2025-11-14T09:49:10.731774

Targeted Pooled Latent-Space Steganalysis Applied to Generative Steganography, with a Fix

Levecque, Noirault, Pevný et al.
Steganographic schemes dedicated to generated images modify the seed vector in the latent space to embed a message, whereas most steganalysis methods attempt to detect the embedding in the image space. This paper proposes to perform steganalysis in the latent space by modeling the statistical distribution of the norm of the latent vector. Specifically, we analyze the practical security of a scheme proposed by Hu et. al. for latent diffusion models, which is both robust and practically undetectable when steganalysis is performed on generated images. We show that after embedding, the Stego (latent) vector is distributed on a hypersphere while the Cover vector is i.i.d. Gaussian. By going from the image space to the latent space, we show that it is possible to model the norm of the vector in the latent space under the Cover or Stego hypothesis as Gaussian distributions with different variances. A Likelihood Ratio Test is then derived to perform pooled steganalysis. The impact of the potential knowledge of the prompt and the number of diffusion steps, is also studied. Additionally, we also show how, by randomly sampling the norm of the latent vector before generation, the initial Stego scheme becomes undetectable in the latent space.
academic

Targeted Pooled Latent-Space Steganalysis Applied to Generative Steganography, with a Fix

Basic Information

  • Paper ID: 2510.12414
  • Title: Targeted Pooled Latent-Space Steganalysis Applied to Generative Steganography, with a Fix
  • Authors: Etienne Levecque, Aurelien Noirault, Tomas Pevny, Jan Butora, Patrick Bas, Rémi Cogranne
  • Classification: cs.CR (Cryptography and Security), eess.IV (Image and Video Processing)
  • Publication Date: October 14, 2025 (arXiv preprint)
  • Paper Link: https://arxiv.org/abs/2510.12414

Abstract

This paper proposes a novel steganalysis method targeting steganography in generative images. While traditional steganalysis performs detection in the image space, generative steganography embeds messages by modifying seed vectors in the latent space. This work conducts steganalysis in the latent space by modeling the statistical distribution of latent vector norms to detect steganography. The paper analyzes the practical security of the latent diffusion model steganography scheme proposed by Hu et al., which exhibits robustness and undetectability in image-space steganalysis. The research reveals that embedded steganographic latent vectors are distributed on a hypersphere, while cover vectors follow an independent and identically distributed Gaussian distribution. Pooled steganalysis is performed using likelihood ratio testing, and the effects of prompt knowledge and diffusion steps are investigated. Additionally, the paper demonstrates how to make the original steganography scheme undetectable in latent space by randomly sampling latent vector norms.

Research Background and Motivation

Problem Definition

Generative steganography is an emerging and active research field that enables embedding of large-capacity payloads with robustness to operations such as JPEG compression while potentially remaining undetected. Unlike traditional steganography that only modifies the noise component of images, the embedding process in generative steganography also alters the semantic content of images.

Research Motivation

  1. Limitations of Existing Methods: Most steganalysis methods attempt detection in the image space, while generative steganography modifies seed vectors in the latent space
  2. Insufficient Security Analysis: Many published schemes have blind spots in security analysis within the latent space
  3. Detection Challenges: The scheme by Hu et al. is both robust and undetectable in image-domain steganalysis, necessitating new analytical approaches

Significance

Generative steganography is particularly popular in latent diffusion models because these models provide high-quality image generation. Understanding and analyzing the security of such schemes is of significant importance to the information security field.

Core Contributions

  1. Proposes Latent-Space Steganalysis Method: First steganalysis conducted in latent space rather than image space or marginal distributions
  2. Establishes Statistical Detection Model: Models the statistical distribution of latent vector norms, representing cover and steganography hypotheses as Gaussian distributions with different variances
  3. Develops Likelihood Ratio Testing: Pooled detector based on likelihood ratio testing (LRT) that is easily extensible to batch image detection
  4. Provides Security Fix: Proposes Scaled Spread Spectrum (Scaled SS) encoding method that makes the steganography scheme undetectable in latent space by randomly sampling latent vector norms
  5. Comprehensive Experimental Analysis: Investigates the effects of prompt knowledge and diffusion steps on detection performance

Methodology Details

Task Definition

Input: Images generated by latent diffusion models and their corresponding latent vectors Output: Determination of whether an image is a cover image or steganographic image Constraints: Follows Kerckhoffs' principle; the attacker knows the L2L channel and fixed parameters α but not the secret key

Steganography Scheme Analysis

Hu et al.'s Embedding Scheme

Uses spread spectrum watermarking principles with modulation via orthonormalized key-related pseudorandom matrix Q:

X=QMQTX = Q \cdot M \cdot Q^T

where M is the ±1 secret message reshaped to latent space dimensions.

