Contest Rules

Complete rules and requirements for the PrivateBond Watermark Challenge.

Overview

The PrivateBond Watermark Challenge is an open competition to build the most robust invisible watermarking system for images and video. Contestants submit Docker images that can embed and detect invisible watermarks. The community then tries to remove or destroy those watermarks. The systems that survive earn prizes from the USDT pool secured on Polygon.

Background: The Watermarking Problem

Digital watermarking is the art of creating detectable variations in media—subtle modifications that are invisible to the human eye but machine-recoverable. The core challenge is navigating a three-way tradeoff between embedding strength, visual quality, and wash survivability.

The Fundamental Tradeoffs

Too heavy ↔ too light: Stronger watermarks (larger perturbations) are easier to detect after transformations but degrade visual quality. Weaker watermarks preserve appearance but are washed away by JPEG compression or a simple screenshot. Every system must find the sweet spot.

Wash survivability: The real test is whether the watermark survives the gauntlet of real-world image processing—social media recompression, messaging app resizing, format conversion, cropping, screenshots, color grading, and intentional adversarial attacks. A watermark that only works on pristine copies is useless in practice.

Approaches in the Field

Competitors may draw on any technique. The landscape includes:

LSB (Least Significant Bit)

Classic approach: flip low-order pixel bits. Fast and invisible, but trivially destroyed by any lossy compression.

DWT (Discrete Wavelet Transform)

Embed in wavelet coefficients. Better robustness than spatial-domain methods. The basis of many production systems.

QIM (Quantization Index Modulation)

Quantize transform coefficients to encode bits. Offers a clean theoretical framework for balancing capacity and robustness.

Latent Space Embedding

Use a neural encoder/decoder to embed in the learned latent representation. Can achieve high robustness but requires model inference.

AI Naturalistic Perturbations

Generate watermarks that mimic natural image variation—lens effects, film grain, subtle color shifts—making them indistinguishable from camera artifacts.

Dot/Pattern-Based

Embed information in micro-dot patterns or periodic structures. Used in industrial/print watermarking. Adapting to digital requires care.

Hybrid approaches are common and often perform best. There is no single “right” technique—the competition is designed to discover what works in practice against real adversaries.
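
The QIM entry and the "too heavy ↔ too light" tradeoff above, worked through as an added example (not code from the contest or any submission). It uses scalar QIM with step size `delta`; the function names, the random stand-in coefficients and the bounded uniform noise used as a crude model of a wash are all assumptions made for illustration.

```python
import random

def qim_embed(coeffs, bits, delta):
    """Snap each coefficient to the lattice for its bit:
    bit 0 -> k*delta, bit 1 -> k*delta + delta/2."""
    out = []
    for c, b in zip(coeffs, bits):
        shift = b * delta / 2
        out.append(round((c - shift) / delta) * delta + shift)
    return out

def qim_extract(coeffs, delta):
    """Decode each bit as the lattice whose nearest point is closer to the value."""
    bits = []
    for c in coeffs:
        dist = [abs(c - (round((c - s) / delta) * delta + s)) for s in (0.0, delta / 2)]
        bits.append(0 if dist[0] <= dist[1] else 1)
    return bits

def trial(delta, noise_amp, n=512, seed=7):
    """Embed n random bits, perturb every marked value by up to +/- noise_amp,
    and return (embedding MSE, bit errors after the perturbation)."""
    rng = random.Random(seed)
    # Constructed stand-in for transform coefficients (assumption, not real image data).
    coeffs = [rng.uniform(-128, 128) for _ in range(n)]
    bits = [rng.randint(0, 1) for _ in range(n)]
    marked = qim_embed(coeffs, bits, delta)
    mse = sum((m - c) ** 2 for m, c in zip(marked, coeffs)) / n
    # Assumption: the wash is modelled as bounded uniform noise on each coefficient.
    washed = [m + rng.uniform(-noise_amp, noise_amp) for m in marked]
    errors = sum(a != b for a, b in zip(bits, qim_extract(washed, delta)))
    return mse, errors

if __name__ == "__main__":
    # Same wash strength, increasing step size: distortion rises, errors fall.
    for delta in (2, 4, 8, 16):
        mse, errors = trial(delta, noise_amp=1.9)
        print(f"delta={delta:>2}  embedding MSE={mse:6.2f}  bit errors={errors}/512")
```

Decoding is guaranteed only while the perturbation stays below `delta / 4`, and the embedding distortion grows roughly as `delta**2 / 12`, which is the tradeoff in numbers. With `delta = 2` on integer pixel values the two lattices are the even and odd integers, which is the LSB case.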

The Video Problem

This competition accepts both images and video. Video watermarking introduces challenges that cannot be solved by frame-by-frame image watermarking. Temporal compression (H.264/H.265) discards inter-frame redundancy, I-frame/P-frame/B-frame encoding treats frames differently, and real-world video sharing involves aggressive re-encoding. Naturalistic perturbations in video (slight motion jitter, temporal color drift, micro-texture changes) create novel embedding opportunities that don't exist in still images, but also novel failure modes. Systems that handle both modalities will be evaluated on both.

Timeline

Submission Period (30 days): Apr 10 – May 10, 2026
Register on-chain and submit your Docker image. Your system will be evaluated automatically against the test image set.

Attack Period (7 days): May 10 – May 17, 2026
Watermarked output images are published. Anyone can download them and attempt to remove the watermarks (knockoff attacks).

Judging (up to 7 days): May 17 – May 24, 2026
Final verification of knockoff claims, manual appearance review for top 10, and prize distribution.

Submission Requirements

Your submission is a Docker image that exposes an HTTP server on port 8080 with the following endpoints:

POST /encode

Embed an invisible watermark into an image.

Request:
{
  "image": "<base64 encoded image>",
  "payload": "<string, max 64 characters>"
}
Response:
{
  "watermarked_image": "<base64 encoded image>"
}

POST /decode

Detect and extract a watermark from an image.

Request:
{
  "image": "<base64 encoded image>",
  "expected_payload": "<string, the payload to check for>"
}
Response:
{
  "detected": true,
  "confidence": 0.95,
  "payload": "<extracted payload string>"
}

POST /encode_video

Embed an invisible watermark into a video. Optional—only required if your system supports video.

Request:
{
  "video": "<base64 encoded video (MP4/WebM, max 30s, max 100MB)>",
  "payload": "<string, max 64 characters>"
}
Response:
{
  "watermarked_video": "<base64 encoded video>"
}

POST /decode_video

Detect and extract a watermark from a video. Optional—only required if your system supports video.

Request:
{
  "video": "<base64 encoded video>",
  "expected_payload": "<string, the payload to check for>"
}
Response:
{
  "detected": true,
  "confidence": 0.95,
  "payload": "<extracted payload string>"
}

GET /health

Health check endpoint. Must return 200 when the system is ready.

Response:
{ "status": "ok" }
Capabilities (optional):
{ "status": "ok", "capabilities": ["image", "video"] }

If your system supports video, include "video" in the capabilities array. Systems that only support images can omit the capabilities field.

Constraints

  • Container must be ready (health check passing) within 30 seconds of start.
  • Each image encode/decode request must complete within 10 seconds. Video: 60 seconds.
  • Maximum memory: 8 GB RAM.
  • No GPU access. CPU-only evaluation environment.
  • No outbound network access during evaluation.
  • Payload string is up to 64 characters (UTF-8).

Scoring

Accuracy — 40%

Each of the 1,000 test images (and 100 test videos) is encoded with a unique random payload and then decoded. The accuracy score is the percentage of media where the decoded payload is an exact character-by-character match with the original payload.

Zero false positives required: Your decoder must never report a watermark in an unwatermarked image. During evaluation, a set of clean (never-watermarked) images is also tested. Any false positive detection is a disqualifying event. A system that “finds” watermarks in images it never marked is not a watermarking system; it's a noise detector.

Robustness — 40%

Watermarked images are subjected to a battery of transformations: JPEG compression (quality 50–90), cropping (10–30%), resize (50–200%), rotation, screenshot simulation, and simulated social media upload pipelines (Instagram, Twitter, etc.). For video, transforms include H.264/H.265 re-encoding, resolution downscaling, frame rate conversion, and social media video pipelines. The robustness score is the percentage of transformations where the watermark is still correctly detected.

Appearance — 20%

Visual quality is measured by automated metrics (SSIM and PSNR between original and watermarked media). For the top 10 entries by total score, a manual review panel also evaluates visual quality. The final appearance score is a weighted blend: 70% automated, 30% manual (for top 10; 100% automated for others).

What we look for: The key distinction is between substantively meaningful visible variations and non-substantively meaningful visible variations. A substantively meaningful variation changes what the viewer perceives the content to be about—adding objects, altering text, shifting meaning. These are never acceptable in a watermark. A non-substantively meaningful variation is a change that is technically visible under close inspection but does not alter the content's meaning—slight color temperature shifts, imperceptible grain patterns, micro-texture differences. The best watermarks live entirely in the non-substantive space: detectable by machines, invisible in meaning to humans.

Total Score = (Accuracy × 0.4) + (Robustness × 0.4) + (Appearance × 0.2)

Knockoff Attacks

During the attack period, all watermarked output images are published. Anyone can download them and attempt to remove or destroy the watermark while keeping the image visually intact.

Submitting a knockoff: Upload a cleaned version of a specific watermarked variation. The image is run through the original contestant's decoder and two independent third-party decoders.

Verification: A knockoff is verified (successful) if all 3 independent decode checks return a confidence score below 0.1. If any check returns confidence ≥ 0.1, the knockoff fails.

Consequences: If a verified knockoff is recorded against a submission, that submission is marked as “knocked off” and becomes ineligible for prizes.

GitHub Repository Disclosure

At registration, each contestant submits a keccak256 hash of their GitHub repository URL. This hash is stored on-chain.

The actual repository URL is disclosed under any of these conditions:

  • The submission is knocked off (watermark removal verified).
  • The contestant wins a prize (top 3).
  • The contest ends (all repos disclosed after judging completes).

Prize Distribution

1st Place: 60%
2nd Place: 25%
3rd Place: 15%

  • A 5% platform fee is deducted from the total pool before distribution.
  • Only non-knocked-off entries are eligible for prizes.
  • Prizes are distributed in USDT on Polygon to the registered wallet address.
  • If fewer than 3 eligible entries remain, the unclaimed portion rolls into future contests.

Disqualification

A submission may be disqualified for any of the following:

  • Docker image fails to start or pass health check within 30 seconds.
  • Encode or decode endpoints return errors on more than 10% of test images.
  • Container exceeds 8 GB memory limit or 10-second per-request timeout.
  • Malicious behavior detected (attempts to access host system, mine crypto, etc.).
  • Visible watermarks or significant visual degradation of images.
  • Use of a trivially broken or no-op watermarking scheme.
  • Multiple submissions from the same individual or team (one entry per person/team).