Research-grade JPEG steganography with authenticated encryption, in Rust. v2 ships the AETHER macroblock channel adapter alongside the v1 J-UNIWARD STC pipeline — opt-in L1 stealth against phantasm-aware CNN steganalyzers. Argon2id + XChaCha20-Poly1305 + HMAC envelope shared by both modes.

v2.0.0 · JPEG-only · MIT or Apache-2.0
218 tests passing aether-mb-8 / aether-mb-16 100 % byte-perfect on 176 trials no external review yet
v1 — J-UNIWARD STC
cover image
live: real phantasm output

What you're actually seeing.

The hero cycles each cover through three real embeds: the v1 J-UNIWARD pipeline and v2's two AETHER macroblock modes. Every overlay is diff data from the actual stego output, not a render — what you see is what extract sees.

v1 — sparse, content-adaptiveEach lit 8×8 block is where J-UNIWARD spent ±1 DCT modifications. Smooth blocks (sky, walls) get few; textured blocks (foliage, edges, grain) get many. Passphrase-keyed ChaCha12 permutes which positions are visited.
v2 aether-mb-8 — high capacity, smaller blocksEvery K=8 block carries one bit via a ±64 spatial-domain quadrant pattern, no repetition. Smaller blocks pack 4× more raw bits per cover than K=16, so it fits higher ciphertext tiers earlier as resolution scales. The cyan/violet split inside each block is the 2×2-quadrant template; the sign across blocks is passphrase-keyed.
v2 aether-mb-16 — strong survival, larger blocksK=16 macro-blocks at ±64 spatial, also rep=1. Each bit's signal is spread across 4× more pixels than K=8, so per-bit channel-noise tolerance is higher (more averaging cushion against harsher channels). Trade-off is 1/4 the raw bit count, so capacity is lower at the same resolution.

What phantasm is — and what it isn't.

phantasm ships two stealth postures in v2. The default v1 J-UNIWARD STC pipeline keeps a visually-pristine cover but loses to phantasm-aware CNNs. The opt-in --channel-adapter aether-mb-{8,16} modes route through a spatial channel that defeats those CNNs at the cost of a visibly channel-processed cover. Pick the trade-off your threat model needs.

What it is

An authenticated-encryption-into-a-JPEG tool with two modes: v1 J-UNIWARD STC (default) for visual stealth, and v2 AETHER macroblock for L1 stealth against phantasm-aware CNN steganalyzers.

The cryptographic envelope (Argon2id KDF, XChaCha20-Poly1305 AEAD, HMAC-SHA256-16 permutation MAC, independent-extract HKDF key separation) is shared by both modes and is the load-bearing security layer.

What it isn't

v1 J-UNIWARD is not a plausible-deniability tool against an ML adversary — phantasm-aware CNNs detect it at >96 % AUC cross-corpus. v2 aether-mb addresses this at L1 but the stego is visibly Lanczos-resampled — a viewer sees a channel-processed photo, not a pristine cover.

Neither mode is a magical hidden-channel-against-state-actors primitive. Read the threat-model section in the README before deploying.

Three layers. Two are intact. One is partial.

L2 and L3 are intact across both modes. L1 has two postures: v1 weak by design, v2 partial via opt-in channel.

L1 Detection — can an adversary tell the JPEG contains hidden data? partial — opt-in defense in v2

v1 J-UNIWARD (default): off-the-shelf CNNs miss it (~16 % detect), phantasm-aware CNNs catch it (96.8 %+ AUC cross-corpus). v2 aether-mb (opt-in): AETHER channel drops phantasm-aware AUC to ≤ 0.55 off-the-shelf / 0.69 ± 0.05 corpus-aware adapted — partial-tier defeat at the cost of a visibly Lanczos-resampled cover. Per-attacker-tier numbers in the mode comparison below; macroblock-specific L1 not yet validated at scale (deferred to v2.1).

