1 Introduction
In the history of cryptography, a grille cipher was a technique for encrypting a plaintext by writing it onto a sheet of paper through a pierced sheet (of paper or cardboard or similar) [1]. The earliest known description is due to the polymath Girolamo Cardano, known in French as in 1550. His proposal was for a rectangular stencil allowing single letters, or words to be written, then later read, through its various apertures. The written fragments of the plaintext could be further disguised by filling the gaps between the fragments with anodyne words or letters, as shown in Fig. 1[2]. This variant is also an example of steganography, as are many of the grille ciphers.
The Cardan grille was invented as a method of secret writing. The word cryptography became the more familiar term for secret communications from the middle of the 17th century. Earlier, the word steganography was common. The other general term for secret writing was cipher. Sir Francis Bacon gave three fundamental conditions for ciphers. Paraphrased, these are[1]:
1. A cipher method should not be difficult to use;
2. It should not be possible for others to recover the plaintext;
3. In some cases, the presence of messages should not be suspected.
It is difficult to fulfil all three conditions simultaneously at that time. There is a modern distinction between cryptography and steganography. Condition 3 applies to steganography. Bacon meant that a cipher message should, in some cases, not appear to be a cipher at all. The original Cardan Grille met that aim. However, the original method is slow and requires literary skill. Above all, any physical cipher device is subject to loss, theft and seizure; so to lose one grille is to lose all secret correspondence constructed with that grille. Variations on the Cardano original, however, were not intended to fulfill condition 3 and generally failed to meet condition 2 as well.
Unfortunately, design a cipher scheme satisfying all these constrains is still a difficult problem so far. Cryptography try to converse a readable state to ciphertext which is apparent nonsense, and steganography try to make the ciphertext looks normal so that the presence of messages should not be suspected. The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. However, for a long time, the difficulty of constructing the ordinary letter made steganography nearly going to be information modification. These traditional steganography methods such as [3] and [4], by modifying the cover data to hide the information, did not strictly satisfy the condition 3, had to struggle against the steganalysis technique[5].
In this paper, we come back to the road of Cardan, a new generative cipher framework is proposed. We consider the new cipher as a constrained generation problem and take advantage of the recent advance in generative modeling. After a deep generative model,i.e., in our case an adversarial net work, is trained, we search for an encoding that is “closest”to the perfect ciphertext in latent ciphertext space. The encoding is then used to construct a ciphertext using generator. We define “closest” by a message loss to penalizes message extraction error, and a prior loss to penalizes unrealistic samples. A symmetric key called digital Cardan grille is used for both encryption and decryption. The realistic sample generation and key space, theoretically, guaranteed to meet the above three fundamental conditions. A practical cipher is proposed using image inpainting which is a particular application in image synthesis. Firstly, the corrupted image is taken as the cover, and the secret information is written to the area that needs to be remain unchanged with digital Cardan grille. The semantic image completion is realized by using the generative adversarial network with message loss and prior loss. The secret message is hidden in the reconstructed image after completion. The experiments on the image database confirms the promising of such simple method.
2 Related Work
Considering the respective advantages and disadvantages of steganography and cryptography, it is naturally to get an idea that combining them would simultaneously takes the advantages of steganography and cryptography while avoid the respective defects. In earlier work, there have been a lot of works applying this idea and one may refer to [6] and [7], but most of these methods do the encryption and hiding separately, they encrypt the secret information firstly and then hide them in the digital media. There has been fundmental work on provably secure steganography, Cachin [8] introduced an informationtheoretic model for steganography. Hopper etc. [9] have given a theoretical framework for steganography based on computational security. Le [10] presented ideas for improving the efficiency of scheme and Backes etc. [11] proposed a modification which makes the scheme secure against a more powerful active adversary. Ahn etc. [12] provided a formal framework for publickey steganography and to prove that publickey steganography is possible. Song etc. [13] proposed a method doing encryption and hiding at the same time, organically combining steganography and cryptography. This protocol is based on the LSB matching method in steganography and Boolean functions used in cryptography.
In Fridrich’s groundbreaking work of modern steganography [14], steganographic channel is divided into three categories, cover selection, modification and synthesis. steganography focus on the conditions 3 as show in above. Cover selection method does not modify the cover image, thereby avoiding the threat of the existing steganalysis technology. This method cannot be applied to practical applications because of its low payload. Cover modification is the most studied method so far. In terms of KL divergence as a security measure, it can only achieve security or the perfect security for a certain explicit model. Cover synthesis seems more consistent with the earlier Cardan grille. However, about ten years ago, this method is only a theoretical conception, rather than a practical steganography, because it is difficult to obtain multiple samples. With the help of texture synthesis, [15, 16] use the texture sample and a bunch of color points generated by secret messages to construct dense texture images. [17] improves the embedding capacity by proportional to the size of the stego texture image. Qian etc. [18] propose a robust steganography based on texture synthesis. Xue etc. [19] use marbling, a unique texture synthesis method that allows users to deliver personalized messages with beautiful, decorative textures for hiding message. This kind of texturebased methods are based on the premise that the cover may not represent the content in real world which is counterintuitive for steganography which objective is to maintain the nature content of the cover.
