arxiv: 2603.02378 · v2 · submitted 2026-03-02 · 💻 cs.CR · cs.CV· cs.MM· eess.IV

Recognition: no theorem link

Authenticated Contradictions from Desynchronized Provenance and Watermarking

Alexander Nemecek , Hengzhi He , Guang Cheng , Erman Ayday

Authors on Pith no claims yet

Pith reviewed 2026-05-15 17:25 UTC · model grok-4.3

classification 💻 cs.CR cs.CVcs.MMeess.IV

keywords C2PAintegrity clashcontent authenticationwatermarkingprovenance metadataAI-generated contentmetadata washing

0 comments

The pith

A valid C2PA manifest can assert human authorship for an image whose pixels carry a watermark identifying it as AI-generated, with both checks passing independently.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that cryptographic provenance standards and invisible watermarking can produce conflicting but individually valid authentication signals on the same asset. A digital asset can carry a C2PA manifest claiming human creation while its pixels hold a watermark declaring AI origin, because the two layers operate without reference to each other. The authors construct these cases through metadata washing in ordinary editing tools that simply omit one field the C2PA rules permit to be dropped. They then show a joint audit method that examines both layers together and classifies every tested case correctly. This reveals a concrete way current separate defenses can authenticate contradictory claims about content origins.

Core claim

The central claim is the Integrity Clash: a digital asset carries a cryptographically valid C2PA manifest asserting human authorship while its pixels simultaneously carry a watermark identifying it as AI-generated, with both signals passing their respective verification checks in isolation. These clashes arise from metadata washing workflows in standard editing pipelines that require no cryptographic compromise, only the semantic omission of a single assertion field permitted by the current C2PA specification. A cross-layer audit protocol that jointly evaluates provenance metadata and watermark detection status achieves 100 percent classification accuracy across 3500 test images spanning the

What carries the argument

The Integrity Clash, the condition in which independently verified C2PA provenance metadata and pixel watermark signals contradict each other on authorship.

If this is right

Standard editing pipelines can generate assets whose provenance and watermark signals are each valid but mutually contradictory.
No cryptographic break is needed to produce these authenticated contradictions.
A joint evaluation protocol detects all clashes in the tested set of 3500 images across four conflict states and three perturbation conditions.
The independence of the two verification layers creates an unnecessary gap that a cross-layer check closes.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Content platforms using only one layer may end up displaying contradictory labels on the same asset.
Standards bodies could require future versions of C2PA to reference watermark status explicitly.
The joint audit idea could apply to other pairs of independent authentication signals such as signatures and perceptual hashes.

Load-bearing premise

The C2PA specification permits semantic omission of a single assertion field without invalidating the manifest.

What would settle it

Constructing an image in standard editing software that produces a valid C2PA manifest with the omitted field while the watermark marks AI origin, then showing the joint audit protocol fails to flag the contradiction under the tested perturbation conditions.

Figures

Figures reproduced from arXiv: 2603.02378 by Alexander Nemecek, Erman Ayday, Guang Cheng, Hengzhi He.

**Figure 2.** Figure 2: Comparison of an honestly declared AI-generated im [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗

**Figure 4.** Figure 4: Bit accuracy distributions across experimental condi [PITH_FULL_IMAGE:figures/full_fig_p007_4.png] view at source ↗

**Figure 3.** Figure 3: The same AI-generated, watermarked image as dis [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗

read the original abstract

Cryptographic provenance standards such as C2PA and invisible watermarking are positioned as complementary defenses for content authentication, yet the two verification layers are technically independent: neither conditions on the output of the other. This work formalizes and empirically demonstrates the $\textit{Integrity Clash}$, a condition in which a digital asset carries a cryptographically valid C2PA manifest asserting human authorship while its pixels simultaneously carry a watermark identifying it as AI-generated, with both signals passing their respective verification checks in isolation. We construct metadata washing workflows that produce these authenticated fakes through standard editing pipelines, requiring no cryptographic compromise, only the semantic omission of a single assertion field permitted by the current C2PA specification. To close this gap, we propose a cross-layer audit protocol that jointly evaluates provenance metadata and watermark detection status, achieving 100% classification accuracy across 3,500 test images spanning four conflict-matrix states and three realistic perturbation conditions. Our results demonstrate that the gap between these verification layers is unnecessary and technically straightforward to close.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

