TY - JOUR
T1 - Secure Difference Contraction Watermarking for Static Deep Neural Networks
AU - Lyu, Shanxiang
AU - Qin, Junren
AU - Yang, Fan
AU - Liu, Rongke
AU - Xia, Zhihua
AU - Cao, Xiaochun
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2026
Y1 - 2026
N2 - Static deep neural network (DNN) watermarking techniques typically employ irreversible methods to embed watermarks into the DNN model weights. However, this approach causes permanent damage to the watermarked model and fails to meet the requirements for integrity authentication. Reversible data hiding (RDH) methods offer a potential solution, but existing approaches suffer from limitations in usability, capacity, and fidelity, hindering their practical adoption. In this paper, we propose a secure static DNN watermarking scheme called Secure Difference Contraction (SDC). Our scheme utilizes a one-dimensional quantizer for watermark embedding and employs dithering to ensure key-dependent security, i.e., the watermark cannot be correctly extracted without the secret key used during embedding. Additionally, we design two schemes to address the challenges of integrity protection and legitimate authentication for DNNs. Simulation results on training loss and classification accuracy demonstrate the feasibility and effectiveness of our proposed methods, highlighting their advantages in capacity and fidelity over existing techniques.
AB - Static deep neural network (DNN) watermarking techniques typically employ irreversible methods to embed watermarks into the DNN model weights. However, this approach causes permanent damage to the watermarked model and fails to meet the requirements for integrity authentication. Reversible data hiding (RDH) methods offer a potential solution, but existing approaches suffer from limitations in usability, capacity, and fidelity, hindering their practical adoption. In this paper, we propose a secure static DNN watermarking scheme called Secure Difference Contraction (SDC). Our scheme utilizes a one-dimensional quantizer for watermark embedding and employs dithering to ensure key-dependent security, i.e., the watermark cannot be correctly extracted without the secret key used during embedding. Additionally, we design two schemes to address the challenges of integrity protection and legitimate authentication for DNNs. Simulation results on training loss and classification accuracy demonstrate the feasibility and effectiveness of our proposed methods, highlighting their advantages in capacity and fidelity over existing techniques.
KW - fidelity
KW - integrity protection
KW - Reversible data hiding
KW - secure difference contraction
UR - https://www.scopus.com/pages/publications/105035663019
U2 - 10.1109/TDSC.2026.3681296
DO - 10.1109/TDSC.2026.3681296
M3 - Article
AN - SCOPUS:105035663019
SN - 1545-5971
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
ER -