L2 Position recovery — can an adversary find the bits without the passphrase? intact

Position derivation is passphrase-keyed (ChaCha12 over an Argon2id-stretched master in v1; HKDF-keyed quadrant signs in v2 macroblock). The realistic attack is passphrase brute force; verifying any guess requires the AEAD HMAC check, which gates on the Argon2id-stretched key (256 MiB / t=3 / p=4 per attempt) regardless of which mode produced the stego.

L3 AEAD decryption — can an adversary decrypt without the passphrase? intact

XChaCha20-Poly1305 + HMAC-SHA256-16 MAC over version || salt || nonce || ciphertext. HMAC is verified before any payload parsing — wrong passphrase always returns AuthFailed cleanly, no oracle, no length-confusion. AEAD and HMAC keys come from two independent HKDF-extract calls so cross-key attacks are impossible by construction.

Pick your trade-off.

All three modes share the same AEAD envelope (L2 + L3 layers, both intact). The columns differ on capacity, visible cover impact, and L1 detection posture. v1 J-UNIWARD remains the default — omit --channel-adapter and you get it.

j-uniward
(default v1)
aether-mb-8
(v2 high-capacity)
aether-mb-16
(v2 strong-survival)
CLI (no flag) --channel-adapter aether-mb-8 --channel-adapter aether-mb-16
Modulation DCT ±1 / J-UNIWARD + STC spatial ±64, K=8 quadrant, rep 1 spatial ±64, K=16 quadrant, rep 1
Min cover any JPEG (~256×256+) 1080p square+ 1080p square+
Net payload @ 1080p ~10 KB ~1 KB ~245 B
Net payload @ 4K ~40 KB ~4 KB ~1 KB
Cover→stego PSNR ~37 dB (visually pristine) ~12 dB (visibly noisy) ~12 dB (visibly noisy)
Off-the-shelf CNN ~16% detect rate (≈0.55 AUC) ≤ 0.55 AUC ≤ 0.55 AUC
Un-adapted phantasm-aware 96.8% AUC ~0.50 – 0.55 AUC ~0.50 – 0.55 AUC
Corpus-aware adapted 96.8% AUC 0.69 ± 0.05 AUC* 0.69 ± 0.05 AUC*
Recovery (validated) 100 % byte-perfect (standard) 100 % @ 22×8 trials 100 % @ 22×8 trials
Best for large payloads, visual stealth, casual ML adversaries only L1 stealth against ML adversaries, ~KB payloads on 1080p+ covers L1 stealth + larger spatial averaging per bit (more channel-noise headroom)

* AUCs measured on plain v1 J-UNIWARD payloads through the AETHER channel on Path B (BOSSbase 200 covers × 25 passphrases, 100/100 split, 5 seeds). Macroblock-modulated stegos haven't been L1-validated at the same scale yet; v2.1 will close that.

Measured, not estimated.

198-cover Picsum research corpus. QF=85, ~720px short-side, ~0.2 bpnzac payload, --cost-function j-uniward, h=10 trellis with the published DDE Lab H̃ tables.

Detector Cover false-positive phantasm J-UNIWARD detection
JIN-SRNet (Butora/Yousfi/Fridrich 2021, ImageNet+J-UNIWARD pretrained) 7.1% 16.2%
EffNet-B0 (Aletheia, ALASKA2 pretrained) 88.9% (cover-source mismatch) paired-evade

49.5% of phantasm J-UNIWARD stegos score lower P(stego) than their own cover. JIN-SRNet thinks the stego is more cover-like than the original, in half the samples.

Caveats applicable to every number above:
  1. Specific to the Picsum research corpus, ~720px JPEGs, QF=85, payload ~0.2 bpnzac. Other cover-source distributions, payload ratios, and detector training sets will produce different numbers.
  2. JIN-SRNet was trained at 0.4-0.6 bpnzac; phantasm at typical payload sits below the training distribution. Detection rises as payload approaches training distribution.
  3. These are off-the-shelf-detector numbers. Against a phantasm-aware adversary that has fine-tuned a CNN on phantasm output (5 passphrases per cover, ~2k pairs, EfficientNet-B0 on a 500-cover corpus), measured detection is 96.8%. The L1 layer does not defend against phantasm-aware ML.

