All prior provably-secure steganography methods introduce measurable distribution distortion: ADG achieves Max KLD of 4.54E-02 to 6.76E-02 bits/token, and Meteor with its heuristic sorting reaches Max KLD up to 9.01E+00 bits/token (Table II, GPT-2, p=0.80). These non-zero KL divergences give any statistical steganalyzer a non-negligible distinguishing advantage, violating the security definition even when average divergence appears small.

Discop's core algorithm is modality-agnostic and deploys unchanged across text generation (GPT-2, DistilGPT-2, Transformer-XL), image completion (Image GPT), and text-to-speech (Tacotron + WaveRNN), requiring only that both parties share the generative model, PRNG, and seed. The same zero-KLD security proof applies across all modalities.

§IV defense

Discop with Huffman-tree recursion achieves entropy utilization of 0.92–0.94 (bits embedded ÷ entropy available) and an embedding capacity of 3.48–5.29 bits/token across nucleus-sampling parameters p=0.80–0.98 with GPT-2, matching or exceeding ADG (0.78–0.84 utilization, 3.07–4.89 bits/token) while maintaining exactly zero KL divergence. Per-bit embedding time is 2.17E-03 to 5.52E-03 seconds, comparable to ADG.

§V, Table II evaluation

Discop achieves provably perfect steganographic security (DKL(Pc‖Ps) = 0) by constructing multiple 'distribution copies' of a generative model's predicted distribution and using the copy index to encode the secret message. Because all copies share identical token probabilities, the stego distribution is exactly equal to the cover distribution and no steganalyzer can perform better than random guessing.

§III defense

Replacement-based covert channels that substitute genuine media streams with ciphertext (Protozoa replacing WebRTC video, Balboa replacing audio) are immediately detectable when the censor controls or has plaintext access to the protocol gateway — for example, a WebRTC relay that decrypts and validates incoming media. Censors can also systematically suppress these channels by selectively degrading or blocking encrypted traffic for which they have no decryption trapdoor.

§I detection

NATA (Non-invasive Active Traffic-correlation Analysis) injects low-frequency bandwidth waveforms (sinusoidal, square-wave, triangular) into Tor TCP connections at an upstream gateway without endpoint compromise, payload decryption, or Tor-browser modification. BM-Net, a selective state-space classifier trained on the exit-side observations, achieves a 99.65% binary detection F1 score distinguishing watermarked from natural traffic on a 20,000-trace real-world dataset.

2026-fan-activeflowmark-assessing-tor §IV, §VI.D, Table III flow-correlationtraffic-shapeml-classifier

BM-Net achieves a 99.65% binary detection F1 score for distinguishing bandwidth-watermarked Tor flows from natural traffic, outperforming all evaluated baselines (next best: TikTok at 75.96% F1). The accuracy gap stems from active perturbation imposing a deterministic low-frequency throughput constraint rather than relying on subtle natural metadata, making the detection task fundamentally easier than passive website fingerprinting.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III–IV flow-correlationtraffic-shapeml-classifier

BM-Net achieves a 99.65% binary detection F1 score distinguishing watermarked from natural Tor flows, and a 97.5% macro-F1 score for fine-grained modulation classification across sinusoidal, square-wave, and triangular patterns. The fine-grained test set contains 201 held-out samples collected from ten clients across five geographic regions (Europe, North America, Australia, Southeast Asia, East Asia), with training traces including traffic collected under WTF-PAD and Walkie-Talkie defenses.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III, Table V flow-correlationml-classifiertraffic-shape

BM-Net achieves a 97.5% macro-F1 score for fine-grained classification of three modulation geometries (sinusoidal, square-wave, triangular) from noisy exit-side Tor observations using only 201 labeled test samples collected across cross-continental Tor paths. Residual errors concentrate between natural traffic and square-wave modulation, as abrupt low-rate transitions are partially smoothed by Tor multiplexing and network jitter.

2026-fan-activeflowmark-assessing-tor §VI-D, Table V flow-correlationml-classifiertraffic-shape

Fine-grained modulation classification (natural vs. sinusoidal vs. square-wave vs. triangular) achieves 97.5% macro-F1 on a 201-sample held-out test set. Square-wave waveforms are the hardest class (F1 = 95.7%), while sinusoidal and triangular each reach 99.0% F1, because abrupt square-wave transitions are partially smoothed by Tor multiplexing and network dynamics.

2026-fan-activeflowmark-assessing-tor §VI.D.2, Table V flow-correlationtraffic-shapeml-classifier

The host-profiling censor (passive traffic analysis: count connections per server, block those exceeding a threshold τ within a window w) blocks essentially all circumvention user traffic within 30 time steps for all classifier qualities tested (ρ_TP ∈ {0.9, 0.95, 0.99}), while causing far less collateral damage than zig-zag (never exceeding ~30% innocent server blocking). Snowflake resists this attack well: with w=3, τ=3, over 94.48% of users receive a proxy within 2 steps even with worst-classifier rules, and final unblocked server rates are 91.24–99.04%. The host profiling approach is feasible for passive censors who cannot enumerate the distribution channel.

2026-fares-game §5.2, Table 2, Table 3 traffic-shapeml-classifier