GaussMarker: Robust Dual-Domain Watermark for Diffusion Models

Conference: ICML 2025
arXiv: 2506.11444
Code: None
Area: Diffusion Models / Image Generation
Keywords: diffusion model watermark, dual-domain, Gaussian noise restorer, tuning-free, robustness

TL;DR

GaussMarker is proposed—the first dual-domain (spatial + frequency) diffusion model watermarking method. It consistently embeds watermarks in both the spatial and frequency domains of the initial Gaussian noise through a pipelined injector. Coupled with a model-independent learnable Gaussian Noise Restorer (GNR) to enhance robustness against rotation/cropping attacks, it achieves SOTA performance with an average TPR@1%FPR of 0.997 under eight image distortions across three Stable Diffusion versions.

Background & Motivation

Background: As images generated by diffusion models become increasingly realistic, the demand for copyright protection and misuse detection is urgent. Watermarking technology is a promising solution. Existing in-processing methods are categorized into tuning-based and tuning-free approaches, with tuning-free methods being preferred since they do not alter model weights.

Limitations of Prior Work: Tuning-free SOTA methods like Gaussian Shading inject watermarks only into a single domain (either spatial or frequency) of the initial Gaussian noise. This makes them extremely vulnerable to certain simple image edits—for instance, a rotation of just 3° drops the detection accuracy of Gaussian Shading from 100% to 64%, making it completely impractical for real-world deployment.

Key Challenge: Spatial-domain watermarks are sensitive to rotation/cropping (as pixel locations are shuffled), while frequency-domain watermarks are sensitive to certain noise attacks. Single-domain methods can only remain robust against one class of attacks, failing to handle multiple types of attacks simultaneously.

Goal: To design a tuning-free scheme that embeds watermarks simultaneously in both the spatial and frequency domains, while resolving the robustness challenge under rotation/cropping attacks.

Key Insight: In traditional image watermarking, dual-domain watermarking has been proven to be more robust than single-domain, yet this concept has not been applied to diffusion model watermarking. Meanwhile, the authors find that rotation/cropping operations on images can be approximately mapped to equivalent operations in the Gaussian noise space, which allows training a restoration network to recover the degraded noise.

Core Idea: Embed watermarks simultaneously into the spatial and frequency domains of the initial Gaussian noise, and enhance robustness against rotation/cropping via a learnable noise restoration network.

Method

Overall Architecture

GaussMarker consists of three core modules: (1) a pipelined watermark injector—sequentially embedding watermarks in the spatial and frequency domains of the Gaussian noise; (2) DDIM inversion + dual-domain detection—estimating the original noise from the image under inspection and then extracting detection scores in both domains; (3) a Gaussian Noise Restorer (GNR)—restoring the degraded noise signals after attacks. The generation process is identical to standard LDMs, without modifying model weights or inference pipelines.

Key Designs

1. Spatial-Domain Watermark Injection:

   • Function: Embeds an \(l\)-bit multi-bit watermark in the Gaussian noise.
   • Mechanism: The \(l\)-bit watermark \(\omega\) is first upsampled to match the noise dimension \(c \times w \times h\), and then shuffled using deterministic encoding to obtain the signal map \(s \in \{0,1\}^{c \times w \times h}\). The signal map dictates the sign of the noise at each location: \(z_T^s = |z_T| \cdot (2s - 1)\), which preserves the original noise magnitude but controls the sign via the watermark. During detection, the watermark is recovered using inverse shuffling and mean-pooling voting.
   • Design Motivation: Sign control does not alter the statistical distribution of the noise (remaining standard Gaussian), thereby preserving generation quality. Upsampling followed by shuffling ensures the independence and reversibility of each dimension.

2. Frequency-Domain Watermark Injection:

   • Function: Embeds an additional zero-bit frequency-domain watermark into the spatially watermarked noise to increase detection redundancy.
   • Mechanism: Conducting a Fourier transform on the spatially watermarked noise \(z_T^s\) yields frequency features \(\hat{z}_T^s\). A predefined circular ring mask \(M\) is then used to replace low-frequency regions with a preset frequency watermark pattern \(\omega^f\): \(z_T^{s,f} = \mathcal{F}^{-1}(\hat{z}_T^s \cdot (1-M) + \omega^f \cdot M)\). A small-radius ring alters only a minor subset of frequency components, and the Parseval theorem guarantees that the spatial-domain signal \(s\) remains largely unchanged.
   • Design Motivation: Frequency-domain watermarks possess inherent robustness against rotation/scaling (due to translation invariance in the Fourier domain), complementing the spatial-domain watermark. The zero-bit design minimizes interference with the spatial signal.

3. Gaussian Noise Restorer (GNR):

   • Function: Restores the noise estimated via DDIM inversion after rotation/cropping attacks, recovering the watermark signal.
   • Mechanism: The core observation is that operations at the image level during DDIM inversion can be mapped to approximately equivalent operations in the noise space, i.e., \(\text{Inversion}(\mathcal{T}(x^{s,f})) \approx \mathcal{T}(z_T^{s,f})\). Therefore, GNR can be trained by simulating attacks purely on noise, bypassing the need for image generation and inversion. The optimization objective simplifies to \(\min_{\text{GNR}} \|{\text{GNR}}(\mathcal{T}(s_T^{s,f})) - s_T^{s,f}\|^2\), operating on the signal map. In practice, training employs Binary Cross-Entropy (BCE) loss instead of MSE (as the target is binary) and incorporates negative samples to prevent overfitting to a fixed output.
   • Design Motivation: Direct training in the noise space avoids the massive computational cost of LDM forward/backward propagation. Furthermore, the restorer network is agnostic to specific diffusion models—training on SD1.4 can be directly applied to SD2.0 detection.