Fortunately, a databased sampling technique, generative adversarial networks (GANs) [20]
have become a new research hot spot in artificial intelligence. Recently, two types of designs have applied adversarial training to cryptographic and steganographic problems. Abadi
[21]used adversarial training to teach two neural networks to encrypt a short message that fools a discriminator. However, it is hard to offer an evaluation to show that the encryption scheme is computationally difficult to break. Instead of relying on manual password analysis, PassGAN
[22] uses a GAN to autonomously learn the distribution of real passwords from actual password leaks, and to generate highquality password guesses. Adversarial training has also been applied to steganography. Volkhonskiy etc.[23] first propose a new model for generating imagelike containers based on Deep Convolutional Generative Adversarial Networks (DCGAN[24]). This approach allows to generate more setganalysissecure message embedding using standard steganography algorithms,they do not measure performance against stateoftheart steganographic techniques making it difficult to estimate the robustness of their scheme.Similar to
[23], Shi etc.[25] introduce a new generative adversarial networks to improve convergence speed, the training stability the image quality. Similar to [21], Hayes [26] define a game between three parties, Alice, Bob and Eve, in order to simultaneously train both a steganographic algorithm and a steganalyzer. However Alice is still trained to learn to produce a steganographic image by LSB which is a traditional cover modification method. Tang etc.[27] propose an automatic steganographic distortion learning framework using a generative adversarial network, which is composed of a steganographic generative subnetwork and a steganalytic discriminative subnetwork. However, most of these GANbased steganographic schemes are still the cover modification techniques. These methods focus on the adversarial game between steganography and steganalysis while ignoring the core aim of the GAN is to build a powerful sampler.Since GAN’s biggest advantage is to generate samples, it is a intuitive idea to use GANs generate a semantic cipher from a message directly as the Cardan did. Some researcher made a preliminary attempt on this intuitive idea. Ke [28] proposed generative steganography method called GSK in which the secret messages are generated by a cover image using a generator rather than embedded into the cover, thus resulting in no modifications in the cover. Liu etc. [29] propose a method that using ACGANs [30]
to classify the generated samples, and they make the class output information as the secret message. In
[31], the secret message is written to the corrupted area of image that needs to be filled, then the corrupted stego image is fed into a Generative Adversarial Network (GAN) for stego generation.The proposed scheme in this paper can be considered as a steganographic scheme as well as a classical cryptographic scheme, so we call the proposed scheme a cipher scheme. Different from classical cryptography and cover modification steganography, ciphertext is sampled by a generator with constrains. In this paper, our main work is to take advantage of machine learning approach, a deep generative model by adverserial network, to implemente a classical cryptography(cardan grille). The content security of our proposed scheme is equivalent to classical Cardan grille cipher. To the best of our knowledge, we are the first to provide a formal framework for generative cipher and to prove that channel security is possible. In order to maintain consistency with modern stegonagraphy, we also use the term stego to denote the ciphertext in this paper. Our generative cipher can be also considered as a generative steganography. This paper has the following contributions:
1. We propose a practical datadriven framework call digital Cardan grille for cipher by learning a generator, ciphertext is directly sampled by a generator. This framework simplifies the design of cipher. Classical cipher design to a large extent be automated. It can also be applied to other media, such as text, video and other fields. This scheme is also a keydependent steganographic scheme adhere to Kerckhoffs’s principle.
2. A new criterion for channel security (steganography) is defined. A formal representation for cipher is proposed which figure out the connection between steganography and classical cryptography. We also give a toy example of cipher scheme to illustrate the relationship between classical cryptography and steganography.
3. Compared with texture synthesis methods, semantic image inpainting is used to ensure the logical rationality of cover contents. Compared with cover modification steganography, our method make the ciphertext distribution and real data distribution as close as possible, there is no specific original cover. Other image synthesis methods [32] based on the generative model can be easily converted into a cipher scheme using this framework.
The remainder of this letter is organized as follows: We detail the formal representation of cipher in the following section. Section IV show how to construct a cardboard grille ciphers using constrained image generation by GANs. Experiment results are demonstrated in Section V. Section VI concludes this research and details our future work.
3 Framework
The Generative Cipher (steganography) Framework (CCF) of this paper is shown in Fig. 2 as follows:
In this scenario, the sender create a stego carrier from a generator with message directly. The encryption algorithm actually turns into a cipher generation process. The secret key shared by both parties ensures the security of the message, the natural real degree of stego determines the security of the communication channel.
In this paper we consider the notion of generative steganography against adversaries that do not attempt to disrupt the communication between Alice and Bob (i.e., the goal of the adversary is only to detect whether steganography is being used and not to disrupt the communication between the participants). We show that secure cipher exists if any of several assumptions hold. Furthermore, we introduce a practical scheme that is secure under these assumptions. It is important to note that the shared key here is indispensable, in the case of active attack defined in steganography, if the adversary can easily get the key, then the communication is not safe.