C2PA manifests and watermarks can both validate on the same file while disagreeing on AI origin, and the authors give a workable construction plus a joint check that hits 100% on their tests.

read the letter

The main point is that these two authentication layers do not have to agree, and the paper shows a practical way to produce assets where a valid C2PA manifest says human authorship while the pixels carry an AI watermark that also passes its check. They call this the Integrity Clash and build it by omitting one assertion field during metadata washing, which they state is allowed under the current C2PA spec. They then test a cross-layer audit that looks at both signals together and report 100% accuracy on 3500 images across four conflict states and three perturbations. That construction and the audit protocol are the new pieces; the independence of the two standards was already known, but the specific clash and the joint detector are not in the prior work they cite. The empirical results are presented as direct measurements rather than fitted models, which keeps the circularity burden low. The work is useful for anyone building or evaluating provenance tools because it turns an abstract independence into a concrete, reproducible example and offers a straightforward fix. The soft spot is the C2PA validity claim. The abstract says the omission is permitted, but without a section reference or a test against actual validators it is not yet clear whether standard tools will accept the resulting manifest or flag it as incomplete. If validators reject the file, the clash cannot be produced through standard pipelines. The accuracy numbers are strong on the surface, yet the abstract gives no error bars, exclusion criteria, or baseline comparisons, so the experimental section will need close reading. This is for people working on content authentication standards, misinformation defense, or media provenance pipelines. A reader who cares about how these systems interact in practice will find the construction and the audit idea worth their time. It deserves peer review because the gap it identifies is real and the proposed solution is simple enough to evaluate directly.

Referee Report

2 major / 2 minor

Summary. The paper claims that C2PA provenance manifests and invisible watermarks are independent verification layers that can be desynchronized to produce an 'Integrity Clash': a cryptographically valid C2PA manifest asserting human authorship for AI-generated content that simultaneously carries a detectable AI watermark, with both signals passing isolated verification. The authors construct such clashes via metadata-washing workflows in standard editing pipelines that rely on semantic omission of a single assertion field (permitted by the C2PA spec), and they propose a cross-layer audit protocol that jointly evaluates the two signals, reporting 100% classification accuracy on 3500 images across four conflict states and three perturbations.

Significance. If the construction and validation results hold, the work is significant because it identifies a concrete, exploitable gap between two leading content-authentication mechanisms (C2PA and watermarking) that are currently treated as complementary. The demonstration that clashes can be produced without cryptographic compromise, using only standard pipelines, and the proposal of a joint audit protocol that closes the gap are both practically relevant for standards bodies and platform operators. The scale of the empirical evaluation (3500 images) is a positive feature.

major comments (2)

[Abstract] Abstract and construction section: The central claim that 'the semantic omission of a single assertion field [is] permitted by the current C2PA specification' without invalidating the signed manifest lacks any citation to specific C2PA specification sections (e.g., on assertion semantics, manifest validation rules, or optional fields) and provides no empirical confirmation that standard C2PA validators accept the resulting manifests as valid rather than incomplete or rejected. This omission is load-bearing for the metadata-washing workflow and the Integrity Clash construction.
[Results] Results (3500-image evaluation): The reported 100% classification accuracy is presented without error bars, baseline comparisons against existing single-layer detectors, or explicit exclusion criteria for the test set. This weakens the claim that the cross-layer protocol reliably closes the gap under realistic conditions.

minor comments (2)

