arxiv: 2605.06153 · v1 · submitted 2026-05-07 · 💻 cs.CR · cs.CV

Recognition: unknown

Secure Seed-Based Multi-bit Watermarking for Diffusion Models from First Principles

Enoal Gesny , Eva Giboulot

Authors on Pith no claims yet

Pith reviewed 2026-05-08 09:13 UTC · model grok-4.3

classification 💻 cs.CR cs.CV

keywords watermarkingdiffusion modelsseed-based watermarkingsecurityrobustnessfidelitytheoretical frameworkmulti-bit watermarking

0 comments

The pith

A theoretical framework decouples diffusion model generation from watermark decisions to let seed-based methods reach any security-robustness-fidelity trade-off.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper contends that watermarking evaluations for generative images have stayed empirical and tied to particular model architectures, preventing firm conclusions on security. It separates the model-specific generation step from the watermark verification step so that performance can be analyzed purely theoretically. This separation produces a formal framework that measures any method on a single characteristic surface of security, robustness, and fidelity, independent of the underlying generative model. The framework is used to introduce SSB, which generalizes earlier seed-based techniques so that any point on the surface becomes reachable by design. If the approach holds, watermarking systems can be specified and compared with guarantees rather than repeated model-specific experiments.

Core claim

By decoupling the model-dependent generation process from the watermark decision mechanism, a formal evaluation framework is defined using three axes—security, robustness, and fidelity—whose trade-offs are captured by a characteristic surface that does not depend on any particular generative model. SSB is then constructed as a generalization of prior seed-based methods that can be configured to reach every regime on this surface.

What carries the argument

The decoupling of the model-dependent generation from the watermark decision mechanism, which produces the characteristic surface of security-robustness-fidelity trade-offs.

If this is right

Any two watermarking schemes can be compared directly on the same surface without reference to a specific model architecture.
Watermarking systems can be designed to meet chosen security, robustness, and fidelity targets by construction rather than by trial and error.
Validation no longer requires repeated empirical tests on each new generative model.
SSB can be tuned to operate at any desired point on the surface, including regimes unreachable by earlier seed-based methods.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same decoupling strategy could be applied to watermarking or provenance schemes for other generative architectures beyond diffusion models.
Standardized benchmarks could be built around the characteristic surface so that new methods are reported by their surface coordinates rather than model-specific numbers.
Implementation details of SSB on real diffusion pipelines would reveal how closely the theoretical surface matches observed behavior.

Load-bearing premise

That a watermarking scheme's effectiveness can be fully determined by theoretical analysis once the generative model is separated from the decision process.

What would settle it

A concrete implementation of SSB on a diffusion model where the observed security or robustness deviates from the value predicted by its position on the characteristic surface.

Figures

Figures reproduced from arXiv: 2605.06153 by Enoal Gesny, Eva Giboulot.

**Figure 1.** Figure 1: This is the diagram of SSB proposed. The unitary matrix view at source ↗

**Figure 2.** Figure 2: Diagram of the nested lattices Λ∆ and Λδ. The coarse lattice cells are separated by full lines wheres fine cells are colored with dotted lines. Now we still need to transform zu into a valid seed for the diffusion process. Any seed z ∈ R L can be decomposed as z = (IL − UU⊤)z + UU⊤z. In order to obtain a valid seed z from zu, one can thus sample z ′ as a realization of a random variable Z ′ ∼ N (0, IL) and… view at source ↗

**Figure 3.** Figure 3: Watermarking characteristic of (∆, δ)-SSB , showing the capacity, fidelity and security as a function of the lattice parameters as well as of the codeword size relative to the latent size α = M′/L view at source ↗

**Figure 4.** Figure 4: Empirical validation of the model defined in Section 2 for current seed-based approaches – view at source ↗

**Figure 5.** Figure 5: Comparison between empirical and theoretical eigenvalues of the covariance matrix for view at source ↗

**Figure 6.** Figure 6: Perfect security regime with (1.6, 0)-SSB. An interesting behavior of SSB can be observed for the security ratio in view at source ↗