L2L Channel Model

The latent-to-latent (L2L) channel comprises three components:

  1. Generation process: mapping seed to image
  2. Distortion operations: such as compression
  3. Inverse generation: mapping image back to latent space vector Y

Expressed as: Y=f(X,α)Y = f(X, α)

Statistical Detection Model

Norm Modeling Before Embedding

  • Null Hypothesis (Cover): XN(0,In)X \sim N(0, I_n), norm RXχnR_X \sim χ_n
  • Alternative Hypothesis (Steganography): X=QMQTX = Q \cdot M \cdot Q^T, norm RX=nR_X = \sqrt{n} (constant)

For large n, under the cover hypothesis: RXdN(n,12)R_X \xrightarrow{d} N(\sqrt{n}, \frac{1}{2})

Norm Modeling After Embedding

Assumes the L2L channel introduces Gaussian noise ε(α)N(0,σ2(α))\varepsilon(α) \sim N(0, σ^2(α)) on the norm:

H0:RYN(n,12+σ2(α))H_0: R_Y \sim N(\sqrt{n}, \frac{1}{2} + σ^2(α))H1:RYN(n,σ2(α))H_1: R_Y \sim N(\sqrt{n}, σ^2(α))

The two hypotheses differ only in variance, which is the key to detection.

Likelihood Ratio Testing

Single Image Test

Λ(rY)=N(rY;μ^1,σ^12)N(rY;μ^0,σ^02)Λ(r_Y) = \frac{N(r_Y; \hat{μ}_1, \hat{σ}^2_1)}{N(r_Y; \hat{μ}_0, \hat{σ}^2_0)}

When Λ(rY)>τΛ(r_Y) > τ, reject the null hypothesis and classify as steganographic image.

Batch Testing

For a batch B of images, assuming all images belong to the same class: Λ(B)=iN(rYi;μ^1,σ^12)N(rYi;μ^0,σ^02)Λ(B) = \prod_i \frac{N(r_{Y_i}; \hat{μ}_1, \hat{σ}^2_1)}{N(r_{Y_i}; \hat{μ}_0, \hat{σ}^2_0)}

Security Fix Proposal

Scaled Spread Spectrum Encoding

To fix the distribution discrepancy, the norm is sampled according to χ_n distribution, then scaled:

X=snQMQTX = \frac{s}{\sqrt{n}} Q \cdot M \cdot Q^T

This causes steganographic vector norms to also follow χ_n distribution, eliminating the statistical difference.

Experimental Setup

Dataset

  • Model: Stable Diffusion 1.5
  • Parameters: guidance=5.0, diffusion steps=20
  • Prompts: Randomly selected from DiffusionDB database
  • Scale: 20k prompts per experiment, generating 20k cover and 20k steganographic images
  • Latent Space Dimension: (4, 64, 64), message length n=16384 bits

Evaluation Metrics

  • Error Probability (PE): PE=minPFAPFA+PMD(PFA)2PE = \min_{P_{FA}} \frac{P_{FA} + P_{MD}(P_{FA})}{2}
  • Bit Error Rate (BER): Proportion of correctly decoded bits
  • Cross-Validation: 20-fold cross-validation

Implementation Details

  • Use 1k cover and 1k steganographic images to estimate mean and variance
  • Remaining 19k images used to calculate PE
  • Likelihood ratio threshold τ=1

Experimental Results

Main Results

Detection Performance

  • Single Image Detection: PE approximately 48%
  • Batch Detection: PE decreases significantly with increasing batch size
    • Batch size 10: PE=45.3%
    • Batch size 100: PE=33.4%

Effect of Diffusion Steps

Batch Size20 Steps50 Steps
148.5%47.2%
1045.3%41.6%
10033.4%30.0%

More diffusion steps reduce L2L channel distortion, improving attack effectiveness.