3.1 Perfect Cipher Conditions
In this section, we formalize cipher algorithm. Ideally the cipher scheme should satisfy the following three fundamental conditions which in line with the idea of Sir Francis Bacon. We call these perfect cipher conditions, or PCC:
(1) 
(2) 
(3) 
where original information is known as plaintext, denotes the encrypted form as ciphertext. is the symmetric key shared by two parties. E(.) in condition (1) is a encryption algorithm of cipher, and D(.) is the decryption operation. and denotes the distribution of ciphertext and real data. PCC (1) and (2) make the framework close to classical cryptography, which was effectively synonymous with encryption, the conversion of information from a readable state to apparent nonsense. PCC (3) guarantees the security of communication channel which is aim of steganography. Therefore, our goal for perfect cipher algorithm is to find a cryptography that satisfying steganography condition .
A databased sampling technique, generative adversarial network (GAN) is to estimate the potential distribution of existing data and generate new data samples from the same distribution. If we can learn a powerful generator which satisfy the PCC (3), together with a classical cryptography, a perfect cipher solution can be achieved to protect both content and channel of the secret information. In this paper, inspired by the intuitive idea, we use generator of GAN to sample a semantic ciphertext driven by a message directly. We call this generative cipher or generative stegonoraphgy. In generative cipher, we not only require the , but also require the generator to satisfy the request for message extraction as shown in PCC (2). Therefore, we consider generative cipher as a constrained ciphertext generation problem and take advantage of the recent advances in generative modeling.
Interestingly, suppose all these conditions are satisfied, if every ciphertext sampled from generator is exactly as same as a real data sample. The generator can be seen as a way to select real samples from the world. This also means that the generator will be able to construct an infinite real sample database. You can imagine that the generator is a simulated digital camera, and each sampling is equivalent to taking a picture from the real world. What’s even more amazing is that every seemingly normal picture contains a secret message.
3.2 A Measure of Channel Security
In mathematical statistics, the KullbackLeibler divergence is a measure of how one probability distribution diverges from a second, expected probability distribution. Fridrich
[14] introduces a formal information theoretic definition of security in steganography based on the KullbackLeibler divergence between the distributions of cover and stego objects:(4) 
where and are the distributions of cover and stego, respectively. However, KL divergence doesn’t satisfy the symmetric and triangle inequality conditions, it cannot be strictly considered as a metric. The security of different steganography cannot be evaluated with this divergence. In this paper, a new measure of security for steganography is defined by the JensenShannon divergence, which is based on the KullbackLeibler divergence, with some notable (and useful) differences, including that it is symmetric and it is always a finite value. It is defined by:
(5) 
(6) 
The JensenShannon divergence is bounded by 1 for two probability distributions, given that one uses the base 2 logarithm
(7) 
when = , JensenShannon divergence is zero.
In generative steganography, we can use this metric to evaluate which generator is closer to the real data distribution. It means that we can sample a security stego from the best generator. In fact, the generator in generative adversarial network [20] is trained based on the JensenShannon divergence, the adversarial game make the divergence between generator distribution and data distribution is gradually reduced with the increasing of adversarial iteration. In generative steganography, , and have the similar meaning, is . Since in our scheme, there is no explicit cover, we use instead of .
In [20], Goodfellow etc. train discriminative model to maximize the probability of assigning the correct label to both training examples and samples from . They simultaneously train G to minimize . In other words, and play the following twoplayer minimax game with value function :
(8) 
The minimax game in Eq. 8 can be reformulated as:
(9) 
The theorem and proposition are given with their proof in [20] for theoretical proving the convergence of algorithm.
Theorem 3.1
The global minimum of the virtual training criterion C(G) is achieved if and only if . At that point, C(G) achieves the value .
(10) 
Proposition 1
If G and D have enough capacity, the discriminator D is allowed to reach its optimum given G, and is updated so as to improve the criterion :
(11) 
then converges to
In practice, adversarial nets represent a limited family of distributions via the function and we optimize rather than itself.
Similar to Fridirich’s  security steganography, we define a  security for generative cipher system based on JensenShannon divergence:
(12) 
Ideally, when the generator is optimal, i.e., , the system can be considered perfectly safe to statistical analysis in steganalysis. In generative cipher, we not only require the , but we also require the generator to satisfy the request for message extraction as shown in PPC (2).
3.3 A Generative Perspective
Before the modern era, classical cryptography focused on message confidentiality (i.e., encryption) conversion of messages from a comprehensible form into an incomprehensible one and back again at the other end, rendering it unreadable by interceptors or eavesdroppers without secret knowledge (namely the key needed for decryption of that message). This procedure can be formalized as follow:
(13) 
(14) 
(15) 
where is a encryption operation. Security of the key used should alone be sufficient for a good cipher to maintain confidentiality under an attack. This representation can be considered as a constrained cipher generation problem.
is the JensenShannon divergence between the cipher’s distribution and the uniform distribution. Note that, the only difference from perfect cipher scheme is that it is not intended to fulfill PCC(3). Ciphertexts produced by a classical cryptography (and some modern ciphers) will reveal statistical information about the plaintext, and that information can often be used to break the cipher. The aim of classical cryptography is to tend to flatten the frequency distribution to the uniform distribution.
