Signature Injection Techniques
- Signature injection is a heterogeneous concept that involves embedding, inducing, or detecting compact signatures within host artifacts to verify authenticity and diagnose faults.
- It is applied in media authentication and cryptographic watermarking, where methods like BLS signatures and neural watermarks secure content integrity with minimal overhead.
- In AI and hardware security, signature injection strategies such as runtime hashing and causal attribution patterns provide efficient defenses against injection and fault attacks.
Searching arXiv for recent and directly relevant papers on “signature injection” and adjacent usages. Signature injection is a heterogeneous technical notion spanning several research areas. Across the cited literature, it denotes operations in which a signature is inserted, embedded, induced, or operationally detected within a host artifact, decision process, or physical system. In some works, the signature is cryptographic and explicitly carried inside media; in others it is a dynamical, causal, or statistical trace whose appearance signals an attack, a protected execution state, or an underlying injection process. Representative examples include croppable BLS-based image signatures stored in JPEG metadata, content-encoding watermarks that hide a signed latent code inside an image, universal adversarial signatures fine-tuned into generators, and causal-attribution signatures used to detect indirect prompt injection (Perazzo et al., 1 Dec 2025, Graf et al., 24 Apr 2026, Zeng et al., 2023, Kim et al., 8 Feb 2026).
1. Semantic Range
The literature does not use “signature injection” in a single, uniform sense. Instead, the term and its close variants recur in at least four forms: embedded authenticity metadata, intentionally induced detector-friendly traces, diagnostic patterns of malicious influence, and observational signatures of an injection process.
| Setting | “Signature” | Operational role |
|---|---|---|
| Media authentication | Cryptographic or watermark payload | Proves provenance or integrity |
| AI security | Attribution or rule-based pattern | Detects injection attempts |
| Hardware and systems | Hash, MAC, or control-state summary | Detects faults or enforces integrity |
| Physical science | Velocity-space or waveform trace | Diagnoses injection dynamics |
This diversity is not merely terminological. In image authentication, the signature is usually an object that can be serialized, embedded, extracted, and verified. In LLM security, the signature is often a measured pattern in support attribution or SQL structure. In hardware protection, the signature is a compact runtime summary of selected state. In collisionless-shock physics, it is an observational imprint of particle injection rather than an inserted token.
2. Physical and Microarchitectural Forms
A direct physical-layer instance appears in “High Efficiency Power Side-Channel Attack Immunity using Noise Injection in Attenuated Signature Domain” (Das et al., 2017). The work argues that noise injection alone is inefficient because the observable CPA correlation after adding noise becomes
so suppressing leakage before adding noise is preferable to burying the full AES current signature under large noise. Its AS-AES architecture therefore places the AES core inside signature attenuating hardware built around a hybrid shunt LDO. The shunt LDO suppresses the AES current signature by more than at the supply current, after which only injected noise is needed to reach MTD , versus for noise-only protection. At the chosen operating point, the total overhead current is , the total overhead power is , and the overall power efficiency is (Das et al., 2017). Here, “signature injection” is best understood as injecting noise only after the secret-dependent current signature has been shifted into an attenuated signature domain.
A different physical usage appears in “Embedding a chaotic signature in a periodic train: can periodic signals be chaotic?” (0811.0258). There, the injected object is a periodically replayed segment of the laser’s own chaotic intra-cavity field. The external injection term forces a chaotic semiconductor laser to emit a waveform that is exactly periodic on a long time scale, yet retains a local chaotic signature. At the main operating point, the injected power fraction is and the repeated period is 0; locking occurs after a transient of a few periods 1 (0811.0258). The paper’s central claim is that the injection of a periodic waveform can lock a chaotic system into a periodic trajectory belonging to its attractor, so the injected signature is dynamical and attractor-consistent rather than cryptographic.
Microarchitectural protection extends the same idea of compact signature verification to processor control semantics. “MAFIA: Protecting the Microarchitecture of Embedded Systems Against Fault Injection Attacks” computes signatures not over raw instruction bytes but over a 64-bit decode-derived pipeline state. CACFI maintains a runtime signature over this state, while CSI duplicates selected control signals after decode. The implementation reports hardware area overheads of 2 for CBC-MAC/Prince and 3 for CRC32, with average code size and execution time overheads of 4 and 5 for CBC-MAC/Prince and 6 and 7 for CRC32 (Chamelot et al., 2023). The signature here is a running integrity summary of realized control behavior.