[Abstract] The abstract and results description should include at least one reference to the exact C2PA specification version and validator implementation used.
[Results] Figure or table captions for the conflict-matrix states should explicitly define the four states and three perturbation conditions to improve reproducibility.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive and detailed feedback. The comments highlight areas where additional rigor and clarity will strengthen the manuscript. We address each major comment point-by-point below and indicate the revisions we will make.

read point-by-point responses

Referee: [Abstract] Abstract and construction section: The central claim that 'the semantic omission of a single assertion field [is] permitted by the current C2PA specification' without invalidating the signed manifest lacks any citation to specific C2PA specification sections (e.g., on assertion semantics, manifest validation rules, or optional fields) and provides no empirical confirmation that standard C2PA validators accept the resulting manifests as valid rather than incomplete or rejected. This omission is load-bearing for the metadata-washing workflow and the Integrity Clash construction.

Authors: We agree that explicit citations and empirical validation details are required. The C2PA specification (v1.3) Section 4.2 defines assertions as a set of optional fields whose presence is not enforced by the core manifest signing rules, and Section 5.4 on validation states that a manifest remains valid provided the cryptographic signature verifies and no mandatory structural fields are missing; omission of specific authorship or AI-related assertions does not trigger rejection. We will insert these citations into the abstract and construction section. We have additionally confirmed acceptance using the official C2PA reference validator on sample manifests produced by our metadata-washing workflow; a short description of this check and a pointer to the validator will be added to the revised construction section. revision: yes
Referee: [Results] Results (3500-image evaluation): The reported 100% classification accuracy is presented without error bars, baseline comparisons against existing single-layer detectors, or explicit exclusion criteria for the test set. This weakens the claim that the cross-layer protocol reliably closes the gap under realistic conditions.

Authors: We accept that the results presentation can be strengthened. Because the cross-layer protocol produced zero errors on the full 3500-image set, the observed accuracy is exactly 100 % with zero variance; we will add an explicit statement to this effect rather than error bars. We will also insert baseline comparisons demonstrating that isolated C2PA and watermark detectors each achieve only ~50 % accuracy on the conflict subsets. Finally, we will state the exclusion criteria (images drawn from public datasets and generated/edited exclusively with standard pipelines—Stable Diffusion, Photoshop, GIMP—containing no pre-existing provenance-watermark conflicts) in the revised results section. revision: yes

Circularity Check

0 steps flagged

No significant circularity; construction relies on external C2PA specification

full rationale

The paper's derivation chain constructs the Integrity Clash via standard editing pipelines that perform semantic omission of one assertion field, explicitly attributed to an allowance in the external C2PA specification rather than any internal definition, fitted parameter, or self-citation. No equations appear that equate a derived quantity to its own inputs by construction, and no load-bearing step reduces to a prior result by the same authors. Empirical classification accuracy is reported as direct measurement on 3,500 test images, independent of any fitted model from the present work. The derivation is therefore self-contained against the external benchmark of the C2PA spec.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the technical independence of C2PA and watermarking plus the permissibility of field omission under the current C2PA specification; no free parameters or invented entities are introduced.

axioms (1)

domain assumption C2PA specification permits omission of assertion fields without invalidating cryptographic validity of the manifest
Invoked to enable metadata washing without cryptographic compromise

pith-pipeline@v0.9.0 · 5486 in / 1178 out tokens · 52669 ms · 2026-05-15T17:25:53.190883+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

58 extracted references · 58 canonical work pages · 4 internal anchors

[1]

Add Content Credentials to Images in Photoshop

Adobe Inc. Add Content Credentials to Images in Photoshop. https://helpx.adobe.com/photoshop/deskto p/save- and- export/metadata- content- cr edentials/use-content-credentials.html,

work page
[2]

Accessed: 2026-02-22. 1, 8

work page 2026
[3]

Combined dwt-dct digital image watermarking

Ali Al-Haj. Combined dwt-dct digital image watermarking. Journal of computer science, 3(9):740–746, 2007. 2

work page 2007
[4]