Loss & Training

The detection phase fuses the scores from both domains. The spatial-domain score is \(r_s = -\|\tilde{\omega} - \omega\|^2\) (watermark bit error), and the frequency-domain score is \(r_f = -\|(\hat{\tilde{z}}_T - \omega^f) \cdot M\|^2\) (frequency pattern matching error). GNR is applied to the inverted noise prior to score extraction, and the final decision is made by fusing the p-values from both domains. GNR training takes around 1 hour and is independent of the LDM.

Key Experimental Results

Main Results (TPR@1%FPR / Bit Accuracy, SD V2.1)

Method	Clean	Rotate	JPEG	Crop&Scale	Blur	Avg
Gaussian Shading	1.000/1.000	0.018/0.512	0.999/0.986	0.081/0.540	1.000/0.999	0.788/0.874
Tree-Ring	1.000/-	0.548/-	0.998/-	0.048/-	1.000/-	0.823/-
RingID	1.000/-	1.000/-	1.000/-	0.078/-	1.000/-	0.883/-
PRC	1.000/1.000	0.010/0.500	0.926/0.962	0.020/0.501	0.993/0.996	0.638/0.816
GaussMarker	1.000/1.000	0.997/0.998	0.996/0.997	1.000/1.000	1.000/1.000	0.997/0.990

Across SD Versions (Average TPR@1%FPR / Bit Accuracy)

SD Version	Gaussian Shading	Tree-Ring	GaussMarker
SD V1.4	0.796/0.874	0.828/-	0.997/0.990
SD V2.0	0.796/0.874	0.822/-	0.998/0.991
SD V2.1	0.788/0.874	0.823/-	0.997/0.990

Key Findings

• The performance gap under rotation attacks is astonishing: Gaussian Shading obtains a TPR@1%FPR of only 0.018, whereas GaussMarker achieves 0.997—going from virtually unusable to nearly perfect.
• Crop&Scale is likewise a lethal attack for other methods (TPR 0.02~0.08), whereas GaussMarker maintains 1.000—where the noise restoration of GNR is key.
• Consistency across all three SD versions demonstrates the reliability of GNR's model-agnostic design.
• Achieving high TPR while maintaining low FPR (<1%) aligns well with practical deployment requirements.

Highlights & Insights

• Migration of Dual-Domain Watermarking from Traditional Theories to Diffusion Models: The spatial domain provides multi-bit capacity, and the frequency domain provides rotation robustness, complementing each other. This perspective of migrating classical theories to novel applications is highly valuable.
• Model-Agnostic Design of GNR: By exploiting the approximate equivariance of DDIM inversion, the restorer network is trained on pure noise, entirely bypassing the dependency on any specific LDM. Training only requires sampling Gaussian noise and simulating attacks, making it highly efficient.
• Minimal Interference Design of Zero-Bit Frequency Watermark: The small-radius ring mask ensures minimal perturbation to the spatial signal, with theoretical guarantees provided by the Parseval theorem.

Limitations & Future Work

• GNR requires training an additional restoration network, increasing deployment complexity.
• Robustness against extreme combined attacks (simultaneous rotation, cropping, and compression) has not been verified.
• The frequency-domain watermark is zero-bit (only detecting presence/absence), and analysis on the upper bound of multi-bit capacity is missing.
• Generalizability to non-SD architectures (next-generation diffusion models like DiT, Flux, etc.) remains to be tested.

Related Work & Insights

• vs Gaussian Shading: GS embeds watermarks only in the spatial domain, causing TPR under rotation to drop from 1.0 to 0.018. GaussMarker, with its dual-domain scheme + GNR, maintains 0.997, yielding a 55x improvement in robustness.
• vs Tree-Ring: Tree-Ring utilizes concentric ring patterns in the frequency domain, showing some robustness to rotation (TPR 0.548) but falling far short. GaussMarker's GNR further restores noise degradation.
• vs Stable Signature: This requires modifying the decoder weights, which is a tuning-based method. GaussMarker is entirely tuning-free and plug-and-play.
• Insights: The noise restoration concept of GNR can be extended to scenarios requiring pattern recovery from degraded signals, such as audio watermarking and 3D model watermarking.

Rating

• Novelty: ⭐⭐⭐⭐⭐ First dual-domain diffusion model watermarking + model-agnostic GNR restoration scheme.
• Experimental Thoroughness: ⭐⭐⭐⭐⭐ 8 types of distortion + 4 advanced attacks + 3 SD versions, compared against 7 methods.
• Writing Quality: ⭐⭐⭐⭐ Clear framework with intuitive diagrams of injection/detection pipelines.
• Value: ⭐⭐⭐⭐⭐ Resolves the biggest pain point of diffusion model watermarking (rotation/cropping robustness), offering high practical deployment value.

Related Papers

• [CVPR 2025] SleeperMark: Towards Robust Watermark against Fine-Tuning Text-to-Image Diffusion Models
• [ICML 2025] Morse: Dual-Sampling for Lossless Acceleration of Diffusion Models
• [NeurIPS 2025] T2SMark: Balancing Robustness and Diversity in Noise-as-Watermark for Diffusion Models
• [ICML 2025] Angle Domain Guidance: Latent Diffusion Requires Rotation Rather Than Extrapolation
• [ICCV 2025] Dual Recursive Feedback on Generation and Appearance Latents for Pose-Robust Text-to-Image Diffusion