Remarkable Breakthroughs In AI Watermarking: 2025

Posted on by Brian Colwell

The first five months of 2025 have witnessed remarkable breakthroughs in watermarking technology across all domains – responses, to be sure, to increasing concerns about AI deepfakes, piracy, and counterfeiting. Today, I’m highlighting six new watermarking innovations – each with the potential to truly advance the rights of creators to the attribution of their content and to the ownership of their intellectual property.

Table Of Contents:

1. GaussianSeal

2. Multi-Bit Paraphrasing

3. MultiNeRF  

4. Robust Binary Code (RBC)

5. Watermark Ensembling

6. zkDL++

1. GaussianSeal: Advanced Watermarking For 3D Gaussian Splatting (3DGS) Models

GaussianSeal (Li et al., 2025) represents the first bit watermarking framework specifically designed for 3D Gaussian Splatting (3DGS) generative models. This breakthrough approach embeds copyright identifiers directly into the generation process while maintaining high visual quality.

Key Features

  • Embeds watermarks through adaptive bit modulation at three strategic points in the generation network:
    1. Input image processing stage
    2. Middle of UNet blocks
    3. Output of the UNet
  • Uses learnable adaptive coefficients to constrain modulation degree
  • Enables extraction of watermarks from rendered images via Discrete Wavelet Transform (DWT) and a specialized decoder network

Advantages Over Previous Approaches

GaussianSeal addresses two major limitations of earlier 3D content watermarking methods such as GS-Hider (Zhang et al., 2024), GaussianStego (Li et al., 2024), and GaussianMarker (Huang et al., 2024):

  1. Efficiency: Previous post-generation approaches required watermarking one 3D object at a time after creation, which was time-consuming and computationally expensive
  2. Quality Preservation: Traditional fine-tuning methods that modified model weights often compromised the quality of generated outputs

Results & Impact

  • Experimental results show superior watermark decoding accuracy while preserving generation quality compared to post-processing methods
  • Sets a new standard for copyright protection in 3D generative models
  • Has significant implications for protecting intellectual property in metaverse applications, gaming environments, and other 3D content creation fields

2. Multi-Bit Paraphrasing For Text Watermarking

A groundbreaking approach introduced by Xu et al. (2025) leverages Large Language Models (LLMs) to create imperceptible multi-bit text watermarks through paraphrasing. This technique represents a significant advance over earlier lexical-based watermarks that relied on simple synonym substitutions.

Key Features

  • Uses a pair of fine-tuned LLM paraphrasers designed to behave differently
  • Embeds watermark by alternating between the two paraphrasers to encode a predefined binary code at the sentence level
  • Employs a text classifier as the decoder to extract each bit of the watermark
  • Implements a co-training framework with the decoder trained using standard classification loss and the encoder fine-tuned using reinforcement learning (PPO-based methods)

Advantages Over Previous Approaches

  • Offers a larger action space for watermark injection compared to lexical-based watermarks
  • Provides greater robustness against detection and removal attempts
  • Builds on earlier work by Xu et al. (2024), which showed that the decoder can effectively serve as a reward model

Results & Impact

  • Achieves over 99.99% detection AUC (Area Under the Curve) even with relatively small (1.1B parameter) text paraphrasers
  • Preserves the semantic information of the original content
  • Demonstrates robust performance when subjected to word substitution and sentence paraphrasing perturbations
  • Generalizes well to out-of-distribution data

3. MultiNeRF: Advanced Watermarking For Neural Radiance Fields

MultiNeRF (Kulthe et al., 2025) enables embedding multiple, uniquely keyed watermarks within a single Neural Radiance Field (NeRF) model. This technique addresses the limitations of earlier approaches that were limited to embedding single watermarks with low capacity.

Key Features

  • Adds a dedicated watermark grid alongside existing geometry and appearance grids
  • Implements a FiLM-based (Feature-wise Linear Modulation) conditional modulation mechanism to dynamically activate specific watermarks
  • Allows watermarks to be independently triggered and extracted based on input identifiers
  • Enables embedding without retraining the entire NeRF model

Advantages Over Previous Approaches

MultiNeRF overcomes limitations of earlier NeRF watermarking techniques like CopyRNeRF (Luo et al., 2023), NeRFProtector (Song et al., 2024), and WateRF (Jang et al., 2024) that were restricted to:

  • Single watermarks only
  • Low capacity (typically 16-48 bits)
  • Limited flexibility for attribution

Results & Impact

  • Provides scalability for multiple watermarks within one NeRF, supporting multi-party ownership or licensing scenarios
  • Maintains robustness by preventing watermark signals from interfering with scene content
  • Enables effective attribution for proving authorship or tracking unauthorized use
  • Offers significant advantages for collaborative environments such as co-developed metaverse worlds
  • Particularly valuable as NeRFs find applications in online gaming, immersive experiences, and large-scale metaverse environments

4. Robust Binary Code (RBC) Watermarking

The Robust Binary Code (RBC) watermark (Chao et al., 2025) embeds statistical signals in text through error-correcting codes. This approach represents a breakthrough in balancing robustness, detection power, and output quality.