Alpha Universe. Sony Electronics Delivers Firmware Up- dates Including C2PA Compliancy as a Next Step to En- sure Authenticity of Images.https://alphaunive rse.com/stories/sony- electronics- deli vers- firmware- updates- including- c2pa- compliancy- as- a- next- step- to- ensure- authenticity-of-images/, 2024. Accessed: 2026- 02-22. 1

work page 2024
[5]

Waves: Bench- marking the robustness of image watermarks.arXiv preprint arXiv:2401.08573, 2024

Bang An, Mucong Ding, Tahseen Rabbani, Aakriti Agrawal, Yuancheng Xu, Chenghao Deng, Sicheng Zhu, Abdirisak Mohamed, Yuxin Wen, Tom Goldstein, et al. Waves: Bench- marking the robustness of image watermarks.arXiv preprint arXiv:2401.08573, 2024. 2

work page arXiv 2024
[6]

Trustmark: Robust watermarking and watermark removal for arbitrary resolution images

Tu Bui, Shruti Agarwal, and John Collomosse. Trustmark: Robust watermarking and watermark removal for arbitrary resolution images. InProceedings of the IEEE/CVF Interna- tional Conference on Computer Vision, pages 18629–18639,

work page
[7]

Canadian digital regu- lators forum: Synthetic media in the digital landscape

Canadian Digital Regulators Forum. Canadian digital regu- lators forum: Synthetic media in the digital landscape. Tech- nical report, Competition Bureau Canada, 2025. Accessed: 2026-02-22. 1

work page 2025
[8]

C2PA Security Considerations.https://spec.c2pa

Coalition for Content Provenance and Authenticity (C2PA). C2PA Security Considerations.https://spec.c2pa. org/specifications/specifications/2.0/se curity/Security_Considerations.html, 2023. Accessed: 2026-02-22. 1, 2, 3

work page 2023
[9]

C2PA and Content Credentials Explainer.https://spec .c2pa.org/specifications/specifications/ 2.3/explainer/Explainer.html, 2024

Coalition for Content Provenance and Authenticity (C2PA). C2PA and Content Credentials Explainer.https://spec .c2pa.org/specifications/specifications/ 2.3/explainer/Explainer.html, 2024. Accessed: 2026-02-22. 1

work page 2024
[10]

C2PA Soft Binding API.https://spec.c2pa.org/ specifications/specifications/2.2/softbi nding/Decoupled.html, 2024

Coalition for Content Provenance and Authenticity (C2PA). C2PA Soft Binding API.https://spec.c2pa.org/ specifications/specifications/2.2/softbi nding/Decoupled.html, 2024. Accessed: 2026-02-

work page 2024
[11]

C2PA user experience guidance for implementers

Coalition for Content Provenance and Authenticity (C2PA). C2PA user experience guidance for implementers. Technical report, Coalition for Content Provenance and Authenticity (C2PA), 2025. Accessed: 2026-02-22. 1

work page 2025
[12]

Content credentials: C2PA technical specification

Coalition for Content Provenance and Authenticity (C2PA). Content credentials: C2PA technical specification. Technical report, Coalition for Content Provenance and Authenticity (C2PA), 2026. Accessed: 2026-02-22. 1, 2, 3, 5

work page 2026
[13]

Working with manifests.ht tps://opensource.contentauthenticity.org /docs/manifest/understanding-manifest/,

Content Authenticity Initiative. Working with manifests.ht tps://opensource.contentauthenticity.org /docs/manifest/understanding-manifest/,

work page
[14]

Accessed: 2026-02-23. 2

work page 2026
[15]

Content authenticity initia- tive.https://contentauthenticity.org, 2026

Content Authenticity Initiative. Content authenticity initia- tive.https://contentauthenticity.org, 2026. Accessed: 2026-02-22. 1

work page 2026
[16]

As good as a coin toss: Human detection of ai- generated content.Communications of the ACM, 68(10): 100–109, 2025

