A Brief Introduction to Digital Watermarking
From an information theory perspective, digital watermarking solves the problem of reliable communication over a noisy channel. From a steganography perspective, the goal is undetectability of the channel (existence concealment). From a watermarking perspective, the goal is robustness of the signal under strong noise (attacks) — i.e., transmission reliability.
Evaluation Metrics for Watermarks
Imperceptibility: Measures the difference between the original carrier and the watermarked carrier.
- PSNR (Peak Signal-to-Noise Ratio): The most commonly used image quality metric. For 8-bit images, a PSNR > 35dB generally indicates good imperceptibility.
- SSIM (Structural Similarity Index): More aligned with the human visual system (HVS) than PSNR, considering luminance, contrast, and structural information. Values closer to 1 are better.
- JND (Just Noticeable Difference): The minimum perceptible error, using the visual masking effect of the human eye to determine where more watermark data can be embedded without detection (e.g., in textured regions).
Robustness: Effectiveness against common attacks.
- Signal processing attacks: Lossy compression (JPEG/MPEG), Gaussian noise, filtering (e.g., blurring), histogram equalization.
- Geometric attacks: The hardest to defend against, including Rotation, Scaling, Translation — collectively known as RST attacks — as well as random cropping and aspect ratio changes.
- Desynchronization attacks: Even if the watermark information persists, the synchronization bits are destroyed, so the detector doesn’t know where to start reading. Examples include mirroring and image splicing.
- NC (Normalized Correlation Coefficient): Measures the similarity between the extracted watermark and the original.
- BER (Bit Error Rate): The proportion of incorrectly extracted bits.
Watermark Capacity (Payload): The amount of embedded information, typically measured in bits/pixel (bpp) or bits/second.
- Zero-bit watermarking (1-bit): Only detects whether a watermark is “present” or “absent.” Commonly used for copyright verification.
- Multi-bit watermarking: Embeds specific serial numbers, user IDs, timestamps, etc.
Trade-off: Higher capacity typically means sacrificing either robustness (more errors) or imperceptibility (more noise).
Security: Security defends against hostile analysis, assuming the attacker fully knows the watermarking algorithm but not the key.
Reliability:
- False Positive Rate (FPR): An unwatermarked image is falsely detected as watermarked.
- False Negative Rate (FNR): A watermarked image fails to be detected.
Image Watermarking
Color Space:
- RGBA (Red, Green, Blue, Alpha): Universal standard for computer displays. Image format: PNG.
- YUV (Luma + Chroma): Y (Luminance): brightness component (grayscale), U (Cb) / V (Cr): chrominance components (blue/red color difference). Image formats: WebP and JPEG.
Spatial Domain: Directly modifies pixel grayscale or color values.
- LSB (Least Significant Bit): Modifies the last bit of a pixel’s binary value. Minimal visual impact, but weakest robustness.
- ROI (Region of Interest): Embeds in background regions with complex textures, since the human eye is less sensitive to noise in textured areas (visual masking effect).
- Dot-matrix watermarks: Overlays nearly invisible yellow dots or noise matrices at specific coordinates in the image.
- High-transparency watermarks: Embeds watermark information by fine-tuning the display color through background image transparency adjustments — essentially an LSB method, commonly used for overlay backgrounds.
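The evaluation metrics above applied to LSB embedding, as an added example (not code from the original page): it embeds 1,024 constructed bits in a constructed 64x64 grayscale image, then re-quantizes the pixels as a crude stand-in for lossy compression. The function names, the re-quantization step of 4, and the +1/-1 form of NC are assumptions of this sketch.

```python
import math
import random

def embed_lsb(pixels, bits):
    """Overwrite the least significant bit of the first len(bits) pixels."""
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b
    return out

def extract_lsb(pixels, n):
    return [p & 1 for p in pixels[:n]]

def psnr(a, b, peak=255):
    mse = sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)
    return math.inf if mse == 0 else 10 * math.log10(peak ** 2 / mse)

def ber(sent, got):
    return sum(s != g for s, g in zip(sent, got)) / len(sent)

def nc(sent, got):
    """Normalized correlation on bits mapped to +1/-1 (one common definition)."""
    return sum((2 * s - 1) * (2 * g - 1) for s, g in zip(sent, got)) / len(sent)

def requantize(pixels, step):
    """Crude stand-in for lossy compression: snap pixels to multiples of step."""
    return [min(255, round(p / step) * step) for p in pixels]

def demo(seed=1):
    rng = random.Random(seed)
    cover = [rng.randrange(256) for _ in range(64 * 64)]  # constructed 64x64 grayscale
    bits = [rng.randrange(2) for _ in range(1024)]        # constructed payload
    marked = embed_lsb(cover, bits)
    clean = extract_lsb(marked, len(bits))
    hit = extract_lsb(requantize(marked, 4), len(bits))
    return {
        "psnr_db": psnr(cover, marked),
        "ber_clean": ber(bits, clean), "nc_clean": nc(bits, clean),
        "ber_attacked": ber(bits, hit), "nc_attacked": nc(bits, hit),
    }

if __name__ == "__main__":
    print(demo())
```

A BER near 0.5 (NC near 0) after the attack means the extracted bits are no better than guessing, even though the PSNR of the marked image is far above 35 dB.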
Transform Domain: Applies mathematical transforms to the image, embeds the watermark in the transformed coefficients, then inverse-transforms back.
- DCT (Discrete Cosine Transform) mid-frequency coefficients: The core of JPEG compression. DCT separates an image into low frequency (general contours), mid frequency (structural information), and high frequency (detail/noise).
  - Low frequency: Modifying it causes visible distortion.
  - High frequency: Modifications get discarded as noise by compression algorithms (like JPEG).
  - Mid frequency: This is the optimal embedding location, balancing both robustness and imperceptibility.
- DWT (Discrete Wavelet Transform): Decomposes the image into LL (low-frequency approximation), LH (horizontal detail), HL (vertical detail), and HH (diagonal detail) subbands. The watermark is typically embedded in the low-frequency subband coefficients, offering better robustness than DCT.
- DFT (Discrete Fourier Transform): Has rotational invariance, commonly used to resist geometric attacks (RST attacks).
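An added example (not from the original page) of mid-frequency embedding in an 8x8 DCT block. The page does not name an embedding rule; this sketch assumes quantization index modulation on coefficient (3, 2) with step 32, uses constructed pixel blocks, and checks that each bit survives pixel re-quantization to multiples of 4.

```python
import math
import random

N = 8
# Orthonormal DCT-II basis, the transform JPEG applies to each 8x8 block.
C = [[math.sqrt((1 if k == 0 else 2) / N) * math.cos((2 * n + 1) * k * math.pi / (2 * N))
      for n in range(N)] for k in range(N)]
CT = [list(col) for col in zip(*C)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)] for i in range(N)]

def dct2(block):
    return matmul(matmul(C, block), CT)

def idct2(coef):
    return matmul(matmul(CT, coef), C)

def embed_bit(block, bit, pos=(3, 2), step=32):
    """QIM: move one mid-frequency coefficient to the nearest multiple of
    `step` whose index parity equals the bit (pos and step are assumptions)."""
    coef = dct2(block)
    u, v = pos
    q = 2 * round((coef[u][v] / step - bit) / 2) + bit
    coef[u][v] = q * step
    return idct2(coef)

def extract_bit(block, pos=(3, 2), step=32):
    u, v = pos
    return round(dct2(block)[u][v] / step) % 2

def requantize(block, step):
    """Crude stand-in for lossy compression: snap pixels to multiples of step."""
    return [[round(p / step) * step for p in row] for row in block]

def demo(seed=2, n_blocks=16):
    rng = random.Random(seed)
    bits, got, worst = [], [], 0.0
    for _ in range(n_blocks):
        cover = [[rng.randrange(64, 192) for _ in range(N)] for _ in range(N)]  # constructed
        bit = rng.randrange(2)
        marked = embed_bit(cover, bit)
        worst = max(worst, max(abs(m - c) for mr, cr in zip(marked, cover) for m, c in zip(mr, cr)))
        bits.append(bit)
        got.append(extract_bit(requantize(marked, 4)))
    return bits, got, worst
```

The step size is the robustness/imperceptibility dial: a larger step tolerates more distortion before the bit flips, at the cost of a larger pixel change (`worst`).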
Audio Watermarking
Time Domain:
- Echo Hiding: Introduces extremely short echoes that the human ear cannot distinguish (e.g., < 2ms). Encodes “0” and “1” by varying the echo’s delay or amplitude.
Frequency Domain:
- Phase Coding: Modifies the phase spectrum of the audio signal. The human ear has low sensitivity to “relative phase,” making it suitable for data hiding.
- Spread Spectrum: Similar to wireless communication technology, spreads the watermark signal across a wide frequency band as low-power noise, making it extremely difficult to remove.
Video Watermarking
Compressed Domain / Bitstream: Embeds within the H.264/H.265 encoding structure. Adds stable watermark information by locking and modifying keyframes (I-frames). This approach has good robustness but can cause error propagation, leading to poor visual quality. Modifying predicted frames (P/B frames) has relatively less impact.
Motion Vectors: Embeds watermark information by subtly adjusting motion vectors, using technology similar to DLSS frame interpolation logic.
Text Watermarking
Font Formatting (Word Watermarking)
- Line/Word Shifting: Subtly adjusts the spacing between lines or between words to embed watermark information.
- Zero-width Characters: Uses Unicode zero-width joiners (ZWJ, U+200D) or zero-width spaces. The document shows no visible watermark in preview mode — it only appears in edit mode.
- Font Perturbation: Slightly alters the glyph of certain characters. Methods include adjusting common character glyphs, CJK variant rendering, and Unicode homoglyph substitution.
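An added example (not from the original page) of the zero-width character technique, together with the audit and sanitizing steps that reveal or remove such a mark. The bit mapping (U+200B for 0, U+200D for 1), the insertion point, the sample text and the recipient ID are assumptions of this sketch.

```python
import unicodedata

ZW0, ZW1 = "\u200b", "\u200d"  # zero-width space = 0, ZWJ = 1 (assumed mapping)

def embed(text, payload):
    """Hide payload bytes as zero-width characters after the first word."""
    bits = "".join(f"{byte:08b}" for byte in payload)
    mark = "".join(ZW1 if b == "1" else ZW0 for b in bits)
    head, sep, tail = text.partition(" ")
    return head + mark + sep + tail

def extract(text):
    """Recover whole bytes from the zero-width characters, ignoring visible text."""
    bits = "".join("1" if c == ZW1 else "0" for c in text if c in (ZW0, ZW1))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def find_format_chars(text):
    """Audit helper: report every invisible format character (category Cf)."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text)
            if unicodedata.category(c) == "Cf"]

def strip_format_chars(text):
    """What a sanitizing copy/paste pipeline does: the mark does not survive."""
    return "".join(c for c in text if unicodedata.category(c) != "Cf")

def demo():
    original = "Quarterly forecast: internal draft"  # constructed sample text
    marked = embed(original, b"u42")                  # constructed recipient ID
    return original, marked, extract(marked), find_format_chars(marked)

if __name__ == "__main__":
    original, marked, payload, hits = demo()
    print(payload, len(hits), strip_format_chars(marked) == original)
```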
Semantic Watermarking (NLP Watermarking)
- Keyword Substitution: Creates a cipher table using abbreviations, synonyms, hypernyms, etc. to embed watermark information.
- Syntactic Substitution: Adjusts text syntax without affecting semantics to embed watermark information.
Database Watermarking
Numeric Data: Uses methods that don’t affect statistical properties — adjusting the standard deviation of values, modifying the least significant bits. Follows the LSB watermarking approach.
Text Data: Can follow the text watermarking methods described above.
Machine Learning Model Watermarking
White-box Watermarking: Fine-tunes model parameters using an LSB-like approach to adjust specific weights. Adding watermarks to the least significant bits of FP16 parameters has essentially zero impact on the model. Embedding can be done using CPU streaming to modify model weights, making it more economical compared to post-training approaches.
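An added example (not from the original page) of marking the mantissa LSB of FP16 weights at key-selected positions, quantifying the "essentially zero impact" claim for normal-range weights. The weights, payload and keys are constructed, and `random.Random(key)` is an assumed stand-in for a proper keyed pseudorandom function.

```python
import random
import struct

def to_u16(x):
    """IEEE 754 half-precision bit pattern of x (struct format 'e')."""
    return struct.unpack("<H", struct.pack("<e", x))[0]

def from_u16(u):
    return struct.unpack("<e", struct.pack("<H", u))[0]

def positions(key, n_weights, n_bits):
    """Key-derived carrier indices; the algorithm is public, the key is not."""
    return random.Random(key).sample(range(n_weights), n_bits)

def embed(weights, bits, key):
    out = [from_u16(to_u16(w)) for w in weights]   # plain FP16 rounding, no mark yet
    for idx, b in zip(positions(key, len(out), len(bits)), bits):
        u = to_u16(out[idx])
        if (u & 0x7C00) == 0x7C00:                 # exponent all ones: inf or NaN
            raise ValueError(f"non-finite weight at index {idx}")
        out[idx] = from_u16((u & 0xFFFE) | b)      # set mantissa LSB to the payload bit
    return out

def extract(weights, n_bits, key):
    return [to_u16(weights[i]) & 1 for i in positions(key, len(weights), n_bits)]

def max_rel_change(weights, marked):
    """Largest relative change versus the unmarked FP16 value (weights nonzero)."""
    base = [from_u16(to_u16(w)) for w in weights]
    return max(abs(m - b) / abs(b) for m, b in zip(marked, base))

def demo(seed=7):
    rng = random.Random(seed)
    # Constructed weights in the normal FP16 range; zero/subnormal values change more.
    weights = [rng.choice((-1, 1)) * rng.uniform(0.01, 1.0) for _ in range(2048)]
    bits = [rng.randrange(2) for _ in range(128)]
    marked = embed(weights, bits, "constructed-key")
    return {
        "bits": bits,
        "right_key": extract(marked, 128, "constructed-key"),
        "wrong_key": extract(marked, 128, "some-other-key"),
        "max_rel_change": max_rel_change(weights, marked),
    }
```

For normal-range FP16 values a mantissa LSB flip is one unit in the last place, so the relative change is bounded by 2^-10; any later re-quantization or fine-tuning of the marked weights rewrites those bits.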
Black-box Watermarking: Uses post-training to add watermark knowledge to a base model. The training dataset must be designed to follow natural language conversation patterns and not be easily triggered by the model. Requires adding a large volume of trigger-encoded samples to the watermark dataset, and the dataset needs fine-tuning to avoid significantly impacting model performance before and after training.
Statistical Watermarking: Adjusts word frequencies by modifying the LLM’s tokenizer. This approach has the best concealment, but embeds fewer effective bits, making forensic interpretation more costly.