Steganography
Hide circumvention traffic inside an unrelated cover-channel (image, audio, VoIP, blockchain, etc.).
31 papers on file
- 2026-jois-assemblage Assemblage: Chipping Away at Censorship with Generative Steganography
- 2026-yan-efficient-provably-secure Efficient Provably Secure Linguistic Steganography via Range Coding
- 2025-tusing-minecraft-tunnels Minecraft tunnels for covert communications
- 2024-zillien-look Look What's There! Utilizing the Internet's Existing Data for Censorship Circumvention with OPPRESSION
- 2023-ding-discop Discop: Provably secure steganography in practice based on "distribution copies"
- 2023-jia-voiceover Voiceover: Censorship-Circumventing Protocol Tunnels with Generative Modeling
- 2022-figueira-stegozoa Stegozoa: Enhancing WebRTC Covert Channels with Video Steganography for Internet Censorship Circumvention
- 2021-kaptchuk-meteor Meteor: Cryptographically Secure Steganography for Realistic Distributions
- 2021-sharma-camoufler Camoufler: Accessing The Censored Web By Utilizing Instant Messaging Channels
- 2020-minaei-moneymorph MoneyMorph: Censorship Resistant Rendezvous using Permissionless Cryptocurrencies
- 2017-barradas-deltashaper DeltaShaper: Enabling Unobservable Censorship-resistant TCP Tunneling over Videoconferencing Streams
- 2016-douglas-ghostpost GhostPost: Seamless Restoration of Censored Social Media Posts
- 2016-hahn-games Games Without Frontiers: Investigating Video Games as a Covert Channel
- 2016-kohls-skypeline SkypeLine: Robust Hidden Data Transmission for VoIP
- 2016-li-mailet Mailet: Instant Social Networking under Censorship
- 2016-mcpherson-covertcast CovertCast: Using Live Streaming to Evade Internet Censorship
- 2016-safaka-matryoshka Matryoshka: Hiding Secret Communication in Plain Sight
- 2015-hiruncharoenvate-algorithmically Algorithmically Bypassing Censorship on Sina Weibo with Nondeterministic Homophone Substitutions
- 2015-vines-rook Rook: Using Video Games as a Low-Bandwidth Censorship Resistant Communication Platform
- 2014-connolly-trist TRIST: Circumventing Censorship with Transcoding-Resistant Image Steganography
- 2014-li-facet Facet: Streaming over Videoconferencing for Censorship Circumvention
- 2013-houmansadr-i I want my voice to be heard: IP over Voice-over-IP for unobservable censorship circumvention
- 2013-invernizzi-message Message In A Bottle: Sailing Past Censorship
- 2013-ruffing-identity-based Identity-Based Steganography and Its Applications to Censorship Resistance
- 2012-vasserman-one-way One-way indexing for plausible deniability in censorship resistant storage
- 2011-bachrach-h00t #h00t: Censorship Resistant Microblogging
- 2010-burnett-chipping Chipping Away at Censorship Firewalls with User-Generated Content
- 2003-feamster-thwarting Thwarting Web Censorship with Untrusted Messenger Discovery
- 2002-feamster-infranet Infranet: Circumventing Web Censorship and Surveillance
- 2000-waldman-publius Publius: A robust, tamper-evident, censorship-resistant web publishing system
- 1996-anderson-eternity The Eternity Service
135 findings tagged here
-
Assemblage's anti-censorship collateral damage argument rests on the economic and social value of AI-generated image communities. Blocking DeviantArt (65M MAU), Reddit (1.21B MAU), X/Twitter (611M MAU), or Telegram (1B MAU) to suppress steganographic circumvention would cause massive collateral damage to legitimate users—and to Chinese companies' revenue in the case of platforms popular in CN. The paper observes that even in authoritarian regimes, everyday users actively post AI-generated content, making blanket platform blocking politically and economically costly.
-
Lossy image compression is the primary practical barrier to deploying Assemblage on major platforms. Of 8 tested platforms, WeChat and Rednote (combined 2.6 billion MAU) failed because they serve only lossy-compressed downloads, destroying embedded steganographic content. Platforms that preserve lossless originals (Reddit, X/Twitter, DeviantArt, Discord, Imgur, Telegram) succeeded end-to-end. Discord serves ~30 KB compressed thumbnails by default but provides lossless originals via its native "Download" option.
-
Assemblage's diffusion-model steganography (Pulsar) encodes 300–618 bytes per image vector (mean ± SD by model). Generating one local state takes ~9.5 sec on an Apple M4 Pro; encoding takes ~4.4 sec; decoding takes ~4.2 sec. Sending a compressed 300-word message requires only K+h = 4+2 images using the church-256 model, with total send time ~90 sec and receive time ~30 sec. Perceptual-hash candidate detection runs in ~0.33 ms per image, making scanning all ~150 daily posts on /r/AIArt take under 1 second.
-
Assemblage inherits the bootstrapping limitation of all generative steganographic schemes: sender and receiver must share a symmetric key before communication begins. Public-key steganography exists in theory but does not currently support common image/text channels efficiently. The paper identifies three viable deployment scenarios: (1) travelers who carry a pre-shared secret before entering a censored region; (2) users in countries with episodic censorship who establish the key during uncensored periods; (3) a hybrid where a one-time signaling channel establishes the secret, after which Assemblage carries subsequent traffic.
-
The vanilla range-coding baseline suffers from two provable security failures that RRC corrects: (1) distortion of the token probability distribution because interval boundaries do not align with token probabilities, and (2) randomness reuse across sampling steps, which exposes detectable statistical bias. The rotation mechanism specifically addresses both by introducing fresh PRNG-seeded randomness o~U(0,1) at each step and applying a modulo rotation to the decimal state.
-
Rotation Range-Coding (RRC) steganography achieves approximately 100% entropy utilization (99.98% on GPT-2) while maintaining zero KL divergence at every generative step, outperforming all prior provably-secure baselines: SparSamp at 96.76%, Discop w/ sort at 95.17%, iMEC at 71.44%. The rotation mechanism transforms the discrete uniform random variable into a continuous uniform at each step, preserving the original LM probability distribution exactly.
-
RRC steganography achieves an embedding speed of up to 1554.66 bits/s on GPT-2 — the fastest among all provably-secure methods tested — and sustains approximately 1500 bits/s across message lengths from 64 to 1024 bits. Embedding a 128-bit secret message takes 0.082 seconds, and the method scales to at least 8192-bit messages (13.5 seconds, 99.99% entropy utilization) without an upper bound on message length.
-
Fine-tuned BERT and RoBERTa steganalysis discriminators achieve only 47.8–50.6% detection accuracy across GPT-2, OPT-1.3B, and Llama-2-7B stegotext — indistinguishable from random guessing. Human evaluators perform similarly poorly (46.6–50.6% accuracy, F1 ≤ 51.5%), while the paper notes statistical classifiers already outperform humans on this discrimination task.
-
RRC steganography is training-free, model-agnostic, and plug-and-play: it requires no modification to the underlying language model and was validated on GPT-2, OPT-1.3B, and Llama-2-7B. The symmetric-key design requires only that sender and receiver agree on a shared PRNG seed and the secret message length l before communication.
-
MinecruftPT encodes circumvention traffic steganographically inside the Minecraft Java Edition network protocol, making a censored connection appear to a network observer as an ordinary online Minecraft game session. The cover channel is a high-volume, varied-packet-size TCP protocol with a large and active user population, making statistical fingerprinting harder than for lower-volume cover protocols.
-
MinecruftPT achieves mimicry by implementing enough of the Minecraft protocol to pass as a real client-server game session, not just in header structure but in behavioral sequence. The paper evaluates it under DPI and traffic-shape analysis, finding that faithful protocol mimicry at the behavioral level (packet sequence, message types, timing) is necessary to defeat classifiers that go beyond simple byte-pattern matching.
-
MinecruftPT uses the TCP-based Minecraft protocol rather than a WebRTC/UDP approach. The paper notes this gives it an availability advantage in environments where WebRTC is filtered or where UDP is blocked — a common configuration in corporate or institutional networks and some national censorship regimes. This positions it as complementary to Snowflake in the circumvention transport portfolio.
-
The paper enumerates five adversarial attack surfaces against a video-steganography UP channel: (1) wholesale blocking of the hosting platform, (2) mass-scanning and blocking encoded videos (noted as generally cost-prohibitive per the steganography literature), (3) enumerating videos via pseudorandom tags (feasible but hampered by tag-list overlap with unrelated content and time-window dynamics), (4) banning accounts posting encoded videos, and (5) tracking anticensorship users viewing encoded content. The pseudorandom tag window design specifically prevents preemptive enumeration because the top-n results for a tag at epoch t differ from those at t±1.
-
UP channels based on free third-party content hosting (video, audio, images, ML models) provide no-cost scalability: steganographic videos once uploaded are free to distribute to arbitrarily many users, and the channel sustains adversarial financial denial-of-service attacks without incurring operator costs. This contrasts with meek, SQS, AMPCache, and Skyhook, which face financial DoS risk because adversaries can drive up hosting costs by using those channels as intended.
-
The paper defines Unauthenticated Push (UP) channels as a distinct archetype from signaling/rendezvous channels, characterized by three properties: strictly unidirectional delivery, no client authentication or account association required, and higher bandwidth (kilobytes to megabytes) to support software updates rather than just minimal proxy-address exchanges. This design deliberately shifts operational-security burden onto senders to approach receiver anonymity.
-
A concrete UP channel implementation uses keyed steganographic encoding embedded in videos posted to a public hosting service (e.g., flickr.com), addressed via a time-epoch pseudorandom tag generator drawn from publicly known trending-topic lists. Clients query the top-n videos matching the current epoch tag and attempt decryption; real-world video size variability supports data transmissions from a few kilobytes (configuration updates) to megabytes (software updates).
-
Oscur0 eliminates Conjure's separate registration phase by steganographically encoding ECDH public key, phantom IP, and transport parameters into the encrypted application data of the first UDP (DTLS 1.2 with Connection ID) packet sent to the phantom IP, using Elligator encoding to make the public key indistinguishable from random bytes. This removes several round trips — registration, TCP handshake, and application handshake — compared to standard Conjure, and means censors cannot block the scheme by blocking registration alone.
-
Discop's core algorithm is modality-agnostic and deploys unchanged across text generation (GPT-2, DistilGPT-2, Transformer-XL), image completion (Image GPT), and text-to-speech (Tacotron + WaveRNN), requiring only that both parties share the generative model, PRNG, and seed. The same zero-KLD security proof applies across all modalities.
-
Discop with Huffman-tree recursion achieves entropy utilization of 0.92–0.94 (bits embedded ÷ entropy available) and an embedding capacity of 3.48–5.29 bits/token across nucleus-sampling parameters p=0.80–0.98 with GPT-2, matching or exceeding ADG (0.78–0.84 utilization, 3.07–4.89 bits/token) while maintaining exactly zero KL divergence. Per-bit embedding time is 2.17E-03 to 5.52E-03 seconds, comparable to ADG.
-
Discop achieves provably perfect steganographic security (D_KL(P_c ‖ P_s) = 0) by constructing multiple 'distribution copies' of a generative model's predicted distribution and using the copy index to encode the secret message. Because all copies share identical token probabilities, the stego distribution is exactly equal to the cover distribution and no steganalyzer can perform better than random guessing.
-
All prior provably-secure steganography methods introduce measurable distribution distortion: ADG achieves Max KLD of 4.54E-02 to 6.76E-02 bits/token, and Meteor with its heuristic sorting reaches Max KLD up to 9.01E+00 bits/token (Table II, GPT-2, p=0.80). These non-zero KL divergences give any statistical steganalyzer a non-negligible distinguishing advantage, violating the security definition even when average divergence appears small.
-
Replacement-based covert channels that substitute genuine media streams with ciphertext (Protozoa replacing WebRTC video, Balboa replacing audio) are immediately detectable when the censor controls or has plaintext access to the protocol gateway — for example, a WebRTC relay that decrypts and validates incoming media. Censors can also systematically suppress these channels by selectively degrading or blocking encrypted traffic for which they have no decryption trapdoor.
-
FSK-encoded Dolphin audio is distinguishable from normal human speech via offline amplitude analysis: Dolphin's mean signal amplitude is 0.4 (std 224) versus 205 (std 1590) for natural speech — approximately an order of magnitude lower — enabling classification by a telecom operator who records calls. The paper also notes that standard CRC checksums appearing periodically every chunk provide a unique detectable signature if the adversary attempts to decode the audio.
-
Current randomized-payload circumvention tools (obfs4/ScrambleSuit, SkypeMorph, VoIP-tunneling) rely on censors 'defaulting open' — treating unidentified traffic as innocuous. If censors instead block all traffic not explicitly recognizable as meaningful plaintext, these tools fail entirely. The paper notes anecdotal evidence this is already occurring, including blocking of some TLS 1.3 connections.
-
Variable-length sampling (Adaptation 2) achieves a provably secure but impractical encoding: a 16-byte plaintext encoded with GPT-2 requires 502–2994 tokens, produces 2.3–13.6 KiB of stegotext (149×–870× overhead), and takes 42–765 seconds even with GPU acceleration, depending on security parameter k=16–128.
-
Classical public-key steganography (Algorithm 1 from [54]) has a 100% failure rate when encoding a 16-byte message using GPT-2, because GPT-2's per-token entropy drops near zero frequently and standard rejection sampling cannot find an acceptable token. Entropy bounding reduces failure to 0–10% but introduces detectable statistical bias: selected tokens come from a visibly different probability distribution than baseline samples.
-
Meteor encodes bits by embedding a PRG-masked random value into the token-sampling randomness of a generative model, recovering bits proportional to the shared prefix length of the sampled interval. Expected throughput per sampling event is asymptotically within 1/2 of the Shannon entropy of the channel (proven in Appendix A), so Meteor automatically adapts to high entropy variability without explicit signaling or padding.
-
Meteor is proven secure against chosen-hiddentext attacks: any PPT adversary distinguishing Meteor output from honest model output can be reduced to breaking the underlying PRG. The scheme produces stegotext provably indistinguishable from the generative model's own output distribution, and requires only a shared public model — not a secret channel — making the model analogous to a common random string. On GPU the encoding overhead is ~1× model-load time; on CPU ~4.6×; on mobile ~49.5×.
-
OUStralopithecus (OUStral), a Selenium-based OUS implementing empirically-derived human browsing distributions — Weibull dwell times (λ=30s, k=0.75), Von der Weth action probabilities (45.1% internal-link clicks, 33% new-URL navigations), and Dubroy tab-switching rates — generated 471 requests with all Cloudflare Bot Management scores above the recommended blocking threshold of 30, while Slitheen and Waterfall consistently scored 1. Because Cloudflare has full HTTP-layer visibility (unavailable to a passive network censor), the paper argues a censor observing only encrypted traffic would be even less able to flag OUStral.
-
Traffic replacement systems that only shape individual HTTPS flows remain vulnerable to censors monitoring inter-connection patterns over time. Waterfall's OUS (reloading the same page every second), Slitheen's OUS (naïve PhantomJS with no crawling), and Slitheen++'s OUS all produced non-human connection patterns detectable at the session level even when per-flow content is well-concealed. OUStral addresses this by shaping the distribution and sequencing of connections across an entire browsing session.
-
Prior overt user simulators (OUS) using PhantomJS — including Slitheen, Waterfall, and Slitheen++ — received Cloudflare Bot Management scores of 1 (certainly bot-generated) and would be blocked by any operator following Cloudflare's recommended cut-off of 30. Slitheen++ improved marginally by adding user-agent randomization and brief inter-request pauses, but all PhantomJS-based OUS implementations were trivially detectable as bots.
-
Across tunnelling systems that apply traffic shaping against ML adversaries, a clear throughput cost emerges: Slitheen + OUStral with WebM replacement achieves up to 2.2 Mbps with 4.7x overhead; Protozoa (WebRTC, end-to-end) achieves up to 1.4 Mbps; DeltaShaper (VoIP) achieves only 7 kbps at 2x overhead. By contrast, Conjure (no traffic shaping) reaches 100 Mbps. Additionally, end-to-middle decoy-routing deployments incur a throughput penalty from packet-boundary parsing at the relay station that end-to-end systems (Protozoa, DeltaShaper) avoid.
-
Extending Slitheen to replace WebM video/audio frames reduced mean overhead from ~20x (image-only Slitheen) to 4.7x (±1.6) over 100 ten-minute sessions, while raising throughput to a mean of 581.7 kbps in video-only mode (max 2023.3 kbps, min 78.2 kbps) and 721.6 kbps in background-video mode (max 1528 kbps). This compares favorably to DeltaShaper's 2x overhead at only 7 kbps and Protozoa's up to 1.4 Mbps, while preserving Slitheen's resistance to traffic-analysis attacks.
-
Protozoa's encoded media tunneling embeds covert IP packets directly into VP8-encoded frame bitstream partitions (EFBP) after lossy compression, rather than into raw pixel data. Because SRTP uses a stream cipher that preserves plaintext size, overwriting EFBP bits leaves encrypted packet sizes identical to legitimate sessions, and the covert channel achieves 98.8% utilization of available frame space at an average throughput of 1422 Kbps—a 3× improvement over Facet and roughly three orders of magnitude over DeltaShaper's 7 Kbps maximum.
-
Protozoa's encoded media tunneling achieves an AUC of 0.59 against a state-of-the-art ML traffic classifier using packet-size and inter-arrival-time features—near the 0.5 random-guessing baseline—compared to >99% detection rates for prior tools such as Facet and DeltaShaper. To block 80% of Protozoa flows (TPR=0.8), a censor would erroneously flag approximately 60% of legitimate WebRTC flows (FPR=0.6). This resistance holds across trace durations from 10–60 seconds (AUC range 0.56–0.61) and across RTT, bandwidth, and packet-loss variations.
-
Protozoa's covert channel throughput degrades gracefully under bandwidth constraints but remains usable for common applications: average throughput is 975 Kbps at 1500 Kbps cap, 460 Kbps at 750 Kbps, and 91 Kbps at 250 Kbps. Under 2% and 5% packet loss the channel sustains 1130 Kbps and 360 Kbps, respectively, while 10% loss (near WebRTC tear-down threshold) still yields 160 Kbps without breaking the connection. Traffic analysis resistance is preserved across all these conditions, with AUC peaking at 0.65.
-
CRON's stego circuits defend against adversary-controlled WebRTC services by embedding covert data into encoded video frames at the compressed data domain using video steganography algorithms, maintaining the visual characteristics of the video feed rather than replacing it entirely. Endpoint authentication uses public-key encryption with keys exchanged out-of-band, preventing MITM key substitution through the censor-controlled signaling server.
-
MoneyMorph's threat model exploits the economic cost of blocking entire cryptocurrency networks: the censor is left with a binary choice — ban the full blockchain (incurring economic harm to the censored region) or allow all transactions including covert bootstrapping traffic. This assumption is grounded in the censor's observed tolerance of Bitcoin despite known circumvention use.
-
A prototypical Python implementation of MoneyMorph completes all cryptographic operations in under 50 milliseconds on a commodity Intel Core i7 (2.2 GHz, 16 GB RAM): fresh key-pair generation takes approximately 120ms, shared key derivation approximately 41ms, and symmetric encryption/decryption under 1ms. The dominant latency in practice is blockchain confirmation time, not computation.
-
MoneyMorph provides provable chosen-covertext attack security (SBS-CCA) for proxy bootstrapping, unlike prior email or social-media rendezvous approaches which offer only heuristic security. Under SBS-CCA, the censor's advantage in distinguishing a covertext-bearing transaction from a random transaction in the same space is negligible.
-
Sibling transaction analysis across 45 million Bitcoin transactions (blocks 580,000–600,000, June–Oct 2019) shows 32% use the Pay2PKeyHash + Pay2ScriptHash combination MoneyMorph employs. In Monero, the two-input two-output structure matches 42% of all transactions. In Zcash, only 11–19% of transactions are shielded, giving it the lowest sibling rate despite the highest bandwidth.
-
Zcash shielded transactions provide the highest per-transaction bandwidth of any tested cryptocurrency: 1148 bytes for the challenge covertext and 1168 bytes for the response, at a transaction fee of less than 0.01 USD. Bitcoin yields only 20/40 bytes at $0.34 fee and Ethereum only 20 bytes at $0.18 fee.
-
Protocol Proxy uses 'protected static protocols' — UDP-based protocols whose blocking causes severe collateral damage (e.g., Synchrophasor power-grid traffic, NTP) — as cover channels. Because any detection rule that fires on Protocol Proxy traffic also fires on legitimate PMU traffic, censors face a forced trade-off between blocking circumvention and disrupting critical infrastructure.
-
Capturing as little as 30 seconds of a multimedia-tunneling flow is sufficient for XGBoost to reach the same AUC achieved with a 60-second window (AUC=0.99 for Facet s=50%, AUC=0.95 for DeltaShaper ⟨320×240, 8×8, 6, 1⟩ at 30s). Classification performance degrades monotonically below 30 seconds, reaching AUC≈0.81 (Facet) and 0.75 (DeltaShaper) at 1 second.
-
CovertCast — which scrapes web content into colored-matrix frames broadcast over YouTube live streams — is fully detected by the χ² similarity classifier with TPR=100% and FPR=2%. The KL and EMD classifiers achieve TPR>96.5%, indicating the system provides essentially no unobservability in practice.
-
Feature importance analysis of XGBoost models reveals that Facet covert channels are identifiable primarily through packets in the 115–195 byte range (dominated by Skype audio packets), while DeltaShaper is identifiable through two distinct packet-length clusters: 85–100 bytes and 1105–1205 bytes. XGBoost assigns non-zero importance to only ~58% of the 300 quantized packet-length bins for Facet and ~42% of 600 bins for DeltaShaper, indicating that leakage is concentrated in a narrow portion of the packet-size distribution.
-
Unsupervised and semi-supervised anomaly detection methods (OCSVM, Isolation Forest, shallow autoencoders) perform near-random when attempting to detect multimedia protocol tunneling: OCSVM achieves average AUC between 0.518–0.584 across all tested configurations, Isolation Forest between 0.519–0.557, and autoencoders reach a maximum AUC of 0.702 only under optimal hyperparameter search. The paper concludes that labeled training data is a hard requirement for effective covert-channel detection.
-
Decision tree classifiers (XGBoost) can flag 90% of Facet multimedia-tunneling traffic while erroneously flagging only 2% of legitimate Skype connections (FPR=2%). Against DeltaShaper at its most conservative configuration (⟨160×120, 4×4, 6, 1⟩), XGBoost achieves AUC=0.85, demonstrating that existing unobservability claims for all three systems (Facet, CovertCast, DeltaShaper) were flawed.
-
DeltaShaper embeds covert TCP/IP data into Skype's encrypted video stream using a virtual camera interface, treating Skype as a black box rather than mimicking its protocol. This approach provides active-attack resistance by design: any in-path perturbation affects covert and legitimate streams identically, because real Skype software processes both. The system achieves a goodput of 2.56 Kbps (with Reed-Solomon ECC) or 3.12 Kbps (without ECC) at optimal encoding parameters (320x240 area, 8x8 cell size, 6 bits/cell, 1 fps), with RTT of approximately 3 seconds.
-
Encoding parameters must be jointly tuned to remain unobservable: only specific combinations stay below the intermediate blocking threshold ∆I. Valid configurations at 1 fps include (160x120, 4x4) and (320x240, 8x8) areas/cell sizes; increasing frame rate above 1 fps pushes EMD above ∆ for all multi-bit encodings. As bits per cell increase, video compression introduces more decoding errors — error rates become unacceptable above 6 bits/cell for the (320x240, 8x8) configuration, yielding the candidate encoding: 320x240 area, 8x8 cells, 6 bits/cell, 1 fps.
-
FreeWave, the VoIP-based predecessor, was vulnerable to passive traffic analysis because its covert Skype streams exhibited packet-size distributions different from legitimate calls, enabling detection with high probability. DeltaShaper's video-based approach with EMD-constrained encoding addresses this specific failure mode, but at a severe throughput cost: FreeWave achieves 18.75 Kbps vs DeltaShaper's 2.56–3.12 Kbps goodput. Competing systems benchmark: CovertCast ~168 Kbps (no unobservability constraints), Castle 3.48 Kbps, SkypeLine 0.064 Kbps, Rook 0.024–0.04 Kbps.
-
Evaluation of the top 10,000 Alexa websites finds that 3,916 (39%) support HTTPS, of which 1,976 (50%) perform HTTP 3XX redirects that echo the requested path in the Location header and 812 (20%) replay the URL in HTTP 404 error responses — both usable as upstream covert channels readable by downstream-only decoy routers without intercepting upstream traffic.
-
DNS-sly encodes downstream data by selecting A records from the IP address pool of CDN-hosted domains. For the top 25% of Alexa Top 500 domains, approximately one third of DNS responses contain more than 8 A records and ~15% contain 15 A records; the global IP pool has a median of ~2,000 IPs per domain (maximum ~16,000), enabling b = floor(log2(s!/(s-c)!)) bits per response.
-
DNS-sly achieves downstream throughput of up to 600 bytes of hidden data per web page click, with a median of ~100 bytes/click using a global IP map and ~75 bytes/click using a local IP map (a 25% difference despite vastly different IP set sizes). A 4 KB file transfer completes in 30 clicks with the global profile map and 64 clicks with the local map.
-
A censor tracking which deleted posts are resurrected can apply Bayesian inference to identify content-preservation system users: for each resurrected post r observed by set O(r), each observer's suspicion score updates by factor (|O(r)|−1)/|O(r)|, while observers of non-resurrected deletions can be ruled out with certainty. The attack requires only that the censor join the preservation system with a few sock-puppet accounts spread across multiple followed-user lists.
-
Password-protected Castle game sessions (passwords distributed via a BridgeDB-like mechanism) prevent censors from joining instances to observe in-game state or identify participants; when a client fails to supply the correct password within a timeout, the Castle proxy falls back to an AI player, making Castle instances indistinguishable from legitimate games even to an adversary who enters the lobby.
-
Castle structurally avoids all three covert-channel pitfalls identified by Geddes et al.: architecture mismatch is avoided by supporting both client-server and P2P modes; channel mismatch is avoided because RTS games implement application-layer reliability over UDP (matching proxied TCP requirements, unlike VoIP), blocking selective-drop denial-of-service attacks; content mismatch is avoided because legitimate RTS traffic has high natural variance driven by map, strategy, and player count.
-
A single undergraduate ported Castle to two closed-source commercial RTS games (each with >8.5 million copies sold, from different studios) in under 6 hours per game using a ~500-LOC Python/AutoHotkey codebase; 17 of the Top 20 best-selling RTS games share the unit-command structure Castle requires, and 11 have community-decoded replay formats, enabling rapid adaptation to new titles.
-
Castle's packet-size and inter-packet-time distributions (measured via Kolmogorov-Smirnov statistic) fall within the variance observed between legitimate human-game sessions when using ≤50 units/command at ~1 command/second; the best-performing classifier (Herrmann) achieved only ~60% accuracy—roughly 10% above random guessing—against multiple Castle configurations, while two other classifiers (Liberatore, Shmatikov timing) performed near chance.
-
Vanilla Castle achieves 42–190 bytes/second (average) and transfers a 10 KB file in 52–238 seconds depending on the game (0-A.D. / Aeons / Conquerors); game-specific exploitation of per-unit click logging in Aeons raised throughput to ~3 KB/s. These rates are sufficient for asynchronous text-based communication (tweets, email, news articles) and bootstrapping Tor bridge IP distribution.
-
χ² homogeneity tests on 70 audio signal pairs show that at SNR ≥ 25 dB the probability that a statistical test distinguishes modulated from original signals falls to 77.13% (i.e., the rate of successful discrimination is below 23%). Crucially, this analysis requires access to the original unmodulated signal; for live voice transmissions no such pairing is feasible for the censor, rendering statistical detection unrealizable in practice.
-
The paper's threat model explicitly assumes censors can enforce client-side VoIP software (e.g., TOM-Skype in China) giving the adversary access to the pre-encoding audio signal at both endpoints. Despite this, SkypeLine forces the censor into an all-or-nothing position: intercepting hidden data requires blocking the entire VoIP service, since no network-layer observable (packet headers, timing, encrypted payload) distinguishes steganographic from legitimate calls.
-
SkypeLine's m-ary modulation (Mode B using 128-bit Hadamard sequences) achieves a peak data rate of 2,407 bps, representing a 12,035% improvement over FHSS-based DSSS (Takahashi et al., 20.5 bps) and 19,256% over phase-coding techniques (Nutzinger et al., 12.5 bps). Four-layer parallel binary modulation (Mode A, Quattro) achieves a peak of 224 bps and mean of 106.61 bps at ≥99% reconstruction accuracy.
-
A Skype prototype operating under real-world conditions achieves 64 bps (WGN noise, no ECC) at ≥99% reconstruction accuracy and ≥23 dB SNR. With OPUS/Silk encoding (vector quantization), throughput is constrained to approximately 72 bps at two modulation layers; additional layers fail to satisfy the 99% accuracy bound because VQ codec noise reduction filters the embedded pseudo-noise sequences.
-
Wireshark captures of Skype traffic with and without hidden information at inaudible SNR show no statistically significant differences in inter-arrival times (mean IAT 0.019 s in all conditions) and only a 2.6% difference in mean packet length (130.34 bytes unmodulated vs. 126.98 bytes at inaudible SNR), well within one standard deviation (SD ≈ 12–14 bytes) and insufficient for reliable content-mismatch detection.
-
By transmitting application-level social media content over genuine SMTP/IMAP connections rather than imitating email protocols, Mailet achieves channel and content consistency, making it immune to the differential channel attacks — channel mismatch and content mismatch — that defeated earlier hide-within systems such as StegoTorus and Freewave.
-
Mailet resists proxy enumeration because clients communicate exclusively through widely-used email hosting providers over standard POP3/SMTP/IMAP ports; no direct client-to-Mailet-server connection ever exists, so even if a censor learns a Mailet server's IP address, blocking it requires blocking all email to major providers — collateral damage that is politically infeasible.
-
Mailet's GCM-based Credential Recovery (GCM-CR) achieves a 120x speedup over traditional garbled-circuit 2PC for privately reconstructing split credentials inside a live TLS record, enabling a single Mailet server to support up to 200 simultaneous sessions with each service request completing in approximately 1 second.
-
Mailet clients' daily email traffic patterns remained within the normal range of genuine email users, validated against the Enron dataset (517,425 emails, 151 users) combined with simulated Twitter usage patterns from 100 randomly sampled accounts, demonstrating that per-user daily email frequency is a poor Mailet detector with high false-positive and false-negative rates.
-
Mailet's (2,2)-threshold credential scheme distributes a user's social media credential as Cred1 ⊕ Cred2 across two randomly chosen servers; an adversary corrupting fraction ρ of the server pool has at most probability ρ² of compromising both servers for a given user, and under standard AES assumptions a single compromised server leaks no information about the credential beyond its length.
-
Matryoshka achieves an average covert rate of ~3 bits/word after human enhancement; for a 5-word hidden message averaging 5.5 characters per word, the final enhanced stegotext is approximately 73 words. This is roughly 10× the covert rate of Spammimic (~0.3 bits/word), the prior leading approach.
-
After crowdsourced (MTurk) enhancement, 88% of stegotexts on average pass a One-Class SVM trained on 150K sentences from Wikipedia, Brown, and Reuters corpora as natural language; pre-enhancement, only 25–58% pass. For calibration, the same classifier correctly rejects 97% of randomly generated sentences as non-natural-language.
-
A mixed Huffman codebook combining character-level coding with explicit entries for the 300 most frequent English words (covering ~65% of written material) achieves a 52% compression ratio on average across 4,825 sentences of 4–15 words—7 percentage points better than a character-only alphabet—directly increasing the covert bits available per output word.
-
Users required 4.0–5.8 minutes on average to enhance a stegotext into natural language across three experiments, inserting 4–8 extra words per sentence; this is comparable to the time required to write a short email. The random-word-selection baseline consistently required more time and inserted more words, confirming that n-gram-guided word choice meaningfully reduces human editing burden.
-
The Viterbi-based probabilistic decoder achieves zero character error rate on 96%, 93%, and 95% of decoded messages across the three corpora experiments (dreams, animals, facebook). For the small fraction of failures, only 15% of characters on average were corrupted rather than total message loss.
-
Measured data overhead when loading web pages across four circumvention channels over DSL: instant messaging (Skype text) added 39% overhead, email added 107%, file sharing (Dropbox) added 272%, and VoIP audio modulation added an 84× overhead. Latency was lowest for instant messaging; VoIP latency was dominated by its limited 1200-baud audio encoding bandwidth.
-
Blocking all homophones of 422 censored keywords would generate approximately 47,000 false-positive weibos per day per keyword, totaling roughly 20 million false positives daily — approximately 20% of Sina Weibo's daily message volume — making blanket homophone blocklisting operationally infeasible without massive collateral censorship of innocent traffic.
-
Homophone-transformed weibos lasted on Sina Weibo an average of 3.94 hours (σ=5.51) before removal, versus 1.3 hours (σ=1.25) for unaltered originally-censored posts — a threefold difference (W=1830, p<0.01) — while ultimate censorship rates were not significantly different between conditions.
-
Falling back to human review to defeat the homophone technique would cost the Sina Weibo censorship apparatus more than 15 additional human-hours per day per censored keyword — derived from an efficient censorship worker reading approximately 50 weibos per minute (Zhu et al. 2013) applied to ~47,000 daily false-positive matches per keyword — a burden that scales with the number of simultaneously banned keywords, which may number in the thousands.
-
Replacing censored keywords with algorithmically-generated homophones increased the initial publication rate on Sina Weibo from 90.79% for unaltered posts to 94.74% for transformed posts (χ²=6.219, p=0.01), demonstrating that the technique successfully bypasses automatic keyword matching at the publication gate even when posts are ultimately censored at similar rates.
-
Native Chinese-speaking Amazon Mechanical Turk workers understood the content of 605 out of 608 homophone-transformed posts (99.51%), with only 2.85% of all impressions (52/1,824) reporting difficulty; workers unable to identify transformed keywords were significantly more likely to report confusion (p<0.001 for original keywords, p=0.03 for transformed keywords).
-
Rook constructs per-field symbol tables by observing 600 packets (~60 seconds) of real gameplay at session start, then restricts substituted values to only those previously observed with frequency within two orders of magnitude of the median. This ensures altered packets never contain field values that are absent or anomalously rare in legitimate traffic, defeating value-anomaly and out-of-range DPI filters.
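The symbol-table restriction described above, as an added sketch (not code from the Rook paper or from this page): the sample field values, the power-of-two truncation and the index-based bit mapping are assumptions made for illustration.

```python
from collections import Counter
from statistics import median

# Constructed sample: 600 observations of one mutable packet field.
# Value 999 appears once, i.e. it is legitimate but anomalously rare.
OBSERVED = [10] * 150 + [20] * 150 + [30] * 150 + [40] * 149 + [999]


def build_symbol_table(observed, spread=100):
    """Keep values whose count is within `spread`x (two orders of
    magnitude) of the median count; return (table, bits_per_packet)."""
    counts = Counter(observed)
    med = median(counts.values())
    kept = [v for v, c in counts.items() if med / spread <= c <= med * spread]
    if len(kept) < 2:
        raise ValueError("not enough common values to carry data")
    bits = len(kept).bit_length() - 1
    # Assumption: keep the 2**bits most frequent values, then sort them so
    # both endpoints index the table identically.
    kept.sort(key=lambda v: (-counts[v], v))
    return sorted(kept[: 1 << bits]), bits


def encode(message, table, bits):
    """Map each `bits`-sized chunk of the message to a table value."""
    bitstr = "".join(f"{b:08b}" for b in message)
    bitstr += "0" * (-len(bitstr) % bits)  # zero-pad the final chunk
    return [table[int(bitstr[i:i + bits], 2)] for i in range(0, len(bitstr), bits)]


def decode(values, table, bits, length):
    """Recover `length` message bytes from substituted field values."""
    index = {v: i for i, v in enumerate(table)}
    bitstr = "".join(f"{index[v]:0{bits}b}" for v in values)[: length * 8]
    return bytes(int(bitstr[i:i + 8], 2) for i in range(0, len(bitstr), 8))


def value_anomalies(values, baseline, min_count=2):
    """What a value-anomaly filter would flag: field values that are
    absent from, or rarer than `min_count` in, baseline traffic."""
    counts = Counter(baseline)
    return [v for v in values if counts[v] < min_count]


def demo():
    table, bits = build_symbol_table(OBSERVED)
    sent = encode(b"hi", table, bits)
    return {
        "table": table,
        "bits": bits,
        "sent": sent,
        "received": decode(sent, table, bits, 2),
        "flagged": value_anomalies(sent, OBSERVED),
    }


if __name__ == "__main__":
    print(demo())
```

The rare value 999 never enters the table, so a filter keyed on unseen or rare field values has nothing to flag; detection has to come from sequence-level statistics instead, such as the trigram analysis mentioned elsewhere in this list.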
-
Rook achieves 34 bits/second client-to-server and 26 bits/second server-to-client within Team Fortress 2, sufficient for OTR-encrypted real-time chat. Rook use did not trigger Valve Anti-Cheat warnings and did not noticeably degrade gameplay for co-located legitimate players.
-
Kolmogorov-Smirnov two-sample tests on packet-size distributions and inter-packet timing show that standard Rook (altering ~1-in-10 packets) is statistically indistinguishable from normal TF2 gameplay across 20 samples each. High-bandwidth Rook (1-in-2 packets) shows a slightly higher average bandwidth but remains difficult to distinguish on traffic-shape metrics.
-
Because Rook runs the actual game client and server rather than mimicking them, active anti-mimicry probes receive identical responses to a normal game instance. Systems based on protocol mimicry are vulnerable to probes that expose non-conforming behavior, but Rook eliminates this attack surface entirely.
-
Game-specific trigram analysis of mutable fields distinguishes high-bandwidth Rook (1-in-2 substitution rate) in server-side packet counts, showing clearly reduced distinct-trigram counts versus baseline. Standard Rook (1-in-10) produces only a few outliers and is not reliably distinguishable; any detector would face a high false-negative or false-positive rate against normal-rate Rook.
-
The paper acknowledges that modern blind steganalysis tools combining first- and second-order statistical classifiers (e.g., SVM-based universal steganalysis) are likely capable of detecting TRIST-embedded images, though this was not experimentally verified. The authors note these attacks rely on large feature vectors and are computationally more expensive than histogram or blockiness attacks, but do not claim invulnerability.
-
TRIST evades the self-calibrated blockiness detector — proven effective against OutGuess — by embedding at JPEG quality 30 and then transcoding the steg image up to quality 90 before transmission. This renders the blockiness-based message length estimator unreliable across the full range of message lengths from 0 to approximately 39 KB, as shown over 20 cover images from the BOSS dataset.
-
By embedding messages in heavily quantized DCT frequency components at base JPEG quality 30, TRIST achieves near-zero bit error rates when images are transcoded to higher quality levels and back. The quantization mapping is many-to-one, so noise introduced by re-encoding tends to be stabilized on output, making the message robust against commodity transcoding proxies that re-encode images in-flight.
-
Using low DCT frequency components (indices 10, 9, 8, 3) at JPEG quality 30 achieves near-zero message error rates for image rescaling in the 75–95% range across a wide range of sharpening sigma values. Higher-frequency component sets (indices 18, 17, 16, 10) only survive rescaling above 100%, making them unsuitable for scenarios where censors reduce image dimensions.
-
TRIST integrated with StegoTorus as a one-hop SOCKS proxy introduces minimal additional bandwidth overhead: JPEG steganography throughput falls between StegoTorus's PDF and JSON schemes across link delays of 20–400 ms and 1–4 parallel circuits. The steganographic expansion factor is 1:6 to 1:12 (message bytes to cover JPEG file length), adequate for basic web surfing.
-
Facade encodes 78.04 bits per HTTP GET request using search-query terms, compared to Infranet's 3 bits per URL — a ~26× improvement — while maintaining comparable statistical deniability. StegoTorus encodes 12,000 bits per URL but offers no statistical deniability against traffic-pattern analysis.
-
Facade faces an inverse tradeoff between upstream throughput and deniability: pure search encoding maximizes bits per request (78.04 bits) but does not reflect real user click behavior, while mixing in click-range mapping (lg(k) bits per URL, k=8 → 3 bits) reduces throughput but better models normal browsing. Neither pure strategy is optimal; the design requires tuning the search-to-click ratio.
-
Analysis of the AOL search corpus shows an average search query length of 17.42 bytes with an entropy of 4.48 bits/byte, yielding 78.04 bits of deniable information per HTTP GET request. This entropy matches real user search behavior, making entropy-based traffic analysis unable to distinguish Facade traffic from genuine search sessions.
-
A single Facet server with 15 Mbit/s bandwidth and 4 virtual CPU cores supports up to 20 simultaneous video-streaming sessions. Server-side downstream bandwidth consumption is approximately 150 kbit/s lower than a Squid HTTP proxy for equivalent video quality (240p), because Facet fetches only the video stream without page overhead such as advertisements and images.
-
Without traffic morphing, a χ² packet-length classifier can identify 90% of Facet (video-over-Skype) sessions with only a 10% false positive rate on genuine videoconferencing. To block 80% of Facet connections, the censor need only disrupt 4% of genuine Skype calls; blocking 70% requires disrupting only 2%.
-
Facet's video morphing — embedding the requested video in a fraction s of H.264 macroblocks within a randomly chosen chat video — raises the censor's required false positive rate dramatically. At steganography level s=0.125, blocking 90% of Facet connections requires disrupting over 40% of genuine videoconferencing traffic; blocking 80% requires disrupting at least 20% of legitimate calls.
-
Known attacks on existing circumvention tools include steganographic detection, enumeration of decoy-router locations, and machine-learning traffic classifiers. The paper acknowledges these defeat current approaches (Infranet, Collage, Telex, SkypeMorph, Freewave) and argues that no iterative patch can neutralize the censor's long-term structural advantage.
-
Asymmetric IP routing is a fundamental constraint on prior E2M designs: tier-2 ISPs typically see around 25% of packets on asymmetric paths, while tier-1 ISPs can have up to 90% of packets on asymmetric flows. Because Telex requires observing both directions of a connection to derive the client-server TLS master secret, this asymmetry severely constrains where it can be deployed. TapDance resolves this by using chosen-ciphertext steganography to leak the master secret from client to station in a single upstream packet, making it functional under fully asymmetric routing.
-
TapDance introduces chosen-ciphertext steganography, which allows the client to embed an arbitrary-length hidden message inside a valid TLS ciphertext without invalidating the TLS MAC or session. By exploiting ciphertext malleability in both stream-cipher (counter) mode and CBC mode, the client can choose specific byte values to appear in the ciphertext while constraining plaintext to a safe ASCII range (0x40–0x7F), encoding 6 bits of tag data per ciphertext byte. This provides unbounded covert-channel bandwidth, compared to the fixed 224-bit TLS nonce used by Telex and Decoy Routing or the 24-bit TCP ISN used by Cirripede.
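The stream-cipher case of the encoding described above, as an added sketch (not code from the TapDance paper or from this page): the SHA-256 counter-mode keystream stands in for the TLS cipher, and all function names, keys and the sample tag are constructed for illustration. The CBC case is not covered.

```python
import hashlib


def keystream(key, nonce, length):
    """Stand-in stream cipher (assumption): SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def tag_to_sextets(tag):
    """Split the tag into 6-bit groups, zero-padding the last group."""
    nbits = len(tag) * 8
    pad = -nbits % 6
    bits = int.from_bytes(tag, "big") << pad
    n = (nbits + pad) // 6
    return [(bits >> (6 * (n - 1 - i))) & 0x3F for i in range(n)]


def sextets_to_tag(sextets, tag_len):
    """Inverse of tag_to_sextets for a tag of known length."""
    bits = 0
    for s in sextets:
        bits = (bits << 6) | s
    pad = len(sextets) * 6 - tag_len * 8
    return (bits >> pad).to_bytes(tag_len, "big")


def choose_plaintext(tag, ks):
    """Client side: pick plaintext bytes so the ciphertext carries the tag.
    The top two plaintext bits are fixed to 01 (range 0x40-0x7F); the low
    six bits are set so that (plaintext XOR keystream) & 0x3F == sextet."""
    sextets = tag_to_sextets(tag)
    if len(ks) < len(sextets):
        raise ValueError("keystream shorter than encoded tag")
    return bytes(0x40 | ((s ^ k) & 0x3F) for s, k in zip(sextets, ks))


def encrypt(plaintext, ks):
    """Ordinary stream encryption. Only the plaintext was chosen, so the
    record can be encrypted and authenticated as usual."""
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def extract_tag(ciphertext, tag_len):
    """Station side: read the low six bits of each ciphertext byte.
    No session key is needed to read the tag itself."""
    n = -(-tag_len * 8 // 6)  # ceil(bits / 6)
    return sextets_to_tag([c & 0x3F for c in ciphertext[:n]], tag_len)


def demo():
    # Constructed values. In the real protocol the tag is indistinguishable
    # from random bytes; a fixed pattern is used here for readability.
    tag = bytes.fromhex("00112233445566778899aabbccddeeff")
    ks = keystream(b"constructed-session-key", b"constructed-nonce", 22)
    pt = choose_plaintext(tag, ks)
    ct = encrypt(pt, ks)
    return tag, pt, ct, extract_tag(ct, len(tag))


if __name__ == "__main__":
    tag, pt, ct, recovered = demo()
    print(pt, ct.hex(), recovered == tag)
```

A 16-byte tag occupies 22 ciphertext bytes, which is the 6-bits-per-byte rate quoted above; the top two bits of each ciphertext byte are still masked by the keystream.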
-
FreeWave over Skype reliably achieves 16 kbps for clients in Berlin, Frankfurt, Paris, and the UK (0% packet drop) and 19.2 kbps for Chicago, IL (0.01% drop), using 4-QAM with 8–9.6 kHz symbol rate and rate-0.5 Turbo channel coding. The maximum achievable bit rate is hard-bounded by the VoIP codec's sampling rate: 40 kbps for Skype SILK, 64 kbps for G.711, and 128 kbps for the L16 codec.
-
The authors enumerate 12 requirements a parrot system must satisfy simultaneously (Correct, SideProtocols, IntraDepend, InterDepend, Err, Network, Content, Patterns, Users, Geo, Soft, OS) while a censor need detect only one failure. They conclude 'unobservability by imitation is a fundamentally flawed approach' and recommend embedding covert traffic in genuine encrypted payloads of a real running protocol (e.g., FreeWave in Skype voice, SWEET in email), which constrains detection to OM adversaries performing large-scale multi-flow analysis.
-
Over 72 days, the authors observed 814,667,299 blog posts (average 11,314,823/day; peak 13,083,878/day). To blacklist all potential MIAB drop points, a censor would need to block 33,361,754 FQDNs (5% of all web servers per Netcraft) or 1,803,345 second-level domains (1.4% of global domain registrations); even a fully-maintained static blacklist retains an 11–12% daily miss ratio as new blogs appear.
-
MIAB reduces the bootstrap requirement to only the operator's public key — no pre-shared rendezvous point is needed — by using blog pings as a real-time broadcast discovery channel. Since every blog post on the Internet is a potential drop point, the censor cannot enumerate entry points by posing as a legitimate user, unlike Collage (requires an up-to-date task database) or Telex (requires ISP collaboration).
-
A single modern machine with a fast domestic Internet connection can process the full blog-ping stream within the 5-minute ping-server release interval: steganographic extraction takes 2m:51s, RSA decryption 2m:35s, and image fetching 4m:17s (parallelizable with extraction), completing under 5 minutes at under 90% CPU. A single machine accommodates 15–20 million posts per day; serving Iran's entire population blogging daily would require only five machines.
-
All trained ML classifiers (K-NN, Naive Bayes, ANN, SVM, vote ensemble) performed at near-chance levels when distinguishing RSA-encrypted stego messages from clean photos — best precision 52.05%, best meaningful recall 61.52% (K-NN on clean class). The authors attribute this to embedding only a few hundred bytes into cover photos hundreds of KB in size, with natural image entropy in noisy pixel regions being empirically indistinguishable from RSA-ciphertext statistics.
-
For a Collage-style system with T forward-security time intervals and k rendezvous-point identities (e.g., k popular Flickr hashtags), standard public-key steganography requires distributing kT public keys, whereas an IBST-based solution requires distributing only 1 master public key. This reduction is exact — the paper states it verbatim as an efficiency argument.
-
Key distribution is the primary bootstrapping weakness of steganography-based censorship-resistance systems: a censor can simply block stego-key distribution. Identity-based steganographic tagging (IBST) eliminates this attack surface by requiring only a single master public key, which can be bundled with the client software — no key distribution inside the censored area is necessary.
-
The IBST construction is provably secure under the bilinear decisional Diffie-Hellman (BDDH) assumption in the random oracle model. Any adversary with advantage ε(λ) against IBST indistinguishability implies an adversary against BDDH with advantage at least ε(λ) / (e·(1 + q_E)), where q_E is the number of private-key extraction queries. Tags produced by the scheme are computationally indistinguishable from uniform random bitstrings for any party lacking the recipient's private key.
-
Replacing Telex's original stego-tagging with the IBST scheme and using time periods as identities achieves eventual forward security with arbitrarily short rotation intervals. The key material a client needs after a master-key rotation is only the new master public key — 'a few hundred bytes' — small enough to fit in covert channels such as steganographic images, avoiding the original Telex design's problem of large bundled key sets expiring before a client updates its software.
-
When using a domestic email provider that collaborates with the censor (DomesticMail), SWEET clients must embed tunneled data via steganography (image or text) and coordinate a secondary secret email account with the SWEET server out-of-band. This prevents the censor from discovering the SWEET server association via recipient-field inspection, but adds operational complexity and requires an out-of-band bootstrapping channel.
-
Traffic analysis poses a concrete throughput ceiling: a conservative SWEET user can perform only 35–70 web downloads per day or 10–20 interactive web sessions while staying within the bounds of normal email volume (2012 averages: 35 sent, 75 received daily). Most websites require fewer than 3 SWEET emails in each direction, with Yahoo as an outlier due to its many hosted objects.
-
Keyword blocking has limited effect because users evade it through homophones (e.g., 'river crab' substituting for 'harmonious society'), homographs, analogies, metaphors, and satire; the Chinese character-based writing system provides particular affordances for this evasion. Chinese social media is distributed across approximately 1,382 sites following a power-law distribution, with blog.sina alone accounting for 59% of posts, creating highly variable enforcement across the long tail of local sites.
-
NET payloads are wrapped in three nested layers — (1) steganographic encoding plus transport encryption with a factory digital signature, (2) proof-of-life (CAPTCHA), and (3) proof-of-work (computational puzzle) — so that even an adversary who harvests many payloads cannot decode them faster than gateway addresses can be rotated. The payload format is explicitly extensible to add harder challenges as adversaries improve.
-
The mod_freedom Apache module hooks into the HTTP 404 ErrorDocument handler and steganographically embeds encrypted NET payloads in image responses to valid RP requests, while returning normal content to all other clients. Using Identity-Based Encryption (IBE, Boneh-Franklin) keyed on the server's hostname eliminates any need for out-of-band public-key distribution and allows deployment on thousands of volunteer webservers without mutual trust.
-
CensorSpoofer decouples the upstream channel (URLs hidden via steganography in IM/Email) from the downstream channel (web content injected into spoofed UDP/VoIP flows), so the proxy's real IP is never revealed to any user. This asymmetric architecture provides perfect insider-attack resistance: even if all users are compromised, they can only learn cover dummy-host IPs, not the spoofer's address.
-
The StegoTorus HTTP module degrades severely with network latency: it can sustain only a 50 kB/s stream at latencies below 200 ms and fails entirely at higher rates or latencies, because the HTTP request-response pattern transfers only one or two 512-byte Tor cells per round-trip. Plain Tor and chopper-only StegoTorus show no measurable throughput degradation at latencies up to 450 ms. Increasing parallel HTTP connections improves low-latency throughput but does not recover high-latency performance.
-
HTTP steganography in StegoTorus expands upstream traffic by a factor of 41× and downstream by 12× compared to a direct connection (uploading 966,964 bytes vs. 23,643 bytes to transfer a 1 MB file). Chopper-only operation adds only ~2.7× upstream overhead, comparable to plain Tor. Maximum achievable goodput with the HTTP module is ~27 kB/s (~4× a 56 kbps modem), which the authors attribute to a minimum expansion factor of 8× inherent in contemporary steganographic schemes.
-
A naive-Bayes website-fingerprinting classifier achieves AUC > 0.94 against vanilla Tor for 8 of 9 Alexa top-ten sites (e.g., Wikipedia 0.9991, YouTube 0.9947). Against StegoTorus-HTTP, AUC drops to ≤ 0.75 for 7 of 9 sites (YouTube 0.4125, Facebook 0.5413, Google 0.6928), which the authors argue is too low for practical perimeter-scale deployment where near-perfect precision is required to avoid error floods.
-
StegoTorus distributes a fixed set of packet traces and HTTP covertext databases with the software, but allows users to record their own; classifiers trained on the distributed covertext will not generalize to user-generated databases. The paper further notes that reusing a small number of traces repeatedly creates a statistical fingerprint because censors can learn conversation patterns from packet sizes and timings alone, implying that trace diversity must be maintained over time.
-
On a 2011 MacBook Air (1.86 GHz Core 2 Duo), #h00t achieves 3,610 encryptions/second and 15,590 decryptions/second (Table 2). Twitter's peak load at the time was 6,939 tweets/second, meaning full-service encryption at peak would require at most two commodity machines. The authors conclude that computational overhead is negligible and bandwidth is the binding constraint.
-
#h00t achieves censorship resistance by truncating a key-derivation-function output to k bits to produce a 'short tag', deliberately inducing collisions across unrelated groups. A censor cannot block a targeted group's short tag without simultaneously blocking all colliding groups — including innocuous, high-traffic ones — forcing heavy-handed censorship that creates domestic blowback. The design provides plausible deniability: subscribers can claim they follow a foreign pop star rather than a dissident group.
-
Against an attacker with 2^10 CPU cores running ~2^17 to 2^18 decryptions/second per core, plain tags require at least 47 bits of entropy to survive one week of brute force. A single dictionary word plus 7 decimal digits yields only 38.5 bits and can be cracked in ~20 minutes; two dictionary words plus 7 digits yields ~53.8 bits, requiring over two years. The authors note that SHA-1 was used in the prototype for performance reasons and recommend scrypt for production deployments.
-
Even with end-to-end encrypted messages, a censor observing subscription queries can detect anomalous interest in a short tag (e.g., a sudden domestic surge in followers of a foreign pop star's hashtag) and use timing/size traffic analysis to distinguish #h00t subscriptions from ordinary hashtag follows. The paper flags this as an open threat and proposes two mitigations: (1) push cover traffic for randomly selected short tags to all clients regardless of their actual subscriptions, or (2) silently redirect normal clients' hashtag follows to the corresponding #h00t short tags.
-
Telex embeds steganographic tags in TLS ClientHello nonces using elliptic-curve Diffie-Hellman, placing proxy stations at ISP level on paths between the censor's network and popular uncensored destinations. Because the cover destinations are ordinary popular HTTPS websites, the censor cannot block Telex without simultaneously blocking a large class of legitimate TLS traffic — converting the censor's own reluctance to over-block into an unblockability guarantee.
-
Collage's threat model identifies the censor's two most dangerous capabilities as: (1) aggregate traffic-flow analysis (e.g., NetFlow statistics) to detect anomalous access patterns to specific content hosts, and (2) joining the system as a sender or receiver to discover content locations and mount denial-of-service or deniability attacks. The censor is assumed to monitor all egress traffic but is modeled as computationally limited against joint statistical distributions across arbitrary user pairs.
-
Rateless erasure coding with ε=0.01 adds only a 0.5% storage and traffic overhead. Consistent hashing of message identifiers to task-database entries ensures that when 50% of tasks are replaced, sender and receiver still share at least one task if three or more tasks are mapped per identifier. At a 10× send rate, message recovery succeeds even if 90% of published vectors are blocked.
-
The paper demonstrates that no single steganographic algorithm can provide both availability and deniability, since almost all production algorithms have been broken and steganography alone does not hide the identities of communicating parties. Collage addresses this by treating the embedding algorithm as a swappable component in a layered architecture—vector layer, message layer, application layer—so that compromise of the embedding scheme does not compromise the system, and stronger algorithms (e.g., digital watermarking) can be substituted as they mature.
-
Production steganography tools achieve encoding rates of 0.01–0.05 (fraction of cover-medium bytes available for hidden data), yielding 20–100× increases in storage, traffic, and transfer time relative to the raw message. A 23 KB one-day news summary requires approximately 9 JPEG photos (~3 KB data per photo plus encoding overhead) and takes under 1 minute to retrieve over a fast connection; over an unreliable broadband wireless link the same message was received in under 5 minutes with sender time under 1 minute.
-
Collage leverages platform-scale user-generated content—Flickr's 3.6 billion images with 6 million new per day and Twitter's ~500K tweets/day as of 2009—as a covert channel substrate. Because the censor cannot block all UGC platforms simultaneously without removing massive amounts of legitimate content, the system achieves availability and user deniability that fixed-infrastructure proxies (e.g., Tor relays) cannot: accessing Flickr or Twitter does not implicate the user as a circumvention tool operator.
-
Undetectability of a message requires that it be indistinguishable from 'random noise' — an attacker cannot sufficiently distinguish whether the message exists or not. This is distinct from anonymity, which protects only the relationship between an IOI and a subject, not the IOI's existence itself. Undetectability is possible only for subjects not involved in the IOI; senders and recipients cannot achieve it against each other.
-
The paper establishes a strict property hierarchy: unobservability ⇒ anonymity, and sender/recipient anonymity ⇒ relationship anonymity. Unobservability is strictly stronger than anonymity because it additionally requires undetectability against all uninvolved subjects — the IOI's very existence must be hidden — while anonymity only hides the subject's relationship to the IOI.
-
SkyF2F tunnels censored traffic through Skype's encrypted overlay network, forcing the censor into an all-or-nothing dilemma: blocking SkyF2F requires blocking Skype entirely, which causes actual economic damage to businesses and users who depend on it. Because Skype users are identified by pseudonym and all messages are routed to overlay addresses rather than Internet addresses, IP-based blocking, DNS filtering, port blocking, and keyword filtering are all rendered ineffective.
-
For a secure steganographic system the embedding ratio is at least 1:10, meaning 1 MB of web content requires 10 MB of transmitted cover data; for a system robust against active attacks (e.g., StirMark bilinear distortions) the ratio is probably 1:100. A censor need not break the steganographic algorithm with high accuracy — suspicion alone is sufficient, since the censor can probe suspected nodes directly by acting as a blockee.
-
The protocol between blockee and volunteer forwarder is designed to be transport-layer independent from the outset, allowing substitution of plain TCP with SSL tunnels, SMTP, or steganographic channels as the censor escalates detection. The system is intentionally deployed in a weak initial form to observe how quickly and in what manner the censor adapts, then hardened iteratively based on measured censor behavior.