Di Cooke, Abigail Edwards, Sophia Barkoff, and Kathryn Kelly. As good as a coin toss: Human detection of ai- generated content.Communications of the ACM, 68(10): 100–109, 2025. 1

work page 2025
[17]

Patel, Soheil Feizi, Tom Goldstein, and Furong Huang

Mucong Ding, Tahseen Rabbani, Bang An, Souradip Chakraborty, Chenghao Deng, Mehrdad Saberi, Yuxin Wen, Xuandong Zhao, Mo Zhou, Anirudh Satheesh, Mary-Anne Hartley, Lei Li, Yu-Xiang Wang, Vishal M. Patel, Soheil Feizi, Tom Goldstein, and Furong Huang. Erasing the in- visible: A stress-test challenge for image watermarks. In NeurIPS 2024 Competition Track, 2024. 2

work page 2024
[18]

On the difficulty of con- structing a robust and publicly-detectable watermark.arXiv preprint arXiv:2502.04901, 2025

Jaiden Fairoze, Guillermo Ortiz-Jimenez, Mel Vecerik, Somesh Jha, and Sven Gowal. On the difficulty of con- structing a robust and publicly-detectable watermark.arXiv preprint arXiv:2502.04901, 2025. 2

work page arXiv 2025
[19]

The stable signature: Rooting watermarks in latent diffusion models

Pierre Fernandez, Guillaume Couairon, Herv ´e J ´egou, Matthijs Douze, and Teddy Furon. The stable signature: Rooting watermarks in latent diffusion models. InProceed- ings of the IEEE/CVF International Conference on Com- puter Vision, pages 22466–22477, 2023. 1

work page 2023
[20]

Genai against humanity: Nefarious applica- tions of generative artificial intelligence and large language models.Journal of Computational Social Science, 7(1):549– 569, 2024

Emilio Ferrara. Genai against humanity: Nefarious applica- tions of generative artificial intelligence and large language models.Journal of Computational Social Science, 7(1):549– 569, 2024. 1

work page 2024
[21]

SynthID - google deepmind.https: //deepmind.google/models/synthid/, 2026

Google DeepMind. SynthID - google deepmind.https: //deepmind.google/models/synthid/, 2026. Accessed: 2026-02-22. 1

work page 2026
[22]

Synthid-image: Image watermarking at internet scale.arXiv preprint arXiv:2510.09263, 2025

Sven Gowal, Rudy Bunel, Florian Stimberg, David Stutz, Guillermo Ortiz-Jimenez, Christina Kouridi, Mel Vecerik, Jamie Hayes, Sylvestre-Alvise Rebuffi, Paul Bernard, et al. Synthid-image: Image watermarking at internet scale.arXiv preprint arXiv:2510.09263, 2025. 1, 2

work page arXiv 2025
[23]

C2PA and digital watermarks: A powerful combination protecting content creators and con- sumers

Dominique Guinard. C2PA and digital watermarks: A powerful combination protecting content creators and con- sumers. Digimarc Blog, 2024. Dominique Guinard is VP of Innovation at Digimarc. 1

work page 2024
[24]

Secured color image watermarking technique in DWT-DCT domain

Baisa L Gunjal and Suresh N Mali. Secured color image watermarking technique in dwt-dct domain.arXiv preprint arXiv:1109.2325, 2011. 2

work page internal anchor Pith review Pith/arXiv arXiv 2011
[25]

International Telecommunication Union (ITU). Detecting deepfakes and generative AI: Report on standards for AI watermarking and multimedia authenticity workshop — the need for standards collaboration on AI and multimedia au- thenticity. Report T-AI4G-AI4GOOD-2024-7, International Telecommunication Union, 2024. Accessed: 2026-02-22. 2, 8

work page 2024
[26]

Signing right away.arXiv preprint arXiv:2510.09656, 2025

Yejun Jang. Signing right away.arXiv preprint arXiv:2510.09656, 2025. 3

work page arXiv 2025
[27]