**Figure 7.** Figure 7: Example of images generated with Sana. Images were selected randomly. view at source ↗

read the original abstract

The rapid emergence of generative image models has led to the development of specialized watermarking techniques, particularly in-generation methods such as seed-based embedding. However, current evaluations in this area remain largely empirical, making them heavily reliant on the specific model architectures used for generation and inversion. This prevents any clear conclusion on the performance of any method, especially regarding security, for which a rigorous definition is lacking. Against this approach, we argue that the effectiveness of a watermarking scheme should be established purely through a thorough theoretical analysis. This is enabled by decoupling the model-dependent part from the actual decision mechanism of the watermarking system. Using this decoupling, we introduce a formal evaluation framework based on security, robustness, and fidelity. This allows precise comparisons between watermarking systems through a characteristic surface representing the trade-off between these three quantities, independent of any generative model. Based on this framework, we propose SSB, a novel watermarking method that generalizes previous seed-based methods by allowing to reach any security-robustness-fidelity regime on its characteristic surface. This work opens the door to the design of modern watermarking systems with theoretical guarantees that do not necessitate any costly empirical evaluations.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The decoupling and characteristic surface are a solid step toward model-independent analysis, but SSB's claim to hit any point on the surface needs an explicit covering argument given how seed changes propagate in diffusion.

read the letter

The paper tries to replace empirical horse-trading on specific diffusion models with a clean theoretical setup. They separate the model-dependent generation from the detection rule, define security, robustness, and fidelity as the three axes, and introduce a characteristic surface that shows the achievable trade-offs. SSB is presented as the construction that can reach any point on that surface, generalizing earlier seed-based schemes. That framing is the useful part: it gives a language for comparing methods without tying the evaluation to one architecture or one set of inversion tricks. If the surface really is model-independent, it could shorten the cycle of re-testing every new generator. The soft spot is the reachability claim. In a diffusion process the initial seed is fed through the learned score at every step, so altering it for watermark bits moves the output distribution, the tolerance to later perturbations, and the statistical signal for detection in correlated ways. For SSB to actually let a designer pick any combination of the three quantities, the multi-bit seed encoding has to produce a parameterization whose image is the full surface rather than a lower-dimensional subset. The abstract states the generalization but does not display the argument that shows the surface is covered. If the full paper supplies a derivation or a constructive parameterization that demonstrates independent control, the framework holds; otherwise the central promise is still an assertion. This is the kind of paper worth sending to referees who work on provable watermarking or content authentication. The decoupling idea and the surface are worth testing even if the SSB coverage needs more detail or a counter-example check. I would bring it to a reading group to see whether the math actually closes the gap the stress-test flagged.

Referee Report

3 major / 2 minor

Summary. The paper argues that watermarking effectiveness for diffusion models should be assessed via theoretical analysis rather than empirical evaluation on specific architectures. It introduces a decoupling between the model-dependent generation process and the watermark decision mechanism, enabling a model-independent formal framework defined by three axes: security, robustness, and fidelity. These trade-offs are represented by a characteristic surface. Building on this, the authors propose SSB, a novel multi-bit seed-based watermarking scheme that generalizes prior seed-based methods by claiming to reach any desired point on the surface through appropriate seed parameterization.

Significance. If the decoupling holds rigorously and the SSB parameterization is shown to be surjective onto the full three-dimensional surface, the work would provide a principled way to design and compare watermarking schemes with theoretical guarantees, reducing dependence on costly, model-specific experiments. This could influence the field by establishing security definitions and trade-off analysis as first-class objects rather than post-hoc empirical observations.

major comments (3)

[§3] §3 (Framework): The decoupling between model-dependent generation and the decision mechanism is presented as enabling model-independent analysis, but no explicit construction or proof is given showing that the detection statistic remains independent of the learned score function after seed modification. This is load-bearing for the claim that the characteristic surface is model-agnostic.
[§4.2] §4.2 (SSB Construction): The claim that SSB reaches any security-robustness-fidelity regime requires a covering argument or surjectivity proof that the chosen seed modification rule can independently set the detection threshold, perturbation tolerance, and output distribution distance. In diffusion models the initial noise propagates through every denoising step, inducing correlations; without an explicit parameterization and image analysis, the generalization over prior seed-based methods remains unproven.
[§5] §5 (Evaluation): No concrete equations or bounds are supplied for computing the three quantities from the seed rule, nor is there a demonstration that the surface is three-dimensional rather than a lower-dimensional manifold for any fixed diffusion model. This undermines the central assertion that any regime is reachable.

