ShadowMark: Nonintrusive Watermarking for DNNs
- ShadowMark is a nonintrusive watermarking mechanism for X-to-Image DNNs that uses a key-driven side channel to extract owner-defined watermarks without modifying the original model.
- It couples a frozen black-box model with learned key encoder and watermark decoder networks, ensuring that standard outputs remain unaffected while activating watermark functionality only with a secret key.
- Empirical results show high verification fidelity and robust transfer across various model architectures, though its resilience against some post-processing attacks remains to be fully characterized.
Searching arXiv for the specified paper and closely related watermarking context. (An et al., 24 Jul 2025) ShadowMark is a nonintrusive watermarking mechanism for X-to-Image deep neural networks, introduced as the concrete realization of Nonintrusive Watermarking as a Service (NWaaS). Its defining claim is that an owner-defined watermark can be extracted from model outputs without modifying the protected model at all, in contrast to white-box, black-box, and box-free watermarking schemes that alter parameters, structure, or behavior. In the formulation reported for NWaaS, ShadowMark establishes a key-driven side channel around a frozen black-box API by coupling the unmodified model with a learned key encoder and watermark decoder , thereby attaining what the paper calls absolute, or perfect, fidelity: for ordinary inputs, the model output remains exactly , and watermark functionality is activated only when a secret key is supplied (An et al., 24 Jul 2025).
1. Conceptual basis and nonintrusive watermarking
ShadowMark is motivated by a practical limitation of prior DNN watermarking: existing white-box, black-box, and box-free methods are described as inherently intrusive because they either modify model parameters or alter structure. The reported consequence is a watermarking-induced shift in model behavior, additional fine-tuning cost, and a fidelity–robustness trade-off that becomes more problematic as model size grows. NWaaS addresses this by hypothesizing that a watermark can be decoded from outputs of an untouched model, and ShadowMark is the implementation of that hypothesis for X-to-Image systems (An et al., 24 Jul 2025).
The protected model is strictly frozen and unmodified. Instead of binding watermark semantics into parameters or output behavior, ShadowMark adds an external side channel to the model’s black-box API. The owner provides a secret key , the key encoder maps that key into a trigger-like input compatible with the model’s input modality, the frozen model processes that input, and the watermark decoder recovers the owner-defined watermark . For ordinary inference, users submit standard inputs 0 and receive the original output 1 with no change to the prediction pipeline.
This construction underlies the paper’s notion of absolute fidelity. Because 2 is never altered, there is no separate fidelity loss applied to the protected model, and normal outputs are unchanged by construction. The decoder is additionally trained so that outputs induced by normal user queries remain far from 3, which prevents the watermark from interfering with user-facing predictions. A plausible implication is that ShadowMark repositions watermarking from a model-internal embedding problem to an API-level channel design problem, with auxiliary learning concentrated entirely in 4 and 5.
2. System architecture, API channels, and workflow
ShadowMark comprises three components: the protected model 6, the key encoder 7, and the watermark decoder 8. The protected model may be any X-to-Image model, including image-to-image, noise-to-image, noise-and-text-to-image, and text-to-image architectures. The key encoder learns to transform a secret key into a model-specific trigger input, while the decoder learns to map the protected model’s output on that trigger to the watermark 9 (An et al., 24 Jul 2025).
The API is described as exposing two decoupled channels. In the normal inference channel, users submit 0 and receive 1. In the watermarking channel, the owner submits a secret key 2 and the API executes
3
producing a decoded watermark. The system chooses which channel to execute based on the argument type, and intermediate artifacts such as 4 and 5 are not exposed.
The paper states the ShadowMark procedure explicitly:
- Generate Secret Key: 6
- Embed: 7
- Extract: 8
At train time, 9 and 0 are trained jointly while 1 is frozen. At inference time, extraction reduces to 2 inside the watermarking channel. For suspect verification, the owner replaces 3 with a suspect model 4 and evaluates the same decoding logic under the surrogate verification criterion. Because the watermarking algorithm is public and only the key remains private, the setup is described as decentralized and trustless under Kerckhoffs’s principle.