Currently, the stateoftheart methods of cover modification steganography can be viewed as a constrained coding problem, which minimizing the distortion between cover and stego with Syndrome Trellis Coding (STC)[4]. The embedding and extraction mappings are realized using a binary linear code :
(16) 
(17) 
(18) 
where is cover, denotes message, is stego. is the distortion function. and denotes embedding and extraction operation which also can be considered as encryption and decryption operations. Embedding processing is an optimum problem to find a stego that satisfying the message extraction condition and minimizing the distortion, simultaneously. The embedding problem can be optimally solved by the Viterbi algorithm. This implementations of steganography that lack a shared secret are forms of security through obscurity which is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. Furthermore, although stego y is highly correlated with specific cover , a welltrained classifier that training on data set and is able to perform steganalysis.
Similarly, in this paper, we give a representation of optimization problem for generative cipher:
(19) 
(20) 
(21) 
where is a generator. denotes the decryption operation. is an extract matrix based on the secret key . This representation can be considered as a constrained cipher generation problem. is the JensenShannon divergence between the model’s distribution and the data. Note that our generative steganography is a keydependent steganographic scheme adhere to Kerckhoffs’s principle. We will give the details of the with a practical algorithm in the next section. It is important to note that an explicit cover is unnecessary. Stego does not depend on any specific cover, it is regarded as sampling from generator distribution .The emergence of the generative adversarial network makes the generative cipher scheme will be more and more attention to how to ensure the accuracy of information extraction.
More specifically, we also formulate the procedure of finding ciphertext as an optimization problem. Let be the message and be the secret key shared by two parties. Using this notation we define the closest encoding via:
(22) 
where denotes the message loss, which constrains the generated ciphertext given the message and the extract key , denotes the prior loss, which penalizes unrealistic ciphertext. We get generative cipher
. The details of the proposed loss function will be discussed with a practical generative cipher in the section IV.
In our design, in order to minimize the loss function, we first train a generator, as shown in Fig. 3(a). As section 3.1 discussed, in this paper generator is constructed by GAN, the training target of GAN is to reach the optimum state of ,In which is the global minimum of in the proposed scheme. Ideally, it indicates .
Next, we keep generator fixed to sampling cipher, as shown in Fig. 3(b). Backpropagation to the input data is introduced to optimize the coding of the input data on GAN. The backpropagation based methods require specifically designed loss function. In this task, we use distance as .
(23) 
(24) 
Similar to [33], we iteratively update using backpropagation by Eq. (23)(24). After enough training iterations, the input data on GAN would get optimized to make the loss minimum.
3.4 A Toy Example for Visual Representation
In order to make the difference between stegonography and classical cryptography more clearly. In this subsection, we proposed a simple toy cipher with a simple line on the 2D plane. Suppose that a coordinate point on the Xaxis in the plane coordinate represents a secret information . The Shared key may be any point on the plane except for points on the Xaxis, as shown in Fig. 4(a). Two points and define a unique straight line as shown in Fig. 4(b). In this case, can be considered as the simplest generator. The sender selects a random number, , then sample a point according to the line, which can be regarded as the corresponding ciphertext, as shown in Fig. 4(c). It’s easy for receiver to restore the by intersection of the and the Xaxis as shown in Fig. 4(d). If the ciphertext follow a uniform distribution, this cipher (encryption algorithm) is a classical cryptography shown in Fig. 4(e). If the ciphertext follow a real data distribution, this cipher (steganography algorithm) is a generative steganography, as shown in Fig. 4(f).
In this simple encryption scheme above, this scheme can only resist lowlevel Ciphtextonly attack. While the attacker has no channel providing access to the plaintext prior to encryption, in all practical ciphertextonly attacks, the attacker still has some knowledge of the plaintext. Cryptographers developed statistical techniques for attacking ciphertext, such as frequency analysis. Every modern cipher attempts to provide protection against ciphertextonly attacks. In the next section, we will present a practical, generated cipher solution with a powerful generator.
4 Digital Cardan Grille
A simple practical datadriven cipher method called Digital Cardan Grille is proposed using semantic image inpainting. To fill missing regions in images, our method for cipher generation utilizes the generator and the discriminator , both of which are trained with uncorrupted data. After training, the generator is able to take a point drawn from and generate an image mimicking samples from . Before constructing the practical generative cipher or steganography algorithm, we hypothesize that a generator has already met , and then we can focus on how to design a scheme to ensure that messages extracted correctly. In this paper, the message is written to the uncorrupted region that needs to be keep in the corrupted image, the stability of the message was guaranteed by the generator, the generator stop updating until the ciphertext (stego image) is natural enough.
In our framework, as illustrated in Fig. 5, the procedure of cipher is in line with the basic idea of traditional Cardan grille. The sender defines a mask, called Digital Cardan grille, to determine where the message is hidden, and the secret messages go directly to these uncorrupted locations of the input image. Then, an image inpainting method based on GANs is used to finish the image completion. A wellfilled image is transmitted to the recipient through the public channel. The receiver extracts a secret message using the Cardan grille shared by the two parties in the reconstructed image. The core of this method is to define generator that not only ensure the consistency of the secret messages but also the natural reality of the ciphertext.
