This paper addresses the theoretical feasibility of simultaneously achieving public detectability, robustness, and unforgeability in image watermarking—a longstanding open question. Method: We formally define and rigorously prove, within a cryptographic framework, the existence of watermarking schemes satisfying all three properties. Our approach constructs a formal model integrating trapdoor hashing and robust feature extraction, augmented by an analysis of deep learning’s fundamental capability limits. Contribution/Results: We establish that, under current technological constraints, a publicly verifiable watermark detector and a robust embedder cannot coexist—revealing an inherent impossibility in constructing one of the core modules. Beyond foundational theoretical guarantees, our analysis precisely identifies deep learning’s intrinsic limitations in jointly modeling feature invariance and verifiability. The work thus pinpoints two critical research frontiers for trustworthy AI-generated content attribution: (i) verifiable robust representation learning and (ii) lightweight trapdoor mechanism design.

This work investigates the theoretical boundaries of creating publicly-detectable schemes to enable the provenance of watermarked imagery. Metadata-based approaches like C2PA provide unforgeability and public-detectability. ML techniques offer robust retrieval and watermarking. However, no existing scheme combines robustness, unforgeability, and public-detectability. In this work, we formally define such a scheme and establish its existence. Although theoretically possible, we find that at present, it is intractable to build certain components of our scheme without a leap in deep learning capabilities. We analyze these limitations and propose research directions that need to be addressed before we can practically realize robust and publicly-verifiable provenance.