kartikeywastaken/Hemlock

Hemlock

Adversarial image defense and provenance system written in C.

Overview

Hemlock protects images through a dual-layer approach:

  1. Perceptual Hash (aHash) - Creates a structural fingerprint by downsampling the image to 8x8 grayscale and comparing each pixel to the average brightness. This detects visual modifications.

  2. Data Poisoning + RSA Signing - Adds subtle adversarial noise to the image pixels, then cryptographically signs the result. Any modification (AI training, compression, editing) breaks the signature.

Files

  • camera.c - Protection tool: generates hash, poisons image, signs it
  • verify.c - Verification tool: checks RSA signature + perceptual hash
  • stb_image.h, stb_image_write.h - Image loading and writing (from the stb libraries)
  • private.pem, public.pem - RSA key pair
  • ahash.bin - Stored perceptual hash
  • signature.sig - RSA signature

Build

gcc -o camera camera.c -lssl -lcrypto -lm
gcc -o verify verify.c -lssl -lcrypto -lm

Usage

Protect an Image

# Place your input image as input.jpg
./camera
# Outputs: protected.jpg, ahash.bin, signature.sig

Verify an Image

./verify

Output report shows:

  • IDENTITY: Whether RSA signature is valid (bit-perfect match)
  • CONTENT: Hamming distance between stored and computed perceptual hashes
    • 0 bits: Identical
    • <5 bits: Authentic (minor compression/noise)
    • 5 bits: Tampered (AI or manual edit detected)

How It Works

Perceptual Hash: Downsample to 8x8, grayscale, compute average, set bits for pixels above average.

Poisoning: Add uniform random noise (5% intensity) to all pixels, making the image useless for AI training while appearing unchanged to humans.

Verification: RSA signature detects bit-level changes; aHash detects visual/content changes.
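
The perceptual-hash side of this check, as an added example that is not Hemlock's own code: it computes a 64-bit aHash over a grayscale buffer and the Hamming distance between two hashes, then compares a constructed sample against a noisy copy and an edited copy. Block-mean downsampling, the function names and the 64x64 sample are assumptions; the README does not say how camera.c downsamples.

```c
#include <stdint.h>
#include <stdio.h>
/* aHash of an 8-bit grayscale buffer; w and h must be non-zero multiples of 8.
   Block-mean downsampling is an assumption: the README names no filter. */
uint64_t ahash_gray(const uint8_t *px, size_t w, size_t h) {
    uint64_t cell[64], total = 0, hash = 0;
    size_t bw = w / 8, bh = h / 8;
    for (size_t c = 0; c < 64; c++) {            /* 8x8 grid of block means */
        uint64_t sum = 0;
        for (size_t y = 0; y < bh; y++)
            for (size_t x = 0; x < bw; x++)
                sum += px[((c / 8) * bh + y) * w + (c % 8) * bw + x];
        total += cell[c] = sum / (bw * bh);
    }
    for (size_t c = 0; c < 64; c++)              /* set bit if above average */
        if (cell[c] > total / 64) hash |= (uint64_t)1 << c;
    return hash;
}

/* Number of bits that differ between two 64-bit hashes. */
int hamming64(uint64_t a, uint64_t b) {
    int n = 0;
    for (uint64_t x = a ^ b; x; x &= x - 1) n++;
    return n;
}

/* Constructed 64x64 sample: bright left half, dark right half. mode 0 = clean,
   1 = +/-12 noise per pixel (about 5% of 255), 2 = top-right area painted white. */
void make_sample(uint8_t *px, int mode) {
    uint32_t lcg = 1;                            /* fixed seed: repeatable noise */
    for (int i = 0; i < 64 * 64; i++) {
        int x = i % 64, y = i / 64, v = x < 32 ? 200 : 50;
        lcg = lcg * 1664525u + 1013904223u;
        if (mode == 1) v += (int)((lcg >> 16) % 25) - 12;
        if (mode == 2 && x >= 32 && y < 16) v = 255;
        px[i] = (uint8_t)v;
    }
}

int sample_distance(int mode) {     /* clean sample vs. copy modified per mode */
    static uint8_t a[64 * 64], b[64 * 64];
    make_sample(a, 0);
    make_sample(b, mode);
    return hamming64(ahash_gray(a, 64, 64), ahash_gray(b, 64, 64));
}
int main(void) {
    printf("noise: %d bits, edit: %d bits\n", sample_distance(1), sample_distance(2));
    return 0;
}
```

On this sample the noisy copy keeps the same hash, while the painted region moves 8 bits. Only the RSA signature over the pixel data registers the noisy copy as changed.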

Use Cases

  • Protect artwork from AI scraping and unauthorized training
  • Prove image provenance and ownership
  • Detect if images have been tampered with or recompressed
  • Adversarial defense for photographers and content creators

Security Model

Two independent checks:

  1. RSA Signature (IDENTITY) - Uses SHA-256 with RSA. Any byte-level change to the image pixels breaks the signature. This verifies the file is exactly as you produced it (bit-perfect).

  2. Perceptual Hash (CONTENT) - Uses aHash to detect visual changes. Compression artifacts, AI upscaling, or manual edits will change the perceptual structure. The Hamming distance indicates how much the visual content differs.

Together they provide:

  • Cryptographic proof of authorship (RSA)
  • Visual integrity verification (aHash)
  • Detection of adversarial modifications (combined)

Limitations

  • Requires original input.jpg to run protection
  • Keys are placeholders - generate your own for production
  • Perceptual hash is not cryptographic (can be brute-forced)
  • Does not prevent metadata stripping

Generating Keys

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

Requirements

  • OpenSSL
  • stb_image (included)
