Papers
Topics
Authors
Recent
Search
2000 character limit reached

Proof of Ownership Verification

Updated 4 July 2026
  • Proof of Ownership is a framework that authenticates legitimate claims on digital objects using protocols such as watermarking, time-stamping, and digital signatures.
  • It leverages cryptographic primitives and statistical tests to ensure unforgeability, robustness, and privacy under adversarial models.
  • Applications span IoT, neural networks, and digital tokens, with implementations including black-box proofs, decentralized ledgers, and commitment-based schemes.

Proof of ownership denotes a protocol, credential, or statistical test by which a claimant convinces a verifier, challenger, or judge that a disputed object is legitimately tied to that claimant. In the literature, the object of proof ranges from RFID tags and consumer IoT devices to neural-network parameters, training traces, digital tokens, and AI-generated images. The recurring design goals are completeness, soundness or unforgeability, robustness against removal and ambiguity attacks, and, in many settings, public verifiability and privacy preservation. Recent work also separates ordinary ownership claims from stronger origin claims: for latent diffusion models, a seed-bound construction is described as “proof-of-authorship” because only the true generator can legitimately claim the object, whereas time-stamping and watermarking remain proofs of ownership in which being “first” may suffice (Lee et al., 18 Mar 2026). Formal treatments of model ownership similarly cast the problem as an owner–thief–judge game and ask when unremovable ownership proofs exist at all (Canetti et al., 29 Jun 2026).

1. Formal problem statements

Across domains, proof of ownership is usually formalized as an adversarial game. In black-box machine-learning proofs of ownership, the owner applies a marking algorithm to obtain a transformed model and a witness, the thief receives black-box access to the transformed model, and the judge receives only the public parameters, the witness, and oracle access to a suspect model. Security is defined by unremovability: the thief should not be able to output a model that remains similar to the marked model while causing the judge’s tester to reject, except with negligible probability (Canetti et al., 29 Jun 2026).

In RFID, the closely related notion is proof of possession. The system is modeled as

RS=(Setup,Reader,{Tagi}i,Auth,PoP),RS=(Setup, Reader, \{Tag_i\}_i, Auth, PoP),

and the adversary is a PPT algorithm with adaptive access to Send, Corrupt, and one TestPoP query. The PoP security goal requires

AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]

to be negligible for any PPT adversary, under the additional expectations that Auth satisfies completeness, mutual authentication, and untraceability (Cai et al., 2022).

Protocol-oriented work on deep neural networks introduces a further institutional layer. In decentralized ownership verification, the principal parties are the owner, a verification community, and an adversary or challenger. The owner first watermarks a clean model locally, then registers a time-stamped commitment

msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle

through a consensus protocol, and later reveals

msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle

when a suspect model must be tested. The protocol explicitly addresses replay, redeclaration, and “spoil attack” scenarios, and introduces watermark capacity and watermark independence as protocol-level metrics rather than embedding-level properties alone (Li et al., 2021).

These formulations show that proof of ownership is not a single primitive. It can be a property of a signed credential, a watermark witness, a training transcript, or a public statistical decision rule. The shared structure is a separation between honest provenance and forgery under a specified threat model.

2. Cryptographic and statistical substrates

The mechanisms used to realize proof of ownership vary widely, but they are usually built from a small set of recurring cryptographic or statistical components.

Mechanism Representative use Source
PRF-bound randomness Seed binding with s=fi(κ)s=f_i(\kappa) or t=PRFki(c)t=PRF_{k'_i}(c) (Lee et al., 18 Mar 2026, Cai et al., 2022)
Hash watermark + signatures h=H(pk1pkK)h=H(pk_1\Vert\cdots\Vert pk_K) plus Sign/Verify (Yang et al., 2023)
zkSNARK relation Prove BER(wm,wm^)θBER(wm,\hat{wm})\le \theta without revealing watermark keys (Sheybani et al., 2023)
Vector commitments Commitment, opening, aggregation, and update with worker-bound proofs (Xie et al., 2024)
Chameleon or irreversible hash Trapdoor collisions or SHA-512-derived signatures for passports (Xu et al., 30 May 2025, Cui et al., 2024)
Verifiable credentials DID-based credentials, revocation, and DIDComm exchange (Sakib et al., 2024)

PRFs and hashes are frequently used to bind a public identity to a hidden or derived value while preserving pseudorandomness. Signatures provide non-repudiation and public auditability. In some constructions, these mechanisms are sufficient by themselves: RFID PoP uses a hash, a PRF, and EU-CMA signatures to produce a credential

cred=(u,σR,t,σT)cred=(u,\sigma_R,t,\sigma_T)

after successful mutual authentication (Cai et al., 2022). In others, they are paired with watermark extraction or model behavior. FedSOV compresses all clients’ public keys into a fixed-length hash watermark and then requires the claimant to produce a valid digital signature under the corresponding private key, thereby ruling out ambiguity attacks under standard assumptions (Yang et al., 2023).

