Proof of Ownership Verification
- Proof of Ownership is a framework that authenticates legitimate claims on digital objects using protocols such as watermarking, time-stamping, and digital signatures.
- It leverages cryptographic primitives and statistical tests to ensure unforgeability, robustness, and privacy under adversarial models.
- Applications span IoT, neural networks, and digital tokens, with implementations including black-box proofs, decentralized ledgers, and commitment-based schemes.
Proof of ownership denotes a protocol, credential, or statistical test by which a claimant convinces a verifier, challenger, or judge that a disputed object is legitimately tied to that claimant. In the literature, the object of proof ranges from RFID tags and consumer IoT devices to neural-network parameters, training traces, digital tokens, and AI-generated images. The recurring design goals are completeness, soundness or unforgeability, robustness against removal and ambiguity attacks, and, in many settings, public verifiability and privacy preservation. Recent work also separates ordinary ownership claims from stronger origin claims: for latent diffusion models, a seed-bound construction is described as “proof-of-authorship” because only the true generator can legitimately claim the object, whereas time-stamping and watermarking remain proofs of ownership in which being “first” may suffice (Lee et al., 18 Mar 2026). Formal treatments of model ownership similarly cast the problem as an owner–thief–judge game and ask when unremovable ownership proofs exist at all (Canetti et al., 29 Jun 2026).
1. Formal problem statements
Across domains, proof of ownership is usually formalized as an adversarial game. In black-box machine-learning proofs of ownership, the owner applies a marking algorithm to obtain a transformed model and a witness, the thief receives black-box access to the transformed model, and the judge receives only the public parameters, the witness, and oracle access to a suspect model. Security is defined by unremovability: the thief should not be able to output a model that remains similar to the marked model while causing the judge’s tester to reject, except with negligible probability (Canetti et al., 29 Jun 2026).
In RFID, the closely related notion is proof of possession. The system is modeled as
and the adversary is a PPT algorithm with adaptive access to Send, Corrupt, and one TestPoP query. The PoP security goal requires
to be negligible for any PPT adversary, under the additional expectations that Auth satisfies completeness, mutual authentication, and untraceability (Cai et al., 2022).
Protocol-oriented work on deep neural networks introduces a further institutional layer. In decentralized ownership verification, the principal parties are the owner, a verification community, and an adversary or challenger. The owner first watermarks a clean model locally, then registers a time-stamped commitment
through a consensus protocol, and later reveals
when a suspect model must be tested. The protocol explicitly addresses replay, redeclaration, and “spoil attack” scenarios, and introduces watermark capacity and watermark independence as protocol-level metrics rather than embedding-level properties alone (Li et al., 2021).
These formulations show that proof of ownership is not a single primitive. It can be a property of a signed credential, a watermark witness, a training transcript, or a public statistical decision rule. The shared structure is a separation between honest provenance and forgery under a specified threat model.
2. Cryptographic and statistical substrates
The mechanisms used to realize proof of ownership vary widely, but they are usually built from a small set of recurring cryptographic or statistical components.
| Mechanism | Representative use | Source |
|---|---|---|
| PRF-bound randomness | Seed binding with or | (Lee et al., 18 Mar 2026, Cai et al., 2022) |
| Hash watermark + signatures | plus Sign/Verify |
(Yang et al., 2023) |
| zkSNARK relation | Prove without revealing watermark keys | (Sheybani et al., 2023) |
| Vector commitments | Commitment, opening, aggregation, and update with worker-bound proofs | (Xie et al., 2024) |
| Chameleon or irreversible hash | Trapdoor collisions or SHA-512-derived signatures for passports | (Xu et al., 30 May 2025, Cui et al., 2024) |
| Verifiable credentials | DID-based credentials, revocation, and DIDComm exchange | (Sakib et al., 2024) |
PRFs and hashes are frequently used to bind a public identity to a hidden or derived value while preserving pseudorandomness. Signatures provide non-repudiation and public auditability. In some constructions, these mechanisms are sufficient by themselves: RFID PoP uses a hash, a PRF, and EU-CMA signatures to produce a credential
after successful mutual authentication (Cai et al., 2022). In others, they are paired with watermark extraction or model behavior. FedSOV compresses all clients’ public keys into a fixed-length hash watermark and then requires the claimant to produce a valid digital signature under the corresponding private key, thereby ruling out ambiguity attacks under standard assumptions (Yang et al., 2023).
A second family replaces explicit credentials with succinct proofs of knowledge. ZKROWNN compiles watermark extraction into a Groth16 circuit and proves, non-interactively, that querying the suspect model on a secret trigger set yields an extracted watermark with bit-error rate at most . The setup is one-time for a fixed circuit; the resulting proof size is 127 bytes, with verifier time 29.4 ms for the MLP circuit and 1 ms for the CNN circuit (Sheybani et al., 2023).
A third family relies on statistical adjudication rather than direct knowledge proofs. In diffusion-based authorship claims, the verifier computes a similarity statistic and then estimates a tail probability under the null hypothesis of random latent draws. The proof object is therefore not merely a secret string or credential; it is an evidentiary score with a confidence interval and an explicit false-claim probability (Lee et al., 18 Mar 2026).