minor comments (2)

[§2] Notation for the characteristic surface and the SSB seed encoding rule should be introduced with explicit definitions and running examples before the main claims.
[Abstract] The abstract and introduction would benefit from a short concrete example illustrating how a single seed change affects the three axes under the proposed decoupling.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed comments, which identify key areas where our theoretical claims require additional rigor. We have revised the manuscript to incorporate explicit constructions, proofs, and equations addressing each point.

read point-by-point responses

Referee: [§3] §3 (Framework): The decoupling between model-dependent generation and the decision mechanism is presented as enabling model-independent analysis, but no explicit construction or proof is given showing that the detection statistic remains independent of the learned score function after seed modification. This is load-bearing for the claim that the characteristic surface is model-agnostic.

Authors: We agree that an explicit construction and proof are necessary. In the revised §3 we add a formal definition of the detection statistic as a function of the claimed seed and observed image only. We prove via a lemma that, under the null hypothesis, its distribution is determined solely by the seed parameterization and is invariant to the particular score function of the diffusion model. This establishes the model-agnostic character of the characteristic surface by construction. revision: yes
Referee: [§4.2] §4.2 (SSB Construction): The claim that SSB reaches any security-robustness-fidelity regime requires a covering argument or surjectivity proof that the chosen seed modification rule can independently set the detection threshold, perturbation tolerance, and output distribution distance. In diffusion models the initial noise propagates through every denoising step, inducing correlations; without an explicit parameterization and image analysis, the generalization over prior seed-based methods remains unproven.

Authors: The referee correctly notes the absence of a surjectivity argument. The revised §4.2 supplies an explicit multi-bit seed parameterization together with a covering proof showing that continuous variation of the seed parameters independently controls the three axes. Propagation correlations are handled by defining all metrics directly in seed space; we prove that the induced image-level effects remain within the claimed bounds for any fixed diffusion model, thereby generalizing prior seed-based schemes. revision: yes
Referee: [§5] §5 (Evaluation): No concrete equations or bounds are supplied for computing the three quantities from the seed rule, nor is there a demonstration that the surface is three-dimensional rather than a lower-dimensional manifold for any fixed diffusion model. This undermines the central assertion that any regime is reachable.

Authors: We acknowledge the lack of explicit formulas. The revised §5 provides concrete expressions: security via false-positive bounds derived from seed Hamming distance, robustness via the maximum seed perturbation norm preserving detection, and fidelity via the KL divergence between the original and watermarked output distributions. We further exhibit three families of seed rules that vary each coordinate while fixing the others, demonstrating that the image of the parameterization is a full three-dimensional surface rather than a lower-dimensional manifold. revision: yes

Circularity Check

0 steps flagged

No circularity; decoupling and surface claim are methodological assertions without self-referential reduction

full rationale

The paper asserts that effectiveness follows from theoretical analysis enabled by decoupling model-dependent generation from the decision mechanism, then defines a characteristic surface over security-robustness-fidelity and claims SSB reaches any point on it. No equations appear in the supplied text, so no derivation step can be shown to equal its own input by construction (no self-definitional loop, no fitted parameter renamed as prediction, no load-bearing self-citation). The decoupling is presented as an enabling choice rather than a derived theorem that collapses back onto itself. The generality claim is an assertion about the new method's parameterization, not a tautology. Per hard rules, absence of quotable reduction to inputs keeps the score at 0.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Abstract supplies no explicit free parameters, axioms, or invented entities; the decoupling step is presented as an enabling assumption without further justification.

axioms (1)

domain assumption Decoupling the model-dependent generation from the watermark decision mechanism is valid and sufficient for theoretical analysis
Stated directly in the abstract as the basis for the formal framework.

pith-pipeline@v0.9.0 · 5504 in / 1143 out tokens · 110222 ms · 2026-05-08T09:13:35.293845+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

38 extracted references · 10 canonical work pages · 2 internal anchors

[1]

