Sigil: Cryptographic Image Watermarking for AI Training Detection
AI companies scrape billions of images from the internet to train their models. Artists, photographers, and creators rarely consent to this — or even know it's happening. By the time you discover your work was used, the model is already trained and deployed.
What if you could prove your work was stolen? What if you could embed an invisible signature that survives model training and lets you detect unauthorized use?
That's Sigil.
The Problem: Invisible Theft
Modern AI image generators are trained on massive datasets scraped from social media, art portfolios, stock photo sites, and personal blogs. There's no opt-out, no consent, no compensation. And traditional watermarks don't help — they're easily cropped, blurred, or removed.
My Solution: Radioactive Data Marking
Sigil builds on Facebook AI Research's ICML 2020 paper "Radioactive data: tracing through training." Instead of adding visible watermarks, it embeds cryptographically secure signatures directly into pixel values. These perturbations are:
- Imperceptible to human eyes (controlled by an epsilon parameter)
- Robust to compression, resizing, and augmentation
- Detectable after model training by analyzing model behavior
How It Works
Each user gets a unique 256-bit cryptographic signature generated with HMAC-SHA256. Using PyTorch and Projected Gradient Descent (PGD), Sigil optimizes pixel perturbations that encode this signature while remaining invisible:
```python
import torch

def poison_image(image, signature, epsilon=0.01):
    # Optimize a perturbation that encodes the signature while
    # staying inside an L-infinity ball of radius epsilon.
    perturbation = pgd_optimize(
        image=image,
        target_signature=signature,
        epsilon=epsilon,
        iterations=100,
    )
    # Apply the perturbation and keep pixel values in [0, 1].
    poisoned = image + perturbation
    return torch.clamp(poisoned, 0.0, 1.0)
```
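The signature itself comes straight from Python's standard library. A minimal sketch, assuming each user's signature is derived from a secret key and a stable user identifier (the key and message layout here are illustrative assumptions, not Sigil's documented scheme):

```python
import hmac
import hashlib

def derive_signature(secret_key: bytes, user_id: str) -> bytes:
    # HMAC-SHA256 output is 32 bytes = 256 bits, matching the
    # signature size described above. Key/message layout is assumed.
    return hmac.new(secret_key, user_id.encode("utf-8"), hashlib.sha256).digest()
```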
PGD Robustness Mode
Standard embedding can be fragile. PGD robustness mode adds adversarial training to make signatures survive real-world transformations:
```python
for step in range(iterations):
    # Sample a random transformation (crop, resize, compression, noise)
    # each step so the perturbation survives all of them in expectation.
    augmented = random_transform(poisoned_image)
    loss = signature_loss(augmented, target_signature)
    gradient = compute_gradient(loss)
    # Gradient step, then project back into the epsilon L-infinity ball.
    perturbation = project(perturbation - lr * gradient, epsilon)
This makes signatures survive JPEG compression (quality 60+), resizing (50%-200%), random crops, color jittering, and Gaussian noise.
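For concreteness, here is a self-contained PyTorch version of that loop. It's a sketch under stated assumptions, not Sigil's actual implementation: `signature_to_direction` is one possible way to expand a 256-bit signature into a feature-space direction (the radioactive-data paper marks a direction in the feature space of a fixed extractor), and plain Gaussian noise stands in for the full JPEG/resize/crop augmentation pipeline:

```python
import torch
import torch.nn.functional as F

def signature_to_direction(signature: bytes, dim: int = 512) -> torch.Tensor:
    # Seed a generator from the signature so the same signature always
    # maps to the same unit direction in feature space (assumed construction).
    gen = torch.Generator().manual_seed(int.from_bytes(signature[:8], "big"))
    u = torch.randn(dim, generator=gen)
    return u / u.norm()

def embed_robust(image, feature_extractor, u, epsilon=0.01, lr=2e-3, steps=100):
    # EOT-PGD: maximize alignment between features of randomly augmented
    # poisoned images and the signature direction u, while keeping the
    # perturbation inside an L-infinity ball of radius epsilon.
    delta = torch.zeros_like(image, requires_grad=True)
    for _ in range(steps):
        poisoned = (image + delta).clamp(0.0, 1.0)
        # Random augmentation; Gaussian noise stands in for the full
        # JPEG/resize/crop pipeline here.
        augmented = poisoned + 0.02 * torch.randn_like(poisoned)
        feats = feature_extractor(augmented).flatten(1)  # (batch, dim)
        loss = -F.cosine_similarity(feats, u.unsqueeze(0)).mean()
        loss.backward()
        with torch.no_grad():
            delta -= lr * delta.grad.sign()   # signed gradient step
            delta.clamp_(-epsilon, epsilon)   # project into the eps-ball
            delta.grad.zero_()
    return (image + delta).detach().clamp(0.0, 1.0)
```

Here `feature_extractor` is assumed to map an image batch to `(batch, dim)` features, e.g. a torchvision ResNet with its classification head removed.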
Features
- Single and batch processing: Sign one image or thousands
- Configurable strength: Balance invisibility vs. robustness (epsilon 0.005-0.05)
- Video protection: Per-frame poisoning with temporal signatures using cyclic sine waves (sketched after this list)
- Web UI: Drag-and-drop interface for non-technical users
- CLI tools: Automate signing in your workflow
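The temporal-signature idea can be pictured as modulating each frame's perturbation budget with a sine wave keyed to the signature. This is a hypothetical illustration of the "cyclic sine waves" feature, not Sigil's exact scheme:

```python
import math

def frame_epsilon(signature: bytes, frame_idx: int,
                  base_eps: float = 0.01, period: int = 24) -> float:
    # Derive a per-user phase from the signature (hypothetical construction).
    phase = (signature[0] / 255.0) * 2.0 * math.pi
    # Cycle the budget over `period` frames; the oscillation itself forms
    # a temporal pattern spanning the whole clip.
    wave = math.sin(2.0 * math.pi * frame_idx / period + phase)
    # Stay between 0.5*base_eps and base_eps so no frame is left unmarked.
    return base_eps * (0.75 + 0.25 * wave)
```

Each frame is then poisoned as above with its own epsilon.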
The Epsilon Balance
The epsilon parameter sets the perturbation budget: the largest amount any single pixel may shift, on a [0, 1] scale (so 0.01 is roughly 2.5 of 255 intensity levels):
- 0.005: Maximum stealth, may not survive aggressive compression
- 0.01: Recommended balance of invisibility and robustness
- 0.02: Detectable artifacts in solid colors
- 0.05: Visible noise in most images
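To put numbers on that tradeoff, a worst-case bound is easy to compute: if every pixel shifted by the full epsilon, the mean squared error would be epsilon squared, giving PSNR = 20 * log10(1 / epsilon). Real perturbations are sparser, so actual quality is higher:

```python
import math

# Worst-case PSNR if every pixel moves by the full epsilon budget.
for eps in (0.005, 0.01, 0.02, 0.05):
    psnr = 20 * math.log10(1.0 / eps)
    print(f"epsilon={eps:.3f} -> worst-case PSNR {psnr:.1f} dB")
```

At the recommended 0.01 this floor is 40 dB, a level usually considered visually transparent; at 0.05 it drops to 26 dB, which matches the visible noise noted above.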
Use Cases
- Artists: Sign your portfolio before uploading. If an AI generator mimics your style, test the model for your signature; a positive match is cryptographic evidence for legal action (see the detection sketch after this list).
- Photographers: Batch sign your entire library. Monitor new AI models for unauthorized training.
- Researchers: Controlled experiments with signed datasets. Measure data memorization and audit training data sources.
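Detection in the radioactive-data framing is a statistical test: under the null hypothesis (the model never trained on marked data), its features should be uncorrelated with the signature direction. A minimal sketch, assuming white-box access to the suspect model's feature extractor (Sigil's actual detection procedure may differ), using the fact that the cosine between random directions in d dimensions concentrates near zero with variance about 1/d:

```python
import math
import torch
import torch.nn.functional as F

def detection_zscore(feature_extractor, images, u):
    # Cosine similarity between each image's features and the
    # signature direction u.
    with torch.no_grad():
        feats = feature_extractor(images).flatten(1)
    cos = F.cosine_similarity(feats, u.unsqueeze(0))
    n, d = feats.shape
    # Under the null, each cosine is approximately N(0, 1/d), so the
    # mean over n images is approximately N(0, 1/(n*d)).
    return cos.mean().item() * math.sqrt(n * d)
```

A large z-score (say, above 5) corresponds to a vanishingly small p-value under the null, which is the kind of quantitative evidence the use cases above rely on.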
What I Learned
Building Sigil taught me about adversarial machine learning, signal processing for frequency-domain perturbations, cryptographic signature design, video encoding and temporal coherence, and PyTorch internals for custom optimization loops.
The hardest part was making it practical. Academic papers often ignore real-world constraints like processing time for batch jobs, memory usage for high-resolution images, and deployment complexity for non-technical users.
Sigil is open source — if you're a creator concerned about AI training on your work, or a researcher studying model behavior and data provenance, check it out on GitHub.