The binding is the joint between a C2PA manifest and the asset it describes. Without a binding, the manifest is a free-floating claim about nothing in particular. The binding is what lets a validator say: this manifest covers this specific image, and no other. C2PA defines two binding types — hard and soft — and the choice between them, or rather the combination, is one of the most consequential design decisions in the specification.
A hard binding is a cryptographic hash of the asset bytes. It is binary, precise, and fragile: it identifies the asset down to the last bit. A soft binding is a perceptual fingerprint or watermark identifier: a short signature derived from the asset's content that survives moderate transformations. Each handles cases the other cannot. A complete C2PA pipeline uses both, in the way that a structural engineer uses both bolts and welds: each is a different mechanism for joining things together, with different failure modes.
Hard bindings: how they work
A hard binding is constructed by computing a hash (SHA-256, SHA-384, or SHA-512) over the asset's pixel data, with the manifest store excluded from the hash so the manifest can be embedded without affecting its own validation. The hash appears in a c2pa.hash.data assertion, signed by the claim signature. A validator recomputes the hash on the received bytes and compares.
The exclusion of the manifest store is subtle. The C2PA spec defines exclusion ranges — byte offsets in the file that the hash function skips — so that the JUMBF box containing the manifest does not contribute to the hash. Without this, a manifest could not embed itself: every embedding would change its own hash. The exclusion ranges are themselves recorded in the binding assertion so a validator can reproduce them exactly.
For box-structured formats like HEIF, MP4, and JPEG with multiple JUMBF boxes, the spec defines an alternative c2pa.hash.boxes binding that hashes each box separately and then hashes the list of box hashes. This is more robust to box-reordering by intermediate tools that may rearrange container structure without altering pixel data.
What hard bindings catch and miss
Hard bindings catch any modification of pixel data, full stop. A single-pixel change invalidates the binding. So does a re-encode at a different quality, a re-scale, a re-color, a re-crop, or an OCR-then-rasterize round trip. This is the strength of the hard binding — adversarial pixel-level modifications cannot escape it — and also its limit. The vast majority of pixel-level modifications in practice are not adversarial; they are mundane consequences of distribution.
A photograph uploaded to a social-media platform almost always gets re-encoded at a different JPEG quality, resized to a platform-specific maximum dimension, and sometimes color-converted. None of these are attacks. All of them break the hard binding. A consumer-facing validator running on the downloaded version sees a binding failure and reports the chain as broken, even though no one tampered with anything. This is the well-known social-media stripping problem, and it was the dominant complaint about C2PA in 2022 and 2023.
Soft bindings: how they work
A soft binding is a signature derived from the asset's perceptual content rather than its byte representation. The dominant types are:
- Perceptual fingerprints — pHash, dHash, PDQ, or proprietary equivalents that produce a short hash insensitive to small content changes. Covered on the perceptual hashing page.
- Watermarks — bit patterns embedded in the image's pixel data or frequency representation, designed to be invisible and to survive transformations. Covered on the invisible watermarking page.
A soft binding assertion records what algorithm was used and the signature itself. A validator receives the asset, computes the same signature (or extracts the watermark), and compares against what was recorded. The match is fuzzy: a similarity score above a threshold counts as a match.
The C2PA spec does not standardize a single soft-binding algorithm. The c2pa.soft_binding assertion is a generic slot; the algorithm is named in the assertion data, and the validator must know how to compute it. This is intentional — the watermarking and fingerprinting fields are evolving — but it means soft-binding interoperability depends on validator support for the specific algorithm in use.
Soft binding strengths and limits
Soft bindings survive the transformations that break hard bindings. A re-encoded, resized, or recolored asset still produces approximately the same fingerprint. A watermarked image still carries the watermark after platform re-encoding (within the limits of the watermark's specific robustness). This is the great virtue of soft bindings and the reason they exist in the spec.
The limits are equally important. A determined adversary can attack a fingerprint or watermark in ways that a hash does not allow. A regeneration attack — running the image through an autoencoder — produces a perceptually similar image that may not match the fingerprint and may not carry the watermark. Geometric transformations beyond the watermark's design tolerance defeat it. Heavy cropping defeats most perceptual hashes. The attacks page covers the academic record.
The other limit is precision. A soft-binding match is a probability, not a yes-or-no. Two unrelated images can produce similar fingerprints by chance; the false-positive rate scales with the size of the registry being queried. PDQ and similar production-scale fingerprinting schemes operate at false-positive rates in the 10⁻⁶ range, which is acceptable for most uses but is not zero. Hard bindings have a false-positive rate that is, for practical purposes, zero.
How C2PA uses the combination
| Scenario | Hard binding | Soft binding | Outcome |
|---|---|---|---|
| Original file, byte-identical | Match | Match | Full validation |
| Re-encoded JPEG, same content | Fail | Match | Soft-validated, hard-binding failure reported |
| Cropped 10%, same content | Fail | Match (typically) | Soft-validated |
| Heavily edited, different content | Fail | Fail | No match; chain broken |
| Adversarial regeneration attack | Fail | Fail | Chain broken; durable lookup may still succeed via registry |
The durable Content Credentials mechanism builds on soft bindings by registering the manifest with a central registry indexed by fingerprint. A consumer receives a file with no embedded manifest, computes its fingerprint, queries the registry, and retrieves the original manifest. This works even after platform stripping has removed all metadata, provided the registry has been populated.
The choice of algorithm
For hard bindings, the algorithm choice is largely settled: SHA-256 is the default, with SHA-384 and SHA-512 available for higher-assurance contexts. The cryptographic community has not flagged practical concerns with SHA-2 at these sizes. Post-quantum considerations are emerging but have not yet driven C2PA changes; the spec will need updating when quantum-resistant alternatives mature.
For soft bindings, the algorithm landscape is messier. Adobe's CAI has experimented with several perceptual hashing approaches. Truepic and others have proposed their own. Meta's PDQ is widely used outside C2PA but has not been adopted as a C2PA soft-binding default. Watermarking schemes are even more fragmented: SynthID, Stable Signature, and various proprietary schemes all exist, none has emerged as a soft-binding consensus, and the C2PA spec deliberately stays algorithm-agnostic to avoid picking a winner.
The practical consequence is that soft-binding interop is currently weaker than hard-binding interop. A validator implementing C2PA must support hard bindings to be conformant; it may support various soft bindings or none. Producer choice of algorithm therefore constrains who can validate the soft binding, which is one of the reasons durable registries — which can normalize across algorithms — are emerging as a layer above the spec.
Where the field is moving
The 2.x spec line has steadily expanded the soft-binding plumbing without committing to specific algorithms. The 2.4 release added structural support for multiple concurrent soft bindings — an image can carry both a perceptual hash and a watermark, validated independently. This redundancy improves robustness, since different transformations defeat different signals. The cost is manifest bloat: each binding is additional bytes, and editorial photographers shooting hundreds of frames per day notice.
The harder question is whether the soft-binding ecosystem converges on a small number of standard algorithms or remains fragmented. Convergence would simplify validator implementation and registry interop; fragmentation preserves the algorithmic flexibility that lets the watermarking field continue to innovate. The C2PA coalition's working position through 2025 has been to encourage layered support rather than mandate a single choice, which is probably correct for the current state of the field but defers the consolidation question.