Papers
Topics
Authors
Recent
Search
2000 character limit reached

ShadowMark: Nonintrusive Watermarking for DNNs

Updated 7 July 2026
  • ShadowMark is a nonintrusive watermarking mechanism for X-to-Image DNNs that uses a key-driven side channel to extract owner-defined watermarks without modifying the original model.
  • It couples a frozen black-box model with learned key encoder and watermark decoder networks, ensuring that standard outputs remain unaffected while activating watermark functionality only with a secret key.
  • Empirical results show high verification fidelity and robust transfer across various model architectures, though its resilience against some post-processing attacks remains to be fully characterized.

Searching arXiv for the specified paper and closely related watermarking context. (An et al., 24 Jul 2025) ShadowMark is a nonintrusive watermarking mechanism for X-to-Image deep neural networks, introduced as the concrete realization of Nonintrusive Watermarking as a Service (NWaaS). Its defining claim is that an owner-defined watermark mm can be extracted from model outputs without modifying the protected model MθM_\theta at all, in contrast to white-box, black-box, and box-free watermarking schemes that alter parameters, structure, or behavior. In the formulation reported for NWaaS, ShadowMark establishes a key-driven side channel around a frozen black-box API by coupling the unmodified model with a learned key encoder GγG_\gamma and watermark decoder DδD_\delta, thereby attaining what the paper calls absolute, or perfect, fidelity: for ordinary inputs, the model output remains exactly y=Mθ(x)y = M_\theta(x), and watermark functionality is activated only when a secret key is supplied (An et al., 24 Jul 2025).

1. Conceptual basis and nonintrusive watermarking

ShadowMark is motivated by a practical limitation of prior DNN watermarking: existing white-box, black-box, and box-free methods are described as inherently intrusive because they either modify model parameters or alter structure. The reported consequence is a watermarking-induced shift in model behavior, additional fine-tuning cost, and a fidelity–robustness trade-off that becomes more problematic as model size grows. NWaaS addresses this by hypothesizing that a watermark can be decoded from outputs of an untouched model, and ShadowMark is the implementation of that hypothesis for X-to-Image systems (An et al., 24 Jul 2025).

The protected model MθM_\theta is strictly frozen and unmodified. Instead of binding watermark semantics into parameters or output behavior, ShadowMark adds an external side channel to the model’s black-box API. The owner provides a secret key kk, the key encoder GγG_\gamma maps that key into a trigger-like input compatible with the model’s input modality, the frozen model processes that input, and the watermark decoder DδD_\delta recovers the owner-defined watermark mm. For ordinary inference, users submit standard inputs MθM_\theta0 and receive the original output MθM_\theta1 with no change to the prediction pipeline.

This construction underlies the paper’s notion of absolute fidelity. Because MθM_\theta2 is never altered, there is no separate fidelity loss applied to the protected model, and normal outputs are unchanged by construction. The decoder is additionally trained so that outputs induced by normal user queries remain far from MθM_\theta3, which prevents the watermark from interfering with user-facing predictions. A plausible implication is that ShadowMark repositions watermarking from a model-internal embedding problem to an API-level channel design problem, with auxiliary learning concentrated entirely in MθM_\theta4 and MθM_\theta5.

2. System architecture, API channels, and workflow

ShadowMark comprises three components: the protected model MθM_\theta6, the key encoder MθM_\theta7, and the watermark decoder MθM_\theta8. The protected model may be any X-to-Image model, including image-to-image, noise-to-image, noise-and-text-to-image, and text-to-image architectures. The key encoder learns to transform a secret key into a model-specific trigger input, while the decoder learns to map the protected model’s output on that trigger to the watermark MθM_\theta9 (An et al., 24 Jul 2025).

The API is described as exposing two decoupled channels. In the normal inference channel, users submit GγG_\gamma0 and receive GγG_\gamma1. In the watermarking channel, the owner submits a secret key GγG_\gamma2 and the API executes

GγG_\gamma3

producing a decoded watermark. The system chooses which channel to execute based on the argument type, and intermediate artifacts such as GγG_\gamma4 and GγG_\gamma5 are not exposed.

The paper states the ShadowMark procedure explicitly:

  1. Generate Secret Key: GγG_\gamma6
  2. Embed: GγG_\gamma7
  3. Extract: GγG_\gamma8

At train time, GγG_\gamma9 and DδD_\delta0 are trained jointly while DδD_\delta1 is frozen. At inference time, extraction reduces to DδD_\delta2 inside the watermarking channel. For suspect verification, the owner replaces DδD_\delta3 with a suspect model DδD_\delta4 and evaluates the same decoding logic under the surrogate verification criterion. Because the watermarking algorithm is public and only the key remains private, the setup is described as decentralized and trustless under Kerckhoffs’s principle.

