← LearnAI provenance

Content provenance for AI: C2PA, watermarking & signatures

Watermarking, C2PA Content Credentials, and cryptographic signatures each answer “where did this come from?” — with different tradeoffs.

The problem provenance solves

AI-generated text, images, and audio are now often indistinguishable from human-made, and trivially easy to alter or fabricate. Provenance is the ability to answer two questions about a piece of content: where did it come from, and has it been changed since? Note what provenance is not — it does not tell you whether the content is true. It establishes origin and integrity, which is what you need to attribute and audit content, not to validate its claims.

Watermarking

Watermarking embeds a statistical signal into generated output — a subtle, ideally imperceptible pattern a detector can later recognize. It’s useful for detection at scale (is this text likely machine-generated?), but it is probabilistic and can be weakened or stripped by editing, paraphrasing, or re-encoding. It answers “was this likely AI-made?” better than “did this exact content come from this exact source, unaltered?”

C2PA / Content Credentials

The Coalition for Content Provenance and Authenticity (C2PA) defines Content Credentials: signed metadata attached to a media file recording how it was created and edited — an origin manifest. It’s strong for creative and journalistic media pipelines. Its main limitation is that the credential travels alongside the file and can be stripped when content is screenshotted, re-uploaded, or passed through systems that don’t preserve metadata.

Cryptographic signatures over the content

The strongest integrity guarantee is to sign the content itself: any change — a single character — breaks the signature. This is what Throndar does for every answer, using post-quantum signatures, so the receipt proves the exact text’s origin and integrity and anyone can check it against published keys, offline. The tradeoff is that the verifier needs the signature and the public key, which is why the proof is bundled with the answer.

These approaches aren’t rivals so much as tools for different jobs: watermarking for broad detection, C2PA for media provenance, and direct signatures for high-stakes, attributable output you need to prove — like an AI answer you’ll put in front of an auditor.

Verification attests an answer’s origin and integrity, not its factual accuracy. Algorithm names denote the public standards the primitives are based on (ML-DSA-87 / FIPS 204, ML-KEM-1024 / FIPS 203; Falcon / FN-DSA, FIPS 206 forthcoming), not a FIPS-140 / CMVP validation.