Cryptographic image provenance research based on perceptual hashing as a more robust replacement for watermarks. More info at https://proteus.photos! Or check out our Twitter threads.
Advancements in AI (like @OpenAI's Sora!) are making it increasingly difficult to tell if content on the internet is real or AI-generated.
Social media cracked mass content distribution, and AI is cracking content creation at scale. So how do you recognize AI images/videos vs. camera content vs. edited media?
Previous efforts have focused on embedding watermarks; the White House recently announced related plans. However, existing watermarking methods are not resilient to the ways content changes in transit (e.g., compression, crops, screenshots).
If you embed a watermark into an image, a few successive transformations will fundamentally remove the watermark. But interestingly, an image's perceptual representation varies much less under these same transformations. For example, while the pixels of an image before and after a screenshot may differ drastically, viewers can usually tell whether they are looking at the same content or different content.
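To make this concrete, here is a minimal sketch of an average hash (aHash), one of the simplest perceptual hashes. Real systems use far more robust hashes (pHash, PDQ, learned hashes); this toy version models an image as an 8x8 grayscale grid so it needs no image libraries, and the specific pixel values are illustrative only.

```python
def average_hash(pixels):
    """Hash an 8x8 grayscale grid: one bit per pixel, set if above the mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    return [1 if p > mean else 0 for p in flat]

def hamming(h1, h2):
    """Number of differing bits between two hashes."""
    return sum(a != b for a, b in zip(h1, h2))

# A toy "image": a bright square on a dark background.
image = [[200 if 2 <= r <= 5 and 2 <= c <= 5 else 30 for c in range(8)]
         for r in range(8)]

# A "recompressed" copy: every pixel shifted slightly, as lossy
# compression or a screenshot might do.
noisy = [[p + 10 for p in row] for row in image]

print(hamming(average_hash(image), average_hash(noisy)))  # 0: hashes match
```

Even though every single pixel changed, the hash is identical, because each pixel's relation to the image mean is preserved. That stability under transformation is what the exact cryptographic hashes used by digital signatures lack.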
Image steganography and watermarking don't work for image provenance.
C2PA can't survive a screenshot, digital signatures can't handle trivial modifications, and basically every watermarking algorithm is broken. The signatures attached to C2PA break when an image is uploaded to any social media platform or is compressed/screenshotted.
Perceptual hashes (which produce similar outputs for similar images) quantify this notion of perceptual similarity, acting like an invisible watermark that can't be stripped out. Try uploading two slightly modified images to https://proteus.photos and you can see how close the perceptual hash of a transformed image stays to the original's under common modifications.
Since perceptual hashes give us a mapping between similar images, we can leverage (a combination of) them with proofs of transformations to track content provenance on the internet in two phases:
- Image generation
- Image consumption
Phase 1: a content-producing organization (e.g., Midjourney, a camera maker) calculates the perceptual hashes of the produced image (and of transformed versions of it) and commits them to a timestamped public data store (e.g., a blockchain). Phase 2: when a user is consuming an image on the internet (e.g., on Twitter), the Morpheus system:
- computes the viewed image's perceptual hash to find approximate matches in the datastore
- computes proofs of transformation (if possible) from the viewed image's phash to the original phash
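The two phases above can be sketched in a few lines. This is a hypothetical toy model, not the production protocol: a Python dict stands in for the public datastore, a one-bit-per-pixel mean hash stands in for a real perceptual hash, and the `commit`/`lookup` names, the `midjourney` label, and the distance threshold are all made up for illustration.

```python
import time

def phash(pixels):
    """Toy perceptual hash: one bit per pixel, set if above the image mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    return tuple(1 if p > mean else 0 for p in flat)

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

# Stand-in for the timestamped public datastore (e.g., a blockchain).
store = {}

# Phase 1: the generator commits hashes of the image and of expected transforms.
def commit(image, transforms, source):
    for variant in [image] + [t(image) for t in transforms]:
        store[phash(variant)] = {"source": source, "ts": time.time()}

# Phase 2: the consumer hashes the viewed image and looks for a near match.
def lookup(image, max_distance=4):
    h = phash(image)
    best = min(store, key=lambda k: hamming(k, h), default=None)
    if best is not None and hamming(best, h) <= max_distance:
        return store[best]
    return None

# Demo: an 8x8 "generated" image and a slightly brightened copy.
original = [[200 if 2 <= r <= 5 else 30 for c in range(8)] for r in range(8)]

def brighten(img):
    return [[p + 10 for p in row] for row in img]

commit(original, [brighten], source="midjourney")
print(lookup(brighten(original)))  # finds the committed record
```

A real deployment replaces the exact-match-plus-Hamming-scan with approximate nearest-neighbor search over the datastore, and the transformation step with actual proofs of transformation rather than a fixed distance threshold.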
This two-phase protocol is a robust, end-to-end solution for tracking content provenance online, from image conception to consumption. Most importantly, it's amenable to a private version of the protocol that supports GDPR-compliant image deletion, making it palatable for large organizations like OpenAI.
In general, signing tons of different perceptual hashes can be robust to cropping, screenshots, and compression, and can be private. And only the image generator needs to adopt it for anyone to use it, not the whole world. Good cryptography is the only robust solution to AI content detection.
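"Signing tons of different perceptual hashes" can itself be sketched briefly. In this hypothetical example, HMAC with a shared key stands in for a real public-key signature scheme (e.g., Ed25519), the key and the hex hash values are invented for illustration, and each expected transform's hash is signed so that any single surviving variant can be verified on its own.

```python
import hmac
import hashlib

SECRET = b"generator-signing-key"  # hypothetical signing key

def sign(phash_hex: str) -> str:
    """Sign one perceptual hash (HMAC as a stand-in for a real signature)."""
    return hmac.new(SECRET, phash_hex.encode(), hashlib.sha256).hexdigest()

def verify(phash_hex: str, signature: str) -> bool:
    return hmac.compare_digest(sign(phash_hex), signature)

# The generator signs hashes for the original and for expected transforms
# (crop, screenshot, recompression), so no single transformation breaks it.
variant_hashes = ["a3f1b2c4", "a3f1b2c5", "b3f1b2c4"]  # toy phash values
signatures = {h: sign(h) for h in variant_hashes}

# A consumer verifies whichever variant's hash they computed locally.
print(verify("a3f1b2c5", signatures["a3f1b2c5"]))  # True
```

Note that only the generator needs the signing key; consumers only ever verify, which is why generator-side adoption is sufficient for everyone else to benefit.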
- We want to ship a simple MVP Chrome extension that shows you 1) whether an image was previously or partially generated by Midjourney and 2) if that fails, what a simple AI image discriminator predicts.
- Papers, formalizations, and benchmarks of existing perceptual hashes, as well as newly trained ones, to ensure we have the best possible perceptual hashing.
- Integrations into large AI image/video creators like Stable Diffusion, cameras, iPhones, OpenAI, and Midjourney!