Awesome-GenAI-Watermarking

A curated list of watermarking schemes for generative AI models
https://github.com/and-mill/Awesome-GenAI-Watermarking

Last synced: 2 days ago
JSON representation

1.4 Attacks on Watermarking
- Difference between Watermarking and Cryptography
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
  - Watermarking is not Cryptography - | [Author webpage](http://www0.cs.ucl.ac.uk/staff/ingemar/Content/papers/2006/IWDW2006.pdf) | - TODO |
- - Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks
3.4 Further Links on Audio Synthesis and Detection
- Difference between Watermarking and Cryptography
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - OpenAI moving AI governance forward statement - initiatives/public-policy/our-commitment-to-advancing-bold-and-responsible-ai-together/)) and government ([Biden-⁠Harris Administration Secures Voluntary Commitments from Leading Artificial Intelligence Companies to Manage the Risks Posed by AI ](https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/21/fact-sheet-biden-harris-administration-secures-voluntary-commitments-from-leading-artificial-intelligence-companies-to-manage-the-risks-posed-by-ai/))
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - A Systematic Review on Model Watermarking for Neural Networks - | [Arxiv](https://arxiv.org/abs/2009.12153) | - Not about model rooting |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Github topics: Audio Synthesis
 - Github topic: Audio Deepfake Detection
 - Awesome Deepfakes Detection
 - Stable Audio: Fast Timing-Conditioned Latent Audio Diffusion - GAN)
 - VoiceBox
 - Coqui-AI library
 - Mimic3
 - Amphion-AI
 - Tortoise TTS
 - Github - |
 - Adversarial Watermarking Transformer: Towards Tracing Text Provenance with Data Hiding - Abdelnabi/awt) | [Arxiv](https://arxiv.org/abs/2009.03015) | - |
 - Github Appendix - Code |
 - Arxiv - Error correction |
 - Provable Robust Watermarking for AI-Generated Text - Watermark) | [Arxiv](https://arxiv.org/abs/2306.17439) | - Apparently good and robust LLM Watermarking |
 - Towards Codable Watermarking for Injecting Multi-Bits Information to LLMs - watermarking-for-llm) | [Arxiv](https://arxiv.org/abs/2307.15992) | - TODO |
 - Coalition for Content Provenance and Authenticity (C2PA)
 - C2PA Specifications
 - Explainer
 - ISCC - Content Codes
 - Open-source tools for content authenticity and provenance
 - Deepmind SynthID
 - Vertex AI imagen
 - Google DeepMind's Lyria
 - Identifying and Mitigating the Security Risks of Generative AI
 - invisible-watermark repo - diffusion?tab=readme-ov-file)). This is based on [Digital Watermarking and Steganography](https://dl.acm.org/doi/book/10.5555/1564551#)" (DwtDct and DwtDctSvd). Also see watermark option in the Stable Diffusion repo https://github.com/CompVis/stable-diffusion/blob/main/scripts/txt2img.py#L69.
 - Stable Diffusion XL - watermark/) pip package. The [supported algorithms](https://pypi.org/project/invisible-watermark/) are [Dwt](https://en.wikipedia.org/wiki/Discrete_wavelet_transform), [Dct](https://en.wikipedia.org/wiki/Discrete_cosine_transform), and [RivaGAN](https://github.com/DAI-Lab/RivaGAN) .
 - China bans GenAI without Watermarks
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Arxiv - |
 - Arxiv - Contains overview of spoofed audio datasets, spoofing methods, and detection methods - Very good servey |
 - A Comprehensive Survey on Robust Image Watermarking - | [Arxiv](https://arxiv.org/abs/2207.06909) | - Not about model rooting |
 - A Systematic Review on Model Watermarking for Neural Networks - | [Arxiv](https://arxiv.org/abs/2009.12153) | - Not about model rooting |
 - Arxiv - Not about model rooting |
 - Arxiv - About IP protection in GenAI in general |
 - Arxiv - About security aspects in GenAI in general |
 - Arxiv - About detecting GenAI in general |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Stealing Machine Learning Models: Attacks and Countermeasures for Generative Adversarial Networks - | [Arxiv](https://arxiv.org/abs/2101.02069) | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Awesome-DeepFake-Learning
