A Crack in the Bark: Leveraging Public Knowledge to Remove Tree-Ring Watermarks
This work highlights a security risk for diffusion model users by exposing vulnerabilities in watermarking techniques due to the reuse of public autoencoders, which is an incremental but practical threat.
The paper tackles the problem of removing Tree-Ring watermarks from diffusion models by developing an attack that uses publicly available variational autoencoders, resulting in a dramatic reduction in detection AUC from 0.993 to 0.153 and 0.994 to 0.385 while maintaining image quality.
We present a novel attack specifically designed against Tree-Ring, a watermarking technique for diffusion models known for its high imperceptibility and robustness against removal attacks. Unlike previous removal attacks, which rely on strong assumptions about attacker capabilities, our attack only requires access to the variational autoencoder that was used to train the target diffusion model, a component that is often publicly available. By leveraging this variational autoencoder, the attacker can approximate the model's intermediate latent space, enabling more effective surrogate-based attacks. Our evaluation shows that this approach leads to a dramatic reduction in the AUC of Tree-Ring detector's ROC and PR curves, decreasing from 0.993 to 0.153 and from 0.994 to 0.385, respectively, while maintaining high image quality. Notably, our attacks outperform existing methods that assume full access to the diffusion model. These findings highlight the risk of reusing public autoencoders to train diffusion models -- a threat not considered by current industry practices. Furthermore, the results suggest that the Tree-Ring detector's precision, a metric that has been overlooked by previous evaluations, falls short of the requirements for real-world deployment.