A second family replaces explicit credentials with succinct proofs of knowledge. ZKROWNN compiles watermark extraction into a Groth16 circuit and proves, non-interactively, that querying the suspect model on a secret trigger set yields an extracted watermark with bit-error rate at most θ\theta. The setup is one-time for a fixed circuit; the resulting proof size is 127 bytes, with verifier time 29.4 ms for the MLP circuit and 1 ms for the CNN circuit (Sheybani et al., 2023).

A third family relies on statistical adjudication rather than direct knowledge proofs. In diffusion-based authorship claims, the verifier computes a similarity statistic and then estimates a tail probability under the null hypothesis of random latent draws. The proof object is therefore not merely a secret string or credential; it is an evidentiary score with a confidence interval and an explicit false-claim probability (Lee et al., 18 Mar 2026).

3. Generated objects, authorship, and digital provenance

For latent diffusion models, proof of ownership is reformulated as proof of authorship. The central idea is that the author controls the LDM seed and can bind that seed to identity via a cryptographic pseudorandom function. Given generation parameters

AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]0

the author computes

AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]1

The public release is AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]2. During a dispute, the probabilistic adjudicator recomputes the latent, encodes both the regenerated image and the contested image, and evaluates

AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]3

It then estimates

AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]4

by Monte Carlo. Under Assumption A2, Theorem 4.1 gives additive error AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]5 with confidence AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]6 using

AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]7

samples, and authorship is accepted when the upper confidence bound falls below a threshold such as AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]8 (Lee et al., 18 Mar 2026).

This framework is notable for two reasons. First, it explicitly distinguishes proof-of-authorship from time-stamping and watermarking: only the generator who controlled the seed can mount the successful claim. Second, the framework “does not involve any secret”; the binding is public, the pseudorandomness is public-keyed by the author’s public identifier, and security rests on PRF indistinguishability plus the adjudicator’s statistical test (Lee et al., 18 Mar 2026). The same paper analyzes random forgers, malicious forgers, malicious model providers, colluding adjudicators, AdvAPoP(λ)=Pr[ExpAPoP(1λ)=1]Adv^{PoP}_{\mathcal A}(\lambda)=Pr[Exp^{PoP}_{\mathcal A}(1^\lambda)=1]9 perturbations, and mild affine transforms, and states that no PPT adversary can forge or remove the linkage with more than negligible probability.

A very different lineage appears in distributed-ledger ownership of digital property. In NFT-style systems, a transaction is a tuple

msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle0

the ledger is a time-ordered list

msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle1

and the current owner of token msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle2 is the o_new field in the suffix-most transaction involving msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle3. Verification consists of finding the latest transaction for the token, checking the signature and hash linkage, and reading the new-owner field (Trujillo, 2022). Hyperownership preserves this proof primitive and instead augments it with temporal bipartite graphs and hypertext traversal. This suggests two broad models of provenance: source-bound proof, in which the origin process itself yields the evidence, and ledger-bound proof, in which ordered transfer records constitute the evidence.

4. Neural-network ownership verification

Neural-network ownership verification has produced several distinct families of schemes. A classical watermarking line uses triggers and extraction tests. In knowledge-free black-box watermarking for image classification, a generator obtained from data-free distillation produces “anchors” that stabilize performance during trigger injection. The owner’s identity key is expanded into a one-way sequence of binary codes, each code is mapped to a trigger image and a pseudorandom label, and verification reveals a contiguous block of codes and applies four checks: trigger consistency, label consistency, model response consistency, and one-way linkage. If acc rows pass, the protocol computes

msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle4

and accepts when

msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle5

The reported theorems establish accuracy, unambiguity, and identity preservation (Li et al., 2022).