4.1 Message Preprocessing
In this paper, the process of generating ciphertext is decomposed into two steps to simplify the designing, as shown in Fig. 6. First of all, we define a operation for message expansion:
(25) 
The secret message by Cardan grille which is shared by both parties to a new expanded message subject to follow constrain:
(26) 
Then, we can get the ciphertext by:
(27) 
We will show that this simple separation trick makes it easier to build a generator.
Firstly, we select the secret input corrupted image , message , and Cardan grille . It’s important to note the structure and location of this Cardan grille in the corrupted image are shared by both parties. Assume that the size of the corrupt region is , where . Then a Cardan grille with same size is defined as:
(28) 
where , is the symmetrickey that shared by both parties. Ideally, the Cardan grill is designed to have a bit key, key length would coincide with the lowerbound on an algorithm’s security. A value of 1 represents the parts of the region we want to hide message and a value of 0 represents the parts of the image we cannot write message. Then the message can be written into the uncorrupted regions of the input image. We get a corrupted image contains secrete message shown as . Note that , denotes the elementwise product operation. The preprocessing is so important that it will transform the image completion into generative cipher (steganography). In the next subsection, we will give the details for the image completion based on the GANs, which complete the generative cipher procedure.
4.2 Semantic Inpainting for Cipher Generation
As mentioned above, the image completion used for cipher should satisfy two objectives, one is the rationality of the complete image content, the other is the stability of the message. In this paper we use the a image inpainting method which proposed by Yeh [33] based on a Deep Convolutional Generative Adversarial Network (DCGAN).
A binary mask is used for completion that has values 0 or 1. A value of 1 represents the parts of the image we want to keep and a value of 0 represents the parts of the image we want to complete. Suppose we’ve found an image from the generator for some that gives a reasonable reconstruction of the missing portions. The completed pixels can be added to the original pixels to create the reconstructed image :
(29) 
It is important to note that cipher generation (semantic inpainting in this case) is not trying to reconstruct the groundtruth image. The goal is to fill the hole with realistic content while hiding information. Even the groundtruth image is one of many possibilities.
In our cipher generation method, three loss functions are defined for searching .
Contextual Loss: To keep the same context as the input image, make sure the known pixel locations in the input image are similar to the pixels in . We need to penalize for not creating a similar image for the pixels that we know about. Formally, we do this by elementwise subtracting the pixels in from and looking at how much they differ:
(30) 
where is the L1norm. In the ideal case, all of the pixels at known locations are the same between and . Then = 0 for the known pixels and thus .
Perceptual Loss: To recover an image that looks real, let’s make sure the discriminator is properly convinced that the image looks real. We’ll do this with the same criterion used in training the DCGAN:
(31) 
Contextual Loss and Perceptual Loss successfully predict semantic information in the missing region and achieve pixellevel photorealism.
Message Loss: The key of using image completion for generative cipher (steganography) is that the messages extracted by the Cardan mask should be as stable as possible. The pixel value of the corresponding position of the generated image is equal to the value of the secret message.
(32) 
Similar to contextual Loss, all of the pixels at hiding locations are the same between and . Then for the known pixels and thus . We’re finally ready to find with a combination of the all these losses:
(33) 
(34) 
where that controls how import the perceptual loss are relative to the message loss. In a particular case, when . is the same as . It is important to note that, and play a different role in cipher generation, the size and value of can be different from . is used for message encryption while for image completion.
In practice, for each 8bit pixel on each layer of color image, we cannot guarantee that the generator will converge to the model that can successfully satisfying . Intuitively, we believe that the lower bits are affected by the pixel generation, while the high bit has a higher stability. We define a bit plane index (BPI = 1,..8.) to indicate the location of the layer where the message is located. Where, represents the lowest significant bit (LSB), and BPI=8 represents the most significant bit(MSB). The elementwise product is operated on the bit plane level.
4.3 Message Extraction
Message extraction for the receiver’s is simple as shown in Fig. 7, The receiver will cover the grille directly on the image after reconstruction, and the secret message of the corresponding position can be obtained. The basic operation is as follows:
(35) 
5 Experiments
5.1 Datasets and Settings
We implemented our adversarial training scheme on the LFW datasets [34]
: a database of face photographs designed for studying the problem of unconstrained face recognition,some samples shown in Fig.
8. The data set contains more than 13,000 images of faces collected from the web. We use alignment tool to preprocess the images to be , as shown in Fig.5. We used the DCGAN model architecture from Yeh et al. [33] in this work. I emphasize that we modify Brandon Amos’s implementation [35]. 12000 samples are used for training DCGAN. Our setting of training parameters for image completion is same as the Brandon Amos’s. The generative model, G, takes a random 100 dimensional vector drawn from a uniform distribution between [1; 1] and generates a
image. The discriminator model, , is structured essentially in reverse order. The input layer is an image of dimension , followed by a series of convolution layers where the image dimension is half, and the number of channels is double the size of the previous layer, and the output layer is a two class softmax. For training the DCGAN model, we follow the training procedure in [35] and [33] for optimization. We choose in all our experiments. In the cipher generation stage, we need to find using backpropagation. We use Adam for optimization and restrict to [1; 1] in each iteration, which we observe to produce more stable results. We terminate the backpropagation after 1000 of iterations. We use the identical setting for all testing datasets. The size of grille is fixed as which is same as the size of corrupted image. We intentionally randomize the secret message on all uncorrupted regions so that the stability of embedded messages can be given in a quantitative manner.We test four random pattern masks different shapes of masks: 1) random pattern masks approximately 20 missing; 2) 50 missing masks (randomly horizontal or vertical); 3) 90 missing complete random masks.
