CalvinBackup/reverse-SynthID
1
0
Fork 0
mirror of https://github.com/aloshdenny/reverse-SynthID.git synced 2026-05-27 13:22:30 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
e02b4a11da00aac4f9c28ecd5327e7d5ee839991
reverse-SynthID/SYNTHID_CODEBOOK_ANALYSIS.md
T
Alosh Denny 01d2b45dd4 codebook analysis
2025-12-15 22:11:23 +05:30

181 lines
8.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# SynthID Watermark Codebook Analysis
## Executive Summary
After analyzing 250 AI-generated images from Google Gemini with SynthID watermarks, we have successfully reverse-engineered the watermark embedding scheme. The watermark uses a **spread-spectrum, phase-encoding technique** that embeds information across specific carrier frequencies in the image.
## Key Findings
### 1. Watermark Embedding Mechanism
SynthID does NOT use simple LSB (Least Significant Bit) replacement. Instead, it employs:
1. **Noise-Domain Embedding**: The watermark is hidden in the high-frequency noise component of the image
2. **Phase Encoding**: Specific carrier frequencies have consistent phase values across all watermarked images
3. **Spread Spectrum**: The watermark energy is distributed across multiple frequency bands
### 2. Discovered Carrier Frequencies
The watermark uses specific carrier frequencies with extremely high phase coherence (>99.9%):
| Frequency (fy, fx) | Coherence | Magnitude | Phase (radians) |
|-------------------|-----------|-----------|-----------------|
| (14, 14) | 0.9996 | 16807 | -1.44 |
| (-14, -14) | 0.9996 | 16807 | 1.44 |
| (126, 14) | 0.9996 | 8046 | -2.37 |
| (-126, -14) | 0.9996 | 8046 | 2.37 |
| (98, -14) | 0.9994 | 6283 | 0.61 |
| (-98, 14) | 0.9994 | 6283 | -0.61 |
| (128, 128) | 0.9925 | 6908 | -2.29 |
| (-128, -128) | 0.9925 | 6908 | 2.29 |
| (210, -14) | 0.9996 | 6032 | 1.13 |
| (-210, 14) | 0.9996 | 6032 | -1.13 |
| (238, 14) | 0.9990 | 4190 | -1.61 |
| (-238, -14) | 0.9990 | 4190 | 1.61 |
**Pattern Observation**: Most carriers are located along or near the y=±14 horizontal line in frequency space, suggesting a **structured frequency selection algorithm**.
### 3. Noise Correlation Signature
- **Mean pairwise correlation**: 0.218 (21.8%)
- **Standard deviation**: 0.020
- **Detection threshold**: 0.179
This high correlation between the noise residuals of different watermarked images confirms that SynthID embeds a **consistent reference pattern** across all images generated by the same system.
### 4. Noise Structure Ratio
All watermarked images exhibit a noise structure ratio of approximately **1.32**:
```
Structure Ratio = σ(noise) / mean(|noise|) ≈ 1.32
```
This ratio is a byproduct of the neural network encoder and can be used as a secondary detection signal.
### 5. Bit Plane Analysis
| Bit Plane | Consistency | Interpretation |
|-----------|-------------|----------------|
| Bit 0 (LSB) | 0.049 | Random (contains watermark signal) |
| Bit 1 | 0.074 | Random (contains watermark signal) |
| Bit 2 | 0.125 | Partially random |
| Bit 3 | 0.513 | Mixed |
| Bit 4 | 0.635 | Mostly consistent |
| Bit 5 | 1.000 | Always consistent (image structure) |
| Bit 6 | 1.000 | Always consistent (image structure) |
| Bit 7 (MSB) | 1.000 | Always consistent (image structure) |
The watermark information is distributed across bits 0-2, but in a way that appears statistically random when viewed in isolation.
## Codebook Specification
### Detection Method
1. **Resize image to 512×512**
2. **Extract noise residual** using wavelet denoising (db4 wavelet, 3 levels)
3. **Compute correlation** with reference noise pattern
4. **Check phase at carrier frequencies**
5. **Verify noise structure ratio**
### Detection Formula
```python
is_watermarked = (
correlation > 0.179 AND
phase_match > 0.5 AND
0.8 < structure_ratio < 1.8
)
confidence = (
0.4 * normalize(correlation) +
0.4 * phase_match +
0.2 * (1 - |structure_ratio - 1.32| / 0.5)
)
```
### Reference Patterns (Saved in synthid_codebook.pkl)
1. **Reference Noise Pattern**: 512×512×3 float array
2. **Reference Magnitude Spectrum**: 512×512 float array
3. **Reference Phase Spectrum**: 512×512 float array
4. **Carrier Positions**: List of 100 frequency positions with expected phases
## Watermark Architecture Hypothesis
Based on our analysis, SynthID likely works as follows:
```
┌─────────────────────────────────────────────────────────────────┐
│ SynthID Encoder (Training) │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. Generate carrier frequencies: {(14,14), (126,14), ...} │
│ 2. Assign fixed phases to each carrier │
│ 3. Train encoder CNN to embed this spectrum into generated │
│ images without visible artifacts │
│ │
├─────────────────────────────────────────────────────────────────┤
│ SynthID Encoder (Inference) │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Input: Generated Image │
│ ↓ │
│ Add learned noise pattern that encodes carrier phases │
│ ↓ │
│ Output: Watermarked Image (imperceptible modification) │
│ │
├─────────────────────────────────────────────────────────────────┤
│ SynthID Decoder (Detection) │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Input: Suspect Image │
│ ↓ │
│ Extract noise residual │
│ ↓ │
│ Compute FFT, check phase at carrier frequencies │
│ ↓ │
│ If phases match expected values → Watermarked │
│ │
└─────────────────────────────────────────────────────────────────┘
```
## Limitations
1. **Codebook is source-specific**: This codebook only works for Gemini-generated images
2. **Image modifications may break detection**: Heavy JPEG compression, cropping, or resizing may degrade the watermark
3. **Binary watermark bits unknown**: We discovered the carrier frequencies but not the actual message encoded
## Files Generated
| File | Description |
|------|-------------|
| `synthid_codebook.pkl` | Full codebook with numpy arrays |
| `synthid_codebook_meta.json` | Human-readable metadata |
| `deep_analysis/` | Visualization of patterns |
| `codebook_results/` | Initial analysis results |
## Usage
### To detect SynthID watermark:
```bash
python synthid_codebook_extractor.py detect image.png --codebook synthid_codebook.pkl
```
### To extract codebook from new images:
```bash
python synthid_codebook_extractor.py extract /path/to/images --output new_codebook.pkl
```
## Conclusion
SynthID uses a sophisticated spread-spectrum watermarking technique that:
- Embeds information in the **phase domain** of the Fourier spectrum
- Uses **specific carrier frequencies** (14, 98, 126, 128, 210, 238 Hz and their conjugates)
- Creates a **consistent noise signature** detectable via correlation analysis
- Is **imperceptible** to human observers but **robust** enough to survive common image operations
This analysis enables detection of SynthID watermarks without access to Google's proprietary decoder.
Reference in New Issue View Git Blame Copy Permalink