NoisePrints: Distortion-Free Watermarks for Authorship in Private Diffusion Models (2510.13793v1)

Abstract: With the rapid adoption of diffusion models for visual content generation, proving authorship and protecting copyright have become critical. This challenge is particularly important when model owners keep their models private and may be unwilling or unable to handle authorship issues, making third-party verification essential. A natural solution is to embed watermarks for later verification. However, existing methods require access to model weights and rely on computationally heavy procedures, rendering them impractical and non-scalable. To address these challenges, we propose , a lightweight watermarking scheme that utilizes the random seed used to initialize the diffusion process as a proof of authorship without modifying the generation process. Our key observation is that the initial noise derived from a seed is highly correlated with the generated visual content. By incorporating a hash function into the noise sampling process, we further ensure that recovering a valid seed from the content is infeasible. We also show that sampling an alternative seed that passes verification is infeasible, and demonstrate the robustness of our method under various manipulations. Finally, we show how to use cryptographic zero-knowledge proofs to prove ownership without revealing the seed. By keeping the seed secret, we increase the difficulty of watermark removal. In our experiments, we validate NoisePrints on multiple state-of-the-art diffusion models for images and videos, demonstrating efficient verification using only the seed and output, without requiring access to model weights.

• The paper presents a novel watermarking method that leverages persistent noise correlation in diffusion models to embed watermarks without altering the generated image distribution.
• It details a secure, model-agnostic verification process that uses cosine similarity between latent representations and hashed seeded noise for robust authorship verification.
• Experiments demonstrate high robustness and efficiency, achieving near-perfect true positive rates and a 14×–213× speedup over inversion-based methods under various attack scenarios.

NoisePrints: Distortion-Free Watermarks for Authorship in Private Diffusion Models

Motivation and Problem Setting

The proliferation of diffusion-based generative models for visual content has intensified the need for robust, scalable, and model-agnostic authorship verification. Existing watermarking approaches for generative models typically require access to model weights, modify the generation process, or rely on computationally expensive inversion procedures. These requirements are impractical in scenarios where models are proprietary, privately fine-tuned, or only accessible via restricted APIs. The NoisePrints framework addresses these limitations by introducing a distortion-free, lightweight watermarking scheme that leverages the inherent correlation between the initial noise seed and the generated content in diffusion and flow models.

Figure 1: NoisePrints introduces no intervention in the generation process and therefore does not alter the distribution of generated images. For verification, the noise derived from the seed is compared with the given image, in contrast to inversion-based approaches.

Methodology

Seed-Based Watermarking via Noise Correlation

NoisePrints exploits the observation that the initial Gaussian noise vector, deterministically derived from a cryptographically hashed seed, leaves a persistent and strong imprint on the generated latent representation. The method operates as follows:

1. Generation: The content creator records the seed $s$ used to initialize the PRNG for the diffusion process. The PRNG is seeded with $h(s)$, where $h$ is a cryptographically secure hash function, ensuring pre-image and collision resistance.
2. Verification: To verify authorship, the creator provides $(x, s)$, where $x$ is the generated content. The verifier, using only public primitives (the VAE encoder $E$, PRNG specification, and $h$), computes the cosine similarity between $E(x)$ and the noise vector $\varepsilon(h(s))$:

$$\phi(x, s) = \frac{\langle E(x),\, \varepsilon(h(s))\rangle}{\|E(x)\|_2 \|\varepsilon(h(s))\|_2}$$

The claim is accepted if $\phi(x, s) \geq \tau$, where $\tau$ is a threshold calibrated for a negligible false positive rate (e.g., $2^{-128}$).

This approach is model-agnostic, requires no access to the generative model, and does not alter the output distribution, making it distortion-free.

Security and Threat Model

The adversary is assumed to have access to the generated content $x$ and all public primitives but not the model weights or the true seed $s$. The adversary may attempt:

• Watermark Removal: Modify $x$ to reduce correlation with $s$ below $\tau$.
• Watermark Injection: Produce $(\tilde{x}, s')$ such that $\tilde{x}$ is visually similar to $x$ and $(\tilde{x}, s')$ passes verification.

The probability of randomly guessing a seed that yields a high correlation with a given $x$ is exponentially small in the latent dimension $d$, due to the concentration of measure on the sphere:

$$\Pr[\phi \geq \tau] \leq \exp\left(-\frac{(d-1)}{2}\tau^2\right)$$

For typical $d$ (e.g., $10^4$–$10^6$), this probability is negligible.

