Robustness of Watermarking on Text-to-Image Diffusion Models

TL;DR

This paper evaluates the robustness of watermarking in text-to-image diffusion models, revealing strengths against certain attacks but vulnerability to fine-tuning, and proposes three attack methods to test watermark resilience.

Contribution

It introduces three novel attack methods against generative watermarking and provides an in-depth analysis of factors affecting attack success in diffusion models.

Findings

Watermarking is robust against discriminator and edge prediction attacks.

Fine-tuning significantly reduces watermark detection accuracy.

Ablation study identifies key factors influencing attack effectiveness.

Abstract

Watermarking has become one of promising techniques to not only aid in identifying AI-generated images but also serve as a deterrent against the unethical use of these models. However, the robustness of watermarking techniques has not been extensively studied recently. In this paper, we investigate the robustness of generative watermarking, which is created from the integration of watermarking embedding and text-to-image generation processing in generative models, e.g., latent diffusion models. Specifically, we propose three attacking methods, i.e., discriminator-based attacks, edge prediction-based attacks, and fine-tune-based attacks, under the scenario where the watermark decoder is not accessible. The model is allowed to be fine-tuned to created AI agents with specific generative tasks for personalizing or specializing. We found that generative watermarking methods are robust to direct evasion attacks, like discriminator-based attacks, or manipulation based on the edge information in edge prediction-based attacks but vulnerable to malicious fine-tuning. Experimental results show that our fine-tune-based attacks can decrease the accuracy of the watermark detection to nearly $67.92\%$. In addition, We conduct an ablation study on the length of fine-tuned messages, encoder/decoder's depth and structure to identify key factors that impact the performance of fine-tune-based attacks.