CVPR 2026

CSF: Black-box Fingerprinting via Compositional Semantics for Text-to-Image Models

Junhoo Lee, Mijin Koo, Nojun Kwak
Seoul National University

CSF attributes deployed text-to-image APIs back to protected base families using only black-box query access, with no watermarking and no visibility into model internals.

Comparison between watermarking, traditional fingerprinting, and CSF in the query-only setting

CSF targets the most restrictive query-only setting, where the defender sees only the final text-to-image API and must still recover lineage evidence.

Abstract

Text-to-image models are commercially valuable assets often distributed under restrictive licenses, but such licenses are enforceable only when violations can be detected. Existing methods require pre-deployment watermarking or internal model access, which are unavailable in commercial API deployments.

We present Compositional Semantic Fingerprinting (CSF), the first black-box method for attributing fine-tuned text-to-image models to protected lineages using only query access. CSF treats models as semantic category generators and probes them with compositional underspecified prompts that remain rare under fine-tuning. Across 6 model families and 13 fine-tuned variants, the Bayesian attribution framework supports controlled-risk lineage decisions, with all variants satisfying the dominance criterion.

Why naive visual matching fails.

Fine-tuning often changes texture, palette, composition, and rendering style so aggressively that side-by-side visual inspection becomes unreliable. Two models can share the same lineage while looking very different at the pixel level, which is exactly why CSF avoids direct visual matching and instead measures how a model resolves ambiguous semantic prompts.

Style drift across related model families makes direct visual matching unreliable

This challenge figure shows why lineage attribution is hard in practice: downstream variants can move far away in style while still inheriting the same semantic prior from the protected base model. A robust black-box method therefore has to focus on the semantic distribution a model produces, not on superficial style similarity.

Method overview.

CSF estimates prompt-conditioned semantic distributions, compares them with Wasserstein distance, and converts the resulting distances into a posterior over candidate lineages.

Problem formulation

We are given a set of protected base models and a deployed suspect API that may have been fine-tuned from one of them. The defender does not see weights, activations, or training logs; only text queries and generated images are available. The goal is to assign a posterior over candidate lineages and make an attribution decision with controlled confidence. For each prompt p and model m, CSF samples multiple generations, maps each image to a semantic label c, and estimates the prompt-conditioned category distribution.

$$\hat{\pi}_m(c \mid p) = \frac{1}{N} \sum_{i=1}^{N} \mathbf{1}[g(x_i) = c], \qquad x_i \sim m(p)$$

CSF pipeline

CSF probes each model with compositional, underspecified prompts that force it to resolve ambiguity using learned semantic priors. The resulting category distributions are then compared against base-model references using Wasserstein distance, and a Bayesian attribution rule produces the final lineage posterior and dominance test. In other words, the suspect model is compared against every protected base over a prompt set P, and smaller transport cost becomes stronger attribution evidence.

$$d_b = \sum_{p \in P} W_1\!\left(\hat{\pi}_s(\cdot \mid p), \hat{\pi}_b(\cdot \mid p)\right), \qquad P(b \mid s) \propto \exp(-\tau d_b)$$

Accept $b^* = \arg\max_b P(b \mid s)$ only when the dominance margin stays above a threshold: $P(b^* \mid s) - \max_{b \neq b^*} P(b \mid s) > \delta$.
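The pipeline above carried through on toy data, as an added example that is not the authors' code. It assumes images are already mapped to labels by g, a 0/1 ground cost between categories (under which W1 equals total variation; this page does not state the paper's ground metric), and illustrative values for τ and δ. The prompts, labels and base names are constructed.

```python
import math
from collections import Counter

def category_dist(labels):
    """Empirical pi_hat(c | p): share of the N sampled images labelled c."""
    return {c: k / len(labels) for c, k in Counter(labels).items()}

def w1_discrete(p, q):
    """W1 under an ASSUMED 0/1 ground cost, where it equals total variation."""
    return 0.5 * sum(abs(p.get(c, 0.0) - q.get(c, 0.0)) for c in set(p) | set(q))

def attribute(suspect, bases, tau=5.0, delta=0.5):
    """suspect: {prompt: [labels]}; bases: {name: {prompt: [labels]}}.
    Returns (posterior, accepted base or None). tau/delta are illustrative."""
    d = {b: sum(w1_discrete(category_dist(suspect[p]), category_dist(ref[p]))
                for p in suspect)
         for b, ref in bases.items()}
    dmin = min(d.values())  # shift before exp() for numerical stability
    w = {b: math.exp(-tau * (v - dmin)) for b, v in d.items()}
    z = sum(w.values())
    post = {b: v / z for b, v in w.items()}
    ranked = sorted(post, key=post.get, reverse=True)
    runner_up = post[ranked[1]] if len(ranked) > 1 else 0.0
    # Dominance test: abstain unless the top lineage leads by more than delta.
    return post, (ranked[0] if post[ranked[0]] - runner_up > delta else None)

# Constructed sample data: labels g(x_i) for N=10 images per prompt.
P1, P2 = "a pet on a boat", "a vehicle in snow"
BASES = {
    "base_A": {P1: ["dog"] * 7 + ["cat"] * 3, P2: ["truck"] * 6 + ["sled"] * 4},
    "base_B": {P1: ["cat"] * 8 + ["parrot"] * 2, P2: ["car"] * 9 + ["truck"]},
}
# Suspect close to base_A despite a small shift in its category mix.
DERIVED = {P1: ["dog"] * 6 + ["cat"] * 4,
           P2: ["truck"] * 5 + ["sled"] * 4 + ["car"]}
# Suspect equally far from both bases: the dominance test should abstain.
UNRELATED = {P1: ["dog"] * 3 + ["cat"] * 6 + ["parrot"],
             P2: ["truck"] * 4 + ["car"] * 4 + ["sled"] * 2}

if __name__ == "__main__":
    for name, s in (("derived", DERIVED), ("unrelated", UNRELATED)):
        post, accepted = attribute(s, BASES)
        print(name, {b: round(v, 3) for b, v in post.items()}, "->", accepted)
```

The second suspect shows why the dominance margin matters: the arg-max alone would still name a base, while the margin test returns no attribution.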

Quantitative Results

Table 1

Posterior attribution across all 13 fine-tuned suspects.

Each row is a deployed suspect model, each column is a candidate protected base lineage, and every cell reports the posterior mean attribution score under CSF. The correct family stays dominant for all 13 suspects even after substantial style drift.

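| Suspect Model | Flux-Base | Kandinsky-Base | SD1.5-Base | SD2.1-Base | SD3-Medium-Base | SDXL-Base |
|---|---|---|---|---|---|---|
| Flux Family | | | | | | |
| Flux-LoRA | 0.932* | 0.023 | 0.023 | 0.023 | 0.023 | 0.068 |
| Flux-Turbo-Alpha | 0.977* | 0.023 | 0.023 | 0.023 | 0.023 | 0.023 |
| Kandinsky Family | | | | | | |
| Kandinsky-Naruto | 0.023 | 0.977* | 0.023 | 0.023 | 0.023 | 0.023 |
| Kandinsky-Pokemon-LoRA | 0.049 | 0.829* | 0.049 | 0.098 | 0.024 | 0.049 |
| SD1.5 Family | | | | | | |
| SD1.5-1.2-Base | 0.023 | 0.023 | 0.841* | 0.114 | 0.023 | 0.068 |
| SD1.5-1.4-Base | 0.023 | 0.023 | 0.977* | 0.023 | 0.023 | 0.023 |
| SD1.5-DreamShaper | 0.091 | 0.068 | 0.659* | 0.045 | 0.068 | 0.159 |
| SD2.1 Family | | | | | | |
| SD2.1-DPO | 0.023 | 0.023 | 0.023 | 0.977* | 0.023 | 0.023 |
| SD2.1-LAION-Art | 0.023 | 0.023 | 0.023 | 0.977* | 0.023 | 0.023 |
| SD3 Family | | | | | | |
| SD3-Reality-Mix | 0.136 | 0.091 | 0.023 | 0.045 | 0.705* | 0.091 |
| SD3-VAE-Anime | 0.023 | 0.023 | 0.023 | 0.023 | 0.977* | 0.023 |
| SDXL Family | | | | | | |
| SDXL-DPO | 0.023 | 0.023 | 0.023 | 0.023 | 0.023 | 0.977* |
| SDXL-Lightning-4Step | 0.023 | 0.091 | 0.023 | 0.068 | 0.023 | 0.864* |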

Posterior mean attribution scores under CSF. Asterisks mark the dominant lineage after applying the dominance test.

Secondary analyses support the same fingerprint.

Table 2 tests the metric choice, Table 3 tests adversarial erasure, the ring figure shows prompt-conditioned semantic drift, and Figure 4 confirms that humans can perceive the same lineage cue when asked the right question.

Metric Comparison

Wasserstein produces a clearer attribution margin than JSD.

Across hard variants such as Kandinsky-Naruto, SD3-Reality-Mix, and SDXL-DPO, Wasserstein preserves a wider separation between the correct lineage and competing bases.

| Variant | Wasserstein | JSD | Gap |
|---|---|---|---|
| Flux-LoRA | 93.2% | 77.3% | +15.9% |
| Kandinsky-Naruto | 97.7% | 43.2% | +54.5% |
| SD3-Reality-Mix | 70.5% | 56.8% | +13.7% |
| SDXL-DPO | 97.7% | 70.5% | +27.2% |

Prompt Figure

Ring figure showing prompt-conditioned semantic mixtures

Context rotates the semantic mixture.

Holding the core subject fixed while changing only the scene context changes the semantic mixture a model resolves, which is the exact signal CSF measures.

Figure 4

Human study showing stronger lineage identification under CSF prompts

Human study aligns with the fingerprint.

The original paper's human study shows that observers identify the protected base model much more accurately under CSF prompts than under naive prompts.

Table 3

Attribution survives adversarial concept removal.

Even after UCE removes animal-related concepts, the correct lineage remains dominant. This suggests the fingerprint is distributed across semantics rather than tied to one brittle trigger.

| Suspect Model | Flux-Base | Kandinsky-Base | SD1.5-Base | SD2.1-Base | SD3-Medium-Base | SDXL-Base |
|---|---|---|---|---|---|---|
| Adversarial Concept Removal (9 animal probes) | | | | | | |
| Flux-LoRA | 0.714 | 0.143 | 0.143 | 0.143 | 0.143 | 0.286 |
| Flux-Turbo-Alpha | 0.857 | 0.143 | 0.143 | 0.143 | 0.143 | 0.143 |
| Kandinsky-Naruto | 0.143 | 0.857 | 0.143 | 0.143 | 0.143 | 0.143 |
| Kandinsky-Pokemon-LoRA | 0.143 | 0.857 | 0.143 | 0.143 | 0.143 | 0.143 |
| SD1.5-1.2-Base | 0.143 | 0.143 | 0.857 | 0.143 | 0.143 | 0.143 |
| SD1.5-1.4-Base | 0.143 | 0.143 | 0.857 | 0.143 | 0.143 | 0.143 |
| SD1.5-Animal-Erase | 0.143 | 0.143 | 0.857 | 0.143 | 0.143 | 0.143 |
| SD1.5-DreamShaper | 0.143 | 0.143 | 0.714 | 0.143 | 0.286 | 0.143 |
| SD2.1-DPO | 0.143 | 0.143 | 0.143 | 0.857 | 0.143 | 0.143 |
| SD2.1-LAION-Art | 0.143 | 0.143 | 0.143 | 0.857 | 0.143 | 0.143 |
| SD3-Reality-Mix | 0.286 | 0.143 | 0.143 | 0.143 | 0.714 | 0.143 |
| SD3-VAE-Anime | 0.143 | 0.143 | 0.143 | 0.143 | 0.857 | 0.143 |
| SDXL-DPO | 0.143 | 0.143 | 0.143 | 0.143 | 0.143 | 0.857 |
| SDXL-Lightning-4Step | 0.143 | 0.143 | 0.143 | 0.286 | 0.143 | 0.714 |

Adversarial concept removal uses 9 animal probes. The correct source family remains dominant across all evaluated suspects.


BibTeX

@inproceedings{lee2026csf,
  title={CSF: Black-box Fingerprinting via Compositional Semantics for Text-to-Image Models},
  author={Lee, Junhoo and Koo, Mijin and Kwak, Nojun},
  booktitle={Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)},
  year={2026}
}