Dispute Protocol and Geometric Robustness

To address geometric transformations and injection-only attacks, a dispute protocol is introduced. Each claimant submits $(x_i, s_i, g_i)$, where $g_i$ is a transformation. The protocol verifies both self and cross-correlation after alignment, ensuring that only the rightful owner can consistently pass both checks.

Figure 2: Estimation and alignment of geometric attacks. The green mask indicates the region used for cosine similarity after realignment.

Zero-Knowledge Proofs for Privacy-Preserving Verification

NoisePrints supports zero-knowledge proofs (ZKPs) to allow authorship claims without revealing the seed. The ZKP circuit proves that the cosine similarity between the noise derived from the private seed and the public image exceeds $\tau$, without leaking the seed. The implementation leverages fixed-point arithmetic and circuit partitioning to handle high-dimensional vectors efficiently, with proof generation and verification times on the order of milliseconds and proof sizes under 1 KB.

Experimental Evaluation

Reliability

NoisePrints was evaluated on multiple state-of-the-art diffusion and flow models, including SD2.0, SDXL, Flux, and Wan (video). For all models, the mean NoisePrint score for genuine $(x, s)$ pairs exceeded the threshold by a large margin, yielding a true positive rate (TPR) of 0.99–1.0 at a false positive rate (FPR) of $2^{-128}$.

Robustness to Attacks

NoisePrints was benchmarked against prior watermarking methods (WIND, Gaussian Shading, PRC) under a comprehensive suite of attacks:

• Basic Image Processing: Brightness, contrast, blur, noise, compression, and resizing.
• Diffusion-Based Regeneration: SDEdit-style attacks using different models.
• Inversion-Based Adversarial Attacks: DDIM inversion followed by optimization to decorrelate from the original noise.
• Geometric Transformations: Rotation and cropping, with realignment.

Figure 3: Robustness of different methods against common post-processing attacks: brightness changes, Gaussian blur, and Gaussian noise at varying severity.

Figure 4: Robustness of different methods against regeneration and inversion attacks (using a different model).

Across all attack types, NoisePrints matched or outperformed baselines, especially under realistic, perceptual-preserving manipulations. For severe degradations, all methods eventually fail, but NoisePrints maintains high TPR for all practical levels of corruption. Notably, the method is highly robust to SDEdit-style regeneration and geometric attacks when realignment is applied.

Efficiency

Verification with NoisePrints is orders of magnitude faster than inversion-based baselines. For example, on SD2.0, verification takes $\sim$0.18 ms (excluding VAE encode), compared to 3.2 s for inversion-based methods—a $14\times$–$213\times$ speedup depending on the model and data dimensionality.

Limitations and Implications

NoisePrints requires access to the model’s VAE, which may not always be public. The method is not suitable for real/fake detection, as adversarial patterns could be injected into real images to mimic the required correlation. Verification assumes a restricted set of geometric transformations; more complex manipulations may require further protocol extensions.

Practically, NoisePrints enables scalable, model-agnostic authorship verification for private or API-only diffusion models, empowering independent creators and small organizations. The approach is compatible with existing two-stage watermarking pipelines and can serve as a fast pre-filter to reduce reliance on expensive inversion.

Theoretically, the work highlights the persistent correlation between initial noise and generated content in high-dimensional generative models, with connections to optimal transport and the geometry of latent spaces. The cryptographic security analysis ensures that accidental or adversarial collisions are infeasible under standard computational assumptions.

Future Directions

Potential extensions include:

• Adapting correlation-based watermarking for real/fake detection in open-world settings, possibly by analyzing spatial correlation patterns.
• Enhancing robustness to a broader class of geometric and generative manipulations.
• Integrating with federated or distributed content provenance systems using ZKPs for privacy-preserving verification at scale.

Conclusion

NoisePrints establishes a practical, distortion-free, and efficient framework for authorship verification in private diffusion models. By leveraging the intrinsic correlation between the initial noise seed and the generated content, it obviates the need for model access or process modification, while providing strong empirical robustness and cryptographic security guarantees. The method is well-suited for deployment in real-world generative media ecosystems, particularly where model access is restricted and scalable verification is essential.