Four Lousy Ghosts is out

Date: 2026-05-02 · Tag: phantasm, steganalysis, adversarial ML

Four ghosts holding their AUC scores against an attacker-aware CNN: HYDRA 0.78, CHAMELEON 0.93, DOPPELGÄNGER 1.00, PALIMPSEST 0.99.

The first phantasm paper is up:

Four Lousy Ghosts: Novel and Established Counter-Steganalysis Techniques vs ML-Capable Adversaries — To No Avail

Short version: I tried four content-adaptive defenses against attacker-aware CNN steganalysis on JPEG covers (three I designed, one adapted from the academic literature), and every single one was refuted. AUC ranged from 0.76 to 1.00 against an EfficientNet-B0 trained on phantasm output. The strongest defense (DOPPELGÄNGER) made stegos more detectable, not less.

This is not a successful-defense paper. It’s a falsification challenge. The post-mortem identifies an “operator-fingerprint” ceiling — CNNs learn the statistical artifact of modifying-then-re-encoding a JPEG, regardless of where or how the modifications are placed. As long as the embedding operator is unchanged, randomizing position or rounding direction does not help.

I’m publishing this work explicitly as a precedent to break. Any future defense in this family must measurably clear the ceiling I documented. The in-distribution attacker checkpoints, per-experiment branches, and full eval JSONs are all public. Reproduce the failures, and then reproduce a defense that doesn’t fail.

This also explains why phantasm v1 explicitly scopes down its L1 detection claim and stakes its security argument on the L2/L3 cryptographic envelope (Argon2id + XChaCha20-Poly1305 + HMAC + HKDF independent-extract). The phantasm README makes that posture honest from the start; this paper is the receipt.

What’s in the paper

The four defenses (HYDRA, CHAMELEON, DOPPELGÄNGER, PALIMPSEST), what each hypothesized, and how each failed.
The attacker recipe (multi-passphrase EfficientNet-B0, ImageNet-pretrained, N=2000 pairs, 15 epochs).
The operator-fingerprint hypothesis, and why PALIMPSEST (the literature baseline) confirms the ceiling.
The five-defense roadmap, including the three I didn’t run (OUROBOROS, GHOSTWRITER, PRISM) and what each would have to demonstrate to count as breaking the precedent.
All citations verified against canonical sources — see the project’s CITATIONS.md.

Read it

→ Four Lousy Ghosts (HTML)

The PDF version is built from the same source via paged.js.