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
 - Model Extraction Attack and Defense on Deep Generative Models - | - | - |
2.1 Papers on Watermarking Diffusion Models (outputs) (Image)
- Difference between Watermarking and Cryptography
 - Flexible and Secure Watermarking for Latent Diffusion Model - | - | - References Stable Signature and improves by adding flexibility by allowing for embedding different messages w.o. finetuning |
 - Artificial Fingerprinting for Generative Models: Rooting Deepfake Attribution in Training Data - | [Arxiv](https://arxiv.org/abs/2007.08457) | - Rooting GAN models. By embedding watermark into training data to exploit transferability |
 - PTW: Pivotal Tuning Watermarking for Pre-Trained Image Generators - watermark) | [Arxiv](https://arxiv.org/abs/2304.07361) | - Focus on GANs, but latent diffusion models should work too |
 - Arxiv - Stable Signature model purification via finetuning |
 - Arxiv - TODO |
 - Arxiv - Guards concepts obtained through textual inversion ([An Image is Worth One Word: Personalizing Text-to-Image Generation using Textual Inversion](https://arxiv.org/abs/2208.01618)) from abuse by allowing to identify concepts in generated images. - Very interesting references on company and government stances on watermarking |
 - Arxiv - Different from Glaze in that style synthesis from protected source images is not prevented, but recognizable via watermarks - CISPA authors |
 - WOUAF: Weight Modulation for User Attribution and Fingerprinting in Text-to-Image Diffusion Models - | [Arxiv](https://arxiv.org/abs/2306.04744) | - TODO |
 - RoSteALS: Robust Steganography using Autoencoder Latent Space - Post-hoc watermarking |
 - DiffusionShield: A Watermark for Copyright Protection against Generative Diffusion Models - | [Arxiv](https://arxiv.org/abs/2306.04642) | - Not about Rooting -Data Poisoning protected images which will reproduce if used as training data in diffusion model |
 - Github - Framework for 1. small unconditional/class-conditional DMs via training from scratch on watermarked data and 2. text-to-image DMs via finetuning a backdoor-trigger-output - Lots of references on watermarking discriminative models - Static watermarking |
 - Arxiv - Threat model: Check ownership of model by having access to the model - Hard to read - Explains difference between **static and dynamic watermarking** with many references |
 - Github - 1. Find optimal signature for an image individually. - 2. Finetune a GenAI model on these images. |
 - Arxiv - Finetuning a backdoor-trigger-output - Static watermarking - CISPA authors |
 - OpenReview - Watermark removal and forgery in one method, using GAN - References two types of watermarking: **1. Learn/finetune model to produce watermarked output and 2. post-hoc watermarking after the fact** (static vs. dynamic, see "Intellectual Property Protection of Diffusion Models via the Watermark Diffusion Process") |
 - Arxiv - Watermark removal by "no-box"-attack on detectors (no access to detector-API, instead training classifier to distinguish watermarked and vanilla images) |
 - Arxiv - Post-hoc watermarking - Watermark embedding during generation according to "Latent Watermark: Inject and Detect Watermarks in Latent Diffusion Space", but I think it is actually post-hoc. |
 - EditGuard: Versatile Image Watermarking for Tamper Localization and Copyright Protection - Post-hoc watermarking with tamper localization |
 - Arxiv - Discusses 3 categories for watermarks with references: before, during, and after generation |
 - The Stable Signature: Rooting Watermarks in Latent Diffusion Models - Meta/FAIR author Finetune a model in accordance with encoder/decoder to reveal a secret message in its output. - robust to watermark removal and model purification (quality deterioration) - Static watermarking |