3. Generated objects, authorship, and digital provenance
For latent diffusion models, proof of ownership is reformulated as proof of authorship. The central idea is that the author controls the LDM seed and can bind that seed to identity via a cryptographic pseudorandom function. Given generation parameters
0
the author computes
1
The public release is 2. During a dispute, the probabilistic adjudicator recomputes the latent, encodes both the regenerated image and the contested image, and evaluates
3
It then estimates
4
by Monte Carlo. Under Assumption A2, Theorem 4.1 gives additive error 5 with confidence 6 using
7
samples, and authorship is accepted when the upper confidence bound falls below a threshold such as 8 (Lee et al., 18 Mar 2026).
This framework is notable for two reasons. First, it explicitly distinguishes proof-of-authorship from time-stamping and watermarking: only the generator who controlled the seed can mount the successful claim. Second, the framework “does not involve any secret”; the binding is public, the pseudorandomness is public-keyed by the author’s public identifier, and security rests on PRF indistinguishability plus the adjudicator’s statistical test (Lee et al., 18 Mar 2026). The same paper analyzes random forgers, malicious forgers, malicious model providers, colluding adjudicators, 9 perturbations, and mild affine transforms, and states that no PPT adversary can forge or remove the linkage with more than negligible probability.
A very different lineage appears in distributed-ledger ownership of digital property. In NFT-style systems, a transaction is a tuple
0
the ledger is a time-ordered list
1
and the current owner of token 2 is the o_new field in the suffix-most transaction involving 3. Verification consists of finding the latest transaction for the token, checking the signature and hash linkage, and reading the new-owner field (Trujillo, 2022). Hyperownership preserves this proof primitive and instead augments it with temporal bipartite graphs and hypertext traversal. This suggests two broad models of provenance: source-bound proof, in which the origin process itself yields the evidence, and ledger-bound proof, in which ordered transfer records constitute the evidence.
4. Neural-network ownership verification
Neural-network ownership verification has produced several distinct families of schemes. A classical watermarking line uses triggers and extraction tests. In knowledge-free black-box watermarking for image classification, a generator obtained from data-free distillation produces “anchors” that stabilize performance during trigger injection. The owner’s identity key is expanded into a one-way sequence of binary codes, each code is mapped to a trigger image and a pseudorandom label, and verification reveals a contiguous block of codes and applies four checks: trigger consistency, label consistency, model response consistency, and one-way linkage. If acc rows pass, the protocol computes
4
and accepts when
5
The reported theorems establish accuracy, unambiguity, and identity preservation (Li et al., 2022).
Federated learning adds a multi-owner dimension. FedSOV compresses all clients’ public keys into a fixed-length hash watermark
6
and embeds it by regularizing the batch-norm scale parameters:
7
Verification first extracts the watermark and checks its similarity against a security boundary, then challenges a claimant to sign a fresh message with the client’s private key. Theoretical security is tied to q-SDH unforgeability of the signature and near-collision resistance of the hash. Reported results include fidelity drop 8 versus FedAvg, watermark detection rate 9 for 0 up to 200 clients, 1 for 2 even after fine-tuning or 80% pruning, signing 3 ms, and verification 4 ms (Yang et al., 2023).
Privacy-preserving verification is the focus of ZKROWNN. There, a proof of ownership is a non-interactive zero-knowledge proof that a suspect model, queried on a secret trigger set, yields an extracted watermark with
5
The prover runs Prove(PK,x,w) for public statement 6 and witness 7, and the verifier runs Verify(VK,x,\pi). Because the circuit is fixed for a given model, the trusted setup is one-time; subsequent proofs are public, non-interactive, and constant-size at 127 B (Sheybani et al., 2023).
Other schemes avoid watermark exposure by using model behavior itself. In the gray-box ownership framework based on white-box adversarial attacks, the owner uses white-box access to the original model to generate an adversarial example 8 whose output probability for a chosen target class is driven toward a designated value while preserving the original top-1 class. Verification measures
9
On 100 random ImageNet validation images, with ResNet50-v1 as the owner’s model and ResNet50-v1, ResNet50-v2, and VGG variants as suspects, the reported outcomes are 0, 1, and average 2 (2505.17579).
Passport-based schemes bind ownership to affine parameters in normalization layers. “Steganographic Passport” hides a user identity image into an owner-side passport via an invertible steganographic network,
3
and uses an irreversible, collision-resistant hash function to derive a model signature from the owner passport. Ownership verification combines integrity, fidelity, and sign-agreement tests; the reported tables show zero AD in integrity and resilience under pruning, fine-tuning, and Expanded Residual Block ambiguity attacks (Cui et al., 2024). CHIP replaces the irreversible hash with a discrete-log-based chameleon hash
4
derives owner and user passports plus licensee certificates through trapdoor collisions, and verifies ownership through four tests 5, 6, 7, and 8. On AlexNet and ResNet-18 over CIFAR-10, CIFAR-100, Caltech-101, and Caltech-256, passport-free and passport-aware accuracies are reported to remain within 0.1–0.3% of clean baselines, while training time increases by 9 for AlexNet and 0 for ResNet-18 (Xu et al., 30 May 2025).