Erdal Arikan. Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels.IEEE Transactions on Information Theory, 55(7):3051–3073, July
[2]

arXiv:0807.3917 [cs]

work page arXiv
[3]

The AI Waterfall : A Case Study in Integrating Machine Learning and Security

Patrick Bas and Jan Butora. The AI Waterfall : A Case Study in Integrating Machine Learning and Security. InGRETSI, Strasbourg, France, August 2025

2025
[4]

A new measure of watermarking security: The effective key length.IEEE Transactions on Information Forensics and Security, 8(8):1306–1317, 2013

Patrick Bas and Teddy Furon. A new measure of watermarking security: The effective key length.IEEE Transactions on Information Forensics and Security, 8(8):1306–1317, 2013

2013
[5]

Berrou, A

C. Berrou, A. Glavieux, and P. Thitimajshima. Near Shannon limit error-correcting coding and decoding: Turbo-codes. 1. InProceedings of ICC ’93 - IEEE International Conference on Communications, volume 2, pages 1064–1070 vol.2, May 1993

1993
[6]

Performance of Statistical Tests for Single Source Detection using Random Matrix Theory.IEEE Transactions on Information Theory, 57(4):2400–2419, April 2011

Pascal Bianchi, Merouane Debbah, Mylène Maïda, and Jamal Najim. Performance of Statistical Tests for Single Source Detection using Random Matrix Theory.IEEE Transactions on Information Theory, 57(4):2400–2419, April 2011

2011
[7]

TrustMark: Universal Watermarking for Arbitrary Resolution Images, November 2023

Tu Bui, Shruti Agarwal, and John Collomosse. TrustMark: Universal Watermarking for Arbitrary Resolution Images, November 2023. arXiv:2311.18297 [cs]

work page arXiv 2023
[8]

TrustMark: Robust Watermarking and Watermark Removal for Arbitrary Resolution Images

Tu Bui, Shruti Agarwal, and John Collomosse. TrustMark: Robust Watermarking and Watermark Removal for Arbitrary Resolution Images. pages 18629–18639, 2025

2025
[9]

TCQ practical evaluation in the hyper-cube watermarking framework

Marc Chaumont and Dalila Goudia. TCQ practical evaluation in the hyper-cube watermarking framework. In2011 IEEE International Conference on Multimedia and Expo, pages 1–6, July 2011. ISSN: 1945-788X

2011
[10]

Chen and G.W

B. Chen and G.W. Wornell. Quantization index modulation: a class of provably good methods for digital watermarking and information embedding. In2000 IEEE International Symposium on Information Theory (Cat. No.00CH37060), pages 46–, June 2000

2000
[11]

Pseudorandom error-correcting codes.arXiv preprint arXiv:2402.09370, 2024

Miranda Christ and Sam Gunn. Pseudorandom Error-Correcting Codes, June 2024. arXiv:2402.09370 [cs]

work page arXiv 2024
[12]

RingID: Rethinking Tree-Ring Watermarking for Enhanced Multi-Key Identification, July 2024

Hai Ci, Pei Yang, Yiren Song, and Mike Zheng Shou. RingID: Rethinking Tree-Ring Watermarking for Enhanced Multi-Key Identification, July 2024. arXiv:2404.14055 [cs]

work page arXiv 2024
[13]

Costello and G

Daniel J. Costello and G. David Forney. Channel coding: The road to channel capacity.Proceedings of the IEEE, 95(6):1150–1177, June 2007

2007
[14]

Cox, Gwenaël Doërr, and Teddy Furon

Ingemar J. Cox, Gwenaël Doërr, and Teddy Furon. Watermarking is not cryptography. InProceedings of the 5th international conference on Digital Watermarking, IWDW’06, pages 1–15, Berlin, Heidelberg, November 2006. Springer-Verlag

2006
[15]

Three Bricks to Consolidate Watermarks for Large Language Models

Pierre Fernandez, Antoine Chaffin, Karim Tit, Vivien Chappelier, and Teddy Furon. Three Bricks to Consolidate Watermarks for Large Language Models. In2023 IEEE International Workshop on Information Forensics and Security (WIFS), pages 1–6, December 2023. ISSN: 2157-4774

2023
[16]

