Invisible, crypto-verified, AI-training-resilient image watermarks

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for mweinzierl from gravatar.com mweinzierl

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: AI Escape
  • Requires: Python >=3.12
  • Provides-Extra: dev , docs , gpu
Classifiers
Report project as malware

Project description

Sigil Watermark

PyPI version CI Python 3.12+ License: Apache-2.0

Invisible, crypto-verified, AI-training-resilient image watermarks. A pure signal-processing system — no neural networks, no training infrastructure, no GPU required.

Features

  • Invisible: 40+ dB PSNR on real photographs and artwork (adaptive embedding strength)
  • Crypto-verified: Ed25519 keypairs with HKDF-derived parameters — each watermark is cryptographically unique
  • Three independent layers: DFT ring anchor, DWT spread-spectrum payload, ghost spectral signal
  • Robust: Survives JPEG compression (Q60+), resize, crop, rotation, noise, bilateral filtering
  • VAE-resilient: Ghost signal layer survives Stable Diffusion VAE encode/decode
  • False positive rate: < 10^-30 (analytically proven, empirically validated)
  • Fast: Pure NumPy/SciPy — embeds a 1024x1024 image in ~200ms on CPU
  • Typed: Full PEP 561 compliance with type annotations

Installation

pip install sigil-watermark

Quick Start

import numpy as np
from sigil_watermark import SigilEmbedder, SigilDetector, generate_author_keys

# Generate author keypair (or derive from a seed for reproducibility)
keys = generate_author_keys()

# Load your image as a float64 array (0-255), grayscale or RGB
image = np.array(Image.open("artwork.png").convert("RGB"), dtype=np.float64)

# Embed watermark
embedder = SigilEmbedder()
watermarked = embedder.embed(image, keys)

# Save (the watermark survives JPEG, PNG, and other formats)
Image.fromarray(np.clip(watermarked, 0, 255).astype(np.uint8)).save("watermarked.png")

# Detect watermark
detector = SigilDetector()
result = detector.detect(watermarked, keys.public_key)

print(f"Detected: {result.detected}")           # True
print(f"Author match: {result.author_id_match}") # True
print(f"Confidence: {result.confidence:.3f}")     # ~0.7

Architecture

Sigil embeds three independent watermark layers, each targeting a different attack class:

                    ┌─────────────────────────────────┐
                    │         Input Image              │
                    └──────────────┬──────────────────┘
                                   │
                    ┌──────────────▼──────────────────┐
                    │  Layer 1: DFT Ring Anchor        │
                    │  8 concentric frequency rings     │
                    │  (key-derived + sentinel + content)│
                    │  Survives: rotation, crop, scale  │
                    └──────────────┬──────────────────┘
                                   │
                    ┌──────────────▼──────────────────┐
                    │  Layer 2: DWT Spread-Spectrum    │
                    │  RS-encoded payload in wavelets   │
                    │  Tiled for crop robustness        │
                    │  Survives: JPEG, noise, resize    │
                    └──────────────┬──────────────────┘
                                   │
                    ┌──────────────▼──────────────────┐
                    │  Layer 3: Ghost Spectral Signal  │
                    │  Multiplicative modulation at     │
                    │  VAE-transparent frequency bands   │
                    │  Survives: VAE encode/decode      │
                    └──────────────┬──────────────────┘
                                   │
                    ┌──────────────▼──────────────────┐
                    │       Watermarked Image           │
                    │       PSNR: 35-47 dB              │
                    └─────────────────────────────────┘

Detection is three-tier:

  1. Beacon — "Is this a Sigil watermark?" (universal marker)
  2. Author Index — "Whose watermark is it?" (20-bit index for blind scanning)
  3. Author Verification — "Cryptographic proof of authorship" (48-bit author ID)

Documentation

Development

git clone https://github.com/AI-Escape/sigil-watermark.git
cd sigil-watermark
uv sync --extra dev
uv run pytest              # ~1,900 tests (GPU/slow excluded by default)
uv run pytest -n auto      # parallel execution
uv run ruff check .        # lint
uv run ruff format --check # format check

GPU tests

Some tests require a GPU with PyTorch and diffusers installed:

uv sync --extra gpu
uv run pytest -m gpu       # real SD VAE encode/decode, LoRA propagation

Building docs locally

uv sync --extra docs
uv run mkdocs serve        # http://127.0.0.1:8000

Origin

Sigil Watermark was originally developed as part of the Signarture artist protection platform.

License

Apache-2.0 — see LICENSE for details.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for mweinzierl from gravatar.com mweinzierl

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: AI Escape
  • Requires: Python >=3.12
  • Provides-Extra: dev , docs , gpu
Classifiers

Release history Release notifications | RSS feed

This version

0.2.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sigil_watermark-0.2.0.tar.gz (3.0 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sigil_watermark-0.2.0-py3-none-any.whl (38.7 kB view details)

Uploaded Python 3

File details

Details for the file sigil_watermark-0.2.0.tar.gz.

File metadata

  • Download URL: sigil_watermark-0.2.0.tar.gz
  • Upload date:
  • Size: 3.0 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for sigil_watermark-0.2.0.tar.gz
Algorithm Hash digest
SHA256 76afc57396f0c4336fd3e8f583d5591b379f81f5621d9c9071635b5c3123e9d4
MD5 01f0b99322027a6f8d14546cef09945f
BLAKE2b-256 bed82d83cb8daf8327e50e3bbb5b2fdd2f167c537549bd44dc4e30d1298d2bf6

See more details on using hashes here.

Provenance

The following attestation bundles were made for sigil_watermark-0.2.0.tar.gz:

Publisher: publish.yml on AI-Escape/sigil-watermark

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sigil_watermark-0.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for sigil_watermark-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 fbfcab76710f0a79955c248aab79f9d4f36c830bbe1a64b4f41a7ccfbbb3e6da
MD5 3f0f56825e01b035a228f868161bacfc
BLAKE2b-256 12b709b2c300b13061a874776fd1c1e1795d11cee55ae85dad3ff1e54ea26745

See more details on using hashes here.

Provenance

The following attestation bundles were made for sigil_watermark-0.2.0-py3-none-any.whl:

Publisher: publish.yml on AI-Escape/sigil-watermark

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page