Unmarker: a univer- sal attack on defensive image watermarking

Andre Kassis and Urs Hengartner. Unmarker: a univer- sal attack on defensive image watermarking. In2025 IEEE Symposium on Security and Privacy (SP), pages 2602–2620. IEEE, 2025. 2

work page 2025
[28]

C2pa from the attacker’s perspective.Hacker Factor, 2024

Neal Krawetz. C2pa from the attacker’s perspective.Hacker Factor, 2024. 2 9

work page 2024
[29]

From Evidence to Verdict: An Agent-Based Forensic Framework for AI-Generated Image Detection

Mengfei Liang, Yiting Qu, Yukun Jiang, Michael Backes, and Yang Zhang. From evidence to verdict: An agent-based forensic framework for ai-generated image detection.arXiv preprint arXiv:2511.00181, 2025. 3, 8

work page internal anchor Pith review Pith/arXiv arXiv 2025
[30]

Robust reversible wa- termarking of jpeg images.Signal Processing, 224:109582,

Xingyuan Liang and Shijun Xiang. Robust reversible wa- termarking of jpeg images.Signal Processing, 224:109582,

work page
[31]

Hel- mus

Alicia Revitsky Locker, Chad Heitzenrater, and Todd C. Hel- mus. Overpromising on digital provenance and security. RAND Commentary, 2025. Accessed: 2026-02-23. 3

work page 2025
[32]

Ori- gin lens: A privacy-first mobile framework for crypto- graphic image provenance and ai detection.arXiv preprint arXiv:2602.03423, 2026

Alexander Loth, Dominique Conceicao Rosario, Peter Ebinger, Martin Kappes, and Marc-Oliver Pahl. Ori- gin lens: A privacy-first mobile framework for crypto- graphic image provenance and ai detection.arXiv preprint arXiv:2602.03423, 2026. 3, 8

work page arXiv 2026
[33]

Leveraging optimization for adaptive attacks on image watermarks.arXiv preprint arXiv:2309.16952,

Nils Lukas, Abdulrahman Diaa, Lucas Fenaux, and Florian Kerschbaum. Leveraging optimization for adaptive attacks on image watermarks.arXiv preprint arXiv:2309.16952,

work page arXiv
[34]

Leica launches world’s first camera with con- tent credentials.https://contentauthenticity

Santiago Lyon. Leica launches world’s first camera with con- tent credentials.https://contentauthenticity. org/blog/leica- launches- worlds- first- camera-with-content-credentials, 2023. Ac- cessed: 2026-02-22. 1

work page 2023
[35]

Meta seal - state- of-the-art open source AI watermarking.https://face bookresearch.github.io/meta- seal/, 2026

Meta Fundamental AI Research (FAIR). Meta seal - state- of-the-art open source AI watermarking.https://face bookresearch.github.io/meta- seal/, 2026. Accessed: 2026-02-22. 1, 2, 4, 8

work page 2026
[36]

Artificial intelli- gence and increasing misinformation.The British Journal of Psychiatry, 224(2):33–35, 2024

Scott Monteith, Tasha Glenn, John R Geddes, Peter C Why- brow, Eric Achtyes, and Michael Bauer. Artificial intelli- gence and increasing misinformation.The British Journal of Psychiatry, 224(2):33–35, 2024. 1

work page 2024
[37]

From attack to protection: Lever- aging watermarking attack network for advanced add-on wa- termarking.arXiv preprint arXiv:2008.06255, 2020

Seung-Hun Nam, Jihyeon Kang, Daesik Kim, Namhyuk Ahn, and Wonhyuk Ahn. From attack to protection: Lever- aging watermarking attack network for advanced add-on wa- termarking.arXiv preprint arXiv:2008.06255, 2020. 2

work page arXiv 2008
[38]

