that traditional metrics like PSNR, SSIM, LPIPS, and CVVDP can sometimes yield high scores for watermark distortions that are clearly visible, or, conversely, give low scores (e.g., PSNR < 30dB) for distortions that are barely perceptible. That said, using the preference model as a metric could be challenging, as its outputs may vary significantly depending on the type of image (typically textured vs flat) and could therefore be hard to calibrate. Moreover, properly evaluating the metric would require assessing its correlation with human judgments and comparing it to LPIPS, which would demand substantial effort to design and carry out a robust user study.

[B] ColorVideoVDP: A visual difference predictor for image, video and display distortions. Arxiv 2024.

W1: Lower performance for TrustMark
Indeed, the TrustMark watermarks are difficult to forge using any forging method. However, 61% bit accuracy is not random, and there are still individual forged images with bit accuracy close to 90%. Therefore, with enough effort, it is still possible to confidently fool TrustMark’s detector with a forged watermarked image. The key contribution of this work is highlighting this potential attack vector for watermarking methods and we believe this work will motivate further research into watermarking methods that utilize highly content-dependent decoders, thus making any forgery very difficult.

W2: Effectiveness on real-world dataset
Our experiments are done on the SA-1b dataset. This is a high-resolution and high-quality dataset of real-world photos. To mitigate any doubts, we also test our method on AI generated images from Stable Diffusion. From the results on watermark forging in the table below, we can see our method performs very similarly on both real-world photos as well as AI generated images. We are happy to include any other dataset in our experiments.

W4: Statistical significance analysis
We train 3 additional preference models, each with different random seed and report standard deviation for our watermark removal results in the table below. The table shows there is not much difference in performance across different models.

W5: Robustness evaluations under detection-aware defense schemes
Unfortunately, we are not aware of any such work in the context of watermarking. We are happy to include any evaluation if we are given the reference to such work or additional details on how to conduct such evaluation.

Safeguards and ethical aspects
Thank you for the feedback. We will include further discussion and clarification on the method’s impact in these areas, and would be interested in any further feedback the reviewer could give.

We thank the reviewer for their thoughtful comments. We are pleased that they find our work novel and thorough. We respond to the specific points raised below and kindly ask the reviewer to let us know if these address their concerns.

Q1: Contribution of synthetic artifacts
We thank the reviewer for raising this insightful question. To address it, we conducted an additional experiment focusing on the choice of synthetic artifact types, which are motivated by common artifact patterns observed in computer vision, such as noise and checkerboard patterns. Specifically, we trained our model independently for each style of watermark pattern to evaluate their individual effectiveness. From the watermark removal results in the table below, we can see that the wave pattern is the most effective in removing watermarks. But on average, the combination of the three watermark types produces significantly better results than only the wave style pattern. We will include this analysis in the paper.

W1: Diffusion-based watermarking
Our method’s focus is on the post-hoc watermarking, which is a widely used approach that has broad applications beyond diffusion models and beyond generated content in general. In diffusion watermarking, such as RingID, watermark is encoded into an image by altering objects and their locations in the generated image. Our method cannot semantically change these objects, therefore, different methods must be used for forging these semantic watermarks (e.g., see [31]).

[31] Black-box forgery attacks on semantic watermarks for diffusion models. CVPR 2025.