Decoder Gradient Shield: Provable and High-Fidelity Prevention of Gradient-Based Box-Free Watermark Removal

Haonan An; Guang Hua; Zhengru Fang; Guowen Xu; Susanto Rahardja; Yuguang Fang

doi:10.1109/CVPR52734.2025.01253

Decoder Gradient Shield: Provable and High-Fidelity Prevention of Gradient-Based Box-Free Watermark Removal

Haonan An (Co-first Author), Guang Hua^* (Co-first Author), Zhengru Fang, Guowen Xu, Susanto Rahardja, Yuguang Fang^*

^*Corresponding author for this work

Department of Computer Science

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

Abstract

The intellectual property of deep image-to-image models can be protected by the so-called box-free watermarking. It uses an encoder and a decoder, respectively, to embed into and extract from the model's output images invisible copyright marks. Prior works have improved watermark robustness, focusing on the design of better watermark encoders. In this paper, we reveal an overlooked vulnerability of the unprotected watermark decoder which is jointly trained with the encoder and can be exploited to train a watermark removal network. To defend against such an attack, we propose the decoder gradient shield (DGS) as a protection layer in the decoder API to prevent gradient-based watermark removal with a closed-form solution. The fundamental idea is inspired by the classical adversarial attack, but is utilized for the first time as a defensive mechanism in the box-free model watermarking. We then demonstrate that DGS can reorient and rescale the gradient directions of watermarked queries and stop the watermark remover's training loss from converging to the level without DGS, while retaining decoder output image quality. Experimental results verify the effectiveness of proposed method. Code of paper is available at https://github.com/haonanAN309/CVPR-2025-Official-Implementation-Decoder-Gradient-Shield.

Original language	English
Title of host publication	2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition
Subtitle of host publication	CVPR 2025
Place of Publication	United States
Publisher	IEEE
Pages	13424-13433
ISBN (Electronic)	979-8-3315-4364-8
ISBN (Print)	979-8-3315-4365-5
DOIs	https://doi.org/10.1109/CVPR52734.2025.01253
Publication status	Presented - 14 Jun 2025
Event	2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2025) - Music City Center, Nashville, United States Duration: 11 Jun 2025 → 15 Jun 2025 https://cvpr.thecvf.com/Conferences/2025 https://cvpr.thecvf.com/

Conference

Conference	2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2025)
Abbreviated title	CVPR2025
Place	United States
City	Nashville
Period	11/06/25 → 15/06/25
Internet address	https://cvpr.thecvf.com/Conferences/2025 https://cvpr.thecvf.com/

Funding

The research work described in this paper was partially conducted in the JC STEM Lab of Smart City funded by The Hong Kong Jockey Club Charities Trust under Contract 2023-0108. The work was also supported in part by the Hong Kong SAR Government under the Global STEM Professorship and Research Talent Hub.

Access Output

10.1109/CVPR52734.2025.01253

https://openaccess.thecvf.com/content/CVPR2025/html/An_Decoder_Gradient_Shield_Provable_and_High-Fidelity_Prevention_of_Gradient-Based_Box-Free_CVPR_2025_paper.html

Permanent Link

Right click to copy link

Cite this

An, H., Hua, G., Fang, Z., Xu, G., Rahardja, S., & Fang, Y. (2025). Decoder Gradient Shield: Provable and High-Fidelity Prevention of Gradient-Based Box-Free Watermark Removal. Unpublished. In 2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition: CVPR 2025 (pp. 13424-13433). IEEE. Advance online publication. https://doi.org/10.1109/CVPR52734.2025.01253

@inproceedings{459d0c5ddcf94fc495a6f6733ee9bab9,

title = "Decoder Gradient Shield: Provable and High-Fidelity Prevention of Gradient-Based Box-Free Watermark Removal",

abstract = "The intellectual property of deep image-to-image models can be protected by the so-called box-free watermarking. It uses an encoder and a decoder, respectively, to embed into and extract from the model's output images invisible copyright marks. Prior works have improved watermark robustness, focusing on the design of better watermark encoders. In this paper, we reveal an overlooked vulnerability of the unprotected watermark decoder which is jointly trained with the encoder and can be exploited to train a watermark removal network. To defend against such an attack, we propose the decoder gradient shield (DGS) as a protection layer in the decoder API to prevent gradient-based watermark removal with a closed-form solution. The fundamental idea is inspired by the classical adversarial attack, but is utilized for the first time as a defensive mechanism in the box-free model watermarking. We then demonstrate that DGS can reorient and rescale the gradient directions of watermarked queries and stop the watermark remover's training loss from converging to the level without DGS, while retaining decoder output image quality. Experimental results verify the effectiveness of proposed method. Code of paper is available at https://github.com/haonanAN309/CVPR-2025-Official-Implementation-Decoder-Gradient-Shield.",

