Paper: “Intellectual Property Protection for 3D Gaussian Splatting Assets: A Survey” — Zhao et al., 2025.
Imagine you want to recreate a real place in 3D — a room, a street, a face — from a set of photos. For years the approach was Neural Radiance Fields (NeRF), which trained a neural network to predict what any point in space looks like from any angle. It produced great results but was painfully slow to render.
3D Gaussian Splatting (3DGS) is the newer, faster alternative. Instead of a neural network, it represents the scene as a cloud of thousands of tiny blobs (Gaussians), each described by a position, a shape (stretched or squished in different directions), a transparency level, and a colour that changes depending on viewing angle. When you want to render a view, you project all those blobs onto your screen, sort them and composite them. The result is photorealistic, real-time rendering on consumer hardware. 3DGS has taken over the field and is now showing up in VR, robotics, digital twins, and content creation tools.
IP protection for ordinary images and video is a solved — or at least well-studied — problem. Digital watermarking has existed for decades. 3DGS assets are fundamentally different from a flat image and those old tools don’t transfer cleanly.
The paper identifies 24 existing methods and organises them into a first proper taxonomy of the field. The core tension they surface is this:
Imperceptibility vs. Robustness. A watermark that hides itself perfectly tends to be fragile. A watermark that survives aggressive attack tends to leave visible traces. Balancing these is the central engineering challenge.
The survey splits protection strategies into two categories.
Watermarking embeds an invisible ownership tag into the Gaussian parameters. When you suspect infringement, you extract the tag and compare it to your record. Key methods:
Steganography goes further than ownership tags - it hides arbitrary secret data inside the asset (think: licensing terms, provenance metadata, or even a hidden message). GS-Hider does this by tweaking the spherical harmonic colour coefficients, which control view-dependent shading but are otherwise perceptually invisible. ConcealGS optimises for high capacity (more hidden bits) without degrading visual quality.
Tampering localisation: not just “was this stolen?” but “which parts were altered?” GS-Checker attaches a hidden 3D attribute to each Gaussian, then uses a contrastive mechanism to flag which blobs were tampered with after distribution.
Editing safeguards prevent the asset from being modified by AI tools even if someone has the file. AdLift generates adversarial perturbations in 2D (image space) and then lifts them into 3D Gaussian space — the end result is a model that looks normal but causes diffusion-based editors to produce garbage output instead of a clean edit.
The survey is honest about the limits of current techniques. Three threat types are particularly hard to defend against.
Standard distortions: compression, noise, blurring, geometric transformation were already known problems in 2D watermarking and most methods handle them adequately.
Generative purification is nastier. Tools like DiffPure run a diffusion model over the rendered images specifically to strip out adversarial perturbations while keeping the visual content intact. They act as a kind of “denoiser” and since most watermarks and safeguards rely on subtle, high-frequency signal changes, those get smoothed away cleanly.
Cross-representation attacks are an emerging worry. A 3DGS asset can be converted to a mesh or a NeRF. If the watermark is stored in Gaussian-specific attributes, the conversion destroys it entirely. There’s no current method that survives this reliably.
The authors also note that most existing techniques require per-asset optimisation - you train a protection into each individual file, which takes time and doesn’t scale to the workflows where 3DGS generation is increasingly automatic.
Rather than conclusions from specific experiments, this is a survey paper, so the main contribution is the taxonomy plus a clear-eyed list of what needs to be built. The six directions they identify:
Robustness track:
Efficiency track: 4. (E1) Universal perturbation generators. Instead of optimising a watermark fresh for every asset, learn a general encoder that works in a single forward pass. 5. (E2) In-generation protection. Build IP protection directly into the 3DGS training pipeline so assets emerge already protected, rather than watermarking as a post-processing step.
Paradigm track: 6. (P1) Lifecycle protection. Most current work focuses on one moment: embed → detect. A fuller model covers the entire asset lifecycle: prevention of unauthorised training data use, non-transferability of licences, and mechanisms for revoking access or “forgetting” a model on request.
The practical stakes are high. 3DGS is cheap enough to run that individuals and small studios are building commercial assets at scale. Platforms are starting to trade and license 3D scenes the way stock photo sites trade images. Without IP infrastructure, the same piracy dynamics that plagued the music and image industries in the early 2000s will replay in spatial computing, except the assets are more expensive to create and harder to detect when stolen.
At the same time, the threat model is genuinely harder than for 2D media. A stolen JPEG is still a JPEG. A 3DGS file can be re-rendered, edited, converted, and re-exported in ways that make the link to the original essentially undetectable by current methods. The survey makes clear that this is an unsolved problem, and the tools to solve it are at most a few years old.
3D Gaussian Splatting has matured from a research curiosity into a production technology faster than the legal and technical infrastructure to protect it. This survey is the first attempt to map the landscape; what tools exist, how they work at a technical level, what attacks they fail against, and where the field needs to go. The picture it paints is one of real progress on relatively simple attacks and genuine vulnerability against the newer, AI-powered ones.