For some task settings, the paper notes model-dependent auxiliary inputs. In style transfer, for example, Figure 1 mentions a fixed, model-dependent “Style Key.” The core mechanism nevertheless remains unchanged: the side channel activates only when the owner submits the secret key used for verification.

3. Mathematical formulation, training objective, and verification criteria

The underlying X-to-Image mapping is defined by a pretrained model parameterized by DδD_\delta5, accessible through a black-box API, which maps an input DδD_\delta6 from some modality to an image DδD_\delta7. The paper first gives a generic nonintrusive encoding/decoding view,

DδD_\delta8

DδD_\delta9

and then extends it in ShadowMark by introducing a key-driven trigger generator y=Mθ(x)y = M_\theta(x)0 (An et al., 24 Jul 2025).

Correctness is expressed through two constraints:

y=Mθ(x)y = M_\theta(x)1

y=Mθ(x)y = M_\theta(x)2

These constraints are operationalized using three losses while keeping y=Mθ(x)y = M_\theta(x)3 frozen:

y=Mθ(x)y = M_\theta(x)4

y=Mθ(x)y = M_\theta(x)5

y=Mθ(x)y = M_\theta(x)6

The overall objective is

y=Mθ(x)y = M_\theta(x)7

The general verification template is given as

y=Mθ(x)y = M_\theta(x)8

and y=Mθ(x)y = M_\theta(x)9 otherwise. In the reported experiments, the only criteria used are NCC and NCCD. For original model verification, the threshold is stringent:

MθM_\theta0

and MθM_\theta1 otherwise. For suspected surrogate models, the paper defines

MθM_\theta2

where MθM_\theta3 is decoded from a wrong key MθM_\theta4 on the suspect model MθM_\theta5, and verifies ownership if

MθM_\theta6

The metric design is deliberately narrow. The paper does not report BER, MθM_\theta7-values, or hypothesis tests, and it does not define PSNR, FID, or CLIP for evaluation. Key security is instead evaluated through a brute-force “key ambiguity” success rate MθM_\theta8, defined as the number of discovered ambiguous keys divided by the number of trials.

4. Empirical coverage across model families and reported results

The empirical study spans image-to-image, noise-to-image, noise-and-text-to-image, and text-to-image models, with demonstrations across CNNs, Transformers, GANs, and diffusion models. The watermark is image-like and, by default, has the same size as the model output, namely MθM_\theta9. The paper does not introduce explicit coding schemes, error-correcting codes, or formal capacity limits; the reported evidence of practicality comes from decoding image watermarks of output size across multiple architectures (An et al., 24 Jul 2025).

Task family Dataset Model
Image-to-Image NYU Depth V2 AODNet
Image-to-Image PASCAL VOC + WikiArt LinearTransfer
Image-to-Image CelebA MAT
Image-to-Image CDD-11 OneRestore
Image-to-Image PASCAL VOC SwinIR
Noise-to-Image data-free GAN
Noise-and-Text-to-Image not separately specified beyond task label CGAN
Text-to-Image not separately specified beyond model label Stable Diffusion

The architecture choices for the auxiliary networks vary with the protected model. The key encoder kk0 is a CGAN Generator by default in many image-to-image tasks, and the paper also reports UNet, ResNet Generator, MLP, and an Upsampler for Stable Diffusion. The watermark decoder kk1 is CEILNet across most settings, while EEENet is additionally tested for AODNet. Example key dimensions include kk2 for many image-to-image cases, kk3 for GAN, kk4 for CGAN, and kk5 for text-to-image.

The quantitative results reported in Table 2 are specific. For original model verification using the threshold kk6, 15 of 16 experiments pass, with NCC reported as kk7 in those passing cases. The single failure is OneRestore, indexed as experiment 9, with NCC kk8. For surrogate verification using kk9, surrogate training is feasible in 12 settings, and 10 of those pass. Two failures occur among experiments 11–14, where only the choice of watermark content GγG_\gamma0 varies, indicating sensitivity of surrogate detection to watermark content. Example NCCD values in AODNet cases are reported in the range GγG_\gamma1–GγG_\gamma2, depending on the choices of GγG_\gamma3 and GγG_\gamma4.

Qualitative results reinforce the metric-based picture. Figure 2 is described as showing that correct keys decode the intended watermark, wrong keys produce meaningless patterns, and normal inputs GγG_\gamma5 decode to outputs far from GγG_\gamma6. This suggests that the learned side channel is selective in the sense intended by the loss design: it is active for the owner’s key, inactive for ordinary traffic, and resistant to naive wrong-key queries.