2.2 Watermarks to Guide Other Objectives
- Difference between Watermarking and Cryptography
 - ChartStamp: Robust Chart Embedding for Real-World Applications - codes/ChartStamp) | - | - Like StegaStamp, but it introduces less clutter in flat regions in images |
 - StegaStamp: Invisible Hyperlinks in Physical Photographs - Watermark in physical images that can be captured from video stream - "Towards the Vulnerability of Watermarking Artificial Intelligence Generated Content" speculates that [Deepmind SynthID](https://deepmind.google/technologies/synthid/) works similarly to this |
 - Unadversarial Examples: Designing Objects for Robust Vision - Perturbations to make detection easier |
2.3 Misc Papers (to be categorized...)
- Difference between Watermarking and Cryptography
 - Evading Watermark based Detection of AI-Generated Content - jiang/WEvade) | [Arxiv](https://arxiv.org/abs/2305.03807) | - Evaluation of robustness of image watermarks + Adversarial sample for evasion |
 - HiDDeN: Hiding Data With Deep Networks - Main tool used in Stable Signature - Contains differentiable approx. of JPEG compression - Dynamic watermarking |
 - Towards Blind Watermarking: Combining Invertible and Non-invertible Mechanisms - Is not about rooting a model, but about attacking post-hoc watermarking of images - Lots of references on invertible NNs |
 - DocDiff: Document Enhancement via Residual Diffusion Models - Is not about rooting a model, but about post-hoc watermarking of images - Includes classic watermark removal |
 - Free Fine-tuning: A Plug-and-Play Watermarking Scheme for Deep Neural Networks - Is not about generative models, but discriminative models |
 - Adversarial Attack for Robust Watermark Protection Against Inpainting-based and Blind Watermark Removers - | - Post-hoc watermark with enhanced robustness against inpainting |
 - A Novel Deep Video Watermarking Framework with Enhanced Robustness to H.264/AVC Compression - | - Post-hoc watermark for videos |
 - Enhancing the Robustness of Deep Learning Based Fingerprinting to Improve Deepfake Attribution - Asia | 2022 | - | - | - Is not about rooting, but transformation-robustness strategies for watermarks |
 - ProMark: Proactive Diffusion Watermarking for Causal Attribution - | [Arxiv](https://arxiv.org/abs/2403.09914) | - TODO |
 - Watermarking Images in Self-Supervised Latent Spaces - TODO |
 - Generative Autoencoders as Watermark Attackers: Analyses of Vulnerabilities and Threats - | - | - Attack on pixel-watermarks using LDM autoencoders |
 - Github - Is not about rooting a model, but removing watermarks with diffusion purification - Evaluates stable signature and Tree-Ring Watermarks. Tree-ring is robust against their attack. - Earlier Version of Generative Autoencoders as Watermark Attackers |
 - WaterDiff: Perceptual Image Watermarks Via Diffusion Model - P2 Workshop at ICASSP | 2024 | - | - | - TODO |
 - Github - Withdrawn from arxiv |
 - Arxiv - TODO |
 - Arxiv - Withdrawn from arxiv |
 - Arxiv - TODO |
 - Arxiv - TODO |
 - Arxiv - They show that an image can be created that looks like it may have been generated by a targeted model. They also propose a framework how to achieve deniability for such cases. |
 - Squint Hard Enough: Attacking Perceptual Hashing with Adversarial Machine Learning - | - | - Attacks on perceptual hashes |
 - Diffusion Models for Adversarial Purification - Defense against adversarial pertubation, including imperceptible watermarks in images |
 - Flow-Based Robust Watermarking with Invertible Noise Layer for Black-Box Distortions - | - Like HiDDeN, just a neural watermark encoder/extractor |
 - Glaze: Protecting artists from style mimicry by text-to-image models - Is not about Rooting, but denying style stealing |
 - Arxiv - Seem similar to Glaze on first glance. Authors may have been unlucky to do parallel work |
 - You are caught stealing my winning lottery ticket! Making a lottery ticket claim its ownership - Group/NO-stealing-LTH.) | [Arxiv](https://arxiv.org/abs/2111.00162) | - Watermarking the sparsity mask of winning lottery tickets |
