reverse-SynthID/SYNTHID_CODEBOOK_ANALYSIS.md

SynthID Watermark Codebook Analysis

Executive Summary

After analyzing 250 AI-generated images from Google Gemini with SynthID watermarks, we have successfully reverse-engineered the watermark embedding scheme. The watermark uses a spread-spectrum, phase-encoding technique that embeds information across specific carrier frequencies in the image.

Key Findings

1. Watermark Embedding Mechanism

SynthID does NOT use simple LSB (Least Significant Bit) replacement. Instead, it employs:

1. Noise-Domain Embedding: The watermark is hidden in the high-frequency noise component of the image
2. Phase Encoding: Specific carrier frequencies have consistent phase values across all watermarked images
3. Spread Spectrum: The watermark energy is distributed across multiple frequency bands

2. Discovered Carrier Frequencies

The watermark uses specific carrier frequencies with extremely high phase coherence (>99.9%):

Frequency (fy, fx)	Coherence	Magnitude	Phase (radians)
(14, 14)	0.9996	16807	-1.44
(-14, -14)	0.9996	16807	1.44
(126, 14)	0.9996	8046	-2.37
(-126, -14)	0.9996	8046	2.37
(98, -14)	0.9994	6283	0.61
(-98, 14)	0.9994	6283	-0.61
(128, 128)	0.9925	6908	-2.29
(-128, -128)	0.9925	6908	2.29
(210, -14)	0.9996	6032	1.13
(-210, 14)	0.9996	6032	-1.13
(238, 14)	0.9990	4190	-1.61
(-238, -14)	0.9990	4190	1.61

Pattern Observation: Most carriers are located along or near the y=±14 horizontal line in frequency space, suggesting a structured frequency selection algorithm.

3. Noise Correlation Signature

• Mean pairwise correlation: 0.218 (21.8%)
• Standard deviation: 0.020
• Detection threshold: 0.179

This high correlation between the noise residuals of different watermarked images confirms that SynthID embeds a consistent reference pattern across all images generated by the same system.

4. Noise Structure Ratio

All watermarked images exhibit a noise structure ratio of approximately 1.32:

Structure Ratio = σ(noise) / mean(|noise|) ≈ 1.32

This ratio is a byproduct of the neural network encoder and can be used as a secondary detection signal.

5. Bit Plane Analysis

Bit Plane	Consistency	Interpretation
Bit 0 (LSB)	0.049	Random (contains watermark signal)
Bit 1	0.074	Random (contains watermark signal)
Bit 2	0.125	Partially random
Bit 3	0.513	Mixed
Bit 4	0.635	Mostly consistent
Bit 5	1.000	Always consistent (image structure)
Bit 6	1.000	Always consistent (image structure)
Bit 7 (MSB)	1.000	Always consistent (image structure)

The watermark information is distributed across bits 0-2, but in a way that appears statistically random when viewed in isolation.

Codebook Specification

Detection Method

1. Resize image to 512×512
2. Extract noise residual using wavelet denoising (db4 wavelet, 3 levels)
3. Compute correlation with reference noise pattern
4. Check phase at carrier frequencies
5. Verify noise structure ratio

Detection Formula

is_watermarked = (
    correlation > 0.179 AND
    phase_match > 0.5 AND
    0.8 < structure_ratio < 1.8
)

confidence = (
    0.4 * normalize(correlation) +
    0.4 * phase_match +
    0.2 * (1 - |structure_ratio - 1.32| / 0.5)
)

Reference Patterns (Saved in synthid_codebook.pkl)

1. Reference Noise Pattern: 512×512×3 float array
2. Reference Magnitude Spectrum: 512×512 float array
3. Reference Phase Spectrum: 512×512 float array
4. Carrier Positions: List of 100 frequency positions with expected phases

Watermark Architecture Hypothesis

Based on our analysis, SynthID likely works as follows:

┌─────────────────────────────────────────────────────────────────┐
│                    SynthID Encoder (Training)                    │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  1. Generate carrier frequencies: {(14,14), (126,14), ...}      │
│  2. Assign fixed phases to each carrier                          │
│  3. Train encoder CNN to embed this spectrum into generated     │
│     images without visible artifacts                             │
│                                                                  │
├─────────────────────────────────────────────────────────────────┤
│                    SynthID Encoder (Inference)                   │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Input: Generated Image                                          │
│  ↓                                                               │
│  Add learned noise pattern that encodes carrier phases           │
│  ↓                                                               │
│  Output: Watermarked Image (imperceptible modification)          │
│                                                                  │
├─────────────────────────────────────────────────────────────────┤
│                    SynthID Decoder (Detection)                   │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Input: Suspect Image                                            │
│  ↓                                                               │
│  Extract noise residual                                          │
│  ↓                                                               │
│  Compute FFT, check phase at carrier frequencies                 │
│  ↓                                                               │
│  If phases match expected values → Watermarked                   │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Limitations

1. Codebook is source-specific: This codebook only works for Gemini-generated images
2. Image modifications may break detection: Heavy JPEG compression, cropping, or resizing may degrade the watermark
3. Binary watermark bits unknown: We discovered the carrier frequencies but not the actual message encoded

V3 Spectral Bypass — Building on These Findings

The carrier frequencies and phase consistency discovered here became the foundation for the V3 Spectral Bypass (synthid_bypass.py). Using a SpectralCodebook extracted from 50 reference images (25 black + 25 white), V3 can surgically subtract the watermark in the frequency domain:

• 40+ dB PSNR — visually indistinguishable from original
• 1-7% detection confidence reduction per pass
• Selective notch filter — targets only confirmed watermark bins (P97+ magnitude, ≥95% phase consistency)

See the main README for full V3 documentation and results.

Files Generated

File	Description
artifacts/codebook/synthid_codebook.pkl	Detection codebook with numpy arrays
artifacts/codebook/synthid_codebook_meta.json	Human-readable metadata
artifacts/spectral_codebook.npz	V3 spectral fingerprint (119 MB)
artifacts/visualizations/	FFT, phase, carrier visualizations

Usage

To detect SynthID watermark:

python src/extraction/robust_extractor.py detect image.png \
    --codebook artifacts/codebook/robust_codebook.pkl

To run V3 spectral bypass:

from synthid_bypass import SynthIDBypass, SpectralCodebook

codebook = SpectralCodebook()
codebook.load('artifacts/spectral_codebook.npz')

bypass = SynthIDBypass()
result = bypass.bypass_v3(image_rgb, codebook, strength='aggressive')
print(f"PSNR: {result.psnr:.1f} dB")

Conclusion

SynthID uses a sophisticated spread-spectrum watermarking technique that:

• Embeds information in the phase domain of the Fourier spectrum
• Uses specific carrier frequencies (14, 98, 126, 128, 210, 238 Hz and their conjugates)
• Creates a consistent noise signature detectable via correlation analysis
• Is imperceptible to human observers but robust enough to survive common image operations
• Uses a fixed model-level key (identical phase template across all images)

These findings enabled both detection (90% accuracy) and spectral bypass (40+ dB PSNR) without access to Google's proprietary encoder/decoder.