What v2 actually composes.

The five v1 pillars carry over unchanged. v2 adds a sixth: the AETHER macroblock channel adapter — the first phantasm release with a working L1 defense.

01

Content-adaptive cost

J-UNIWARD (Holub & Fridrich 2014). Wavelet-domain relative-distortion cost computed from the spatial-domain decoding of the cover. Prefers modifications in textured regions over smooth regions.

02

Syndrome-trellis coding

Published DDE Lab H̃ tables (Filler 2011) for h ∈ [7, 12], w ∈ [2, 20]. Conditional-probability double-layer decomposition at 0.995× bits/L1. Property-tested across 200 seeds + asymmetric cost regimes.

03

Modern AEAD envelope

Argon2id (256 MiB, t=3, p=4) + XChaCha20-Poly1305 + HMAC-SHA256-16 + independent-extract HKDF key separation. Envelope FORMAT_VERSION 4. Fast-fail wrong-passphrase returns AuthFailed before any length parsing.

04

Channel adapter (Twitter) experimental

MINICER (Minimum-Iterative Coefficient Error Robust per-coefficient stabilization) + ROAST (Robust Overflow Alleviation for STego) + Reed-Solomon ECC for share-and-recompress survival on the Twitter profile. End-to-end recovery under image-crate QF=85 round-trip is not yet reliable at default RS parameters.

05

Hash-guard

Marks coefficients whose modification would flip the selected perceptual-hash bits as wet-paper, preserving the cover's pHash or dHash through embed. Three sensitivity tiers + wet-paper STC constraint.

06

AETHER macroblock v2 — opt-in

--channel-adapter aether-mb-{8,16}. Routes the embed through Lanczos 1/3×↓↑ + UnsharpMask + JPEG QF=85 4:2:0 (the channel that drops phantasm-aware CNN AUC 96.8 % → 0.69) with spread-spectrum modulation at one cycle per K×K block. 176 / 176 byte-perfect recovery across 22 covers × 8 passphrases. Macroblock-specific L1 numbers deferred to v2.1.

Install phantasm.

Pre-built binaries for Linux (x86_64 / aarch64, glibc + musl) and macOS (Apple Silicon + Intel). Apt repository and Cargo source build also supported.

Debian / Ubuntu (apt)

Install the signed apt repo, then install phantasm.

curl -fsSL https://repo.x86-64.com/exec.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/exec.gpg
echo "deb [signed-by=/etc/apt/keyrings/exec.gpg] https://repo.x86-64.com stable main" | sudo tee /etc/apt/sources.list.d/exec.list
sudo apt update && sudo apt install phantasm

Cargo (from source)

Build the latest tagged release via Rust's package manager.

cargo install --git https://github.com/exec/phantasm phantasm-cli

Direct download

Pre-built binaries for Linux and macOS, all major archs.

github.com/exec/phantasm/releases →

From source

Clone and build yourself.

git clone https://github.com/exec/phantasm
cd phantasm && cargo build --release

Quickstart

Embed and extract using --passphrase-env to keep secrets out of argv:

# Embed
PASS="correct horse battery staple" \
  phantasm embed \
    --input cover.jpg \
    --payload secret.txt \
    --passphrase-env PASS \
    --output stego.jpg

# Extract
PASS="correct horse battery staple" \
  phantasm extract \
    --input stego.jpg \
    --passphrase-env PASS \
    --output recovered.txt

--passphrase <literal> exists for ergonomic testing, but exposes the passphrase via /proc/<pid>/cmdline. Use --passphrase-env or --passphrase-fd in production.

