PECCVAI: Overcoming the Brittleness of AI Image Watermarking Under Visual Paraphrasing Attacks

Shreyas Dixit, Ashhar Aziz, Shashwat Bajpai, Vasu Sharma, Aman Chadha, Vinija Jain, Amitava Das; Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2026, pp. 24471-24480

By 2026, up to 90% of online content may be synthetically generated, raising urgent concerns about the proliferation of AI-driven disinformation. In response, policymakers and technology companies are turning to watermarking as a safeguard: California's Bill AB 321 mandates watermarking of AI-generated media, while firms like Meta and Google have begun deploying watermarking systems to mitigate misuse. However, current watermarking methods remain brittle and vulnerable to attack. In this work, we introduce the visual paraphrase attack, a generative method that removes both visible and invisible watermarks from AI-generated images. The attack proceeds in two steps: (1) generating a descriptive caption from the original image, and (2) feeding this caption into a diffusion-based text-to-image model to produce a visually similar, watermark-free image. Our experiments show that this attack reliably removes watermarks while preserving semantic content of the original image, exposing a critical flaw in existing watermarking strategies. To counter this, we propose PECCAVI, the first watermarking technique explicitly designed to resist visual paraphrasing. PECCAVI embeds robust, high-fidelity watermarks (PSNR > 30 dB) in semantically stable image regions termed Non-Melting Points (NMPs) using multi-channel frequency domain encoding and noisy burnishing to obfuscate watermark locations and hinder reverse engineering. The method is model-agnostic and significantly more resilient than current alternatives. We also release the first benchmark dataset for visual paraphrasing attacks and open-source all code and resources, providing a foundation for future research on robust watermarking in the era of generative AI