Alosh Denny
8.8 KiB
SynthID Watermark Codebook Analysis
Executive Summary
After analyzing 250 AI-generated images from Google Gemini with SynthID watermarks, we have successfully reverse-engineered the watermark embedding scheme. The watermark uses a spread-spectrum, phase-encoding technique that embeds information across specific carrier frequencies in the image.
Key Findings
1. Watermark Embedding Mechanism
SynthID does NOT use simple LSB (Least Significant Bit) replacement. Instead, it employs:
- Noise-Domain Embedding: The watermark is hidden in the high-frequency noise component of the image
- Phase Encoding: Specific carrier frequencies have consistent phase values across all watermarked images
- Spread Spectrum: The watermark energy is distributed across multiple frequency bands
2. Discovered Carrier Frequencies
The watermark uses specific carrier frequencies with extremely high phase coherence (>99.9%):
| Frequency (fy, fx) | Coherence | Magnitude | Phase (radians) |
|---|---|---|---|
| (14, 14) | 0.9996 | 16807 | -1.44 |
| (-14, -14) | 0.9996 | 16807 | 1.44 |
| (126, 14) | 0.9996 | 8046 | -2.37 |
| (-126, -14) | 0.9996 | 8046 | 2.37 |
| (98, -14) | 0.9994 | 6283 | 0.61 |
| (-98, 14) | 0.9994 | 6283 | -0.61 |
| (128, 128) | 0.9925 | 6908 | -2.29 |
| (-128, -128) | 0.9925 | 6908 | 2.29 |
| (210, -14) | 0.9996 | 6032 | 1.13 |
| (-210, 14) | 0.9996 | 6032 | -1.13 |
| (238, 14) | 0.9990 | 4190 | -1.61 |
| (-238, -14) | 0.9990 | 4190 | 1.61 |
Pattern Observation: Most carriers are located along or near the y=±14 horizontal line in frequency space, suggesting a structured frequency selection algorithm.
3. Noise Correlation Signature
- Mean pairwise correlation: 0.218 (21.8%)
- Standard deviation: 0.020
- Detection threshold: 0.179
This high correlation between the noise residuals of different watermarked images confirms that SynthID embeds a consistent reference pattern across all images generated by the same system.
4. Noise Structure Ratio
All watermarked images exhibit a noise structure ratio of approximately 1.32:
Structure Ratio = σ(noise) / mean(|noise|) ≈ 1.32
This ratio is a byproduct of the neural network encoder and can be used as a secondary detection signal.
5. Bit Plane Analysis
| Bit Plane | Consistency | Interpretation |
|---|---|---|
| Bit 0 (LSB) | 0.049 | Random (contains watermark signal) |
| Bit 1 | 0.074 | Random (contains watermark signal) |
| Bit 2 | 0.125 | Partially random |
| Bit 3 | 0.513 | Mixed |
| Bit 4 | 0.635 | Mostly consistent |
| Bit 5 | 1.000 | Always consistent (image structure) |
| Bit 6 | 1.000 | Always consistent (image structure) |
| Bit 7 (MSB) | 1.000 | Always consistent (image structure) |
The watermark information is distributed across bits 0-2, but in a way that appears statistically random when viewed in isolation.
Codebook Specification
Detection Method
- Resize image to 512×512
- Extract noise residual using wavelet denoising (db4 wavelet, 3 levels)
- Compute correlation with reference noise pattern
- Check phase at carrier frequencies
- Verify noise structure ratio
Detection Formula
is_watermarked = (
correlation > 0.179 AND
phase_match > 0.5 AND
0.8 < structure_ratio < 1.8
)
confidence = (
0.4 * normalize(correlation) +
0.4 * phase_match +
0.2 * (1 - |structure_ratio - 1.32| / 0.5)
)
Reference Patterns (Saved in synthid_codebook.pkl)
- Reference Noise Pattern: 512×512×3 float array
- Reference Magnitude Spectrum: 512×512 float array
- Reference Phase Spectrum: 512×512 float array
- Carrier Positions: List of 100 frequency positions with expected phases
Watermark Architecture Hypothesis
Based on our analysis, SynthID likely works as follows:
┌─────────────────────────────────────────────────────────────────┐
│ SynthID Encoder (Training) │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. Generate carrier frequencies: {(14,14), (126,14), ...} │
│ 2. Assign fixed phases to each carrier │
│ 3. Train encoder CNN to embed this spectrum into generated │
│ images without visible artifacts │
│ │
├─────────────────────────────────────────────────────────────────┤
│ SynthID Encoder (Inference) │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Input: Generated Image │
│ ↓ │
│ Add learned noise pattern that encodes carrier phases │
│ ↓ │
│ Output: Watermarked Image (imperceptible modification) │
│ │
├─────────────────────────────────────────────────────────────────┤
│ SynthID Decoder (Detection) │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Input: Suspect Image │
│ ↓ │
│ Extract noise residual │
│ ↓ │
│ Compute FFT, check phase at carrier frequencies │
│ ↓ │
│ If phases match expected values → Watermarked │
│ │
└─────────────────────────────────────────────────────────────────┘
Limitations
- Codebook is source-specific: This codebook only works for Gemini-generated images
- Image modifications may break detection: Heavy JPEG compression, cropping, or resizing may degrade the watermark
- Binary watermark bits unknown: We discovered the carrier frequencies but not the actual message encoded
Files Generated
| File | Description |
|---|---|
synthid_codebook.pkl |
Full codebook with numpy arrays |
synthid_codebook_meta.json |
Human-readable metadata |
deep_analysis/ |
Visualization of patterns |
codebook_results/ |
Initial analysis results |
Usage
To detect SynthID watermark:
python synthid_codebook_extractor.py detect image.png --codebook synthid_codebook.pkl
To extract codebook from new images:
python synthid_codebook_extractor.py extract /path/to/images --output new_codebook.pkl
Conclusion
SynthID uses a sophisticated spread-spectrum watermarking technique that:
- Embeds information in the phase domain of the Fourier spectrum
- Uses specific carrier frequencies (14, 98, 126, 128, 210, 238 Hz and their conjugates)
- Creates a consistent noise signature detectable via correlation analysis
- Is imperceptible to human observers but robust enough to survive common image operations
This analysis enables detection of SynthID watermarks without access to Google's proprietary decoder.