Existing dataset ownership verification methods rely on trusted verification assumptions and are vulnerable to perturbations or adaptive attacks. This paper proposes CertDW, the first provably robust certified watermarking framework for dataset ownership authentication. CertDW pioneers the integration of conformal prediction into dataset watermarking, introducing two key statistics: Principal Probability (PP) and Watermark Robustness (WR). It establishes a provable lower bound on WR in terms of PP, enabling pixel-level perturbation-robust certification. The framework comprises two phases—watermark embedding and statistical verification—and jointly incorporates hypothesis testing, prediction stability analysis, and adversarial modeling. Evaluated on benchmarks including ImageNet, CertDW achieves >98% authentication accuracy and demonstrates strong robustness against pruning, fine-tuning, and adversarial distillation. Reliable certification is achieved when WR significantly exceeds the PP threshold of benign models.

Deep neural networks (DNNs) rely heavily on high-quality open-source datasets (e.g., ImageNet) for their success, making dataset ownership verification (DOV) crucial for protecting public dataset copyrights. In this paper, we find existing DOV methods (implicitly) assume that the verification process is faithful, where the suspicious model will directly verify ownership by using the verification samples as input and returning their results. However, this assumption may not necessarily hold in practice and their performance may degrade sharply when subjected to intentional or unintentional perturbations. To address this limitation, we propose the first certified dataset watermark (i.e., CertDW) and CertDW-based certified dataset ownership verification method that ensures reliable verification even under malicious attacks, under certain conditions (e.g., constrained pixel-level perturbation). Specifically, inspired by conformal prediction, we introduce two statistical measures, including principal probability (PP) and watermark robustness (WR), to assess model prediction stability on benign and watermarked samples under noise perturbations. We prove there exists a provable lower bound between PP and WR, enabling ownership verification when a suspicious model's WR value significantly exceeds the PP values of multiple benign models trained on watermark-free datasets. If the number of PP values smaller than WR exceeds a threshold, the suspicious model is regarded as having been trained on the protected dataset. Extensive experiments on benchmark datasets verify the effectiveness of our CertDW method and its resistance to potential adaptive attacks. Our codes are at href{https://github.com/NcepuQiaoTing/CertDW}{GitHub}.