For some task settings, the paper notes model-dependent auxiliary inputs. In style transfer, for example, Figure 1 mentions a fixed, model-dependent “Style Key.” The core mechanism nevertheless remains unchanged: the side channel activates only when the owner submits the secret key used for verification.
3. Mathematical formulation, training objective, and verification criteria
The underlying X-to-Image mapping is defined by a pretrained model parameterized by 5, accessible through a black-box API, which maps an input 6 from some modality to an image 7. The paper first gives a generic nonintrusive encoding/decoding view,
8
9
and then extends it in ShadowMark by introducing a key-driven trigger generator 0 (An et al., 24 Jul 2025).
Correctness is expressed through two constraints:
1
2
These constraints are operationalized using three losses while keeping 3 frozen:
4
5
6
The overall objective is
7
The general verification template is given as
8
and 9 otherwise. In the reported experiments, the only criteria used are NCC and NCCD. For original model verification, the threshold is stringent:
0
and 1 otherwise. For suspected surrogate models, the paper defines
2
where 3 is decoded from a wrong key 4 on the suspect model 5, and verifies ownership if
6
The metric design is deliberately narrow. The paper does not report BER, 7-values, or hypothesis tests, and it does not define PSNR, FID, or CLIP for evaluation. Key security is instead evaluated through a brute-force “key ambiguity” success rate 8, defined as the number of discovered ambiguous keys divided by the number of trials.
4. Empirical coverage across model families and reported results
The empirical study spans image-to-image, noise-to-image, noise-and-text-to-image, and text-to-image models, with demonstrations across CNNs, Transformers, GANs, and diffusion models. The watermark is image-like and, by default, has the same size as the model output, namely 9. The paper does not introduce explicit coding schemes, error-correcting codes, or formal capacity limits; the reported evidence of practicality comes from decoding image watermarks of output size across multiple architectures (An et al., 24 Jul 2025).
| Task family | Dataset | Model |
|---|---|---|
| Image-to-Image | NYU Depth V2 | AODNet |
| Image-to-Image | PASCAL VOC + WikiArt | LinearTransfer |
| Image-to-Image | CelebA | MAT |
| Image-to-Image | CDD-11 | OneRestore |
| Image-to-Image | PASCAL VOC | SwinIR |
| Noise-to-Image | data-free | GAN |
| Noise-and-Text-to-Image | not separately specified beyond task label | CGAN |
| Text-to-Image | not separately specified beyond model label | Stable Diffusion |
The architecture choices for the auxiliary networks vary with the protected model. The key encoder 0 is a CGAN Generator by default in many image-to-image tasks, and the paper also reports UNet, ResNet Generator, MLP, and an Upsampler for Stable Diffusion. The watermark decoder 1 is CEILNet across most settings, while EEENet is additionally tested for AODNet. Example key dimensions include 2 for many image-to-image cases, 3 for GAN, 4 for CGAN, and 5 for text-to-image.
The quantitative results reported in Table 2 are specific. For original model verification using the threshold 6, 15 of 16 experiments pass, with NCC reported as 7 in those passing cases. The single failure is OneRestore, indexed as experiment 9, with NCC 8. For surrogate verification using 9, surrogate training is feasible in 12 settings, and 10 of those pass. Two failures occur among experiments 11–14, where only the choice of watermark content 0 varies, indicating sensitivity of surrogate detection to watermark content. Example NCCD values in AODNet cases are reported in the range 1–2, depending on the choices of 3 and 4.
Qualitative results reinforce the metric-based picture. Figure 2 is described as showing that correct keys decode the intended watermark, wrong keys produce meaningless patterns, and normal inputs 5 decode to outputs far from 6. This suggests that the learned side channel is selective in the sense intended by the loss design: it is active for the owner’s key, inactive for ordinary traffic, and resistant to naive wrong-key queries.
5. Threat model, robustness claims, and attack coverage
The threat model is explicitly attacker-friendly. The watermarking algorithm is public under Kerckhoffs’s principle; only the secret key is secret. The extraction and verification modules are black-box accessible to the public, and the verified watermark 7 is observable to an attacker. The attacker is assumed to know the training data distribution, observe outputs from the black-box API, submit unlimited queries, and exploit the fact that out-of-distribution queries are not filtered by the API (An et al., 24 Jul 2025).