Content credentials: Strengthening multimedia integrity in the generative AI era

National Security Agency (NSA), Australian Signals Direc- torate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and United Kingdom National Cyber Security Centre (NCSC-UK). Content credentials: Strengthening multimedia integrity in the generative AI era. Cybersecurity Information Sheet U/OO/109191-25 — PP-25-03...

work page
[39]

Accessed: 2026-02-22. 2

work page 2026
[40]

Wa- termarking without standards is not ai governance.arXiv preprint arXiv:2505.23814, 2025

Alexander Nemecek, Yuzhou Jiang, and Erman Ayday. Wa- termarking without standards is not ai governance.arXiv preprint arXiv:2505.23814, 2025. 2, 3

work page arXiv 2025
[41]

Ai-synthesized faces are indistinguishable from real faces and more trustworthy

Sophie J Nightingale and Hany Farid. Ai-synthesized faces are indistinguishable from real faces and more trustworthy. Proceedings of the National Academy of Sciences, 119(8): e2120481119, 2022. 1

work page 2022
[42]

Nikon Corporation. Nikon Develops Firmware that Adds a Function Compliant with C2PA Standards to the NikonZ6III Full-Frame Mirrorless Camera.https://www.nikonu sa.com/press-room/nikon-develops-firmwa re- that- adds- function- compliant- with- cp2a-standards-to-z6iii?srsltid=AfmBOo qPzkXZx2DqzppmuoLQ8lnCXIw9GWD8UO3K7Adfjd T80N0drOkx, 2024. Accessed: 2026-02-22. 1

work page 2024
[43]

Durable content credentials.https:// contentauthenticity.org/blog/durable- content-credentials, 2024

Andy Parsons. Durable content credentials.https:// contentauthenticity.org/blog/durable- content-credentials, 2024. Accessed: 2026-02-22. 2

work page 2024
[44]

SDXL: Improving Latent Diffusion Models for High-Resolution Image Synthesis

Dustin Podell, Zion English, Kyle Lacey, Andreas Blattmann, Tim Dockhorn, Jonas M ¨uller, Joe Penna, and Robin Rombach. Sdxl: Improving latent diffusion mod- els for high-resolution image synthesis.arXiv preprint arXiv:2307.01952, 2023. 4

work page internal anchor Pith review Pith/arXiv arXiv 2023
[45]

Adop- tion of watermarking for generative ai systems in practice and implications under the new eu ai act.arXiv preprint arXiv:2503.18156, 2025

Bram Rijsbosch, Gijs van Dijck, and Konrad Kollnig. Adop- tion of watermarking for generative ai systems in practice and implications under the new eu ai act.arXiv preprint arXiv:2503.18156, 2025. 2, 3

work page arXiv 2025
[46]

Robustness of ai-image detectors: Fundamental lim- its and practical attacks.arXiv preprint arXiv:2310.00076,

Mehrdad Saberi, Vinu Sankar Sadasivan, Keivan Rezaei, Aounon Kumar, Atoosa Chegini, Wenxiao Wang, and Soheil Feizi. Robustness of ai-image detectors: Fundamental lim- its and practical attacks.arXiv preprint arXiv:2310.00076,

work page arXiv
[47]

First-place solution to neurips 2024 invisible watermark re- moval challenge

Fahad Shamshad, Tameem Bakr, Yahia Salaheldin Shaaban, Noor Hazim Hussein, Karthik Nandakumar, and Nils Lukas. First-place solution to neurips 2024 invisible watermark re- moval challenge. InThe 1st Workshop on GenAI Watermark- ing, 2025. 2

work page 2024
[48]

Interoperable provenance authentication of broadcast media using open standards-based metadata, watermarking and cryptography

John C Simmons and Joseph M Winograd. Interoperable provenance authentication of broadcast media using open standards-based metadata, watermarking and cryptography. arXiv preprint arXiv:2405.12336, 2024. 1, 2, 3

work page arXiv 2024
[49]

