Existing graph neural network (GNN) watermarking methods suffer from vulnerability to model editing and unreliable ownership verification due to dependence on fragile backdoor triggers. Method: This paper proposes a trigger-free, topology-aware watermarking scheme that implicitly embeds watermarks via graph-theoretic invariants—specifically, normalized algebraic connectivity. A lightweight prediction head estimates this invariant, while a sign-sensitive decoder with adaptive thresholding enables black-box watermark verification. Contribution/Results: We prove that exact watermark removal is NP-complete, ensuring cryptographic-level security. Experiments across diverse datasets and GNN architectures demonstrate negligible degradation in primary task performance, superior watermark detection accuracy over state-of-the-art baselines, and strong robustness against pruning, fine-tuning, quantization, and knowledge distillation.

Graph Neural Networks (GNNs) are valuable intellectual property, yet many watermarks rely on backdoor triggers that break under common model edits and create ownership ambiguity. We present InvGNN-WM, which ties ownership to a model's implicit perception of a graph invariant, enabling trigger-free, black-box verification with negligible task impact. A lightweight head predicts normalized algebraic connectivity on an owner-private carrier set; a sign-sensitive decoder outputs bits, and a calibrated threshold controls the false-positive rate. Across diverse node and graph classification datasets and backbones, InvGNN-WM matches clean accuracy while yielding higher watermark accuracy than trigger- and compression-based baselines. It remains strong under unstructured pruning, fine-tuning, and post-training quantization; plain knowledge distillation (KD) weakens the mark, while KD with a watermark loss (KD+WM) restores it. We provide guarantees for imperceptibility and robustness, and we prove that exact removal is NP-complete.