Shanxiang Lyu

CR | 3 papers | 1 citation | Novelty 53% | AI Score 23

3 Papers

CR | Dec 10, 2023
FedReverse: Multiparty Reversible Deep Neural Network Watermarking

Junlong Mao, Huiyi Tang, Yi Zhang et al.

The proliferation of Deep Neural Networks (DNN) in commercial applications is expanding rapidly. Simultaneously, the increasing complexity and cost of training DNN models have intensified the urgency surrounding the protection of intellectual property associated with these trained models. In this regard, DNN watermarking has emerged as a crucial safeguarding technique. This paper presents FedReverse, a novel multiparty reversible watermarking approach for robust copyright protection while minimizing performance impact. Unlike existing methods, FedReverse enables collaborative watermark embedding from multiple parties after model training, ensuring individual copyright claims. In addition, FedReverse is reversible, enabling complete watermark removal with unanimous client consent. FedReverse demonstrates perfect covering, ensuring that observations of watermarked content do not reveal any information about the hidden watermark. Additionally, it showcases resistance against Known Original Attacks (KOA), making it highly challenging for attackers to forge watermarks or infer the key. This paper further evaluates FedReverse through comprehensive simulations involving Multi-layer Perceptron (MLP) and Convolutional Neural Networks (CNN) trained on the MNIST dataset. The simulations demonstrate FedReverse's robustness, reversibility, and minimal impact on model accuracy across varying embedding parameters and multiple client scenarios.

CR | May 29, 2023
Reversible Quantization Index Modulation for Static Deep Neural Network Watermarking

Junren Qin, Shanxiang Lyu, Fan Yang et al.

Static deep neural network (DNN) watermarking techniques typically employ irreversible methods to embed watermarks into the DNN model weights. However, this approach causes permanent damage to the watermarked model and fails to meet the requirements of integrity authentication. Reversible data hiding (RDH) methods offer a potential solution, but existing approaches suffer from weaknesses in terms of usability, capacity, and fidelity, hindering their practical adoption. In this paper, we propose a novel RDH-based static DNN watermarking scheme using quantization index modulation (QIM). Our scheme incorporates a novel approach based on a one-dimensional quantizer for watermark embedding. Furthermore, we design two schemes to address the challenges of integrity protection and legitimate authentication for DNNs. Through simulation results on training loss and classification accuracy, we demonstrate the feasibility and effectiveness of our proposed schemes, highlighting their superior adaptability compared to existing methods.

IT | May 27, 2021
Lattice-Based Minimum-Distortion Data Hiding

Jieni Lin, Junren Qin, Shanxiang Lyu et al.

Lattices have been conceived as a powerful tool for data hiding. While conventional studies and applications focus on achieving the optimal robustness versus distortion tradeoff, in some applications such as data hiding in medical/physiological signals, the primary concern is to achieve a minimum amount of distortion to the cover signal. In this paper, we revisit the celebrated quantization index modulation (QIM) scheme and propose a minimum-distortion version of it, referred to as MD-QIM. The crux of MD-QIM is to move the data point to only the boundary of the Voronoi region of the lattice point indexed by a message, which suffices for subsequent correct decoding. At any fixed code rate, the scheme achieves the minimum amount of distortion by sacrificing the robustness to the additive white Gaussian noise (AWGN) attacks. Simulation results confirm that our scheme significantly outperforms QIM in terms of mean square error (MSE), peak signal to noise ratio (PSNR) and percentage residual difference (PRD).