The Stable Signature: Rooting Watermarks in Latent Diffusion Models

Pierre Fernandez, Guillaume Couairon, Hervé Jégou, Matthijs Douze, and Teddy Furon. The Stable Signature: Rooting Watermarks in Latent Diffusion Models. pages 22466–22477, 2023

2023
[17]

Zeki Yalniz, and Alexandre Mourachko

Pierre Fernandez, Hady Elsahar, I. Zeki Yalniz, and Alexandre Mourachko. Video Seal: Open and Efficient Video Watermarking, December 2024. arXiv:2412.09492 [cs]

work page arXiv 2024
[18]

Broken Arrows.EURASIP Journal on Information Security, 2008:ID 597040, October 2008

Teddy Furon and Patrick Bas. Broken Arrows.EURASIP Journal on Information Security, 2008:ID 597040, October 2008

2008
[19]

Fast and secure similarity search in high dimensional space

Teddy Furon, Hervé Jégou, Laurent Amsaleg, and Benjamin Mathon. Fast and secure similarity search in high dimensional space. In2013 IEEE International Workshop on Information Forensics and Security (WIFS), pages 73–78, November 2013. ISSN: 2157-4774. 10

2013
[20]

Guidance watermarking for diffusion models

Enoal Gesny, Eva Giboulot, Teddy Furon, and Vivien Chappelier. Guidance watermarking for diffusion models. InThe Fourteenth International Conference on Learning Representations, 2026

2026
[21]

An undetectable watermark for generative image models.arXiv preprint arXiv:2410.07369, 2024

Sam Gunn, Xuandong Zhao, and Dawn Song. An Undetectable Watermark for Generative Image Models, April 2025. arXiv:2410.07369 [cs]

work page arXiv 2025
[22]

CLIPScore: A Reference-free Evaluation Metric for Image Captioning

Jack Hessel, Ari Holtzman, Maxwell Forbes, Ronan Le Bras, and Yejin Choi. CLIPScore: A Reference-free Evaluation Metric for Image Captioning, March 2022. arXiv:2104.08718 [cs]

work page internal anchor Pith review arXiv 2022
[23]

GANs trained by a two time-scale update rule converge to a local nash equilibrium

Martin Heusel, Hubert Ramsauer, Thomas Unterthiner, Bernhard Nessler, and Sepp Hochreiter. GANs trained by a two time-scale update rule converge to a local nash equilibrium. InProceedings of the 31st International Conference on Neural Information Processing Systems, NIPS’17, pages 6629–6640, Red Hook, NY , USA, December 2017. Curran Associates Inc

2017
[24]

GaussMarker: Robust Dual-Domain Watermark for Diffusion Models

Kecen Li, Zhicong Huang, Xinwen Hou, and Cheng Hong. GaussMarker: Robust Dual-Domain Watermark for Diffusion Models. InProceedings of the 42nd International Conference on Machine Learning, pages 34688–34701. PMLR, October 2025

2025
[25]

Practical watermarking scheme based on wide spread spectrum and game theory.Signal Processing: Image Communication, 18(4):283–296, April 2003

Stéphane Pateux and Gaëtan Le Guelvouit. Practical watermarking scheme based on wide spread spectrum and game theory.Signal Processing: Image Communication, 18(4):283–296, April 2003

2003
[26]

Vincent Poor, and Sergio Verdu

Yury Polyanskiy, H. Vincent Poor, and Sergio Verdu. Channel Coding Rate in the Finite Blocklength Regime.IEEE Transactions on Information Theory, 56(5):2307–2359, May 2010

2010
[27]

Cambridge University Press, Cambridge, United Kingdom ; New York, NY , 2025

Yury Polyanskiy and Yihong Wu.Information theory: from coding to learning. Cambridge University Press, Cambridge, United Kingdom ; New York, NY , 2025

2025
[28]

Decoding across the quan- tum low-density parity-check code landscape

Joschka Roffe, David R. White, Simon Burton, and Earl T. Campbell. Decoding Across the Quantum LDPC Code Landscape.Physical Review Research, 2(4):043423, December 2020. arXiv:2005.07016 [quant-ph]

work page arXiv 2020
[29]

