Frequently asked questions for general users and implementors of the TrustMark image watermarking algorithm described in the official paper and code repository.
TrustMark is an invisible watermarking algorithm. The purpose of TrustMark is to encode an invisible identifier into an image that is machine readable i.e. may be read by software. This contrasts with visible watermarks such as words or logos overlaid on an image that are usually meant to be human readable.
Unlike visible watermarks, which can obstruct an image and be easily cropped out or removed, TrustMark is an invisible watermark that is embedded in the image at the pixel level, making it more persistent while maintaining image quality.
This is the official implementation of the TrustMark watermarking algorithm as described in the paper “TrustMark: Universal Watermarking for Arbitrary Resolution Images”, and is maintained for several languages by the authors of that paper. The software enables writing (encoding), reading (decoding), and removing of TrustMark watermarks.
Yes, TrustMark is open-source and provides libraries for multiple programming languages, making it easy to integrate into applications for encoding and decoding watermarks. TrustMark is released under the MIT License.
Yes, TrustMark is open-source under the MIT License, allowing commercial and non-commercial use.
TrustMark can help users make informed trust decisions about images they encounter. By linking the identifier within the image to a database of information about the image’s origins (so-called ‘provenance’), the user can discover more context about an image to help them make better decisions on whether to trust the image. As such, TrustMark is an open technology that can be applied to help build provenance systems in conjunction with open provenance standards such as the Coalition for Content Provenance and Authenticity (C2PA).
Yes, TrustMark can be applied to any image, including AI-generated images, and it may help in establishing provenance for synthetic content.
Open standards such as Content Credentials (C2PA), developed by the Coalition for Content Provenance and Authenticity, describe ways to encode information about an image’s history or ‘provenance’ such as how and when it was made. This information is usually carried within the image’s metadata.
However, C2PA metadata can be accidentally removed when the image is shared through platforms that do not yet support the standard. If a copy of that metadata is retained in a database, the TrustMark identifier carried inside the watermark can be used as a key to look up that information from the database. This is referred to as a Durable Content Credential. TrustMark appears within the approved list of C2PA watermarking algorithms, and we include a code example showing how to express the TrustMark watermarking action within C2PA metadata.
No, TrustMark only modifies pixel data and does not interact with image metadata. The software libraries (e.g., PIL in Python) should be used to persist metadata between the input and output image (as shown in the Python code example).
TrustMark operates on pixels in RGB space and is format agnostic. The code samples in this repository use standard libraries to load and save images in most formats and may be substituted for other libraries if needed. For example, using Python PIL, it is possible to load PNG, JPEG, WEBP formats and more. The alpha channel is not considered during watermarking. Please refer to the code where we show how to remove the alpha channel, watermark the image, and restore the alpha channel to handle transparent images (e.g., RGBA PNGs).
Yes, TrustMark operates on greyscale or colour image content.
When implemented on a consumer-grade GPU, e.g. an NVIDIA 3070, it is possible to encode an image in a few tens of milliseconds or decode an image in just a few milliseconds. This can be achieved using WebGPU in JS or CUDA in PyTorch. Examples of both are in this repository, and further details on timings are in the original paper.
TrustMark can operate reliably upon images as small as around 150 pixels (px) shortest side and has no upper resolution bound. We have verified watermarking large images beyond 12Kpx shortest side using this code.
TrustMark has been trained to withstand most non-editorial transformations, such as those that occur when images are reshared online, screenshotted, or even printed. The paper provides a histogram showing high levels of robustness to 18 different noise sources within the Kornia Python lib, e.g., image noise, blur, color shifts, and random four-sided cropping up to around 20% image area loss. TrustMark is also designed to be robust against JPEG compression. Please refer to the paper for extensive robustness evaluations.
TrustMark is designed for RGB images, but it can be applied before converting to CMYK for printing. Robustness may vary depending on the print and scanning process. We have found that increasing the strength (WM_STRENGTH) of TrustMark from 1.0 (default 100%) to 1.5 (150%) is sufficient to have TrustMark survive printing to paper, card, and even some materials (e.g., tote bags). Please check out this demo of printed TrustMark shown as Project KnowHow at Adobe MAX 2024 Sneaks.
No, TrustMark is designed for raster images, as it relies on pixel-level modifications.
TrustMark models in this repo were trained on licensed Adobe Stock images.
TrustMark can be applied to any image, even one already containing a TrustMark. In this case the watermark will simply overwrite the previous one. Since this can cause visual degradation if done many times over, it is recommended to detect and run the watermark removal code beforehand, if a TrustMark is already present. See the paper for comparison.
TrustMark achieves state of the art robustness whilst maintaining high visual quality. As the paper reports, in default operation (variant Q) TrustMark can exceed 96% bit accuracy at around 42-45 dB PSNR quality under severe noise degradations. Given 100 bits of raw payload, that allows for 4 bit flips, which are correctable using BCH error correction at a cost of around 30 bits, providing a protected identifier space of around 70 bits. The paper compares several state of the art watermarking techniques which can achieve only around 70% bit accuracy at this level of payload and robustness. On the other hand, if less severe noise robustness is required, TrustMark can still perform very robustly via the perceptual (variant P) model, which achieves 95% bit accuracy at 48-50 dB PSNR. Combined with zero padding tricks, TrustMark can comfortably exceed 50 dB PSNR, though please see the warnings about artificially inflated PSNR scores with this trick. All of this can be achieved using a decoder package of around 40MB (models are distributed as float16) using a compact ResNet50 architecture for the decoder that is practical to deploy. Training TrustMark with much larger decoders such as ConvNext can score a few dB higher on PSNR but can compromise deployability, with decoders up to three times this size.
Uniquely, TrustMark can co-exist well with most other image watermarking technologies without compromising robustness or capacity, and with only minimal quality reduction (2-3 dB PSNR). Please see this study for details. Please note that TrustMark cannot co-exist with itself (see above question on re-watermarking). It also does not co-exist well with watermark technologies derived or adapted from TrustMark's codebase, i.e. those that have retrained a model using our code, or that re-use the MUNIT/1x1 conv architecture and losses (particularly the focal frequency loss) introduced in our paper.
TrustMark currently ships in four variants: the original TrustMark-B and TrustMark-Q variants are described in the paper, and offer a good balance between robustness and quality. The decoder models for TrustMark are around 35MB (ResNet50 based), which is suitable for many deployment use cases. Both B and Q variants average PSNR (visual quality) around 43 dB (higher is better). TrustMark-C is a compact model that has a decoder model of about half the size (20MB, ResNet18 based) but a lower PSNR of around 40 dB. This might be useful for resource constrained deployment scenarios. TrustMark-P is the ‘perceptual’ model that gives high visual quality with PSNR exceeding 50 dB but less robustness to more severe noise degradations, yet it will survive most content distribution platforms. Its decoder is also only 35MB (ResNet50 again, but trained with a higher perceptual loss). You must choose a variant for your deployment use case.
Important: TrustMarks encoded with one variant will not decode with another.
TrustMark encodes 100 bits of raw payload. By default, BCH error correction is applied to improve robustness at the cost of payload size. The level of error correction is user-selectable at the time of encoding and auto-detected at decoding. This allows a flexible level of robustness within a given TrustMark variant. Read more about the data schemas available for selection.
TrustMark encodes with a default strength (WM_STRENGTH) of 1.0 (i.e. 100%) but can be detected quite reliably at strengths down to about 0.7-0.8 (70-80%) in low noise situations (including passing through most social content platforms). This can give a quality boost of almost 5dB of PSNR in itself (PSNR is a quality measure, the higher the better). The strength parameter is available on the encode function, and has no bearing on the function of the decode. Thus adjusting the strength according to likely robustness scenarios provides a flexible robustness/quality trade-off parameter within a given TrustMark variant.
A trick that has been explored in some watermarks derived from this codebase is zero padding TrustMark to confine the watermarked region to a smaller region in the centre of the image. This is quite effective at helping the watermark survive platforms that crop content, and raises the PSNR score since fewer pixels are changed. But beware of this trick, as PSNR is not always a good indicator of visual quality: it is possible to score very high on PSNR with a lot of zero padding (we have seen TrustMark P exceed 55 dB PSNR with this simple trick), but the score is misleading because this leaves most pixels unchanged while concentrating the watermark in the middle of the image, so it is very visible! There is now a parameter available in the code to introduce zero padding if desired, but heavy use of it is not recommended.
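The effect described above, as an added example (not code from the TrustMark repository): the same per-pixel residual is embedded full-frame and then confined to the central 25% of a constructed image, and PSNR is measured both over the whole frame and over the watermarked region only. The checkerboard residual, image size and padding fraction are assumptions chosen for illustration; `embed` is a stand-in, not the TrustMark encoder.

```python
import math

def psnr(a, b, box=None):
    """PSNR in dB between two 8-bit greyscale images (lists of rows).
    box=(x0, y0, x1, y1) restricts the measurement to that region."""
    h, w = len(a), len(a[0])
    x0, y0, x1, y1 = box or (0, 0, w, h)
    se = sum((a[y][x] - b[y][x]) ** 2 for y in range(y0, y1) for x in range(x0, x1))
    mse = se / ((x1 - x0) * (y1 - y0))
    return float("inf") if mse == 0 else 10 * math.log10(255 ** 2 / mse)

def embed(cover, box, amplitude=2):
    """Stand-in for a watermark encoder (assumption): adds a +/-amplitude
    checkerboard residual inside box and leaves all other pixels untouched."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in cover]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] += amplitude if (x + y) % 2 == 0 else -amplitude
    return out

def compare(size=64, pad_fraction=0.25):
    """Return {name: (global PSNR, PSNR inside the watermarked region)} for
    full-frame embedding and for embedding confined to the centre."""
    # Constructed cover image: a diagonal gradient, values 64..190.
    cover = [[64 + x + y for x in range(size)] for y in range(size)]
    m = int(size * pad_fraction)  # zero-padded margin on each side
    boxes = {"full": (0, 0, size, size), "padded": (m, m, size - m, size - m)}
    results = {}
    for name, box in boxes.items():
        wm = embed(cover, box)
        results[name] = (psnr(cover, wm), psnr(cover, wm, box))
    return results

if __name__ == "__main__":
    for name, (global_db, region_db) in compare().items():
        print(f"{name:7s} global={global_db:.2f} dB  in-region={region_db:.2f} dB")
```

Global PSNR rises by about 6 dB purely because three quarters of the pixels are untouched, while PSNR inside the watermarked region is identical in both cases. When evaluating a padded watermark, measure quality over the region that was actually modified.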
TrustMark distributes the watermark across the entire image to maximize robustness. However, implementers can adjust encoding parameters (e.g., zero padding) to localize the watermark - see above.
TrustMark makes small pixel-level modifications but does not significantly increase the file size when saved in the same format as the original. If you experience significant changes in file size, e.g. for JPEG, then check that your code is saving with a similar quality level to the original image, which may differ from the default settings of the software library.
Yes, like all invisible watermarks, TrustMark can be removed via image processing. In fact, we provide code for removing the watermark within this repository, allowing for redaction or replacement.
No, TrustMark does not track users. It encodes a generic identifier that can be used to look up provenance information for an image.
No, TrustMark is an open and transparent technology designed for ethical use in media provenance. The open nature of TrustMark means that anyone can implement a detector to determine the presence of TrustMark in an image or to remove it.
No, the goal of steganography ('hidden writing') is to secretly embed a message in an image. Unlike watermarking algorithms that require a secret key to detect or to extract the watermarked identifier, TrustMark is an open technology that anyone can apply to detect or decode a watermark. Thus TrustMark is an example of non-steganographic watermarking. We take the non-steganographic approach as, for the media provenance use case, it is desirable for anyone to read the watermark to determine the origin of an image.
TrustMark is developed as an open technology that helps enhance the durability of open metadata standards for media provenance such as Content Credentials (C2PA). This is achieved by using the TrustMark watermark to look up metadata that may go missing during content distribution. It is sometimes desirable to update watermarks as content is modified or otherwise passes down the creative supply chain. For such replacement, we show in the paper that it is better to remove and reapply TrustMark than to blindly overwrite it, for quality (PSNR) purposes.
C2PA is opt-in, and enables good actors to add value to content by attesting to its authenticity via provenance information. The absence of provenance data does not directly carry any trust signal, though it may imply one if provenance data is usually present in an actor’s published content. Much as metadata can be stripped, so can invisible watermarks (through various image processing means), and releasing code to do so does not change this functionality or threat calculus.
No, TrustMark is designed to be visually imperceptible and should not interfere with computer vision tasks.
Not directly, however this is possible when TrustMark is used to retrieve image provenance metadata such as Content Credentials (C2PA). This metadata commonly contains an image thumbnail that may be visually compared to the watermark-bearing images to spot any manipulations. It is possible to automate this comparison using an image fingerprint (perceptual hash).
Not directly, however this software may be used to decode the watermark from one image and encode it in another. In scenarios where TrustMark is used to retrieve image provenance metadata such as Content Credentials (C2PA), we recommend that a check be made to verify that the retrieved metadata matches the watermark-bearing image. This is commonly achieved using a digital fingerprint (perceptual hash) stored within the metadata, which is compared against a similarly computed hash of the watermark-bearing image. Please see this IEEE technical paper for detail.
While an attacker could generate a fake TrustMark identifier, the strength of TrustMark comes from linking it to a trusted provenance system. Metadata validation or other means of verification (e.g., perceptual hashes) helps detect fraudulent use as outlined above.
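The metadata-to-image check recommended above, as an added example (not code from the TrustMark repository or the cited paper): the decoded identifier keys a lookup, and the record is accepted only if its stored fingerprint is close to a hash of the image that carried the watermark. The difference hash (dHash), the Hamming threshold of 10, the registry layout and the test images are assumptions made for illustration; a deployment would use whatever fingerprint its provenance metadata specifies.

```python
def dhash(pixels, size=8):
    """64-bit difference hash of a greyscale image (list of rows of 0-255 ints)."""
    h, w = len(pixels), len(pixels[0])
    bits = 0
    for gy in range(size):
        ys = range(gy * h // size, (gy + 1) * h // size)
        # Box-average this band into size+1 cells, then compare neighbours.
        cells = []
        for gx in range(size + 1):
            xs = range(gx * w // (size + 1), (gx + 1) * w // (size + 1))
            cells.append(sum(pixels[y][x] for y in ys for x in xs) / (len(ys) * len(xs)))
        for left, right in zip(cells, cells[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

def check_binding(watermark_id, image, registry, max_distance=10):
    """Look up the record keyed by the decoded identifier and confirm that its
    stored fingerprint matches the image that carried the watermark."""
    record = registry.get(watermark_id)
    if record is None:
        return ("unknown-id", None)
    distance = hamming(dhash(image), record["fingerprint"])
    return ("match" if distance <= max_distance else "mismatch", distance)

# Constructed 72x64 test images built from 8x8 blocks (not real photographs).
def blocks(kx, ky):
    return [[(kx * (x // 8) + ky * (y // 8)) % 256 for x in range(72)] for y in range(64)]

def reshared(img):
    """Simulate mild recompression noise of at most +/-4 grey levels."""
    return [[min(255, max(0, p + (x * 7 + y * 13) % 9 - 4)) for x, p in enumerate(row)]
            for y, row in enumerate(img)]

ORIGINAL = blocks(101, 59)
UNRELATED = blocks(59, 101)  # a different image carrying a copied watermark
REGISTRY = {"wm-0001": {"fingerprint": dhash(ORIGINAL)}}  # hypothetical record store

def demo():
    return {
        "reshared": check_binding("wm-0001", reshared(ORIGINAL), REGISTRY),
        "copied": check_binding("wm-0001", UNRELATED, REGISTRY),
        "unregistered": check_binding("wm-9999", ORIGINAL, REGISTRY),
    }
```

A "mismatch" result means the identifier resolved to a record whose fingerprint does not describe this image, so the retrieved provenance should not be displayed as belonging to it.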
TrustMark is currently designed for images, with other media types being considered.
TrustMark can be used as a key for looking up provenance information stored in decentralized databases, including blockchain-based registries. Some implementors have harnessed TrustMark for this purpose.
Yes, TrustMark can be integrated with NFT platforms to embed persistent identifiers within images, linking them to their digital provenance records.