Diffusion-Based Image Editing: An Unforeseen Adversary to Robust Invisible Watermarks

• URL: http://arxiv.org/abs/2511.05598v1
• Date: Wed, 05 Nov 2025 16:20:29 GMT
• Title: Diffusion-Based Image Editing: An Unforeseen Adversary to Robust Invisible Watermarks
• Authors: Wenkai Fu, Finn Carter, Yue Wang, Emily Davis, Bo Zhang,
• Abstract summary: Powerful diffusion-based image generation and editing models can inadvertently remove or distort embedded watermarks.<n>We present a theoretical and empirical analysis demonstrating that diffusion-based image editing can effectively break state-of-the-art robust watermarks.<n>We propose a diffusion-driven attack that uses generative image regeneration to erase watermarks from a given image.
• Score: 4.138397555991069
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Robust invisible watermarking aims to embed hidden messages into images such that they survive various manipulations while remaining imperceptible. However, powerful diffusion-based image generation and editing models now enable realistic content-preserving transformations that can inadvertently remove or distort embedded watermarks. In this paper, we present a theoretical and empirical analysis demonstrating that diffusion-based image editing can effectively break state-of-the-art robust watermarks designed to withstand conventional distortions. We analyze how the iterative noising and denoising process of diffusion models degrades embedded watermark signals, and provide formal proofs that under certain conditions a diffusion model's regenerated image retains virtually no detectable watermark information. Building on this insight, we propose a diffusion-driven attack that uses generative image regeneration to erase watermarks from a given image. Furthermore, we introduce an enhanced \emph{guided diffusion} attack that explicitly targets the watermark during generation by integrating the watermark decoder into the sampling loop. We evaluate our approaches on multiple recent deep learning watermarking schemes (e.g., StegaStamp, TrustMark, and VINE) and demonstrate that diffusion-based editing can reduce watermark decoding accuracy to near-zero levels while preserving high visual fidelity of the images. Our findings reveal a fundamental vulnerability in current robust watermarking techniques against generative model-based edits, underscoring the need for new watermarking strategies in the era of generative AI.

Related papers

• Vanishing Watermarks: Diffusion-Based Image Editing Undermines Robust Invisible Watermarking [3.583615559438432]
  Powerful diffusion-based image generation and editing techniques now pose a new threat to robust invisible watermarking schemes.<n>We show that diffusion models can effectively erase robust watermarks even when those watermarks were designed to withstand conventional distortions.<n>We introduce a guided diffusion-based attack that explicitly targets the embedded watermark signal during generation, significantly degrading watermark detectability.
  arXiv  Detail & Related papers  (2026-02-24T08:34:48Z)
• On the Information-Theoretic Fragility of Robust Watermarking under Diffusion Editing [3.6210754412846327]
  Powerful diffusion-based image generation and editing techniques pose a new threat to robust watermarking schemes.<n>We propose a guided diffusion attack algorithm that explicitly targets and erases watermark signals during generation.<n>We evaluate our approach on recent deep learning-based watermarking schemes and demonstrate near-zero watermark recovery rates after attack.
  arXiv  Detail & Related papers  (2025-11-14T03:41:24Z)
• Diffusion-Based Image Editing for Breaking Robust Watermarks [4.273350357872755]
  Powerful diffusion-based image generation and editing techniques pose a new threat to robust watermarking schemes.<n>We show that a diffusion-driven image regeneration'' process can erase embedded watermarks while preserving image content.<n>We introduce a novel guided diffusion attack that explicitly targets the watermark signal during generation, significantly degrading watermark detectability.
  arXiv  Detail & Related papers  (2025-10-07T14:34:42Z)
• DiffMark: Diffusion-based Robust Watermark Against Deepfakes [49.05095089309156]
  Deepfakes pose significant security and privacy threats through malicious facial manipulations.<n>Existing watermarking methods often lack sufficient robustness against Deepfake manipulations.<n>We propose a novel robust watermarking framework based on diffusion model, called DiffMark.
  arXiv  Detail & Related papers  (2025-07-02T07:29:33Z)
• Optimization-Free Universal Watermark Forgery with Regenerative Diffusion Models [50.73220224678009]
  Watermarking can be used to verify the origin of synthetic images generated by artificial intelligence models.<n>Recent studies demonstrate the capability to forge watermarks from a target image onto cover images via adversarial techniques.<n>In this paper, we uncover a greater risk of an optimization-free and universal watermark forgery.<n>Our approach significantly broadens the scope of attacks, presenting a greater challenge to the security of current watermarking techniques.
  arXiv  Detail & Related papers  (2025-06-06T12:08:02Z)
• SEAL: Semantic Aware Image Watermarking [26.606008778795193]
  We propose a novel watermarking method that embeds semantic information about the generated image directly into the watermark.<n>The key pattern can be inferred from the semantic embedding of the image using locality-sensitive hashing.<n>Our results suggest that content-aware watermarks can mitigate risks arising from image-generative models.
  arXiv  Detail & Related papers  (2025-03-15T15:29:05Z)
• JIGMARK: A Black-Box Approach for Enhancing Image Watermarks against Diffusion Model Edits [76.25962336540226]
  JIGMARK is a first-of-its-kind watermarking technique that enhances robustness through contrastive learning. Our evaluation reveals that JIGMARK significantly surpasses existing watermarking solutions in resilience to diffusion-model edits.
  arXiv  Detail & Related papers  (2024-06-06T03:31:41Z)
• MarkPlugger: Generalizable Watermark Framework for Latent Diffusion Models without Retraining [48.41130825143742]
  In the fast-evolving era of AI-generated content (AIGC), the rapid iteration and modification of latent diffusion models (LDMs) makes retraining with watermark models costly.<n>We propose MarkPlugger, a generalizable plug-and-play watermark framework without LDM retraining.<n>Our experimental findings reveal that our method effectively harmonizes image quality and watermark recovery rate.
  arXiv  Detail & Related papers  (2024-04-08T15:29:46Z)
• Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks [47.04650443491879]
  We analyze the robustness of various AI-image detectors including watermarking and deepfake detectors. We show that watermarking methods are vulnerable to spoofing attacks where the attacker aims to have real images identified as watermarked ones.
  arXiv  Detail & Related papers  (2023-09-29T18:30:29Z)
• Tree-Ring Watermarks: Fingerprints for Diffusion Images that are Invisible and Robust [55.91987293510401]
  Watermarking the outputs of generative models is a crucial technique for tracing copyright and preventing potential harm from AI-generated content. We introduce a novel technique called Tree-Ring Watermarking that robustly fingerprints diffusion model outputs. Our watermark is semantically hidden in the image space and is far more robust than watermarking alternatives that are currently deployed.
  arXiv  Detail & Related papers  (2023-05-31T17:00:31Z)
• Fine-tuning Is Not Enough: A Simple yet Effective Watermark Removal Attack for DNN Models [72.9364216776529]
  We propose a novel watermark removal attack from a different perspective. We design a simple yet powerful transformation algorithm by combining imperceptible pattern embedding and spatial-level transformations. Our attack can bypass state-of-the-art watermarking solutions with very high success rates.
  arXiv  Detail & Related papers  (2020-09-18T09:14:54Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.