Vivien Chappelier
explain purpose of the method
7b97ec7
metadata
license: mit
tags:
  - stable-diffusion
  - stable-diffusion-diffusers
inference: false

Watermarked (extreme) VAE for SDXL

You can use this watermarked VAE for your existing SDXL image generation pipelines to make sure generated images are watermarked.

Usage

from diffusers.models import AutoencoderKL
from diffusers import StableDiffusionXLPipeline

model = "stabilityai/sdxl-turbo"

vae = AutoencoderKL.from_pretrained("imatag/stable-signature-bzh-sdxl-vae-extreme")

pipe = StableDiffusionXLPipeline.from_pretrained(model, vae=vae)

For more information, please have a look at the official demo

Purpose

This model was finetuned from the original StableDiffusion-XL autoencoder with the additional objective of including an extremely strong watermark, following the procedure of StableSignature. This watermark is detectable by IMATAG's demo BZH decoder, available via API.

Compared to other watermarking solutions such as invisible-watermark:

  • the watermark is quite robust to many unintentional editing transforms such as cropping, resizing, changing contrast or brightness, and JPEG compression
  • the watermark has zero overhead in terms of computational power
  • the watermark is embedded in the model weights and not as a post-processing of the non-watermarked image
  • the probability of detecting the watermark by chance on non-watermarked images may be computed analytically and limited to a specific threshold

Detecting the watermark

For security reasons we cannot release the weights of the detector. Instead, you may check for the presence of a watermark with the detect_api.py script like this:

python detect_api.py test.png

Visual

Visualization of watermark impact on 512x512 images from the COCO2017 validation dataset prompts with SDXL-turbo.


512x512: original (left), watermarked (middle), difference (right)

Robustness

The watermark is robust to most editorial changes to an image, such as cropping, changing brightness or contrast, resizing or JPEG compression:


from left to right: original, watermarked, difference, 'crop 50% + brigthen 50% + jpeg 80%' attack, 'downscale 2x + crop 50% + brigthen 50% + jpeg 50%' attack

The Receiver Operating Characteristic curve shows its performance under no modification and when modified by the two scenarios illustrated above:

More details available in our announcement and our lab's blog post. For watermarked models with a different key, support for payload, other perceptual compromises, robustness to other attacks, or faster detection, please contact IMATAG.