SemBind: Binding Diffusion Watermarks to Semantics Against Black-Box Forgery Attacks

TL;DR

SemBind is a novel framework that enhances the security of latent diffusion model watermarks by binding them to image semantics, effectively resisting black-box forgery attacks without compromising image quality.

Contribution

It introduces a semantic masker trained with contrastive learning to bind watermarks to semantics, providing a flexible defense against black-box forgery in latent-based watermarking.

Findings

Significantly reduces false acceptance in black-box forgery scenarios

Maintains high image quality while enhancing watermark security

Compatible with existing latent-based watermarking methods

Abstract

Latent-based watermarks, integrated into the generation process of latent diffusion models (LDMs), simplify detection and attribution of generated images. However, recent black-box forgery attacks, where an attacker needs at least one watermarked image and black-box access to the provider's model, can embed the provider's watermark into images not produced by the provider, posing outsized risk to provenance and trust. We propose SemBind, the first defense framework for latent-based watermarks that resists black-box forgery by binding latent signals to image semantics via a learned semantic masker. Trained with contrastive learning, the masker yields near-invariant codes for the same prompt and near-orthogonal codes across prompts; these codes are reshaped and permuted to modulate the target latent before any standard latent-based watermark. SemBind is generally compatible with existing latent-based watermarking schemes and keeps image quality essentially unchanged, while a simple mask-ratio parameter offers a tunable trade-off between anti-forgery strength and robustness. Across four mainstream latent-based watermark methods, our SemBind-enabled anti-forgery variants markedly reduce false acceptance under black-box forgery while providing a controllable robustness-security balance.