A related model-integrity use appears in “HASHTAG: Hash Signatures for Online Detection of Fault-Injection Attacks on Deep Neural Networks” (Javaheripi et al., 2021). HASHTAG identifies vulnerable checkpoint layers, hashes their weights with Pearson hash, and compares fresh runtime hashes against stored references during inference. It reports 100% detection with very few checkpoint layers for several models, 0.0% false positive rate, and detection times from 0.1 ms to 1.8 ms on a Jetson TX2 (Javaheripi et al., 2021). This is a signature-based integrity check rather than embedding, but it belongs to the same family of compact runtime summaries guarding against injected faults.
3. Media Authentication and In-Band Embedding
A strict metadata-level construction appears in “JPEGs Just Got Snipped: Croppable Signatures Against Deepfake Images” (Perazzo et al., 1 Dec 2025). The signer generates a fresh ephemeral BLS key per image, signs each image block as
8
binds the ephemeral public key with a long-term signature
9
and allows an untrusted cropper to derive a constant-size cropped signature
0
For JPEG, the signature is injected into the file’s Comments section. The authenticated object is the uncompressed block representation, not the compressed JPEG scan, because compressed blocks are not independently represented. The method remains valid after cropping, is invalidated by other manipulations including deepfake creation, and yields 1 cropped signature size (Perazzo et al., 1 Dec 2025).
“DeepSignature: Digitally Signed, Content-Encoding Watermarks for Robust and Transparent Image Authentication” shifts the signature from metadata to watermark payload (Graf et al., 24 Apr 2026). A VQ-VAE encodes image content into a quantized latent, binarized as 2, which is signed using Ed25519ph: 3 The payload is
4
then BCH-coded and embedded by a neural watermark encoder. Verification first checks the extracted signature with the public key, then compares the signed latent against the received image’s latent using
5
The paper reports watermark verification rate 100% for authentic images across CASIA V1.0, CASIA V2.0, and Emu Edit, with tampering-score AUCs of 1.00, 1.00, and 0.98 respectively (Graf et al., 24 Apr 2026). Here the signature is not attached to the file; it is hidden in the image together with a signed content code.
A third media-oriented variant is proactive traceability of generative outputs. “Securing Deep Generative Models with Universal Adversarial Signature” learns an injector 6 and detector 7, where the signed image is 8, and then fine-tunes arbitrary generators on the signed dataset 9 (Zeng et al., 2023). On FFHQ, the stage-1 signed images achieve PSNR 51.4, FID 0.52, and detector accuracy 100.0%; after securing generators, detector accuracy remains 100.0% or 99.9% while FID remains close to the original generators. In this setting, the signature is an imperceptible, detector-aligned perturbation family that is internalized into the generator’s output distribution rather than stored as metadata (Zeng et al., 2023).
4. Injection Signatures as Detectors in AI Systems
In LLM-agent security, the signature is often not embedded content but a causal or structural pattern. “CausalArmor: Efficient Indirect Prompt Injection Guardrails via Causal Attribution” defines the support of a context component 0 for candidate action 1 by leave-one-out ablation: 2 The core detection rule flags suspicious spans when
3
A successful indirect prompt injection is therefore characterized by a dominance shift: the user request no longer provides decisive support for a privileged action, while a particular untrusted span provides disproportionate attributable influence. The system sanitizes only flagged spans and retroactively masks poisoned Chain-of-Thought. On AgentDojo, for Gemini-3-Pro, CausalArmor reports BU 86.60 and BL 1.22 versus PromptArmor’s BU 77.32 and BL 1.78 while both keep ASR near zero; on DoomArena, CausalArmor reduces ASR to 3.65 with BU 70.96 and BL 1.38 for Gemini-3-Pro (Kim et al., 8 Feb 2026). The signature here is a causal inversion at privileged decision points.
