This paper presents the first comprehensive security analysis of the Coalition for Content Provenance and Authenticity (C2PA), a system designed to provide verifiable provenance for digital content. Through formal methods analysis, the authors identify critical flaws in C2PA's core protocols that prevent it from achieving its claimed security goals and other essential requirements for trustworthy deployment. The findings suggest that premature reliance on C2PA could mislead users and stakeholders in high-stakes scenarios.
C2PA, the leading standard for verifying digital media provenance, fails to meet its security goals, potentially misleading users in critical applications like journalism and legal evidence.
The rapid rise of generative AI has made it easy to create convincing fake media at scale. In response, an industrial coalition has developed the Coalition for Content Provenance and Authenticity (C2PA), a system intended to provide verifiable provenance for digital content. Our research team conducted the first comprehensive, independent security analysis of C2PA. Our study includes the first formal-methods analysis of C2PA's core protocols. We find that the current C2PA specifications fail to achieve their claimed security goals. They also fail to achieve key additional goals, which all such provenance systems require for trustworthy deployment. As a result, C2PA may mislead users, platforms, and policymakers if relied upon prematurely. C2PA is a promising idea, but it should not yet be relied upon for high-stakes uses such as financial disclosures, journalism, or legal evidence.