Within this model, the paper evaluates two attack classes: surrogate model stealing and brute-force key ambiguity. In surrogate attacks, a suspect model 8 is trained to approximate 9. For LinearTransfer, MAT, SwinIR, and Stable Diffusion, the paper reports that viable surrogate training conditions were not met under the stated cost constraints, so NCCD results are not reported for those cases. In the 12 successful surrogate attack settings, 10 pass the surrogate verification threshold, which is presented as evidence that the side channel can transfer to stolen surrogates without any modification of 0. Figure 3 is described as showing that, during surrogate training, correct-key NCC on the surrogate rises while wrong-key NCC remains low and the surrogate loss converges.
For brute-force key ambiguity, each of 16 experiments tests 1,000,000 random key guesses. The reported success rate is 1 across all settings. The paper does not provide formal proofs or bounds on attack success probability beyond this empirical result. A plausible implication is that the security argument is presently experimental rather than reductionist or information-theoretic.
Equally important is the negative space of the evaluation. The paper explicitly does not report robustness to weight pruning, fine-tuning of 2, output filtering or denoising, adversarial post-processing, collusion by multi-model averaging, or removal attacks other than surrogate stealing and brute-force key search. These omissions define the present boundary of the robustness claim: ShadowMark is empirically supported for original-model verification, partially supported for surrogate transfer, and not yet characterized against several attack classes standard in watermarking and model protection.
6. Deployment properties, comparison to prior paradigms, and limitations
For deployment, ShadowMark requires only that 3 remain unchanged and be available through a black-box API. Two internal components are added: 4, which maps keys to valid model inputs, and 5, which maps the protected model’s outputs on those triggers to the watermark. The API exposes two modes: normal inference, which accepts 6 and returns 7, and verification, which accepts 8 and returns the decoded watermark together with the verification result. Key management is owner-centric: 9 is a public algorithm, but the owner generates and retains the actual key, and verification does not require a trusted third party (An et al., 24 Jul 2025).
The comparison with prior watermarking paradigms is structurally important. White-box methods require parameter modification for embedding and parameter access for extraction; black-box backdoor watermarking requires training or tuning the protected model to associate triggers with behaviors; box-free output watermarking still modifies the model because the model acts as its own embedder. ShadowMark differs by decoupling watermark embedding and decoding into auxiliary networks around a frozen black-box model. In the paper’s framing, this is why it eliminates the fidelity–robustness trade-off: robustness is pursued through the learned side channel, while fidelity is guaranteed by leaving 0 untouched.
Interoperability is broad but not uniform. The method is demonstrated across CNNs, Transformers, GANs, and diffusion models, but the key encoder must be adapted to the input modality and dimensions of the protected model. For Stable Diffusion, in particular, the paper specifies an Upsampler as the key encoder to produce inputs compatible with the diffusion stack. The watermark decoder likewise uses image-decoding architectures such as CEILNet. This suggests that the paradigm is architecture-agnostic at the level of principle, but implementation remains model-specific at the level of auxiliary network design.
Several limitations are explicit. Surrogate transfer can depend on the watermark content 1, as shown by the two failures in the noise-to-image experiments where only 2 differed. The paper provides no latency, throughput, scalability, or cost analysis, although it notes that normal inference retains the original cost because 3 is unchanged and that verification adds one forward pass through 4, 5, and 6. It also provides no code URL in the main text, though it reports architecture choices, data settings, and full tables and figures intended to support reproduction.
In summary, ShadowMark reframes DNN watermarking as an external, key-driven side channel over a frozen black-box model. The reported evidence supports three central properties: absolute fidelity by construction on original inference, high original-model verification success with NCC-based criteria, and partial but substantial transferability to surrogates under model-stealing attacks. At the same time, the present formulation remains bounded by empirical rather than formal security guarantees, no explicit capacity or error-correction analysis, and incomplete attack coverage.