Federated learning adds a multi-owner dimension. FedSOV compresses all clients’ public keys into a fixed-length hash watermark

msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle6

and embeds it by regularizing the batch-norm scale parameters:

msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle7

Verification first extracts the watermark and checks its similarity against a security boundary, then challenges a claimant to sign a fresh message with the client’s private key. Theoretical security is tied to q-SDH unforgeability of the signature and near-collision resistance of the hash. Reported results include fidelity drop msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle8 versus FedAvg, watermark detection rate msg0=timeH(key)H(verify)H(info)msg_0=\langle time \,\Vert\, H(key)\,\Vert\, H(verify)\,\Vert\, H(info)\rangle9 for msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle0 up to 200 clients, msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle1 for msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle2 even after fine-tuning or 80% pruning, signing msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle3 ms, and verification msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle4 ms (Yang et al., 2023).

Privacy-preserving verification is the focus of ZKROWNN. There, a proof of ownership is a non-interactive zero-knowledge proof that a suspect model, queried on a secret trigger set, yields an extracted watermark with

msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle5

The prover runs Prove(PK,x,w) for public statement msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle6 and witness msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle7, and the verifier runs Verify(VK,x,\pi). Because the circuit is fixed for a given model, the trusted setup is one-time; subsequent proofs are public, non-interactive, and constant-size at 127 B (Sheybani et al., 2023).

Other schemes avoid watermark exposure by using model behavior itself. In the gray-box ownership framework based on white-box adversarial attacks, the owner uses white-box access to the original model to generate an adversarial example msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle8 whose output probability for a chosen target class is driven toward a designated value while preserving the original top-1 class. Verification measures

msg1=Mkeyverifymsg_1=\langle M \,\Vert\, key \,\Vert\, verify\rangle9

On 100 random ImageNet validation images, with ResNet50-v1 as the owner’s model and ResNet50-v1, ResNet50-v2, and VGG variants as suspects, the reported outcomes are s=fi(κ)s=f_i(\kappa)0, s=fi(κ)s=f_i(\kappa)1, and average s=fi(κ)s=f_i(\kappa)2 (2505.17579).

Passport-based schemes bind ownership to affine parameters in normalization layers. “Steganographic Passport” hides a user identity image into an owner-side passport via an invertible steganographic network,

s=fi(κ)s=f_i(\kappa)3

and uses an irreversible, collision-resistant hash function to derive a model signature from the owner passport. Ownership verification combines integrity, fidelity, and sign-agreement tests; the reported tables show zero AD in integrity and resilience under pruning, fine-tuning, and Expanded Residual Block ambiguity attacks (Cui et al., 2024). CHIP replaces the irreversible hash with a discrete-log-based chameleon hash

s=fi(κ)s=f_i(\kappa)4

derives owner and user passports plus licensee certificates through trapdoor collisions, and verifies ownership through four tests s=fi(κ)s=f_i(\kappa)5, s=fi(κ)s=f_i(\kappa)6, s=fi(κ)s=f_i(\kappa)7, and s=fi(κ)s=f_i(\kappa)8. On AlexNet and ResNet-18 over CIFAR-10, CIFAR-100, Caltech-101, and Caltech-256, passport-free and passport-aware accuracies are reported to remain within 0.1–0.3% of clean baselines, while training time increases by s=fi(κ)s=f_i(\kappa)9 for AlexNet and t=PRFki(c)t=PRF_{k'_i}(c)0 for ResNet-18 (Xu et al., 30 May 2025).

5. Training traces, distributed computation, and work-based proof

A separate line treats ownership as evidence of computational effort rather than of an embedded watermark. Proof-of-Learning defines a scheme

t=PRFki(c)t=PRF_{k'_i}(c)1

in which the prover stores checkpointed model states, batch indices, and data-signature hashes during SGD. Verification decrypts the proof, checks the initialization, identifies the largest inter-checkpoint jumps, and re-executes selected updates. The formal intuition is entropy accumulation in stochastic optimization: for SGD with additive noise,

t=PRFki(c)t=PRF_{k'_i}(c)2

Theorem 1 states linear entropy growth in forward SGD, Theorem 2 states that reverse entropy is at least forward entropy, and the corollary states that any adversary must perform at least t=PRFki(c)t=PRF_{k'_i}(c)3 work to forge a valid transcript. With t=PRFki(c)t=PRF_{k'_i}(c)4, verification is reported to be less than 10% of original training time (Jia et al., 2021).