5. Threat model, robustness claims, and attack coverage

The threat model is explicitly attacker-friendly. The watermarking algorithm is public under Kerckhoffs’s principle; only the secret key is secret. The extraction and verification modules are black-box accessible to the public, and the verified watermark GγG_\gamma7 is observable to an attacker. The attacker is assumed to know the training data distribution, observe outputs from the black-box API, submit unlimited queries, and exploit the fact that out-of-distribution queries are not filtered by the API (An et al., 24 Jul 2025).

Within this model, the paper evaluates two attack classes: surrogate model stealing and brute-force key ambiguity. In surrogate attacks, a suspect model GγG_\gamma8 is trained to approximate GγG_\gamma9. For LinearTransfer, MAT, SwinIR, and Stable Diffusion, the paper reports that viable surrogate training conditions were not met under the stated cost constraints, so NCCD results are not reported for those cases. In the 12 successful surrogate attack settings, 10 pass the surrogate verification threshold, which is presented as evidence that the side channel can transfer to stolen surrogates without any modification of DδD_\delta0. Figure 3 is described as showing that, during surrogate training, correct-key NCC on the surrogate rises while wrong-key NCC remains low and the surrogate loss converges.

For brute-force key ambiguity, each of 16 experiments tests 1,000,000 random key guesses. The reported success rate is DδD_\delta1 across all settings. The paper does not provide formal proofs or bounds on attack success probability beyond this empirical result. A plausible implication is that the security argument is presently experimental rather than reductionist or information-theoretic.

Equally important is the negative space of the evaluation. The paper explicitly does not report robustness to weight pruning, fine-tuning of DδD_\delta2, output filtering or denoising, adversarial post-processing, collusion by multi-model averaging, or removal attacks other than surrogate stealing and brute-force key search. These omissions define the present boundary of the robustness claim: ShadowMark is empirically supported for original-model verification, partially supported for surrogate transfer, and not yet characterized against several attack classes standard in watermarking and model protection.

6. Deployment properties, comparison to prior paradigms, and limitations

For deployment, ShadowMark requires only that DδD_\delta3 remain unchanged and be available through a black-box API. Two internal components are added: DδD_\delta4, which maps keys to valid model inputs, and DδD_\delta5, which maps the protected model’s outputs on those triggers to the watermark. The API exposes two modes: normal inference, which accepts DδD_\delta6 and returns DδD_\delta7, and verification, which accepts DδD_\delta8 and returns the decoded watermark together with the verification result. Key management is owner-centric: DδD_\delta9 is a public algorithm, but the owner generates and retains the actual key, and verification does not require a trusted third party (An et al., 24 Jul 2025).

The comparison with prior watermarking paradigms is structurally important. White-box methods require parameter modification for embedding and parameter access for extraction; black-box backdoor watermarking requires training or tuning the protected model to associate triggers with behaviors; box-free output watermarking still modifies the model because the model acts as its own embedder. ShadowMark differs by decoupling watermark embedding and decoding into auxiliary networks around a frozen black-box model. In the paper’s framing, this is why it eliminates the fidelity–robustness trade-off: robustness is pursued through the learned side channel, while fidelity is guaranteed by leaving mm0 untouched.

Interoperability is broad but not uniform. The method is demonstrated across CNNs, Transformers, GANs, and diffusion models, but the key encoder must be adapted to the input modality and dimensions of the protected model. For Stable Diffusion, in particular, the paper specifies an Upsampler as the key encoder to produce inputs compatible with the diffusion stack. The watermark decoder likewise uses image-decoding architectures such as CEILNet. This suggests that the paradigm is architecture-agnostic at the level of principle, but implementation remains model-specific at the level of auxiliary network design.

Several limitations are explicit. Surrogate transfer can depend on the watermark content mm1, as shown by the two failures in the noise-to-image experiments where only mm2 differed. The paper provides no latency, throughput, scalability, or cost analysis, although it notes that normal inference retains the original cost because mm3 is unchanged and that verification adds one forward pass through mm4, mm5, and mm6. It also provides no code URL in the main text, though it reports architecture choices, data settings, and full tables and figures intended to support reproduction.

In summary, ShadowMark reframes DNN watermarking as an external, key-driven side channel over a frozen black-box model. The reported evidence supports three central properties: absolute fidelity by construction on original inference, high original-model verification success with NCC-based criteria, and partial but substantial transferability to surrogates under model-stealing attacks. At the same time, the present formulation remains bounded by empirical rather than formal security guarantees, no explicit capacity or error-correction analysis, and incomplete attack coverage.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to ShadowMark.