author = "Haonan An and Guang Hua and Zhengru Fang and Guowen Xu and Susanto Rahardja and Yuguang Fang",

year = "2025",

month = jun,

day = "14",

doi = "10.1109/CVPR52734.2025.01253",

language = "English",

isbn = "979-8-3315-4365-5",

pages = "13424--13433",

booktitle = "2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition",

publisher = "IEEE",

address = "United States",

note = "2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2025), CVPR2025 ; Conference date: 11-06-2025 Through 15-06-2025",

url = "https://cvpr.thecvf.com/Conferences/2025, https://cvpr.thecvf.com/",

}

An, H, Hua, G, Fang, Z, Xu, G, Rahardja, S & Fang, Y 2025, Decoder Gradient Shield: Provable and High-Fidelity Prevention of Gradient-Based Box-Free Watermark Removal. in 2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition: CVPR 2025. IEEE, United States, pp. 13424-13433, 2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2025), Nashville, Tennessee, United States, 11/06/25. https://doi.org/10.1109/CVPR52734.2025.01253

Decoder Gradient Shield: Provable and High-Fidelity Prevention of Gradient-Based Box-Free Watermark Removal. / An, Haonan (Co-first Author); Hua, Guang (Co-first Author); Fang, Zhengru et al.
2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition: CVPR 2025. United States: IEEE, 2025. p. 13424-13433.

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Decoder Gradient Shield

T2 - 2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2025)

AU - An, Haonan

AU - Hua, Guang

AU - Fang, Zhengru

AU - Xu, Guowen

AU - Rahardja, Susanto

AU - Fang, Yuguang

PY - 2025/6/14

Y1 - 2025/6/14

N2 - The intellectual property of deep image-to-image models can be protected by the so-called box-free watermarking. It uses an encoder and a decoder, respectively, to embed into and extract from the model's output images invisible copyright marks. Prior works have improved watermark robustness, focusing on the design of better watermark encoders. In this paper, we reveal an overlooked vulnerability of the unprotected watermark decoder which is jointly trained with the encoder and can be exploited to train a watermark removal network. To defend against such an attack, we propose the decoder gradient shield (DGS) as a protection layer in the decoder API to prevent gradient-based watermark removal with a closed-form solution. The fundamental idea is inspired by the classical adversarial attack, but is utilized for the first time as a defensive mechanism in the box-free model watermarking. We then demonstrate that DGS can reorient and rescale the gradient directions of watermarked queries and stop the watermark remover's training loss from converging to the level without DGS, while retaining decoder output image quality. Experimental results verify the effectiveness of proposed method. Code of paper is available at https://github.com/haonanAN309/CVPR-2025-Official-Implementation-Decoder-Gradient-Shield.

AB - The intellectual property of deep image-to-image models can be protected by the so-called box-free watermarking. It uses an encoder and a decoder, respectively, to embed into and extract from the model's output images invisible copyright marks. Prior works have improved watermark robustness, focusing on the design of better watermark encoders. In this paper, we reveal an overlooked vulnerability of the unprotected watermark decoder which is jointly trained with the encoder and can be exploited to train a watermark removal network. To defend against such an attack, we propose the decoder gradient shield (DGS) as a protection layer in the decoder API to prevent gradient-based watermark removal with a closed-form solution. The fundamental idea is inspired by the classical adversarial attack, but is utilized for the first time as a defensive mechanism in the box-free model watermarking. We then demonstrate that DGS can reorient and rescale the gradient directions of watermarked queries and stop the watermark remover's training loss from converging to the level without DGS, while retaining decoder output image quality. Experimental results verify the effectiveness of proposed method. Code of paper is available at https://github.com/haonanAN309/CVPR-2025-Official-Implementation-Decoder-Gradient-Shield.

U2 - 10.1109/CVPR52734.2025.01253

DO - 10.1109/CVPR52734.2025.01253

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 979-8-3315-4365-5

SP - 13424

EP - 13433

BT - 2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition

PB - IEEE

CY - United States

Y2 - 11 June 2025 through 15 June 2025

ER -

Decoder Gradient Shield: Provable and High-Fidelity Prevention of Gradient-Based Box-Free Watermark Removal

Abstract

Conference

Funding

Access Output

Permanent Link

Fingerprint

Cite this