Proof-of-Training refines this idea by asking what distinguishes honest training records from forged ones. The record is a quadruple

t=PRFki(c)t=PRF_{k'_i}(c)5

with trajectory updates

t=PRFki(c)t=PRF_{k'_i}(c)6

The key claim is a universal distinction criterion: honest records encode enough information about the underlying data distribution that trajectory matching can recover higher-fidelity synthetic data from them than from forged records. The paper models four attacks, proves a mutual-information separation

t=PRFki(c)t=PRF_{k'_i}(c)7

and evaluates a verifier that synthesizes data from candidate records and scores it by retraining accuracy. The discrimination degree is

t=PRFki(c)t=PRF_{k'_i}(c)8

with success iff t=PRFki(c)t=PRF_{k'_i}(c)9. Reported experiments show zero false accepts, zero false rejects, and end-to-end verification time of h=H(pk1pkK)h=H(pk_1\Vert\cdots\Vert pk_K)0 min on a single GPU for SDS=500 (Chang et al., 2024).

PoLO unifies proof-of-learning and proof-of-ownership through chained watermarking. Training is partitioned into shards, each shard embeds a watermark generated from the hash of the preceding shard, the full chain serves as PoL, and the final watermark serves as PoO. The reported evaluation gives 99% watermark detection accuracy for ownership verification, verification cost at 1.5–10% of traditional methods, forging cost at 1.1–4× honest proof generation, and original proofs retaining over 90% detection accuracy even after attacks (Deng et al., 18 May 2025).

Distributed training introduces commitment-oriented variants. Binary Linear Tree Commitment–based ownership protection commits to a weight vector

h=H(pk1pkK)h=H(pk_1\Vert\cdots\Vert pk_K)1

supports coordinate openings with proof size h=H(pk1pkK)h=H(pk_1\Vert\cdots\Vert pk_K)2, supports updates in h=H(pk1pkK)h=H(pk_1\Vert\cdots\Vert pk_K)3, and aggregates many openings via inner-product arguments. Proofs are watermarked by worker identity keys so that stolen proofs cannot be replayed by another worker. For h=H(pk1pkK)h=H(pk_1\Vert\cdots\Vert pk_K)4, the reported benchmarks include 0.44 s total for 1024 commitment updates, 0.94 s total for updating all proofs, and aggregation times that grow linearly with the number of opened positions (Xie et al., 2024).

6. Decentralization, transfer, and fundamental limits

Operational deployments often require public verifiability, transferability, and revocation. In decentralized DNN ownership verification, the verification community stores time-stamped hashes of the owner’s watermark key and verification algorithm, then later re-executes verification collectively through a consensus protocol. This design is intended to prevent redeclaration and to avoid reliance on a single trusted notary, while introducing “spoil-attack resistance” as an explicit system-level goal (Li et al., 2021).

For consumer IoT devices, ownership proof is carried by self-sovereign identity infrastructure rather than by watermark extraction. The main entities are the manufacturer, distributor, buyers and sellers, a mediator, and a ledger. The manufacturer issues a ProofOfOwnership verifiable credential to the first buyer, later revokes it on-chain during transfer, and issues a new credential to the next buyer after DIDComm-based challenge/response. The credential contains the issuer DID, tracking ID, owner DID, status, and an Ed25519Signature2018 proof; the ledger stores DIDs, schema and credential definitions, and revocation registry entries. In the ProVerif analysis, secrecy and authenticity queries all returned “RESULT is true” (Sakib et al., 2024).

The strongest general limitation comes from the formal theory of black-box model ownership. Under correlation-intractable hash families for poly-time evasive relations, a family of binary classifiers admits an unremovable black-box proof of ownership if and only if it does not admit a correctable canonicalization, or equivalently is not self-correctable (Canetti et al., 29 Jun 2026). The constructive direction marks a classifier on pseudorandomly chosen inputs and tests whether the suspect model reproduces the hidden labels often enough; the impossibility direction shows that a self-corrector would strip the watermark while preserving functionality. This result does not say that all practical ownership schemes fail; rather, it isolates a precise boundary for one black-box notion of proof.

A recurring misconception is that any watermark automatically yields a decisive ownership claim. The surveyed literature is more restrictive. Ambiguity attacks, trigger exposure, watermark overwriting, fine-tuning, pruning, public verification leakage, and malicious infrastructure all require separate treatment. Some schemes answer with signatures, some with zero knowledge, some with statistical tail bounds, some with public ledgers and revocation, and some with work-based transcripts. The modern literature therefore treats proof of ownership not as a single algorithmic trick but as a family of evidentiary systems whose validity depends on the adversarial model, the object being claimed, and the precise meaning of “ownership” in that domain.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (16)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Proof of Ownership.