Authenticated Contradictions from Desynchronized Provenance and Watermarking

TL;DR

This paper identifies a security gap where digital assets can falsely pass independent provenance and watermark verification, and proposes a joint audit protocol to reliably detect such contradictions.

Contribution

It formalizes the Integrity Clash problem, demonstrates its feasibility through metadata washing workflows, and introduces a cross-layer audit protocol for accurate detection.

Findings

The Integrity Clash can be exploited through standard editing pipelines.

A cross-layer audit protocol achieves 100% accuracy in detecting contradictions.

The gap between provenance and watermark verification layers can be effectively closed.

Abstract

Cryptographic provenance standards such as C2PA and invisible watermarking are positioned as complementary defenses for content authentication, yet the two verification layers are technically independent: neither conditions on the output of the other. This work formalizes and empirically demonstrates the $\textit{Integrity Clash}$, a condition in which a digital asset carries a cryptographically valid C2PA manifest asserting human authorship while its pixels simultaneously carry a watermark identifying it as AI-generated, with both signals passing their respective verification checks in isolation. We construct metadata washing workflows that produce these authenticated fakes through standard editing pipelines, requiring no cryptographic compromise, only the semantic omission of a single assertion field permitted by the current C2PA specification. To close this gap, we propose a cross-layer audit protocol that jointly evaluates provenance metadata and watermark detection status, achieving 100% classification accuracy across 3,500 test images spanning four conflict-matrix states and three realistic perturbation conditions. Our results demonstrate that the gap between these verification layers is unnecessary and technically straightforward to close.