5.2 Visual Comparison
Our results are shown in Fig. 9, which demonstrate that our method can successfully predict the missing content with different random mask. It’s important to emphasize that, in our experiment, Cardan grille was randomly generated, and, in all the places that we could write, we wrote the message which is also randomly generated. It is important to note again that cipher generation is not trying to reconstruct the groundtruth image. The goal is to finding a realistic image while encrypt information. Even the groundtruth image is one of many possibilities.
We also show the completion image generation process in Fig. 10, and the number of iterations is from 20 to 2000. We sample 8 generative images form the generator. Note that the we chose some groundtruth images in Fig. 10 fall out of LFW database. As can be seen from the Fig. 10, the meaningless serious corrupted image (90 missing) will be transformed into a sample from pg. In the first few rounds of steps, the visual quality of generator output is low. It can be seen that the complemented image becomes more real as the number of iterations increases.
Fig. 11(a) and Fig. 11(b) shows the message loss and perceptual loss of an image. All images are sampled at 500 iterations from corrupted images with 90 region missing. In Fig. 11(a), in the first few rounds of sampling, the visual quality of output is low, perceptual loss is high. After approximately 250 steps, perceptual loss makes the generated sample more realistic and natural. In Fig. 11b, message loss is relatively smooth and stable after 150 steps. This is mainly due to the fact that we keep message loss have more influence on the total loss.
We also present the results of the completion of the same image with different values. It can be seen from Fig. 12, although the gap between the generative stego images are large at the beginning, the completion ciphertext images tend to be similar as the number of iterations increases.
5.3 Quantitative Analysis
5.3.1 Efficiency
All experiments are performed in TensorFlow
[41], on a workstation with a Titan Xp GPU. We take 13.5 hours for training generator with 12000 images. For cipher generation, 1000 iterations for one image take 26s on average. We also denote the encryption blowup factor of our scheme as , 1 bit plaintext will be encrypted into bit ciphertext. Take the experiment in Fig. 12 as an example, region missing means , the secret message has a size of equal to bits, after cipher generation, the corresponding uncompressed ciphertext has a size of bits, the encryption blowup factor is .5.3.2 Decryptionerror rate
Due to the nonconvexity of the models in the training scheme, we cannot guarantee that the generator will converge to the model that can successfully recover the secret message from the steganographic image perfectly. Fig. 13 shows the relationship between the error rate of the message extraction and the number of iterations with different BPI (18). As shown in Fig. 13. We do the message embedding and extraction at different BPI for 1000 images which not belonging to the training set. All ciphertext (stego images in this case) are sampled at 3000 iterations from corrupted images with 90 region missing. As expected, the accuracy of message extraction increased with the increase of BPI. The receiver was able to recover more than 95 of messages sent by sender when . Our scheme can perfectly decode the secret encrypted message from the steganographic image at BPI =8. In the Fig. 14, the relationship between the average error rate and BPI is given, compare with our work in [31], the stability of the message extraction is greatly improved.
5.3.3 Security for Channel
We steganalyze our digital Cardan grille method using blind steganalyzer for spatial domain and the ensemble classifier. 686dimensional SPAM features [36] and 504dimensionnal SCRMQ1 features [37] with ensemble classifiers [38]
implemented as random forests are used for this experiment. The decision threshold of each base learner is adjusted to minimize the total detection error under equal priors on the training set:
(36) 
where , are the probabilities of false alarms and missed detection, respectively.we adjust the threshold to as is nowadays considered standard for evaluating the accuracy of steganalyzers in practice.
Different from the traditional steganalyzer for cover modification method, all 1000 stego images and 1000 normal images are generated at 1000 iterations from corrupted images by the image inpainting. The database was divided randomly into two halves, one used for training and the other for testing. The performance is averaged over ten random splits. In Fig. 15, we plot the progress of the testing error as a function of the payloads from 0.1bpp to 0.5bpp (bits per pixel) with BPI = 1 compared with HUGO [39] and HILL [40] which are considered as advanced steganographic method by minimizing distortion using SyndromeTrellis Codes.
From the above experiments, it can be seen that the steganography based on sampling can resist the statistical analysis of the steganography, this is mainly due to the fact that, completed stego and normal images can be regarded as samples from the same distribution . The normal cover and stego does not have a pairwise relationship between the extracted features. As can be seen from the figure, our method has competitive performance with in the case of low embedding rate.
Fig.16 shows the average classification error achieved with five different BPI at 0.1bpp with 1000 iterations. As the bit plane index increases, the security of our method decreases on SCRMQ1 feature. SPAM feature does not work. This is mainly because SCRMQ1 is designed for color images, and SPAM is designed for grayscale images.
