Invisible image watermarks, often embedded using generative AI, can be effectively removed by this project's proposed "regeneration attacks." It offers a provable method for watermark destruction by manipulating image embeddings and reconstructing the image. Targeted at researchers and practitioners in AI, computer vision, and digital security, this work provides tools to understand and bypass invisible watermarking schemes.

How It Works

The core approach involves a two-stage process: destruction and construction. First, a watermarked image ($x_w$) is mapped to an embedding space using a function $\phi$. Noise is then added to this embedding, destructively altering the watermark. Finally, a reconstruction algorithm $\mathcal{A}$ generates a new image ($\hat{x}$) from the noised embedding. This method is instantiated using generative models like Stable Diffusion, where the embedding involves encoding the image into a latent space and adding noise during the diffusion process, followed by denoising to reconstruct the image.

Quick Start & Requirements

• Installation: Clone the repository and install dependencies using pip install -r requirements.txt.
• Usage: Run the provided demo.ipynb notebook.
• Prerequisites: Python environment with necessary libraries (specified in requirements.txt). Specific generative models like Stable Diffusion or VAEs are leveraged.
• Configuration: Attack parameters like noise_step (for Regen-Diffusion) or quality (for Regen-VAE) control the noise level and effectiveness of watermark removal.

Highlighted Details

• The method is presented as a "provably removable" technique for invisible image watermarks.
• It leverages generative AI models, specifically demonstrating instantiations with Stable Diffusion and VAEs.
• The attack framework is general, allowing for various embedding ($\phi$) and reconstruction ($\mathcal{A}$) algorithms.

Maintenance & Community

The project welcomes contributions. No specific community channels (like Discord/Slack) or notable contributors/sponsorships are mentioned in the README.

Licensing & Compatibility

The README does not specify a software license. This omission requires further investigation for compatibility with commercial or closed-source use.

Limitations & Caveats

The effectiveness of the attack is dependent on the specific generative model used for watermarking and the chosen parameters for noise injection and reconstruction. The README does not detail unsupported platforms or known bugs.