watermarking.media
Reliability

How robust is digital watermarking?

By The watermarking.media team
6 min read
Contents

How robust a digital watermark is depends almost entirely on where the mark lives, so the answer is a short taxonomy rather than a single number: pixel-level marks are the most removable, latent or seeded marks survive more, and container-level provenance survives only while the file is untouched. Robustness is not a property a watermark simply has or lacks. It is the outcome of a specific tier of mark meeting a specific class of attack. Once you know which tier a scheme belongs to, its strengths and its failure modes are largely predictable, across both images and audio.

Three tiers, by where the mark lives

The whole field sorts into three layers.

The first is the pixel-additive and post-hoc neural tier: the mark is added on top of finished content. Classical LSB and DCT steganography sit here, and so do the modern neural schemes descended from HiDDeN, which Zhu, Kaplan and Johnson introduced as “the first end-to-end trainable framework for data hiding” (ECCV 2018). StegaStamp (Tancik, Mildenhall and Ng, CVPR 2020) pushes the amplitude up so the mark survives print-scan and screen-cam, and SynthID-Image (Gowal, Bunel and Stimberg, 2025), which has been used to watermark over ten billion images and video frames, is the internet-scale version of the same idea. Because every mark in this tier is painted onto finished pixels, a fresh generative pass can paint over it.

The second tier is latent or seeded. Instead of touching the output pixels, the mark is placed upstream, in the generator’s own process. Tree-Ring (Wen, Kirchenbauer and Geiping, NeurIPS 2023) seeds its pattern in the initial noise before the image is decoded, which makes it robust to crops, flips and rotations by mechanism rather than by training. Gaussian Shading (Yang, Zeng and Chen, CVPR 2024) is a distribution-preserving latent mark whose watermarked output is statistically indistinguishable from an unwatermarked one. Marks in this tier survive a same-architecture round-trip that would erase a pixel-additive mark, but they are still open to a break that regenerates the content through a different model.

The third tier is container-level provenance. C2PA Content Credentials do not alter a single pixel; they attach a cryptographically signed manifest to the file. That manifest carries a full, verifiable edit history, but it survives only while the pixels it was signed over are untouched. Any pixel-touching edit that does not re-sign the manifest strips it.

The image evidence

The image research maps cleanly onto those tiers. For the first tier, Zhao, Zhang and Wang proved that pixel-level invisible watermarks are provably removable by a regeneration attack, which adds noise to destroy the mark and then reconstructs the image, and showed it “across four different pixel-level watermarking schemes” (NeurIPS 2024). The WAVES benchmark widened the lens: standardizing attacks from ordinary distortions up to diffusive and adversarial ones, it “reveals previously undetected vulnerabilities of several modern watermarking algorithms” (An, Ding and Rabbani, ICML 2024). Diffusion purification is the same story from another angle, removing low-perturbation marks “by applying minimal changes to images” (Saberi, Sadasivan and Rezaei, ICLR 2024).

Then there is the attack that runs the other way. Forgery does not remove a mark, it fabricates one. WMCopier embeds a target watermark into a clean, non-watermarked image “without requiring any prior knowledge of or access to the target watermarking algorithm”, and the forged image “effectively deceives both open-source and closed-source watermark systems” (Dong, Shuai and Ba, NeurIPS 2025). That inverts the threat model: robustness is usually framed as a mark surviving, but a mark that can be forged onto innocent content is a different failure, false attribution used as a weapon.

The same logic holds for audio

Sound follows the identical pattern. The post-hoc audio marks behave like the pixel-additive image tier: an overwriting attack that re-embeds a fresh mark is reported to drive AudioSeal, WavMark and TimbreWatermarking to a “nearly 100% attack success rate” (Yao, Huang and Wang, AAAI 2026), and a benchmark measures a neural codec such as EnCodec or DAC pushing AudioSeal’s bit-error rate to 98% or higher (Liu, Guo and Jiang, NeurIPS 2024). Both are the source papers’ own single-source results, not independently replicated. Re-synthesis is to audio what regeneration is to images: it rebuilds the signal from a learned representation, and the added mark does not survive the rebuild. The tier a mark belongs to, not the medium it lives in, predicts how it fails. For the audio view in full, see How reliable is audio watermarking?.

Low false alarms or graceful failure, not both

Robustness has a second axis that the tiers expose: how a scheme fails, not just whether it does. Crypto-binary schemes, meaning C2PA and fragile marks, give an astronomically low false-positive rate, because a signature either verifies or it does not. But they offer zero graceful degradation: any edit at all fails the check. Detector-based neural marks sit at the opposite corner. Gaussian Shading and its family run near a 10^-6 false-positive rate by default and degrade gradually as content is distorted, giving a soft score rather than a hard pass or fail. That trade decides the use case. Legal-grade attribution, where a false accusation is unacceptable, wants the crypto-binary family. Soft content-flagging at scale, where you want a signal that fades rather than snaps, can use the neural family. Neither is more robust in the abstract; they are robust against different things.

Robustness by tier

TierExample schemesSurvivesBreaks under
Pixel-additive, post-hocHiDDeN, StegaStamp, SynthIDRoutine distortion and compressionGenerative regeneration
Latent or seededTree-Ring, Gaussian ShadingSame-model codec round-tripCross-model regeneration
Container-levelC2PA Content CredentialsUntouched filesAny pixel-touching edit

How to read it

No watermark class is robust on every axis. Pixel-additive marks are the easiest to remove but the easiest to deploy on any finished file. Latent marks survive more but need control of the generator. Container-level provenance carries the richest history but is the most brittle to a routine edit, which is why a metadata manifest is different from a watermark rather than a stronger version of one, and why SynthID and C2PA sit next to each other rather than replacing each other. Robustness is a property of the tier plus the attack, never a yes or no, so the useful question is never “is this watermark robust” but “robust against which operation”. If your goal is the reverse, keeping your own file from being traced back to you, see can you remove SynthID from your file?.

Sources

  • Zhu, Kaplan, Johnson (2018). HiDDeN: Hiding Data With Deep Networks. ECCV.
  • Tancik, Mildenhall, Ng (2020). StegaStamp: Invisible Hyperlinks in Physical Photographs. CVPR.
  • Gowal, Bunel, Stimberg (2025). SynthID-Image: Image Watermarking at Internet Scale. Google DeepMind.
  • Wen, Kirchenbauer, Geiping (2023). Tree-Ring Watermarks: Fingerprints for Diffusion Images that are Invisible and Robust. NeurIPS.
  • Yang, Zeng, Chen (2024). Gaussian Shading: Provable Performance-Lossless Image Watermarking for Diffusion Models. CVPR.
  • Zhao, Zhang, Wang (2024). Invisible Image Watermarks Are Provably Removable Using Generative AI. NeurIPS.
  • An, Ding, Rabbani (2024). WAVES: Benchmarking the Robustness of Image Watermarks. ICML.
  • Saberi, Sadasivan, Rezaei (2024). Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks. ICLR.
  • Dong, Shuai, Ba (2025). WMCopier: Forging Invisible Image Watermarks on Arbitrary Images. NeurIPS.
  • Yao, Huang, Wang (2025). Yours or Mine? Overwriting Attacks Against Neural Audio Watermarking. AAAI 2026.
  • Liu, Guo, Jiang (2024). AudioMarkBench: Benchmarking Robustness of Audio Watermarking. NeurIPS Datasets and Benchmarks.
#watermarking#robustness#provenance#c2pa#synthid