Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Provably Secure Covert Messaging Using Image-based Diffusion Processes

Luke A. Bauer, Wenxuan Bao, Vincent Bindschaedler

TL;DR

This work tackles covert messaging through diffusion-model outputs by embedding ciphertext in the initial latent space without distorting latent distributions, achieving provable latent-space indistinguishability. It introduces a four-part construction (setup, cryptographic record, embedding, retrieval) that uses a shared key and a thresholded, redundant latent-sign flip scheme, augmented by EDICT dual latents for improved inversion accuracy and error correction. The authors formalize latent-space security via an indistinguishability game and prove distribution preservation under symmetric latent priors, while empirically showing strong security against latent-space detectors and robust covertness under common image transformations. They also analyze performance through capacity-reliability tradeoffs, demonstrate practical processing times, and illustrate robustness improvements over alternative embedding strategies. The approach enables a secure, transformation-resistant covert channel compatible with off-the-shelf latent diffusion models, with potential applications in deniable storage and secure low-capacity communication.

Abstract

We consider the problem of securely and robustly embedding covert messages into an image-based diffusion model's output. The sender and receiver want to exchange the maximum amount of information possible per diffusion sampled image while remaining undetected. The adversary wants to detect that such communication is taking place by identifying those diffusion samples that contain covert messages. To maximize robustness to transformations of the diffusion sample, a strategy is for the sender and the receiver to embed the message in the initial latents. We first show that prior work that attempted this is easily broken because their embedding technique alters the latents' distribution. We then propose a straightforward method to embed covert messages in the initial latent {\em without} altering the distribution. We prove that our construction achieves indistinguishability to any probabilistic polynomial time adversary. Finally, we discuss and analyze empirically the tradeoffs between embedding capacity, message recovery rates, and robustness. We find that optimizing the inversion method for error correction is crucial for reliability.

Provably Secure Covert Messaging Using Image-based Diffusion Processes

TL;DR

This work tackles covert messaging through diffusion-model outputs by embedding ciphertext in the initial latent space without distorting latent distributions, achieving provable latent-space indistinguishability. It introduces a four-part construction (setup, cryptographic record, embedding, retrieval) that uses a shared key and a thresholded, redundant latent-sign flip scheme, augmented by EDICT dual latents for improved inversion accuracy and error correction. The authors formalize latent-space security via an indistinguishability game and prove distribution preservation under symmetric latent priors, while empirically showing strong security against latent-space detectors and robust covertness under common image transformations. They also analyze performance through capacity-reliability tradeoffs, demonstrate practical processing times, and illustrate robustness improvements over alternative embedding strategies. The approach enables a secure, transformation-resistant covert channel compatible with off-the-shelf latent diffusion models, with potential applications in deniable storage and secure low-capacity communication.

Abstract

We consider the problem of securely and robustly embedding covert messages into an image-based diffusion model's output. The sender and receiver want to exchange the maximum amount of information possible per diffusion sampled image while remaining undetected. The adversary wants to detect that such communication is taking place by identifying those diffusion samples that contain covert messages. To maximize robustness to transformations of the diffusion sample, a strategy is for the sender and the receiver to embed the message in the initial latents. We first show that prior work that attempted this is easily broken because their embedding technique alters the latents' distribution. We then propose a straightforward method to embed covert messages in the initial latent {\em without} altering the distribution. We prove that our construction achieves indistinguishability to any probabilistic polynomial time adversary. Finally, we discuss and analyze empirically the tradeoffs between embedding capacity, message recovery rates, and robustness. We find that optimizing the inversion method for error correction is crucial for reliability.

Paper Structure

This paper contains 30 sections, 1 theorem, 3 equations, 8 figures, 6 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Background & Related works
  3. Diffusion models
  4. Generative Steganography
  5. Watermarking
  6. Problem Statement & Threat Model
  7. Threat Model
  8. Security Desiderata & Other Goals
  9. Proposed Construction
  10. Initial Setup
  11. Cryptographic Record
  12. Ciphertext Embedding
  13. Latent Space Inversion
  14. Ciphertext Recovery
  15. Formalizing and Analyzing Security
  16. ...and 15 more sections

Key Result

Theorem 1

Let ${{\bm{x}}_{T}}$ be a vector of $k$ random variables each distributed according to a symmetric distribution $\mathcal{D}$, i.e., ${{x}_{T,{i}}} \sim \mathcal{D}$ for $i = 1,2,\ldots, k$ i.i.d. Also, let ${\rm Emb}$ denote the transformation of ${{\bm{x}}_{T}}$ into ${{\bm{x}}_{T}}'$ in alg:embed

Figures (8)

  • Figure 1: Sample images generated using our embedding method and the EDICT scheduler. The top of each column is the prompt. The first row of images contain an embedded message, and the second row contain the same original latent space, without an embedded message.
  • Figure 2: Proposed construction sender-side and receiver-side operations. Shared information must be agreed upon by both the sender and receiver, but much of it can be stored in the parameter table. Alice encrypts then embeds the message into the latent space which is used to generate the cover image. The cover is then received by Bob, the ciphertext is recovered and then decrypted giving Bob the original message.
  • Figure 3: ROC curves and AUCROC for Random Forest classifiers to distinguish latent space with and without embedding. Our method does not alter the latent space and so classifier performance is random guessing. Kim et al. kim2023diffusion (message projection) do alter the distribution, which leads to (almost) perfect classification.
  • Figure 4: QQ plots of the two embedding methods against the natural recovered latent space distribution. Although the graph on the left follows the natural mean and scale well, the clustering around the values inserted into the feature values is easy to detect.
  • Figure 5: Cover Image Classification, showing the CLIP and Xu-net models, both unable to distinguish between generated images with a message embedded using our method vs. without. Not shown, these models are also unable to detect images generated by Kim et al.
  • ...and 3 more figures

Theorems & Definitions (2)

  • Theorem 1
  • proof : Proof of \ref{['thm:embeddist']}