| 1 Functions | 2 Reference Architecture | 3 I/O Data |
| 4 Functions of AI Modules | 5 I/O Data of AI Modules | 6 AIW, AIMs, and JSON Metadata |
| 7 Reference Software | 8 Conformance Texting | 9 Performance Assessment |
1 Functions
1 Functions
The No-Inference Robustness (NNW-NIR) receives watermarked parameters, the payload and provides both the retrieved payload and the number of incorrect bits (Count error).
2 Reference Model
Figure 1 specifies the No-Inference Robustness (NNW-NIR) Reference Model including the input/output data, the AIMs, and the data exchanged between and among the AIMs.
Figure 1 – Reference Model of No-Inference Robustness (NNW-NIR))
The operation of No-Inference Robustness (NNW-NIR) develops in the following way:
- A user provides
- The Original payload
- The Watermarked parameters
- The machine provides
- The Count Error
- The Retrieved Payload
3 I/O Data
The input and output data of the No-Inference Robustness (NNW-NIR) Use Case are:
Table 1 – I/O Data of No-Inference Robustness (NNW-NIR)
| Input | Descriptions |
| Original Payload | The information inserted. |
| Watermarked parameters | The parameters of a watermarked AIM. |
| Output | Descriptions |
| Count error | The number of incorrect bits in the retrieved payload. |
| Retrieved payload | The output of the decoding procedure of the watermarking method. |
4 Functions of AI Modules
Table 2 provides the functions of the No-Inference Robustness (NNW-NIR) Use Case.
Table 2 – Functions of AI Modules of No-Inference Robustness (NNW-NIR)
| AIM | Function |
| Modification module | Modifies the parameters of the watermarked AIM. |
| NIR Watermark Decoder | Retrieves the payload using the watermarking method. |
| Comparator | Compares the retrieved payload to the original payload. |
5 I/O Data of AI Modules
The AI Modules of No-Inference Robustness (NNW-NIR) are given in Table 3.
Table 3 – AI Modules of No-Inference Robustness (NNW-NIR)
| AIM | Receives | Produces |
| Modification module | Watermarked parameters | Modified parameters |
| NIR Watermark Decoder | Modified parameters | Retrieved payload |
| Comparator | 1. Original payload
2. Retrieved payload |
Unwatermarked inference |
6 AIW, AIMs, and JSON Metadata
Table 4 provides the links to the AIW and AIM specifications and to the JSON syntaxes. AIMs/1 indicates that the column contains Composite AIMs and AIMs indicates that the column contains their Basic AIMs.
Table 4 – AIW, AIMs, and JSON Metadata
| AIW | AIM | Name | JSON |
| NNW-NIR | No-Inference Robustness | X | |
| NNW-CMP | Comparator | X | |
| NNW-MFM | Modification Module | X | |
| NNW-NWD | NIR Watermark Decoder | X |
7 Reference Software
7.1 Disclaimers
- This NNW-NIR Reference Software Implementation is released with the BSD-3-Clause licence.
- The purpose of this Reference Software is to demonstrate a working Implementation of NNW-NIR, not to provide a ready-to-use product.
- MPAI disclaims the suitability of the Software for any other purposes and does not guarantee that it is secure.
- Use of this Reference Software may require acceptance of licences from the respective repositories. Users shall verify that they have the right to use any third-party software required by this Reference Software.
7.2 Guide to the NNW-NIR code
Use of this AI Workflow is for developers who are familiar with Python and PyTorch libraries,
The robustness.py code allow a User to evaluate the robustness of a watermarking method on the image classification task:
- The watermarking method is implemented as a Python Class
- The attack is performed using mainAttack.py
The NNW-NIR Reference Software is found at the gitlab site. It contains:
- The python code implementing the AIW.
- The required libraries are: pytorch, tqdm
8 Conformance Testing
9 Performance Assessment