We also give the error rate for different iterations. This is shown in the Fig. 17 below. After dozens of iterations, SPAM and SCRMQ1 features maintain consistent performance. Experiments show that the resistance to statistical analysis, does not mean that the image generation quality is good enough, in fact, with the increase of the number of iterations, image visual distortion to reduce gradually, as shown in Fig. 12.
5.3.4 Security for Content
The original Cardan Grille was a literary device for gentlemen’s private correspondence. Any suspicion of its use can lead to discoveries of hidden messages where no hidden messages exist at all, thus confusing the cryptanalyst. As in the case of letters/numbers in a random grid, obtaining the grille itself is a chief goal of the attacker. In our method, the size of digital Cardan grille is , where and is the size of image. The upper bound key space is , in this our particular case, key space here is which means that the message only written on the uncorrupted pixels. But all is not lost if a grille copy can’t be obtained. Frequency analysis will show a distribution of cipher. The problem, easily stated though less easily accomplished, is to identify the transposition pattern and so decrypt the ciphertext. Possession of several messages written using the same grille should be avoided. In each communication, the two parties should jointly consume a certain length of the key.
6 Conclusion and Future Work
In this paper, a generative cipher is proposed. The relationship between classical cryptography and steganography is given. Ciphertext are sampling from a welltrained generator. Inspired by the idea of Cardan grille, a practical method of generative cipher is proposed by image completion technology. The results of the experiment and the experimental results verify the promising of such simple method. It reduces the sophistication of the steganography design, which allows researchers in other fields can quickly build a cipher system by this framework.
However, the generator in adversarial network is actually in its infancy. In this paper, we use a simple DCGAN to synthesis natural images. We will focus on more powerful generator which automatic synthesis of realistic images to generate more realistic images. The quality of the generated images does not have a quantitative evaluation standard. It is necessary to continually refine the performance of the generator to ensure that the security of generative cipher.
References
 [1] Wikipedia:Grille, https://en.wikipedia.org/wiki/Grille_(cryptography). Last accessed 4 May 2018
 [2] Wikipedia:Cardan grille, http://en.wikipedia.org/wiki/Cardan_grille. Last accessed 4 May 2018
 [3] Sallee, P.: ModelBased Steganography. Digital Watermarking. Springer Berlin Heidelberg
 [4] Filler, T., Judas, J., Fridrich, J.: Minimizing additive distortion in steganography using syndrometrellis codes. IEEE Transactions on Information Forensics Security, 6(3), pp.920–935. (2012)
 [5] Fridrich, J., Kodovsky, J.: Rich models for steganalysis of digital images. IEEE Transactions on Information Forensics and Security, 7(3), pp.868–882. (2012)
 [6] Sharp, T. : An Implementation of KeyBased Digital Signal Steganography. In: International Workshop on Information Hiding ,vol.2137, pp.13–26. Springer, Berlin, Heidelberg.(2001)
 [7] Li, X., Yang, B., Cheng, D., Zeng, T. .: A Generalization of LSB Matching. Signal Processing Letters, 16. pp.69–72. (2009)
 [8] C. Cachin. :An InformationTheoretic Model for Steganography. Proceedings of Second International Information Hiding Workshop, Springer LNCS 1525, pp.306318. (1998)
 [9] Hopper, N. J., Langford, J., Ahn, L. V. (2002). :Provably Secure Steganography. Advances in Cryptology CRYPTO 2002. Springer Berlin Heidelberg.
 [10] Le, Tri. Efficient Proven Secure Public Key Steganography. Cryptology ePrint Archive, Report 2003/156, . Available electronically: http://eprint.iacr.org/2003/156. (2003)
 [11] Backes, M., Cachin, C. : Publickey steganography with active attacks. In : International Conference on Theory of Cryptography, Lecture Notes in Computer Science, vol. 3378, pp.210–226 SpringerVerlag.(2005)
 [12] Von Ahn L., Hopper N.J. : PublicKey Steganography. In: Cachin C., Camenisch J.L. (eds) Advances in Cryptology  EUROCRYPT 2004. EUROCRYPT 2004. Lecture Notes in Computer Science, vol 3027. Springer, Berlin, Heidelberg. (2004)
 [13] Song, S., Zhang, J., Liao, X., Du, J., Wen, Q..: A novel secure communication protocol combining steganography and cryptography. Procedia Engineering, 15, pp.2767–2772. (2011)
 [14] Fridrich J. : Steganography in digital media: principles, algorithms, and applications. UK: Cambridge University Press, Cambridge. (2010)