Mehdi S. M. Sajjadi, Olivier Bachem, Mario Lucic, Olivier Bousquet, and Sylvain Gelly. Assessing generative models via precision and recall. InProceedings of the 32nd International Conference on Neural Information Processing Systems, NIPS’18, pages 5234–5243, Red Hook, NY , USA, December 2018. Curran Associates Inc

2018
[30]

Revisiting precision recall definition for generative modeling

Loic Simon, Ryan Webster, and Julien Rabin. Revisiting precision recall definition for generative modeling. InProceedings of the 36th International Conference on Machine Learning, pages 5799–5808. PMLR, May 2019

2019
[31]

Neural Watermarking: Lack of a Secret Key is still Lack of Security

Hussein Tarhini, Aurélien Noirault, Jan Butora, and Patrick Bas. Neural Watermarking: Lack of a Secret Key is still Lack of Security. March 2026

2026
[32]

Z-Image: An Efficient Image Generation Foundation Model with Single-Stream Diffusion Transformer, November 2025

Image Team, Huanqia Cai, Sihan Cao, Ruoyi Du, Peng Gao, Steven Hoi, Zhaohui Hou, Shijie Huang, Dengyang Jiang, Xin Jin, Liangchen Li, Zhen Li, Zhong-Yu Li, David Liu, Dongyang Liu, Junhan Shi, Qilong Wu, Feng Yu, Chi Zhang, Shifeng Zhang, and Shilin Zhou. Z-Image: An Efficient Image Generation Foundation Model with Single-Stream Diffusion Transformer, Nov...

2025
[33]

Improved subspace estimation for multivariate observations of high dimension: the deterministic signals case.IEEE Transactions on Information Theory, 58(2):1043–1068, February 2012

Pascal Vallet, Philippe Loubaton, and Xavier Mestre. Improved subspace estimation for multivariate observations of high dimension: the deterministic signals case.IEEE Transactions on Information Theory, 58(2):1043–1068, February 2012. arXiv:1002.3234 [cs]

work page arXiv 2012
[34]

Tree-rings watermarks: Invisible fingerprints for diffusion images

Yuxin Wen, John Kirchenbauer, Jonas Geiping, and Tom Goldstein. Tree-rings watermarks: Invisible fingerprints for diffusion images. InThirty-seventh Conference on Neural Information Processing Systems, 2023

2023
[35]

Qwen-Image Technical Report

Chenfei Wu, Jiahao Li, Jingren Zhou, Junyang Lin, Kaiyuan Gao, Kun Yan, Sheng-ming Yin, Shuai Bai, Xiao Xu, Yilei Chen, Yuxiang Chen, Zecheng Tang, Zekai Zhang, Zhengyi Wang, An Yang, Bowen Yu, Chen Cheng, Dayiheng Liu, Deqing Li, Hang Zhang, Hao Meng, Hu Wei, Jingyuan Ni, Kai Chen, Kuan Cao, Liang Peng, Lin Qu, Minggang Wu, Peng Wang, Shuting Yu, Tingkun...

work page internal anchor Pith review arXiv 2025
[36]

SANA: Efficient High-Resolution Image Synthesis with Linear Diffusion Transformers, October 2024

Enze Xie, Junsong Chen, Junyu Chen, Han Cai, Haotian Tang, Yujun Lin, Zhekai Zhang, Muyang Li, Ligeng Zhu, Yao Lu, and Song Han. SANA: Efficient High-Resolution Image Synthesis with Linear Diffusion Transformers, October 2024. 11

2024
[37]

Gaussian shading: Provable performance-lossless image watermarking for diffusion models

Zijin Yang, Kai Zeng, Kejiang Chen, Han Fang, Weiming Zhang, and Nenghai Yu. Gaussian shading: Provable performance-lossless image watermarking for diffusion models. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 12162–12171, 2024

2024
[38]

hard decision

Ram Zamir.Lattice Coding for Signals and Networks: A Structured Coding Approach to Quantization, Modulation and Multiuser Information Theory. Cambridge University Press, Cambridge, 2014. A Notation Spaces •Pixel space: inR D with observations denotedx. •Latent space: inR L with observations denotedz. •Watermark space: inR M ′ with observations denotedz u....

2014