*Article* **KeyNet: An Asymmetric Key-Style Framework for Watermarking Deep Learning Models**

**Najeeb Moharram Jebreel \*, Josep Domingo-Ferrer, David Sánchez and Alberto Blanco-Justicia**

CYBERCAT-Center for Cybersecurity Research of Catalonia, UNESCO Chair in Data Privacy, Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Av. Països Catalans 26, 43007 Tarragona, Catalonia, Spain; josep.domingo@urv.cat (J.D.-F.); david.sanchez@urv.cat (D.S.); alberto.blanco@urv.cat (A.B.-J.) **\*** Correspondence: najeebmoharramsalim.jebreel@urv.cat; Tel.: +34-977558270

**Abstract:** Many organizations devote significant resources to building high-fidelity deep learning (DL) models. Therefore, they have a great interest in making sure the models they have trained are not appropriated by others. Embedding watermarks (WMs) in DL models is a useful means to protect the intellectual property (IP) of their owners. In this paper, we propose *KeyNet*, a novel watermarking framework that satisfies the main requirements for an effective and robust watermarking. In *KeyNet*, any sample in a WM carrier set can take more than one label based on where the owner signs it. The signature is the hashed value of the owner's information and her model. We leverage multitask learning (MTL) to learn the original classification task and the watermarking task together. Another model (called the private model) is added to the original one, so that it acts as a private key. The two models are trained together to embed the WM while preserving the accuracy of the original task. To extract a WM from a marked model, we pass the predictions of the marked model on a signed sample to the private model. Then, the private model can provide the position of the signature. We perform an extensive evaluation of *KeyNet*'s performance on the CIFAR10 and FMNIST5 data sets and prove its effectiveness and robustness. Empirical results show that *KeyNet* preserves the utility of the original task and embeds a robust WM.

**Keywords:** deep learning models; ownership; intellectual property; watermarking; security and privacy; private model