 [15] Otori, H., Kuriyama, S. : DataEmbeddable Texture Synthesis. In: International Symposium on Smart Graphics, pp.146157. DBLP, Kyoto, Japan, (2007)
 [16] Otori, H., Kuriyama, S. : Texture synthesis for mobile data communications. 29(6), pp.7481. (2009)
 [17] Wu, K. C., Wang, C. M.: Steganography using reversible texture synthesis. IEEE Transactions on Image Processing, 24(1). (2015)
 [18] Qian, Z., Zhou, H., Zhang, W., Zhang, X. : Robust Steganography Using Texture Synthesis. Advances in Intelligent Information Hiding and Multimedia Signal Processing. Springer International Publishing. (2017)
 [19] Xu, J., Mao, X., Jaffer, A., Jaffer, A., Lu, S., Li, L., et al.: Hidden message in a deformationbased texture. Visual Computer, 31(12), pp.1653–1669. (2015)
 [20] Goodfellow, I. J., PougetAbadie, J., Mirza, M., Xu, B., WardeFarley, D., Ozair, S., Courville, A., and Bengio, Y. : Generative adversarial networks. In Conference and Workshop on Neural Information Processing Systems 2014. https://arxiv.org/abs/1406.2661 (2014)
 [21] Abadi, M., Andersen, D. G. : Learning to protect communications with adversarial neural cryptography. https://arxiv.org/abs/1610.06918. (2016)
 [22] Hitaj, B., Gasti, P., Ateniese, G., Perezcruz, F.: Passgan: a deep learning approach for password guessing. Volkhonskiy, D., Nazarov, I., Borisenko, B., Burnaev, E. Steganographic generative adversarial networks. https://arxiv.org/abs/1709.00440 (2017)
 [23] Volkhonskiy, D., Nazarov, I., Borisenko, B., Burnaev, E. : Steganographic generative adversarial networks. https://arxiv.org/abs/1703.05502 (2017)
 [24] Radford, A., Metz, L., Chintala, S. : Unsupervised representation learning with deep convolutional generative adversarial networks. Computer Science. (2015).
 [25] Shi, H., Dong, J., Wang, W., Qian, Y., Zhang, X. : Ssgan: secure steganography based on generative adversarial networks. https://arxiv.org/abs/1707.01613v3 (2017)
 [26] Hayes, J., Danezis, G. : Generating steganographic images via adversarial training. https://arxiv.org/abs/1703.00371 (2017)
 [27] Tang, W., Tan, S., Li, B., Huang, J. : Automatic steganographic distortion learning using a generative adversarial network. IEEE Signal Processing Letters, 24(10), pp.1547–1551. (2017)
 [28] Ke, Y., Zhang, M., Liu, J., Su, T., Yang, X. : Generative steganography with kerckhoffs’ principle based on generative adversarial networks. https://arxiv.org/abs/1711.04916 (2017)
 [29] Liu, M. Liu, J. Zhang, M, Li, T. Tian. : Generative Information Hiding Method Based on Generative Adversarial Networks. Journal of Applied Sciences, 36(2), pp.27–36. (2018)
 [30] Odena, A., Olah, C., Shlens, J. :Conditional image synthesis with auxiliary classifier gans. https://arxiv.org/abs/1610.09585 (2016)
 [31] Liu, J., Zhou, T., Zhang, Z., Ke, Y., Lei, Y., Zhang, M., et al.:Digital cardan grille: a modern approach for information hiding. https://arxiv.org/abs/1803.09219.(2018)
 [32] Huang, H., Yu, P. S., Wang, C. :An introduction to image synthesis with generative adversarial nets. In: arXiv:1803.04469, https://arxiv.org/abs/1803.04469 .(2018)
 [33] Yeh, R. A., Chen, C., Lim, T. Y., Schwing, A. G., Hasegawajohnson, M., Do, M. N.: Semantic image inpainting with deep generative models. (2016).
 [34] LearnedMiller, E., Huang, G. B., Roychowdhury, A., Li, H., Hua, G. : Labeled Faces in the Wild: A Survey. Advances in Face Detection and Facial Image Analysis. Springer International Publishing. (2016)

[35]
Amos,B. Image Completion with Deep Learning in TensorFlow.
http://bamos.github.io/2016/08/09/deepcompletion (2016).  [36] Pevny, T., Bas, P., Fridrich, J.: Steganalysis by subtractive pixel adjacency matrix. IEEE Transactions on Information Forensics and Security, 5(2), pp.215–224. (2010)
 [37] Denemark, T., Fridrich, J.: Further study on the security of SUNIWARD. In :SPIE on Electronic Imaging, Media Watermarking, Security, and Forensics pp.902805–902813). (2014)
 [38] Kodovsky, J., Fridrich, J., Holub, V.: Ensemble classifiers for steganalysis of digital media. IEEE Transactions on Information Forensics and Security, 7(2), pp.432–444. (2012)
 [39] Pevny, T., Filler, T., Bas, P.: Using highdimensional image models to perform highly undetectable steganography. In: Editor, F., Editor, S. (eds.) CONFERENCE 2010, Lecture Notes in Computer Science, vol. 6387, pp. 161177. Springer, Heidelberg (2010).
 [40] Li, B., Wang, M., Huang, J., Li, X.:A new cost function for spatial image steganography. In : IEEE International Conference on Image Processing, pp.4206–4210. (2015)
 [41] Abadi, M., Agarwal, A., Barham, P., Brevdo, E., Chen, Z., Citro, C., et al.: Tensorflow: largescale machine learning on heterogeneous distributed systems. arXiv:1603.04467,2016a. (2016)