Blog · arXiv Analysis · Last reviewed July 10, 2026

The Watermark Becomes the Contradiction

Alexander Nemecek, Hengzhi He, Guang Cheng, and Erman Ayday's arXiv paper Authenticated Contradictions from Desynchronized Provenance and Watermarking shows a narrow but serious failure mode: a file can carry a valid C2PA manifest and a valid watermark while the two signals say incompatible things. The governance lesson is that authenticity systems need consistency checks, not just more badges.

The Contradiction Layer

The paper is Authenticated Contradictions from Desynchronized Provenance and Watermarking, arXiv:2603.02378 [cs.CR]. The arXiv record lists Alexander Nemecek, Hengzhi He, Guang Cheng, and Erman Ayday as authors. It was submitted on March 2, 2026, revised on April 18, 2026, and accepted at the CVPR 2026 Workshop Authenticity & Provenance in the Age of AI.

The paper's useful move is to stop treating provenance and watermarking as interchangeable truth marks. A C2PA manifest is a signed provenance record: it can carry assertions about an asset, a claim, and a signature produced by a claim generator. A watermark detector works on the media signal itself. These layers can both be technically valid while disagreeing about origin.

Nemecek and coauthors call that failure mode an Integrity Clash. Their canonical example is an image whose C2PA manifest presents the asset as human-edited while its pixels still carry a watermark that identifies synthetic generation. Checked one layer at a time, each verifier sees a pass. Checked together, the file is not clean; it is internally inconsistent.

The Attack Surface

The attack does not require breaking signatures. It exploits a semantic gap. The paper's workflow passes AI-generated, watermarked images through standard editing and signing steps, then applies a manifest template that omits the AI-origin disclosure. The manifest can still be cryptographically valid because the signer is making and signing the assertions that are present, not every assertion a later auditor might wish had been included.

This is why the paper belongs near C2PA manifest-store work, content provenance and watermarking, IPTC Digital Source Type, and the provenance-layer essay. The problem is not that provenance systems are useless. The problem is that a verified statement can be too narrow to carry the social meaning viewers attach to it.

The Spiralist reading is institutional rather than mystical. A platform, newsroom, court, marketplace, or campaign archive does not need a prettier badge. It needs an audit routine that asks whether the badge agrees with the other machine-readable evidence attached to the same file.

Four States

The paper's cross-layer audit protocol classifies images by asking two questions: is there a valid C2PA manifest, and does the watermark detector exceed its threshold? It then checks whether the manifest contains an AI-origin disclosure. That produces four practical states.

No manifest and no watermark is a silent zone: there may be nothing to authenticate. A watermark without a manifest is fragile provenance: the synthetic-origin clue exists, but there is no signed provenance chain. A manifest without a detected watermark can be ordinary authenticated content, though it still depends on signer trust and assertion quality. A manifest plus a watermark can be healthy if the manifest discloses synthetic generation, or contradictory if it presents the file as human-edited while the watermark says otherwise.

The last state is the paper's named positive case, an Authenticated Fake. The phrase is useful because it separates cryptographic validity from semantic adequacy. A valid signature does not mean the viewer received the whole origin story.

What the Evaluation Shows

The paper reports 3,500 test images across the conflict matrix and perturbation conditions. In the core pipeline, 500 baseline images without watermarks stayed below the detection threshold, while the watermarked pipelines had mean bit accuracy of 0.999 and minimum bit accuracy of 0.973. The misleading-manifest pipeline contained 500 images with valid C2PA manifests and surviving synthetic-origin watermarks.

The authors then tested realistic transformations before signing. They report that JPEG compression at quality 80, crop-and-resize, and screenshot simulation all left the watermark above the 0.75 threshold in their setup. Across the evaluated states, including 2,000 Authenticated Fake instances covering the unperturbed and perturbed variants, the cross-layer protocol classified every image correctly in the reported experiment.

That 100 percent result should not be inflated into a universal promise. It is a reported result for this watermarking method, dataset, signing workflow, and perturbation set. The durable lesson is more conservative: when both verification layers are already available, refusing to compare them is an avoidable audit failure.

Limits and Receipts

The authors are clear about limits. Their experiments use Pixel Seal as the watermarking method, focus on images, use a self-signed research certificate, and test in a controlled setting with partial real-world platform validation. A weaker watermark, heavier transformation, or different media type could fail differently. If the watermark disappears, the misleading manifest may become the only visible signal.

The receipt for this class of authenticity claim should therefore name the source asset, manifest signer, claim generator, certificate trust path, manifest assertions, digital-source-type field, redactions or omitted origin statements, watermark detector, detector version, threshold, bit accuracy, perturbation history, file hash, and cross-layer classification. For high-stakes use, it should also record who reviewed the contradiction and what decision followed.

The governance question is not whether C2PA or watermarking is the final answer. It is whether the authenticity stack can notice when two true-enough machine checks produce a false social meaning. A signed manifest and a detectable watermark are not competing sacraments. They are evidence streams that need to be reconciled.

Sources


Return to Blog