Reviews: Rethinking Deep Neural Network Ownership Verification: Embedding Passports to Defeat Ambiguity Attacks

The paper: - shows an important weakness of the current watermarking methods, namely the fact that they are prone to ambiuity attacks, - offers an analysis of the issue investigating the requirements that have to be fullfiled by any method that should withstand such attacks, - proposes such a method based on "passport layers" which are appended after convolutions. Overall the paper is well structured and the method is explained with enough detail to probably allow reimplementation. The text is clear enough with the exception of the experiments section, which would require some additional attention from the authors. Concerning the method I would be interested in seing how much does the performance (accuracy) suffer because of including the passports (no passports vs. the V1 setting) and because of the multi-task setting (V2/3 vs V1). In general a comparison of the three proposed settings V1, V2, V3 is missing from the experiments/discussion.