 - Arxiv - Is not about rooting a model, but about attacking post-hoc watermarking - Includes 1. watermark removal and 2. forging |
 - Leveraging Optimization for Adaptive Attacks on Image Watermarks - Is not about rooting a model, but about attacking post-hoc watermarking |
 - Arxiv - Is not about rooting a model, but about post-hoc watermarking of images - Takes watermarks literally and injects hidden images |
 - Arxiv - Is not about rooting a model. They show that watermarks in training data are recognizable in output and allow for intellectual property claims |
 - Github - Just a benchmark/framework for testing watermarks against |
 - Practical Deep Dispersed Watermarking with Synchronization and Fusion - Post-hoc watermark for images with enhanced robustness to transformations |
 - Github - Is not about rooting, but GenAI image detection |
 - Responsible Disclosure of Generative Models Using Scalable Fingerprinting - Rooting GAN models. Seems to have introduced the idea of scalably producing many models fast with large message space (TODO: check this later), similar to how Stable Signature did it later for stable diffusion. |
 - Self-Consuming Generative Models Go MAD - | [Arxiv](https://arxiv.org/abs/2307.01850) | - Contains a reason why GenAI detection is important: Removing generated content from training sets |
1.2 Differences Between Watermarking Schemes
- TrojDiff: Trojan Attacks on Diffusion Models with Diverse Targets
- How to Backdoor Diffusion Models?
3.1 Papers on Watermarking (Audio)
- Difference between Watermarking and Cryptography
 - Github - Meta/FAIR author |
 - MaskMark: Robust Neural Watermarking for Real and Synthetic Speech - |
 - Arxiv - Meta/FAIR author |
 - HiFi-GAN: Generative Adversarial Networks for Efficient and High Fidelity Speech Synthesis - gan) | [Arxiv](https://arxiv.org/abs/2010.05646) | - Very good GAN for Speech synthesis (TODO: Is this SotA?) - Can do live synthesis even on CPU - Quality is on par with autoregressive models |
 - Spoofed Training Data for Speech Spoofing Countermeasure Can Be Efficiently Created Using Neural Vocoders - | [Arxiv](https://arxiv.org/abs/2210.10570) | - Include vocoder generated training data to enhance detection capabilities for countermeasures |
 - AudioQR: Deep Neural Audio Watermarks For QR Code - qu/AudioQR) | - | - Imperceptible QR-codes in audio for the visually impaired |
3.2 Audio Synthesis Datasets
- Difference between Watermarking and Cryptography
  - ASVspoof 2021 Challenge - | 2021 | [Github](https://github.com/asvspoof-challenge/2021) | [Arxiv](https://arxiv.org/abs/2109.00535) | - Challenge for audio spoofing detection |
  - ADD 2022: the first Audio Deep Synthesis Detection Challenge - challenge/2021) | [Arxiv](https://arxiv.org/abs/2202.08433) | - [Official Chinese challenge website (NO HTTPS!)](http://addchallenge.cn/) |
3.3 News on Audio Watermarking
- Difference between Watermarking and Cryptography
  - Introducing the watermark algorithm for synthetic voice identification

Programming Languages

Python 4 Jupyter Notebook 1

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

Awesome-GenAI-Watermarking

1.4 Attacks on Watermarking

Difference between Watermarking and Cryptography

3.4 Further Links on Audio Synthesis and Detection

Difference between Watermarking and Cryptography

2.1 Papers on Watermarking Diffusion Models (outputs) (Image)

Difference between Watermarking and Cryptography

2.2 Watermarks to Guide Other Objectives

Difference between Watermarking and Cryptography

2.3 Misc Papers (to be categorized...)

Difference between Watermarking and Cryptography

1.2 Differences Between Watermarking Schemes

3.1 Papers on Watermarking (Audio)

Difference between Watermarking and Cryptography

3.2 Audio Synthesis Datasets

Difference between Watermarking and Cryptography

3.3 News on Audio Watermarking

Difference between Watermarking and Cryptography