To address the vulnerability of watermarks to tampering or removal and their low detection efficiency in AI-generated image provenance, this paper proposes a two-stage robust watermarking method leveraging the initial noise of diffusion models. The method introduces three key contributions: (1) a zero-distortion implicit encoding mechanism that embeds identifiers into the inherent initial noise of the diffusion process, preserving the original image distribution; (2) a two-level retrieval framework combining noise-group localization with intra-group similarity matching, balancing security and detection efficiency; and (3) integration of Fourier-domain pattern generation with a noise-indexed data structure to enhance resilience against forgery and removal attacks. Extensive experiments demonstrate that the proposed method achieves state-of-the-art robustness under diverse strong adversarial attacks—including JPEG compression, resizing, cropping, and Gaussian noise—significantly outperforming existing image watermarking schemes.

As the quality of image generators continues to improve, deepfakes become a topic of considerable societal debate. Image watermarking allows responsible model owners to detect and label their AI-generated content, which can mitigate the harm. Yet, current state-of-the-art methods in image watermarking remain vulnerable to forgery and removal attacks. This vulnerability occurs in part because watermarks distort the distribution of generated images, unintentionally revealing information about the watermarking techniques. In this work, we first demonstrate a distortion-free watermarking method for images, based on a diffusion model's initial noise. However, detecting the watermark requires comparing the initial noise reconstructed for an image to all previously used initial noises. To mitigate these issues, we propose a two-stage watermarking framework for efficient detection. During generation, we augment the initial noise with generated Fourier patterns to embed information about the group of initial noises we used. For detection, we (i) retrieve the relevant group of noises, and (ii) search within the given group for an initial noise that might match our image. This watermarking approach achieves state-of-the-art robustness to forgery and removal against a large battery of attacks.