Pixel seal: Adversarial-only training for invisible image and video watermarking.arXiv preprint arXiv:2512.16874, 2025

Tom ´aˇs Sou ˇcek, Pierre Fernandez, Hady Elsahar, Sylvestre- Alvise Rebuffi, Valeriu Lacatusu, Tuan Tran, Tom Sander, and Alexandre Mourachko. Pixel seal: Adversarial-only training for invisible image and video watermarking.arXiv preprint arXiv:2512.16874, 2025. 2, 4, 8

work page arXiv 2025
[50]

Detecting AI fingerprints: A guide to watermarking and beyond

Suresh Srinivasan. Detecting AI fingerprints: A guide to watermarking and beyond. Technical report, Brookings In- stitution, United States of America, 2024. Accessed: 2026- 02-22. 2

work page 2024
[51]

Stegastamp: Invisible hyperlinks in physical photographs

Matthew Tancik, Ben Mildenhall, and Ren Ng. Stegastamp: Invisible hyperlinks in physical photographs. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 2117–2126, 2020. 2

work page 2020
[52]

Tree-ring watermarks: Fingerprints for diffu- sion images that are invisible and robust.arXiv preprint arXiv:2305.20030, 2023

Yuxin Wen, John Kirchenbauer, Jonas Geiping, and Tom Goldstein. Tree-ring watermarks: Fingerprints for diffu- sion images that are invisible and robust.arXiv preprint arXiv:2305.20030, 2023. 2

work page arXiv 2023
[53]

Gaussian shading: Prov- able performance-lossless image watermarking for diffusion models

Zijin Yang, Kai Zeng, Kejiang Chen, Han Fang, Weim- ing Zhang, and Nenghai Yu. Gaussian shading: Prov- able performance-lossless image watermarking for diffusion models. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 12162– 12171, 2024. 2

work page 2024
[54]

Media integrity and authentication: Status, directions, and futures

Jessica Young, Sam Vaughan, Andrew Jenks, Henrique Mal- var, Christian Paquin, Paul England, Thomas Roca, Juan Lavista Ferres, Forough Poursabzi, Neil Coles, Ken Archer, and Eric Horvitz. Media integrity and authentication: Status, directions, and futures. 2026. 3 10

work page 2026
[55]

Scaling Autoregressive Models for Content-Rich Text-to-Image Generation

Jiahui Yu, Yuanzhong Xu, Jing Yu Koh, Thang Luong, Gun- jan Baid, Zirui Wang, Vijay Vasudevan, Alexander Ku, Yin- fei Yang, Burcu Karagol Ayan, et al. Scaling autoregres- sive models for content-rich text-to-image generation.arXiv preprint arXiv:2206.10789, 2(3):5, 2022. 4

work page internal anchor Pith review Pith/arXiv arXiv 2022
[56]

Invisible image watermarks are provably removable using generative ai.Advances in neural information processing systems, 37:8643–8672, 2024

Xuandong Zhao, Kexun Zhang, Zihao Su, Saastha Vasan, Ilya Grishchenko, Christopher Kruegel, Giovanni Vigna, Yu- Xiang Wang, and Lei Li. Invisible image watermarks are provably removable using generative ai.Advances in neural information processing systems, 37:8643–8672, 2024. 2, 3

work page 2024
[57]

A brief, in-depth survey of deep learning-based image watermarking.Applied Sciences, 13(21):11852, 2023

Xin Zhong, Arjon Das, Fahad Alrasheedi, and Abdullah Tan- vir. A brief, in-depth survey of deep learning-based image watermarking.Applied Sciences, 13(21):11852, 2023. 1

work page 2023
[58]

Hidden: Hiding data with deep networks

Jiren Zhu, Russell Kaplan, Justin Johnson, and Li Fei-Fei. Hidden: Hiding data with deep networks. InProceedings of the European conference on computer vision (ECCV), pages 657–672, 2018. 1 11

work page 2018