Breaking Semantic-Aware Watermarks via LLM-Guided Coherence-Preserving Semantic Injection

TL;DR

This paper reveals a new vulnerability in semantic watermarking for images, showing that large language models can craft semantic alterations that bypass detection, exposing security weaknesses in current methods.

Contribution

The paper introduces the CSI attack, leveraging LLMs to perform coherence-preserving semantic injections that undermine existing semantic watermarking defenses.

Findings

CSI outperforms existing attacks against semantic watermarking

LLM-guided semantic manipulation can bypass current watermark detectors

Semantic watermarking schemes are vulnerable to LLM-driven semantic perturbations

Abstract

Generative images have proliferated on Web platforms in social media and online copyright distribution scenarios, and semantic watermarking has increasingly been integrated into diffusion models to support reliable provenance tracking and forgery prevention for web content. Traditional noise-layer-based watermarking, however, remains vulnerable to inversion attacks that can recover embedded signals. To mitigate this, recent content-aware semantic watermarking schemes bind watermark signals to high-level image semantics, constraining local edits that would otherwise disrupt global coherence. Yet, large language models (LLMs) possess structured reasoning capabilities that enable targeted exploration of semantic spaces, allowing locally fine-grained but globally coherent semantic alterations that invalidate such bindings. To expose this overlooked vulnerability, we introduce a Coherence-Preserving Semantic Injection (CSI) attack that leverages LLM-guided semantic manipulation under embedding-space similarity constraints. This alignment enforces visual-semantic consistency while selectively perturbing watermark-relevant semantics, ultimately inducing detector misclassification. Extensive empirical results show that CSI consistently outperforms prevailing attack baselines against content-aware semantic watermarking, revealing a fundamental security weakness of current semantic watermark designs when confronted with LLM-driven semantic perturbations.