Papers
Topics
Authors
Recent
Search
2000 character limit reached

Proofs of Ownership for Machine Learning Models

Published 29 Jun 2026 in cs.LG and cs.CR | (2606.30423v1)

Abstract: With the increasing adoption of Machine Learning, protecting model ownership has become an essential challenge. We initiate a formal study of Proof of Ownership for machine learning models: under what conditions can one prove that a stolen model originated from a particular creator? We model proofs of ownership as a game among three parties: a model owner, a thief, and a judge. The owner transforms the original model into a slightly perturbed model together with a proof of ownership. The thief then obtains the transformed model and attempts to minimally modify it so that it remains useful but escapes detection as owned by the model owner. Finally, the judge receives a model and a proof of ownership, and must decide whether the given model is a modified version of some model created by the model owner, or else the given model was developed independently. Our main result is a dichotomy for classifiers in the black-box setting: Under standard cryptographic assumptions, ownership of models for some concept class can be proven in the above sense {\em if and only if} the concept class is not self-correctable, in a sense close to that of Blum, Luby and Rubinfeld, STOC'90. The result is constructive and extends, with some variations, to a number of related settings.

Summary

  • The paper introduces a formal game-based model for watermarking ML models under adversarial manipulations.
  • It establishes that persistent proofs exist if and only if the model class is not self-correctable, unifying watermarking with backdoor defenses.
  • Cryptographic techniques, including PRG-based sparse marking, ensure ownership evidence remains intact with minimal degradation.

Formal Dichotomy for Proofs of Ownership in Machine Learning

Problem Statement and Framework

"Proofs of Ownership for Machine Learning Models" (2606.30423) addresses whether it is possible to embed cryptographically robust, unremovable ownership proofs within ML models, particularly under adversarial conditions where models may be leaked, stolen, or intentionally altered to erase provenance. The authors introduce a formal, game-based security model involving three roles: model owner, thief (adversary), and a judge. The owner uses a marking algorithm to minimally perturb a model—embedding a watermark or cryptographic proof—producing a marked model and a witness of ownership. The thief is given access to the marked model and attempts to modify it such that its functionality remains intact while erasing the owner’s proof. The judge, given a suspect model and a purported ownership witness, determines whether the model descends from the owner’s original or was independently created.

The model enforces three security properties:

  • Similarity: The marked model must retain the predictive quality of the original.
  • Soundness: It must be computationally infeasible to falsely claim ownership of a model not deriving from the owner.
  • Unremovability: Any adversarial modification that erases ownership evidence must also degrade the model’s utility.

Self-Correctability as a Structural Barrier

The core result is a dichotomy theorem: in the black-box setting, persistent, unremovable proofs of ownership for a given concept class exist if and only if the underlying class is not (close to being) self-correctable in the sense of Blum, Luby, and Rubinfeld. In precise terms, for any class M\mathcal{M} of models, secure proofs of ownership are feasible if and only if there does not exist a polynomial-time algorithm (self-corrector) which, given oracle access to a noisy/corrupted version of a function, efficiently reconstructs a canonical representative of the original.

This extends known folklore barriers: for algebraically self-reducible classes (e.g., low-degree polynomials), any embedded watermark can be stripped by reconstructive attacks (e.g., model extraction, knowledge distillation, or backdoor removal), as these tasks instantiate the self-correction process. The characterization is constructive—a successful attacker that defeats unremovability automatically induces a self-corrector algorithm for the class, and vice versa.

Universal Construction and Cryptographic Techniques

The authors provide an explicit, cryptographically robust marking and judging protocol. Under standard hardness assumptions (correlation-intractable function families), their marking algorithm embeds a sparse watermark at polynomially many pseudorandomly selected input points. The locations and responses at these points are determined using cryptographically generated seeds and hashes, ensuring unpredictability and resistance to removal by adversaries with only black-box access.

Key technical ingredients include:

  • Pseudo-random generator (PRG)-based sparse marking for functional embedding of the watermark.
  • Public parameters sampled from a correlation-intractable hash family.
  • Testing (verification) based solely on black-box queries, guaranteeing that only functionality (not implementation details) is relevant for proof of ownership.
  • Security reductions mapping any adversarial removal strategy to a constructive self-correction for the class.

The construction ensures that the only way to remove the embedded ownership evidence without significant accuracy degradation is to reconstruct the underlying function de novo, which is infeasible except for self-correctable classes.

Extensions and Implications

The dichotomy is robust under natural relaxations:

  • It extends directly to multi-class classifiers by reduction to the binary case.
  • If the thief is allowed to introduce a constant-fraction (ε\varepsilon) error, the only way to erase the watermark is to construct a self-corrector that is accurate up to O(ε)O(\varepsilon) on the domain.

The practical implication is that for a vast class of ML tasks (those not close to self-correctable functions), cryptographically-robust, functionality-level proof-of-ownership mechanisms are possible in the deployment setting where only black-box access is available to adversaries. Conversely, for “simple” or algebraically structured functions, watermarking can always be circumvented by generic extraction-like strategies.

The theoretical implications are notable:

  • The result unifies disparate empirical and cryptographic literature on watermarking, backdoor planting, and defense-by-mitigation under a single complexity-theoretic principle.
  • It exposes self-correctability as the only obstruction to persistent, functionally robust watermarking in the black-box regime, abstracting away details of training algorithms, architectures, or watermarking heuristics.

Open Problems and Future Directions

The paper identifies several critical future directions:

  • White-Box Adversaries: If attackers have access to model weights, self-correction may not be the relevant barrier, and obfuscation must be considered.
  • Generative Models: Extending the dichotomy to generative tasks (where similarity is less clear-cut and pointwise equality is not natural) remains open.
  • Model Owner's Noise Budget: Allowing model owners to introduce more than computationally negligible distortions in exchange for security may yield a richer taxonomy of possible mechanisms and barriers.

Conclusion

"Proofs of Ownership for Machine Learning Models" gives a formal, complexity-theoretic foundation for model watermarking and ownership verification, establishing that self-correctability is the unique, structural boundary governing the feasibility of persistent functional model watermarking in the black-box regime. The work leverages cryptographic primitives to design optimal ownership proofs, and precisely characterizes when watermark removal is and is not possible. Future exploration will need to address white-box attacks, output-based watermarking for generative models, and broader classes where similarity is not pointwise.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 2 tweets with 11 likes about this paper.