A rule-based variant appears in “When Prompts Become Payloads: A Framework for Mitigating SQL Injection Attacks in LLM-Driven Applications” (Motlagh et al., 11 May 2026). Its Query Signature Control layer is a final SQL-side gate with two sublayers: a character/symbol restriction layer and a blacklist derived from SQLmap-inspired keyword categories such as create, alter, drop, rename, update, insert, delete, truncate, union, and join. As a standalone layer, QSC reports F1 scores of 88.00 for SQLi attack, 98.00 for completion attack, 91.89 for obfuscation attack, 97.96 for ignore attack, and 94.44 for combination attack, with false positive rate 4 (Motlagh et al., 11 May 2026). Here “signature” denotes known lexical attack patterns in generated SQL, not a cryptographic object.
5. Faults, Forged Signatures, and Adversarially Induced Outputs
Some literature uses the term in the opposite direction: not injecting a signature into an artifact, but causing a system to emit exploitable signatures. “Signature Correction Attack on Dilithium Signature Scheme” induces a single-bit flip in Dilithium’s secret key component 5 before the signing step
6
collects the faulty signature 7, and then uses the public key and the verification algorithm to correct the malformed signature offline (Islam et al., 2022). The attack recovers 1,851 bits out of 3,072 bits of secret key 8 for security level 2 and reduces estimated security from 9 to 0 classically and from 1 to 2 quantumly. This is a fault injection attack against signature generation, but it belongs in the broader signature-injection landscape because the exploitable object is an attacker-caused malformed signature (Islam et al., 2022).
In multicast security, the relevant problem is forged packet injection. “Comparison analysis in Multicast Authentication based on Batch Signature (MABS) in Network Security” treats injected packets carrying forged or mismatched authentication material as a denial-of-service vector (Bethu et al., 2013). MABS-B eliminates correlation among packets and provides perfect resilience to packet loss, while MABS-E adds Merkle-tree-based separation of authentic and forged packets into disjoint sets. Its verification-rate metric is
3
This usage is not about embedding signatures into content; it is about preventing acceptance of injected signed-looking traffic and limiting verification cost under attack (Bethu et al., 2013).
6. Provenance, Observation, and Conceptual Limits
A major conceptual limitation is stated explicitly in “Witnessd: Proof-of-process via Adversarial Collapse” (Condrey, 2 Feb 2026): digital signatures prove key possession, not authorship. A signer can construct intermediate document states post hoc and sign each hash, producing a signature chain indistinguishable from genuine composition. Witnessd answers this with a jitter seal that injects imperceptible microsecond delays—500 to 3000 4—derived via HMAC from a session secret, keystroke ordinal, cumulative document hash, timestamp, zone transition, interval bucket, and previous jitter. The chained evidence update is
5
Across 31,000 verification trials, the paper reports deterministic rejection of invalid proofs (Condrey, 2 Feb 2026). This shifts the discussion from signature injection as content marking to the more general question of whether cryptographic attestation can certify physical process.
An even looser but important use appears in collisionless-shock physics. Sundberg et al., in “Ion Acceleration at the Quasi-Parallel Bow Shock: Decoding the Signature of Injection,” identify a dispersed reflected-ion velocity distribution as the observable signature of the first step of ion injection at a quasi-parallel bow shock (Sundberg et al., 2015). The reflected ions cover a much larger region in velocity space than cold reflected ion beams, with a spread in parallel velocities from the shock frame to beyond the reflection plane and a spread in gyrophase over nearly half the gyro-circle. The signature occurs at the trailing edge of large-amplitude upstream waves where the local geometry changes from quasi-perpendicular to quasi-parallel, and within three to five gyroperiods some ions gain enough parallel velocity to escape upstream (Sundberg et al., 2015). Here the signature is neither cryptographic nor deliberately embedded; it is a diagnostic imprint of an injection process.
Taken together, these works show that “signature injection” is best understood as a family of operations rather than a single method. The common structure is the deliberate coupling of a compact signature-like object or pattern to a host process, followed by extraction, verification, or diagnosis. The crucial differences lie in what is being coupled: current traces, chaotic waveforms, image blocks, neural latents, generator outputs, SQL patterns, causal attributions, faulty signatures, document-state transitions, or reflected-ion distributions.