Rotation, Scale, and Translation Resilient Black-box Fingerprinting for Intellectual Property Protection of EaaS Models

📅 2025-10-19
🤖 AI Summary
Current digital watermarking methods for copyright protection in the EaaS (Embedding as a Service) paradigm suffer from two critical limitations: high semantic detectability and poor robustness against geometric transformations, particularly rotation, scaling, and translation (RST). To address this, we propose the first black-box RST-resilient fingerprinting framework that neither relies on backdoor triggers nor requires modification of training data. Instead, we model the model’s embedding space as a geometrically invariant point cloud and perform ownership verification via point cloud registration and topological alignment. This approach uniquely exploits the intrinsic spatial-geometric properties of embedding representations, enabling high-accuracy fingerprint extraction and robust verification across both vision and language models. Extensive experiments demonstrate that our method significantly outperforms state-of-the-art watermarking schemes under diverse RST attacks, while maintaining strong imperceptibility and practical deployability.

📝 Abstract
Feature embedding has become a cornerstone technology for processing high-dimensional and complex data, and as a result Embedding as a Service (EaaS) models have been widely deployed in the cloud. To protect the intellectual property of EaaS models, existing methods apply digital watermarking to inject specific backdoor triggers into EaaS models by modifying training samples or network parameters. However, these methods inevitably produce patterns that are detectable through semantic analysis and are susceptible to geometric transformations including rotation, scaling, and translation (RST). To address this problem, we propose a fingerprinting framework for EaaS models, rather than merely refining existing watermarking techniques. Different from watermarking techniques, the proposed method establishes EaaS model ownership through geometric analysis of the embedding space's topological structure, rather than relying on modified training samples or triggers. The key innovation lies in modeling the victim and suspicious embeddings as point clouds, allowing us to perform robust spatial alignment and similarity measurement, which inherently resists RST attacks. Experimental results evaluated on visual and textual embedding tasks verify the superiority and applicability. This research reveals inherent characteristics of EaaS models and provides a promising solution for ownership verification of EaaS models under the black-box scenario.
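
Why point-cloud geometry survives an RST attack, as an added example that is not the paper's algorithm or code: it swaps in a simple scale-normalised pairwise-distance signature in place of the paper's alignment step. Assumptions: both models are queried with the same inputs in the same order, and the random vectors, function names and parameters below are constructed for illustration.

```python
import math
import random

def signature(points):
    """All pairwise Euclidean distances divided by their mean.
    Rotation and translation leave distances unchanged; dividing by the
    mean cancels a uniform scale factor."""
    dists = [math.dist(p, q) for i, p in enumerate(points) for q in points[i + 1:]]
    mean = sum(dists) / len(dists)
    return [d / mean for d in dists]

def similarity(sig_a, sig_b):
    """Pearson correlation of two signatures (1.0 = same geometry)."""
    mean_a = sum(sig_a) / len(sig_a)
    mean_b = sum(sig_b) / len(sig_b)
    cov = sum((a - mean_a) * (b - mean_b) for a, b in zip(sig_a, sig_b))
    var_a = sum((a - mean_a) ** 2 for a in sig_a)
    var_b = sum((b - mean_b) ** 2 for b in sig_b)
    return cov / math.sqrt(var_a * var_b)

def random_orthogonal(dim, rng):
    """Gram-Schmidt on Gaussian vectors: a random distance-preserving
    matrix (rotation, possibly combined with a reflection)."""
    rows = []
    while len(rows) < dim:
        v = [rng.gauss(0, 1) for _ in range(dim)]
        for r in rows:
            dot = sum(a * b for a, b in zip(v, r))
            v = [a - dot * b for a, b in zip(v, r)]
        norm = math.sqrt(sum(a * a for a in v))
        if norm > 1e-9:
            rows.append([a / norm for a in v])
    return rows

def rst_transform(points, q, scale, shift):
    """Apply x -> scale * Q x + shift to every embedding."""
    return [[scale * sum(a * b for a, b in zip(row, p)) + t
             for row, t in zip(q, shift)] for p in points]

def demo(seed=7, n=40, dim=8):
    rng = random.Random(seed)
    # Constructed data: random vectors stand in for embeddings of n fixed queries.
    victim = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n)]
    shift = [rng.uniform(-5, 5) for _ in range(dim)]
    copied = rst_transform(victim, random_orthogonal(dim, rng), 3.5, shift)
    unrelated = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n)]
    ref = signature(victim)
    return similarity(ref, signature(copied)), similarity(ref, signature(unrelated))

if __name__ == "__main__":
    print(demo())
```

The first value returned by `demo()` compares the victim against its RST-transformed copy, the second against an independent point cloud; only the first stays at the top of the scale.
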
Problem

Research questions and friction points this paper is trying to address.

Protecting EaaS model intellectual property against geometric transformations
Establishing ownership via embedding space topological analysis
Developing black-box fingerprinting resilient to rotation, scaling, and translation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Fingerprinting EaaS models via embedding space topology
Modeling embeddings as point clouds for spatial alignment
Robust similarity measurement resisting geometric transformation attacks
Hongjie Zhang
Nanjing University; Shanghai Artificial Intelligence Laboratory
Computer Vision
Zhiqi Zhao
College of Computer Science, Sichuan Normal University, Chengdu 610066, China
Hanzhou Wu
Shanghai University / Guizhou Normal University
AI Security, Multimedia Security, Multimedia Forensics, Signal Processing, Large Language Models
Zhihua Xia
Jinan University
Digital Forensics
Athanasios V. Vasilakos
College of Computer Science and Information Technology, IAU, Saudi Arabia, and the Center for AI Research, University of Agder, Grimstad, Norway