Removing Box-Free Watermarks for Image-to-Image Models via Query-Based Reverse Engineering

Authors

  • Haonan An City University of Hong Kong
  • Guang Hua Singapore Institute of Technology
  • Hangcheng Cao City University of Hong Kong
  • Zhengru Fang City University of Hong Kong
  • Guowen Xu University of Electronic Science and Technology of China
  • Susanto Rahardja Singapore Institute of Technology
  • Yuguang Fang City University of Hong Kong

DOI:

https://doi.org/10.1609/aaai.v40i24.39041

Abstract

The intellectual property of deep generative networks (GNets) can be protected using a cascaded hiding network (HNet) which embeds watermarks (or marks) into GNet outputs, known as box-free watermarking. Although both GNet and HNet are encapsulated in a black box (called operation network, or ONet), with only the generated and marked outputs from HNet being released to end users and deemed secure, in this paper, we reveal an overlooked vulnerability in such systems. Specifically, we show that the hidden GNet outputs can still be reliably estimated via query-based reverse engineering, leaking the generated and unmarked images, despite the attacker's limited knowledge of the system. Our first attempt is to reverse-engineer an inverse model for HNet under the stringent black-box condition, for which we propose to exploit the query process with specially curated input images. While effective, this method yields unsatisfactory image quality. To improve this, we subsequently propose an alternative method leveraging the equivalent additive property of box-free model watermarking and reverse-engineering a forward surrogate model of HNet, with better image quality preservation. Extensive experimental results on image processing and image generation tasks demonstrate that both attacks achieve impressive watermark removal success rates (100%) while also maintaining excellent image quality (reaching the highest PSNR of 34.69 dB), substantially outperforming existing attacks, highlighting the urgent need for robust defensive strategies to mitigate the identified vulnerability in box-free model watermarking.

Published

2026-03-14

How to Cite

An, H., Hua, G., Cao, H., Fang, Z., Xu, G., Rahardja, S., & Fang, Y. (2026). Removing Box-Free Watermarks for Image-to-Image Models via Query-Based Reverse Engineering. Proceedings of the AAAI Conference on Artificial Intelligence, 40(24), 19615–19622. https://doi.org/10.1609/aaai.v40i24.39041

Section

AAAI Technical Track on Machine Learning I