Effect of Prompt Knowledge

BER remains essentially unchanged regardless of prompt knowledge:

  • SS encoding: 97.53% vs 97.56%
  • Scaled SS encoding: 97.53% vs 97.52%

Fix Scheme Effectiveness

Scaled SS encoding effectively eliminates detection differences, making likelihood ratios for all norms approach 1, randomizing detection performance.

Experimental Findings

  1. Latent-Space Detection is Feasible: Even steganography schemes undetectable in image space can be detected in latent space
  2. Batch Detection is More Effective: Pooling multiple images significantly improves detection performance
  3. Fix Scheme is Effective: Eliminating statistical differences through norm sampling is achievable
  4. Limited Prompt Impact: Not knowing exact prompts does not affect detection effectiveness

Related Work

Traditional Steganalysis

Primarily divided into two categories:

  1. Deep Learning-Based: Training classification networks to distinguish cover and steganographic images
  2. Statistical Analysis-Based: Computing KL divergence of marginal distributions in latent space

Generative Steganography

  • Diffusion Model Steganography: Leveraging high-quality image generation capabilities of latent diffusion models
  • Spread Spectrum Watermarking: Spreading each embedded bit across secret carriers
  • Robustness Considerations: Must account for noise from generation, compression, and inverse processes

Novel Contribution of This Work

Compared to existing work, this paper is the first to analyze joint distributions rather than marginal distributions in latent space, providing more in-depth security assessment.

Conclusions and Discussion

Main Conclusions

  1. Latent-Space Steganalysis is Feasible: Statistical differences may exist in latent space even when undetectable in image space
  2. Norm Distribution is Key: The difference in norm distributions between steganographic and cover vectors is fundamental to detection
  3. Fix Scheme is Effective: True undetectability can be achieved through appropriate distribution matching
  4. Practical Parameter Impact: Parameters such as diffusion steps affect detection performance, but prompt impact is limited

Limitations

  1. Model Assumptions: The Gaussian noise assumption for L2L channels may be oversimplified
  2. Computational Complexity: Requires image inverse process to obtain latent vectors
  3. Scope of Applicability: Primarily targets specific spread spectrum steganography schemes
  4. Parameter Sensitivity: Detection performance depends on specific diffusion model parameter settings

Future Directions

  1. More Complex L2L Modeling: Consider more realistic channel models
  2. Other Statistical Features: Explore other statistical features in latent space for detection
  3. Adaptive Attacks: Study adversarial strategies against this detection method
  4. Real-Time Detection: Develop more efficient detection algorithms

In-Depth Evaluation

Strengths

  1. Strong Novelty: First to propose steganalysis in latent space with a novel perspective
  2. Solid Theoretical Foundation: Based on rigorous statistical models and likelihood ratio testing theory
  3. Comprehensive Experiments: Thorough experimental validation including various parameter settings and ablation studies
  4. High Practical Value: Provides a complete solution that both detects and fixes vulnerabilities
  5. In-Depth Analysis: Clear theoretical explanations of detection principles and failure mechanisms

Weaknesses

  1. Model Simplification: L2L channel modeling is relatively simple; actual scenarios may be more complex
  2. Computational Overhead: Requires image inverse process, incurring significant computational cost
  3. Generalization: Primarily targets specific steganography schemes; applicability to other schemes remains to be verified
  4. Practical Deployment: Operability and efficiency in real-world applications require further assessment

Impact

  1. Academic Contribution: Provides new perspectives for security analysis of generative steganography
  2. Practical Value: Significant for security assessment of existing steganography schemes
  3. Inspirational: May inspire more latent-space-based security analysis research
  4. Reproducibility: Clear experimental setup facilitates reproduction and extension

Applicable Scenarios

  1. Security Assessment: Evaluating practical security of generative steganography schemes
  2. Scheme Improvement: Guiding security improvements of steganography schemes
  3. Detection Systems: Building detection systems against generative steganography
  4. Research Tool: Serving as a research tool for latent-space security analysis

References

The paper cites multiple important related works, including:

  • Hu et al. (2024): The original steganography scheme analyzed
  • Rombach et al. (2022): Foundational work on latent diffusion models
  • Cox et al. (2008): Classical textbook on digital watermarking
  • Fridrich (2009): Classical textbook on steganography
  • Multiple related works on deep learning-based steganalysis

This paper makes important contributions to security analysis of generative steganography, proposing novel analytical perspectives and effective detection methods, while also providing corresponding security improvement schemes. It has significant implications for advancing the field.