Peeling Google's invisible sticker off Gemini images
A signal-processing teardown of SynthID that reverse-engineers the watermark, builds a 90% accurate detector, then removes it with a seven-stage spectral attack.

What it does
This repo reverse-engineers Google’s SynthID — the imperceptible watermark embedded in every Gemini-generated image — using only spectral analysis and signal processing, with no access to Google’s proprietary encoder. It discovers the watermark’s resolution-dependent carrier frequency, builds a detector, then strips the mark through iterative adversarial pipelines.
The interesting bit
The breakthrough came from reading Gemini’s own help text. The authors treated Google’s published list of SynthID failure modes — complex collages, layered elements, fragmented textures — as an attack specification. Round 06’s “elastic deformation” stage simulates this at the pixel level: a smooth random warp field gives every ~50-pixel neighborhood its own sub-pixel offset, fragmenting the watermark’s spatial phase consensus while remaining imperceptible to the eye. Six failed rounds of increasingly aggressive spectral subtraction preceded this insight.
Key highlights
- V4 codebook uses cross-color phase consensus across six solid backgrounds (black, white, blue, green, red, gray) to isolate watermark carriers from image content; 99%+ of content bins drop below the cutoff
- 7-stage attack pipeline: VAE round-trip → elastic warp → geometric combo → resize-squeeze → color nudge → residual-phase FFT subtraction → JPEG chain with bilateral filtering
- Per-stage PSNR gating automatically rolls back any stage that would breach a quality floor (14 dB for `final`, 11 dB for `nuke`)
- Human-in-the-loop calibration: manual Gemini-app detection feedback updates live `carrier_weights` in the codebook
- Confirmed bypass against `gemini-3.1-flash-image-preview` and `nano-banana-pro-preview` detectors
Caveats
- Requires building a per-model, per-resolution codebook from a dataset of solid-color generated images; the 14-profile codebook is ~220 MB
- “Visually lossless” claim for Round 06 is based on human perception; pixel-level PSNR drops to 18–24 dB due to warp displacement
- Calibration loop depends on manual uploads to the Gemini app for detection feedback — not fully automated
Verdict
Security researchers and adversarial-ML engineers should grab this. If you’re looking for a one-click tool to launder AI-generated images, the setup friction (dataset collection, codebook building, manual calibration) will disappoint.