Discovering, detecting, and surgically removing Google's AI watermark

Discovering, detecting, and surgically removing Google's AI watermark through spectral analysis This project reverse-engineers Google's SynthID watermarking system - the invisible watermark embedded into every image generated by Google Gemini. Using only signal processing and spectral analysis (no access to the proprietary encoder/decoder), we: - Discovered the watermark's resolution-dependent carrier frequency structure - Built a detector that identifies SynthID watermarks with 90% accuracy - Developed a multi-resolution spectral bypass (V3) that achieves 75% carrier energy drop, 91% phase coherence drop, and 43+ dB PSNR on any image resolution We're actively collecting pure black and pure white images generated by Nano Banana Pro to improve multi-resolution watermark extraction. If you can generate these: - Resolution: any (higher variety = better) - Content: fully black (#000000) or fully white (#FFFFFF) - Source: Nano Banana Pro outputs only - Generate a batch of black/white images by attaching a pure black/white image into Gemini and prompting it to "recreate this as it is" - Place them in new folders: gemini_black_nb_pro/ (for black)gemini_white_nb_pro/ (for white) - Open a Pull Request 🚀 These reference images are critical for: - Carrier frequency discovery - Phase validation - Improving cross-resolution robustness Even 150–200 images at a new resolution can significantly improve detection and removal. Unlike brute-force approaches (JPEG compression, noise injection), our V3 bypass uses a multi-resolution SpectralCodebook - a collection of per-resolution watermark fingerprints stored in a single file. At bypass time, the codebook auto-selects the matching resolution profile, enabling surgical frequency-bin-level removal on any image size. SynthID embeds carrier frequencies at different absolute positions depending on image resolution. A codebook built at 1024x1024 cannot directly remove the watermark from a 1536x2816 image - the carriers are at completely different bins. | Resolution | Top Carrier (fy, fx) | Coherence | Source | |---|---|---|---| | 1024x1024 | (9, 9) | 100.0% | 100 black + 100 white refs | | 1536x2816 | (768, 704) | 99.6% | 88 watermarked content images | This is why the V3 codebook stores separate profiles per resolution and auto-selects at bypass time. The watermark's phase template is identical across all images from the same Gemini model: - Green channel carries the strongest watermark signal - Cross-image phase coherence at carriers: >99.5% - Black/white cross-validation confirms true carriers via |cos(phase_diff)| > 0.90 At 1024x1024 (from black/white refs), top carriers lie on a low-frequency grid: | Carrier (fy, fx) | Phase Coherence | B/W Agreement | |---|---|---| | (9, 9) | 100.00% | 1.000 | | (5, 5) | 100.00% | 0.993 | | (10, 11) | 100.00% | 0.997 | | (13, 6) | 100.00% | 0.821 | At 1536x2816 (from random watermarked content), carriers are at much higher frequencies: | Carrier (fy, fx) | Phase Coherence | |---|---| | (768, 704) | 99.55% | | (672, 1056) | 97.46% | | (480, 1408) | 96.55% | | (384, 1408) | 95.86% | | Version | Approach | PSNR | Watermark Impact | Status | |---|---|---|---|---| | V1 | JPEG compression (Q50) | 37 dB | ~11% phase drop | Baseline | | V2 | Multi-stage transforms (noise, color, frequency) | 27-37 dB | ~0% confidence drop | Quality trade-off | | V3 | Multi-resolution spectral codebook subtraction | 43+ dB | 91% phase coherence drop | Best | Input Image (any resolution) │ ▼ codebook.get_profile(H, W) ──► exact match? ──► FFT-domain subtraction │ (fast path) └─ no exact match ──────► spatial-domain resize + subtraction (fallback path) │ ▼ Multi-pass iterative subtraction (aggressive → moderate → gentle) │ ▼ Anti-alias → Output - SpectralCodebook stores resolution-specific profiles (carrier positions, magnitudes, phases) - Auto resolution selection picks the exact profile or the closest match - Direct known-signal subtraction weighted by phase consistency and cross-validation confidence - Multi-pass schedule catches residual watermark energy missed by previous passes - Per-channel weighting (G=1.0, R=0.85, B=0.70) matches SynthID's embedding strength | Metric | Value | |---|---| | PSNR | 43.5 dB | | SSIM | 0.997 | | Carrier energy drop | 75.8% | | Phase coherence drop (top-5 carriers) | 91.4% | | Resolution | Match | PSNR | SSIM | |---|---|---|---| | 1536x2816 | exact | 44.9 dB | 0.996 | | 1024x1024 | exact | 39.8 dB | 0.977 | | 768x1024 | fallback | 40.6 dB | 0.994 | git clone https://github.com/aloshdenny/reverse-SynthID.git cd reverse-SynthID python -m venv venv source venv/bin/activate # Windows: venv\Scripts\activate pip install -r requirements.txt From the CLI: python src/extraction/synthid_bypass.py build-codebook \ --black gemini_black \ --white gemini_white \ --watermarked gemini_random \ --output artifacts/spectral_codebook_v3.npz Or from Python: from src.extraction.synthid_bypass import SpectralCodebook codebook = SpectralCodebook() # Profile