5. Training traces, distributed computation, and work-based proof
A separate line treats ownership as evidence of computational effort rather than of an embedded watermark. Proof-of-Learning defines a scheme
1
in which the prover stores checkpointed model states, batch indices, and data-signature hashes during SGD. Verification decrypts the proof, checks the initialization, identifies the largest inter-checkpoint jumps, and re-executes selected updates. The formal intuition is entropy accumulation in stochastic optimization: for SGD with additive noise,
2
Theorem 1 states linear entropy growth in forward SGD, Theorem 2 states that reverse entropy is at least forward entropy, and the corollary states that any adversary must perform at least 3 work to forge a valid transcript. With 4, verification is reported to be less than 10% of original training time (Jia et al., 2021).
Proof-of-Training refines this idea by asking what distinguishes honest training records from forged ones. The record is a quadruple
5
with trajectory updates
6
The key claim is a universal distinction criterion: honest records encode enough information about the underlying data distribution that trajectory matching can recover higher-fidelity synthetic data from them than from forged records. The paper models four attacks, proves a mutual-information separation
7
and evaluates a verifier that synthesizes data from candidate records and scores it by retraining accuracy. The discrimination degree is
8
with success iff 9. Reported experiments show zero false accepts, zero false rejects, and end-to-end verification time of 0 min on a single GPU for SDS=500 (Chang et al., 2024).
PoLO unifies proof-of-learning and proof-of-ownership through chained watermarking. Training is partitioned into shards, each shard embeds a watermark generated from the hash of the preceding shard, the full chain serves as PoL, and the final watermark serves as PoO. The reported evaluation gives 99% watermark detection accuracy for ownership verification, verification cost at 1.5–10% of traditional methods, forging cost at 1.1–4× honest proof generation, and original proofs retaining over 90% detection accuracy even after attacks (Deng et al., 18 May 2025).
Distributed training introduces commitment-oriented variants. Binary Linear Tree Commitment–based ownership protection commits to a weight vector
1
supports coordinate openings with proof size 2, supports updates in 3, and aggregates many openings via inner-product arguments. Proofs are watermarked by worker identity keys so that stolen proofs cannot be replayed by another worker. For 4, the reported benchmarks include 0.44 s total for 1024 commitment updates, 0.94 s total for updating all proofs, and aggregation times that grow linearly with the number of opened positions (Xie et al., 2024).
6. Decentralization, transfer, and fundamental limits
Operational deployments often require public verifiability, transferability, and revocation. In decentralized DNN ownership verification, the verification community stores time-stamped hashes of the owner’s watermark key and verification algorithm, then later re-executes verification collectively through a consensus protocol. This design is intended to prevent redeclaration and to avoid reliance on a single trusted notary, while introducing “spoil-attack resistance” as an explicit system-level goal (Li et al., 2021).
For consumer IoT devices, ownership proof is carried by self-sovereign identity infrastructure rather than by watermark extraction. The main entities are the manufacturer, distributor, buyers and sellers, a mediator, and a ledger. The manufacturer issues a ProofOfOwnership verifiable credential to the first buyer, later revokes it on-chain during transfer, and issues a new credential to the next buyer after DIDComm-based challenge/response. The credential contains the issuer DID, tracking ID, owner DID, status, and an Ed25519Signature2018 proof; the ledger stores DIDs, schema and credential definitions, and revocation registry entries. In the ProVerif analysis, secrecy and authenticity queries all returned “RESULT is true” (Sakib et al., 2024).
The strongest general limitation comes from the formal theory of black-box model ownership. Under correlation-intractable hash families for poly-time evasive relations, a family of binary classifiers admits an unremovable black-box proof of ownership if and only if it does not admit a correctable canonicalization, or equivalently is not self-correctable (Canetti et al., 29 Jun 2026). The constructive direction marks a classifier on pseudorandomly chosen inputs and tests whether the suspect model reproduces the hidden labels often enough; the impossibility direction shows that a self-corrector would strip the watermark while preserving functionality. This result does not say that all practical ownership schemes fail; rather, it isolates a precise boundary for one black-box notion of proof.
A recurring misconception is that any watermark automatically yields a decisive ownership claim. The surveyed literature is more restrictive. Ambiguity attacks, trigger exposure, watermark overwriting, fine-tuning, pruning, public verification leakage, and malicious infrastructure all require separate treatment. Some schemes answer with signatures, some with zero knowledge, some with statistical tail bounds, some with public ledgers and revocation, and some with work-based transcripts. The modern literature therefore treats proof of ownership not as a single algorithmic trick but as a family of evidentiary systems whose validity depends on the adversarial model, the object being claimed, and the precise meaning of “ownership” in that domain.