Key Features

RBC watermark works through three primary mechanisms:

  1. Reducing to Binary Vocabulary: Assigning each token a unique bit string
  2. Applying Error-Correcting Codes: Introducing redundancy to enable recovery from perturbations
  3. Using Correlated Binary Symmetric Channels: Generating bits that encode the watermark signal while minimizing output distortion

Advantages Over Previous Approaches

RBC improves upon previous watermarking schemes like those by Kirchenbauer et al. (2023) by:

  • Better balancing the trade-offs between robustness, detection power, and output quality
  • Maintaining nearly identical output quality to non-watermarked text while still enabling reliable detection
  • Avoiding the noticeable alterations to token distribution probabilities that characterized earlier methods

Results & Impact

  • Tests on the Llama-3-8B model showed minimal changes in perplexity compared to baseline unwatermarked text
  • Demonstrates particular robustness against common attacks and modifications:
    • Edits and deletions of significant portions of text
    • Translation attacks (where text is translated to another language and back)
    • Paraphrasing attempts
  • Successfully balances the “trade-off triangle” between quality, robustness, and detection capability

5. Watermark Ensembling And Ensembling

A significant breakthrough in 2025 was the discovery that multiple watermarks can effectively coexist within the same media without completely overwriting each other (Petrov et al., 2025). This finding led to the development of watermark ensembling—deliberately combining multiple watermarking techniques to achieve enhanced capabilities.

Key Features

Watermark ensembling can be implemented in two primary ways:

  1. Series ensembling: Applying watermarks sequentially, where the second watermark is applied to an image already containing the first
  2. Parallel ensembling: Applying both watermarks independently to the original image, then averaging their residuals and applying the result to the original image

When testing watermark coexistence patterns:

  • No watermarking method can effectively coexist with itself—applying the same method twice results in the first message being overwritten
  • The second applied watermark can almost always be detected with high accuracy
  • The first watermark often remains detectable with only moderate accuracy reduction

Advantages Over Previous Approaches

This approach challenges the traditional assumption that applying a second watermark would completely overwrite the first. When combined with modification techniques like strength clipping and error-correcting codes, ensembling offers several benefits:

  • Increased capacity: Combining two methods with capacities of m1 and m2 bits effectively creates a new method with m1+m2 bits capacity
  • New trade-offs: Enables novel balances between capacity, accuracy, robustness, and image quality without requiring retraining
  • Enhanced performance: In some cases, ensembling improves all dimensions of a base watermarking method

Results & Impact

  • Enables “super watermarks” where lightweight identification watermarks act as signposts indicating which decoder should be used for the main watermark
  • Supports multi-actor provenance chains where different stakeholders can add their own watermarks:
    • Original creator for attribution
    • Editing tool for provenance recovery
    • Publisher for copyright protection
    • Generative model provider for content attribution
  • Experiment results show parallel ensembling generally yields higher image quality, while series ensembling produces higher accuracy
  • Specific examples demonstrate significant improvements: When HiDDeN (48-bit capacity) is ensembled with RoSteALS, capacity increases to 102 bits while maintaining or improving other metrics

6. zkDL++: Cryptographic Watermarking with Zero-Knowledge Proofs

zkDL++ framework (Bagad et al., 2025) represents a significant advancement in cryptographic watermarking, leveraging zero-knowledge proofs—specifically succinct non-interactive arguments of knowledge (SNARKs)—to enable secure watermark verification without exposing sensitive details.

Key Features

The zkDL++ system involves:

  1. Embedding the watermark in the output of a deep neural network
  2. Generating cryptographic commitments to the weights (similar to a hash)
  3. Using sumcheck proofs and witness commitments to verify the correctness of each layer’s computation
  4. Providing a verification mechanism that confirms the watermark’s presence without exposing the extraction model

Advantages Over Previous Approaches

zkDL++ was specifically designed to address key challenges in Meta’s Stable Signature watermarking system and other conventional approaches:

  • Solves the critical problem where watermark extractors must remain private (exposing them would make watermarks vulnerable to attacks)
  • Allows proving watermark presence without compromising the entire watermarking system
  • Significantly outperforms alternative zero-knowledge virtual machine (zkVM) approaches like Jolt and SP1, particularly as input sizes increase
  • For networks with approximately 0.3 million parameters, zkDL++ generates proofs approximately 200 times faster than competing systems

Results & Impact

  • Enables platforms like Meta to attach a proof of watermark extraction to AI-generated images without revealing model details
  • Allows clients, including mobile devices, to run lightweight verification processes to identify AI-generated content
  • Can be integrated with blockchain technologies to eliminate the need for trusted third parties, with decentralized consensus mechanisms validating watermarking transactions
  • While current proof generation times (approximately 5.4 minutes) could limit scalability, identified optimizations could reduce times to seconds, making large-scale deployment feasible

Thanks for reading!