Hot-Swap MarkBoard: An Efficient Black-box Watermarking Approach for Large-scale Model Distribution

📅 2025-07-28
📈 Citations: 0
Influential: 0
🤖 AI Summary
To address the challenges of customization, immutability, and zero-retraining requirements for watermarking in large-model distribution, this paper proposes a black-box verifiable multi-branch LoRA watermarking framework. The method introduces independent, swappable LoRA branches—each embedding a user-specific binary watermark—and employs a branch-switching mechanism enabling millisecond-level dynamic watermark replacement. Parameter obfuscation is further integrated to enhance resistance against watermark removal. Crucially, the approach requires no modification to the base model or any retraining, ensuring compatibility across diverse architectures and downstream tasks. Extensive experiments across three task categories and six mainstream foundation models demonstrate 100% watermark verification accuracy, strong robustness against common attacks, and minimal computational overhead for both embedding and verification—significantly outperforming existing fixed-watermark and fine-tuning-based watermarking methods.

📝 Abstract
Recently, Deep Learning (DL) models have been increasingly deployed on end-user devices as On-Device AI, offering improved efficiency and privacy. However, this deployment trend poses more serious Intellectual Property (IP) risks, as models are distributed on numerous local devices, making them vulnerable to theft and redistribution. Most existing ownership protection solutions (e.g., backdoor-based watermarking) are designed for cloud-based AI-as-a-Service (AIaaS) and are not directly applicable to large-scale distribution scenarios, where each user-specific model instance must carry a unique watermark. These methods typically embed a fixed watermark, and modifying the embedded watermark requires retraining the model. To address these challenges, we propose Hot-Swap MarkBoard, an efficient watermarking method. It encodes user-specific $n$-bit binary signatures by independently embedding multiple watermarks into a multi-branch Low-Rank Adaptation (LoRA) module, enabling efficient watermark customization without retraining through branch swapping. A parameter obfuscation mechanism further entangles the watermark weights with those of the base model, preventing removal without degrading model performance. The method supports black-box verification and is compatible with various model architectures and DL tasks, including classification, image generation, and text generation. Extensive experiments across three types of tasks and six backbone models demonstrate our method's superior efficiency and adaptability compared to existing approaches, achieving 100% verification accuracy.
Problem

Research questions and friction points this paper is trying to address.

Protects IP for large-scale on-device AI model distribution
Enables unique watermark per user without model retraining
Prevents watermark removal without performance degradation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Multi-branch LoRA module for watermark embedding
Parameter obfuscation to prevent watermark removal
Black-box verification across diverse model architectures
Authors

Zhicheng Zhang
Carnegie Mellon University
Reinforcement Learning, Explainable RL
Peizhuo Lv
Research Fellow, Nanyang Technological University
AI Security
Mengke Wan
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of the Chinese Academy of Sciences, Beijing, China
Jiang Fang
Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Diandian Guo
The Chinese University of Hong Kong
Deep learning
Yezeng Chen
ShanghaiTech University, Shanghai, China
Yinlong Liu
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of the Chinese Academy of Sciences, Beijing, China
Wei Ma
Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Jiyan Sun
Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Liru Geng
Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China