This work addresses the challenge of simultaneously achieving black-box ownership verification, robustness against adversarial attacks, and preservation of model utility in self-supervised learning (SSL) watermarking—a balance unattained by existing methods. The authors propose ArmSSL, a novel framework that uniquely fulfills all three objectives: it enables black-box verification through paired difference amplification, enhances adversarial robustness via latent representation entanglement and distribution alignment, and minimizes utility loss using a reference-guided fine-tuning strategy. ArmSSL generates reliable verification signals by enforcing feature orthogonality and camouflages watermark samples as in-distribution data to evade out-of-distribution detection. Extensive experiments across five mainstream SSL frameworks and nine benchmark datasets demonstrate that ArmSSL significantly outperforms current approaches in verification accuracy, incurs negligible utility degradation, and maintains robustness under diverse adversarial attacks.

Self-supervised learning (SSL) encoders are invaluable intellectual property (IP). However, no existing SSL watermarking for IP protection can concurrently satisfy the following two practical requirements: (1) provide ownership verification capability under black-box suspect model access once the stolen encoders are used in downstream tasks; (2) be robust under adversarial watermark detection or removal, because the watermark samples form a distinguishable out-of-distribution (OOD) cluster. We propose ArmSSL, an SSL watermarking framework that assures black-box verifiability and adversarial robustness while preserving utility. For verification, we introduce paired discrepancy enlargement, enforcing feature-space orthogonality between the clean and its watermark counterpart to produce a reliable verification signal in black-box against the suspect model. For adversarial robustness, ArmSSL integrates latent representation entanglement and distribution alignment to suppress the OOD clustering. The former entangles watermark representations with clean representations (i.e., from non-source-class) to avoid forming a dense cluster of watermark samples, while the latter minimizes the distributional discrepancy between watermark and clean representations, thereby disguising watermark samples as natural in-distribution data. For utility, a reference-guided watermark tuning strategy is designed to allow the watermark to be learned as a small side task without affecting the main task by aligning the watermarked encoder's outputs with those of the original clean encoder on normal data. Extensive experiments across five mainstream SSL frameworks and nine benchmark datasets, along with end-to-end comparisons with SOTAs, demonstrate that ArmSSL achieves superior ownership verification, negligible utility degradation, and strong robustness against various adversarial detection and removal.