Stable Signature is Unstable: Removing Image Watermark from Diffusion Models
Yuepeng Hu, Zhengyuan Jiang, Moyang Guo, Neil Gong
TL;DR
This paper demonstrates that the Stable Signature watermarking method for diffusion models can be effectively removed through fine-tuning, challenging its robustness and raising concerns about watermark security.
Contribution
We introduce a fine-tuning attack that successfully removes Stable Signature watermarks from diffusion models without degrading image quality.
Findings
Watermarks can be effectively removed via fine-tuning.
Stable Signature's robustness is less than previously claimed.
Watermarked images can be indistinguishable from non-watermarked ones.
Abstract
Watermark has been widely deployed by industry to detect AI-generated images. A recent watermarking framework called \emph{Stable Signature} (proposed by Meta) roots watermark into the parameters of a diffusion model's decoder such that its generated images are inherently watermarked. Stable Signature makes it possible to watermark images generated by \emph{open-source} diffusion models and was claimed to be robust against removal attacks. In this work, we propose a new attack to remove the watermark from a diffusion model by fine-tuning it. Our results show that our attack can effectively remove the watermark from a diffusion model such that its generated images are non-watermarked, while maintaining the visual quality of the generated images. Our results highlight that Stable Signature is not as stable as previously thought.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdvanced Steganography and Watermarking Techniques · Chaos-based Image/Signal Encryption · Digital Media Forensic Detection
MethodsDiffusion