
Semi-Fragile Watermark Module

Updated 28 December 2025
  • Semi-fragile watermark modules embed digital watermarks that are robust to benign changes yet sensitive to malicious tampering.
  • They employ techniques ranging from classical transform-domain methods to modern deep neural architectures for embedding and error correction.
  • Evaluation relies on metrics like PSNR, SSIM, bit-recovery accuracy, and tamper localization to balance robustness with fragility.

A semi-fragile watermark module is a computational system for embedding information into digital images in a manner that is robust against benign transformations (e.g., compression, mild filtering) but sensitive to malicious tampering or semantic modifications. The goal is proactive content authentication, enabling detection and localization of image modifications while maintaining high visual fidelity and minimal payload overhead. Modern approaches span deterministic signal-processing pipelines, adaptive quantization, and deep neural architectures, with evaluation criteria centered on robustness/fragility trade-offs, imperceptibility (PSNR, SSIM), bit-recovery accuracy, and tamper localization resolution.

1. Architectural Paradigms and Data Flow

Semi-fragile watermark modules typically comprise the following primary stages:

  1. Feature Extraction: Transform the input image (e.g., via Gaussian pre-filtering and central finite differences (Zhuvikin et al., 2016), content-aware block statistics (Hosseini et al., 2021), or neural feature encoding (Neekhara et al., 2022, Nadimpalli et al., 2 Oct 2024, Fernando et al., 7 Nov 2025)) to yield a discriminative feature vector.
  2. Watermark Bitstring Generation: Map the desired payload and/or a (possibly cryptographically signed) signature, together with feature-dependent perturbation bits, into the watermark bitstring.
  3. Error-Correction Coding: Encode watermark and auxiliary bits using LDPC, BCH, or deep redundancy for resilience against benign distortions (Zhuvikin et al., 2016, Neekhara et al., 2022).
  4. Embedding: Modulate selected transform coefficients (Haar, LWT, DWT, CNN latent codes, or neural feature space) to insert message bits or codewords under quantization constraints or neural optimization (Zhuvikin et al., 2016, Haghighi et al., 2018, Wang et al., 13 Apr 2025, Fernando et al., 7 Nov 2025).
  5. Extraction/Authentication: For a possibly transformed image, invert embedding steps, decode the watermark, and authenticate based on feature, signature, or bit-matching tests, producing a binary authenticity label and—when supported—a tampering map.

A canonical workflow (see (Zhuvikin et al., 2016)):

  • I → [Feature Extraction] → (d_Δ, p) → [Hash & Signature] → s → [ECC] → b_e
  • (I, b_e) → [Embedding] → Ĩ
  • Ĩ* → [Extraction & Authentication] → authenticity decision and (optionally) tamper localization.
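This staged flow can be sketched end-to-end. The sketch below is a toy stand-in, not the cited pipeline: block means replace the Gaussian-filtered finite-difference descriptors, a SHA-256 hash replaces the cryptographic signature, and a simple repetition code replaces LDPC; all function names and parameters are illustrative.

```python
import hashlib
import numpy as np

def extract_features(img, block=8):
    """Toy descriptor: coarse block means, a stand-in for the
    gradient-magnitude features of the pipeline above."""
    h, w = img.shape
    img = img[:h - h % block, :w - w % block]          # crop to block grid
    return img.reshape(h // block, block, w // block, block).mean(axis=(1, 3))

def signature(features, step=16):
    """Hash of the quantized descriptor (stand-in for a signed hash s)."""
    q = np.floor(features / step).astype(np.uint8)
    return hashlib.sha256(q.tobytes()).digest()

def ecc_encode(bits, reps=3):
    """Repetition code standing in for LDPC/BCH encoding of b_e."""
    return np.repeat(np.asarray(bits, dtype=np.uint8), reps)

def ecc_decode(coded, reps=3):
    """Majority vote per codeword tolerates isolated bit flips."""
    return (coded.reshape(-1, reps).mean(axis=1) > 0.5).astype(np.uint8)
```

A repetition code is the weakest possible ECC; it is used here only so the robustness-by-redundancy step is visible in a few lines.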

2. Embedding Techniques: Algorithms and Quantization Schemes

Traditional Transform-Domain Methods

  • Finite-Difference and Haar Embedding (Zhuvikin et al., 2016): Apply Gaussian filtering and central finite differences (CFD) to extract gradient magnitudes, downsample to compact descriptors, then apply scalar quantization and 3-bit perturbation encoding. Concatenate bits, apply LDPC, and embed into the HL₃ and LH₃ coefficients of a three-level Haar transform. Each coefficient encodes a bit via quantized modulation:

\tilde{S}_k = \begin{cases} \gamma \cdot (\mathrm{round}(S_k/\gamma) + 1/4), & \text{if } b_{e_k}=1 \\ \gamma \cdot (\mathrm{round}(S_k/\gamma) - 1/4), & \text{if } b_{e_k}=0 \end{cases}
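This quantized modulation and its inverse are a few lines each; γ (the quantizer step, here an illustrative value) sets the robustness margin, since any distortion below γ/4 leaves the extracted bit unchanged.

```python
import numpy as np

def embed_bit(S, bit, gamma=8.0):
    """Shift coefficient S to the +gamma/4 (bit 1) or -gamma/4 (bit 0)
    offset within its quantization cell, per the equation above."""
    offset = 0.25 if bit else -0.25
    return gamma * (np.round(S / gamma) + offset)

def extract_bit(S_tilde, gamma=8.0):
    """Decide the bit from the sign of the residual after re-quantization."""
    residual = S_tilde - gamma * np.round(S_tilde / gamma)
    return int(residual > 0)
```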

  • Wavelet-Domain and DCT Embedding (Haghighi et al., 2018, Hosseini et al., 2021): A lifting wavelet transform splits the image; low- and high-frequency coefficients are further partitioned (e.g., 2×2 blocks for DCT DC-coefficient manipulation or 4×4 blocks for LWT redundancy). Watermark bits are embedded via gain-adaptive modulation or LSB replacement in quantized coefficients. Multi-copy embedding and block overlap enable error-resilient, fine-grained tampering detection.
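Because the DC coefficient of a 2×2 DCT is proportional to the block mean, DC embedding can be illustrated without a transform at all: quantize the mean and encode one bit in its parity. This is a simplified LSB-style stand-in, not the exact gain-adaptive scheme of (Haghighi et al., 2018); the step size is illustrative.

```python
import numpy as np

def embed_block_bit(block, bit, step=4.0):
    """Encode one bit in a block's mean (its DC component): shift the
    whole block so the quantized mean has the bit as its parity."""
    mean = block.mean()
    q = int(np.round(mean / step))
    if q % 2 != bit:
        q += 1                     # move to the nearest cell of matching parity
    return block + (q * step - mean)

def extract_block_bit(block, step=4.0):
    """Read the bit back from the parity of the quantized block mean."""
    return int(np.round(block.mean() / step)) % 2
```

Uniformly shifting the block changes only the DC term, which is why the other DCT coefficients (and hence texture detail) are untouched.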

Neural and Latent-Space Approaches

  • U-Net Encoder-Decoder Watermarking (Neekhara et al., 2022, Nadimpalli et al., 2 Oct 2024): Payload bit-strings are projected into message maps, concatenated as additional spatial channels, and injected via U-Net encoders. The network is trained with multifactor losses: image fidelity (L1/L2), learned perceptual similarity (LPIPS), adversarial loss (GAN or Wasserstein/critic), and explicit bit-reconstruction accuracy. Fragility is induced by training with a curriculum of benign transforms (for robustness) and malicious (Deepfake) transforms (actively penalizing successful extraction).
  • Latent-Space and Multi-Agent Reinforcement (Fernando et al., 7 Nov 2025): In DeepForgeSeal, CLIP encoder features serve as the embedding manifold. Bit-strings are encoded by constraining projections onto orthonormal directions derived from the key; neural MLPs generate feature perturbations, which are then decoded back to image space. A multi-agent adversarial reinforcement setup trains a watermarking agent (for optimal balance) against an attacker agent simulating both benign and malicious manipulations, with joint optimization over watermark embedding and attack policies.
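The key-derived orthonormal-projection idea can be isolated in a minimal sketch. The key derivation, feature dimension, and strength α below are hypothetical, and the learned MLP perturbation generator of DeepForgeSeal is replaced by a direct linear correction in feature space.

```python
import numpy as np

def key_directions(key, n_bits, dim):
    """Derive orthonormal embedding directions from a secret integer key."""
    rng = np.random.default_rng(key)
    Q, _ = np.linalg.qr(rng.standard_normal((dim, n_bits)))
    return Q  # columns are orthonormal (dim >= n_bits)

def embed_bits(feat, bits, Q, alpha=0.5):
    """Move each keyed projection to +alpha (bit 1) or -alpha (bit 0)."""
    target = alpha * (2.0 * np.asarray(bits) - 1.0)
    return feat + Q @ (target - Q.T @ feat)

def decode_bits(feat, Q):
    """Recover bits from the sign of each keyed projection."""
    return (Q.T @ feat > 0).astype(int)
```

Without the key, an attacker does not know which directions carry the payload, and a random perturbation projects only weakly onto them.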

Fractal and Structured Watermarks

  • Fractal Hilbert-Curve Watermarks (Wang et al., 13 Apr 2025): Watermarks are generated as Hilbert-curve–ordered matrices, diversified by geometric operations and one-way chaotic encryption (logistic map). Each spatial patch of the image carries 4 bits of the encrypted code (entry-to-patch), embedded via a dedicated deep fusion network. The structure enables spatial localization of attacks by tracking bit loss per patch.
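The chaotic-encryption step can be sketched with the logistic map x_{k+1} = r·x_k·(1−x_k): thresholding the orbit yields a key-dependent binary keystream that is XORed with the watermark bits. The seed x0, parameter r, and burn-in length below are illustrative, not the paper's values.

```python
import numpy as np

def logistic_keystream(x0, n, r=3.99, burn_in=100):
    """Binary keystream from the chaotic logistic map, thresholded at 0.5."""
    x = x0
    for _ in range(burn_in):       # discard the transient iterates
        x = r * x * (1.0 - x)
    bits = np.empty(n, dtype=np.uint8)
    for i in range(n):
        x = r * x * (1.0 - x)
        bits[i] = x > 0.5
    return bits

def chaotic_xor(watermark_bits, x0=0.37):
    """XOR with the keystream; the same call decrypts (XOR is an involution)."""
    ks = logistic_keystream(x0, len(watermark_bits))
    return np.bitwise_xor(np.asarray(watermark_bits, dtype=np.uint8), ks)
```

Sensitivity to x0 is what makes the diversification one-way in practice: a seed that differs in the last decimal place produces an unrelated keystream after the burn-in.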

3. Authentication, Tamper Detection, and Localization

The extraction process recapitulates embedding: feature recomputation, code decoding, and reconstructing quantized descriptors or payload bits.

  • Signature Verification: Hashes of recomputed descriptors are compared to those extracted; a match indicates authenticity, while significant disagreement implies tampering (Zhuvikin et al., 2016).
  • Patch- or Block-wise Matching: In matrix-based or patch-coded schemes, successful decoding in all (or thresholded proportion of) patches signifies authenticity; partial failures localize manipulations (Wang et al., 13 Apr 2025, Hosseini et al., 2021).
  • Bit-Recovery Accuracy (BRA) and ROC/AUC: For neural methods, authentication thresholds are applied to BRA (the proportion of bits recovered) to decide benign (BRA ≥ τ) vs. malicious. ROC/AUC statistics summarize separation power (Neekhara et al., 2022, Nadimpalli et al., 2 Oct 2024).
  • Error Mapping and Classification: Multi-level and majority-vote error maps provide pixel-level tamper localization (Hosseini et al., 2021). Feature vectors from error maps drive SVMs for multiclass discrimination of benign (JPEG, no tamper), malicious, or mixed conditions.
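The BRA decision and patch-wise localization described above reduce to a few lines; the threshold τ here is illustrative.

```python
import numpy as np

def bit_recovery_accuracy(sent, recovered):
    """Fraction of payload bits recovered correctly."""
    sent, recovered = np.asarray(sent), np.asarray(recovered)
    return float((sent == recovered).mean())

def authenticate(sent, recovered, tau=0.9):
    """Benign if BRA >= tau; below the threshold the image is flagged."""
    return bit_recovery_accuracy(sent, recovered) >= tau

def patch_tamper_map(sent_patches, recovered_patches, tau=0.9):
    """Per-patch test: patches failing the threshold localize tampering."""
    return np.array([not authenticate(s, r, tau)
                     for s, r in zip(sent_patches, recovered_patches)])
```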

4. Robustness and Fragility: Evaluation Metrics

Key evaluation axes include:

  • Imperceptibility: PSNR and SSIM after watermark embedding. For instance, (Zhuvikin et al., 2016) reports PSNR ≥ 40 dB and SSIM ≥ 0.98; (Haghighi et al., 2018) achieves PSNR ≈ 43.5 dB and SSIM ≈ 0.999; neural approaches obtain PSNR > 36 dB, typically with SSIM > 0.97 (Neekhara et al., 2022).
  • Robustness: True-positive and bit-recovery rates under benign processes (e.g., JPEG compression with CR ≤ 30%, Gaussian blur, mild rescaling). Robustness is quantified along with tolerance thresholds: e.g., (Serra-Ruiz et al., 9 Jul 2025) yields zero BER at a JPEG2000 compression-ratio threshold CR_th ≈ 20:1 and PSNR_th ≈ 32 dB.
  • Fragility: Sensitivity to malicious edits (object insertion, Deepfake, local forgeries). Malicious scenarios yield large jumps in quantized descriptors (Zhuvikin et al., 2016), drastic reductions in bit-recovery accuracy (Nadimpalli et al., 2 Oct 2024, Fernando et al., 7 Nov 2025), and concentrated error maps (Hosseini et al., 2021).
  • Localization Accuracy: Resolution at which tampered regions can be mapped (determined by patch/block size and redundancy). Structured methods achieve 4×4 block precision (Haghighi et al., 2018, Hosseini et al., 2021); neural entry-to-patch (Wang et al., 13 Apr 2025) and multi-agent schemes (Fernando et al., 7 Nov 2025) provide patch-wise or spatially aligned detection.
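Of these metrics, PSNR has a one-line definition worth making concrete (the peak value 255 assumes 8-bit images):

```python
import numpy as np

def psnr(original, watermarked, peak=255.0):
    """Peak signal-to-noise ratio in dB; higher means less visible embedding."""
    err = np.asarray(original, dtype=float) - np.asarray(watermarked, dtype=float)
    mse = np.mean(err ** 2)
    if mse == 0.0:
        return float("inf")
    return 10.0 * np.log10(peak ** 2 / mse)
```

A uniform ±1 change to every pixel of an 8-bit image gives MSE = 1 and PSNR ≈ 48.1 dB, so the 36–48 dB figures above correspond to average perturbations of roughly one gray level or less.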

Summary of representative results:

| Method (arXiv) | PSNR / SSIM | BRA (benign) | BRA (malicious) | AUC | Localization |
|---|---|---|---|---|---|
| (Zhuvikin et al., 2016) | ≥40 dB / 0.98 | TPR > 0.99 | TNR ≥ 0.95 | N/A | 8×8 blocks |
| (Haghighi et al., 2018) | ≈43.5 dB / 0.999 | TPR > 0.95 | FPR < 0.10 | N/A | 4×4 blocks |
| (Wang et al., 13 Apr 2025) | ≈38 dB / 0.98 | 99.7% | ≈40% | 99.99% | Patch-precise |
| (Neekhara et al., 2022) | ≈36 dB / 0.98 | ≈99.5% | 31–65% | 0.996 | Face region |
| (Fernando et al., 7 Nov 2025) | 48.4 dB / 0.97 | 1.00 | 0.06 | +5% vs. SOTA | Spatial/latent |
| (Hosseini et al., 2021) | >41 dB | Robust to QF 75 | Localized | 97.97% (SVM) | Multi-scale blocks |

5. Algorithmic Complexity and Real-World Constraints

  • Computational Cost: Signal-processing modules (CFD, Haar, LWT) are O(N) in image size, with constant factors determined by filter separability or tree depth (Zhuvikin et al., 2016, Haghighi et al., 2018). Adaptive or content-driven vector quantization and block-optimized workflows increase overhead but enable high-dimensional processing for large-band images (Serra-Ruiz et al., 9 Jul 2025).
  • Neural Methods: CNN-based encoder-decoder architectures scale with parameter count and batch size; adversarial and multi-agent training adds further computational cost (e.g., DeepForgeSeal: 8.3 M parameters, ≈7.8 s per 100 inferences (Fernando et al., 7 Nov 2025)).
  • Parameter Selection: Gain factors for robustness-invisibility trade-off, quantizer step sizes, block/patch dimensions, ECC parameters. These are empirically tuned for specific imperceptibility and BER targets (Zhuvikin et al., 2016, Haghighi et al., 2018, Serra-Ruiz et al., 9 Jul 2025).
  • Integration: Systemic use of secure key management, error-correction payloads, face pre-processing, and cloud/server-side decoding is required for deployment in authentication scenarios (Nadimpalli et al., 2 Oct 2024).

6. Limitations, Open Problems, and Future Directions

  • Trade-off Management: Robustness to benign processing versus fragility to semantic change remains a fundamental challenge; neural curriculum learning, MAARL, and patch-structured codes represent distinct approaches (Neekhara et al., 2022, Fernando et al., 7 Nov 2025, Wang et al., 13 Apr 2025).
  • Localization vs. Capacity: Block/pixel-level detection increases spatial precision but may reduce payload size and raise overhead; structured fractal codes and block-voting seek to optimize this balance (Wang et al., 13 Apr 2025, Hosseini et al., 2021).
  • Threats and Security: Countering adversarial querying, copy-paste attacks, and proxy-encoder training via payload randomization (per-image keys/timestamps), secret sharing, and periodic retraining. Secure key distribution and SVM-based detection of sophisticated tampering are under continuous investigation (Neekhara et al., 2022, Hosseini et al., 2021).
  • Extension to Video/Multimodal: Temporal coherence, higher-resolution, multimodal embeddings (audio/video), and low-latency/low-overhead neural inferencing for edge devices are ongoing research objectives (Fernando et al., 7 Nov 2025).

The field is characterized by multi-disciplinary integration of signal processing, computer vision, cryptography, error-correction coding, and neural adversarial training, with continuous progress toward real-world-deployable authentication and forensic solutions.
