ML Security PapersSLICE: Semantic Latent Injection via Compartmentalized Embedding for Image Watermarking
Zheng Gao 1, Yifan Yang 1, Xiaoyu Li 1, Xiaoyan Feng 1, Haoran Fan 1, Yang Song 2, Jiaojiao Jiang 1
Published on arXiv
2603.12749
Output Integrity Attack
OWASP ML Top 10 — ML09
Key Finding
Significantly outperforms existing baselines against semantic-guided regeneration attacks while enabling fine-grained tamper localization
SLICE
Novel technique introduced
Watermarking the initial noise of diffusion models has emerged as a promising approach for image provenance, but content-independent noise patterns can be forged via inversion and regeneration attacks. Recent semantic-aware watermarking methods improve robustness by conditioning verification on image semantics. However, their reliance on a single global semantic binding makes them vulnerable to localized but globally coherent semantic edits. To address this limitation and provide a trustworthy semantic-aware watermark, we propose $\underline{\textbf{S}}$emantic $\underline{\textbf{L}}$atent $\underline{\textbf{I}}$njection via $\underline{\textbf{C}}$ompartmentalized $\underline{\textbf{E}}$mbedding ($\textbf{SLICE}$). Our framework decouples image semantics into four semantic factors (subject, environment, action, and detail) and precisely anchors them to distinct regions in the initial Gaussian noise. This fine-grained semantic binding enables advanced watermark verification where semantic tampering is detectable and localizable. We theoretically justify why SLICE enables robust and reliable tamper localization and provides statistical guarantees on false-accept rates. Experimental results demonstrate that SLICE significantly outperforms existing baselines against advanced semantic-guided regeneration attacks, substantially reducing attack success while preserving image quality and semantic fidelity. Overall, SLICE offers a practical, training-free provenance solution that is both fine-grained in diagnosis and robust to realistic adversarial manipulations.
Key Contributions
- Compartmentalized semantic watermarking that decouples image semantics into four factors (subject, environment, action, detail) anchored to distinct noise regions
- Training-free watermark verification with tamper localization capabilities against semantic-guided regeneration attacks
- Theoretical guarantees on false-accept rates and statistical justification for tamper detection
🛡️ Threat Analysis
Watermarks AI-generated images by injecting semantic bindings into the initial noise of diffusion models to verify content provenance and detect semantic tampering — this is output integrity and content authentication, not model IP protection.