Five experiments. Five refutations. One lesson.

v1's L1-scope-down isn't a default — it's a result. We ran five modify-and-re-encode defenses against attacker-aware CNN steganalyzers and they all closed negatively. The arc lives across GitHub branches with full per-experiment evaluation logs; the load-bearing finding is the operator-fingerprint hypothesis, hardened from the DOPPELGÄNGER post-mortem and confirmed against a faithful Rust port of Butora-Bas 2023's covariance-preserving side-informed embedding.

The integrated writeup — Four Lousy Ghosts: an autopsy of five refuted L1 defenses for JPEG steganography — lives at research.byexec.com with the full PDF on the papers page. Subsequent work continues there as the L1 frontier evolves.

Codename Hypothesis Measured AUC Verdict
HYDRA ensemble-saliency-source assignment defeats cost-fingerprint 0.76 - 0.78 refuted (partial)
CHAMELEON stochastic per-stego wet-fraction breaks keep-invariant features 0.82 - 0.93 refuted
DOPPELGÄNGER variance-shaped costs from natural-cover sigma estimates 0.99 - 1.00 refuted (catastrophic)
PALIMPSEST side-informed embedding aligned with natural rounding (Holub-Fridrich-Denemark 2014) 0.99 refuted
EIDOLON covariance-preserving asymmetric ternary side-info (Butora-Bas 2023, faithful Rust port) 0.99 - 1.00 refuted (catastrophic)

The post-mortem lesson

DOPPELGÄNGER's AUC ~1.00 was the most informative result in the arc. Read the post-mortem for the full extraction; the load-bearing claim:

"The detectable signature is not where phantasm modifies but the fact of modification — specifically, the statistical artifact of decode JPEG → modify integer DCT coefficient → re-encode JPEG. All three randomization defenses left this artifact intact and merely varied which positions carried it. CNNs learn the operator-level fingerprint and ignore the cost map."

PALIMPSEST then tested "what if we change how the modification relates to the natural rounding direction?" and confirmed the ceiling. EIDOLON, the most rigorous mathematical defense in the modify-and-re-encode paradigm — Butora-Bas's covariance-preserving asymmetric ternary side-informed embedding, ported bit-exact from the reference JEEP.py — also hit AUC ~1.00. The operator fingerprint dominates every cost-map and embedding-direction variation we have tested: WHERE-randomization (HYDRA / CHAMELEON / DOPPELGÄNGER), HOW-with-rounding (PALIMPSEST), and covariance-preservation (EIDOLON). What remains is to attack the modify-and-re-encode paradigm itself — research direction continues at research.byexec.com.

The post-arc spec list After the original DOPPELGÄNGER post-mortem, five candidate operator-changing defenses were spec'd; PALIMPSEST and EIDOLON have shipped to verdicts (both refuted). Three remain as written-out specs that haven't been run. OUROBOROS · GHOSTWRITER · PRISM · PALIMPSEST · EIDOLON
Ongoing research direction Post-EIDOLON work explores whether the operator fingerprint can be defeated by leaving the modify-and-re-encode paradigm — including spatial-channel routing and channel-aware embedding. Writeups continue at research.byexec.com; specific effectiveness numbers are not yet ready for publication and will land on the research site when the engineering completes.
Earlier research (v0.2 / v0.3 era) Before the 2026-04-25 arc, eight updates closed cost-function-adjustment as an L1-defense direction. The full log lives at archive/ML_STEGANALYSIS.md — Updates 1-8, including the iterative-PGD adversarial-cost result that went 91.9% → 100% across iterations (Update 8).
Index of everything archive/research-arc/README.md is the consolidated entry point — results table, branch links, post-mortem pointer, and a summary of what v1 took from this arc.

Reproducibility — model checkpoint pool

The phantasm-aware steganalysis CNNs that produced these AUC numbers are published as a GitHub Release artifact bundle: research-checkpoints-v1 — 244 MB across 20 PyTorch checkpoints. Includes the full per-architecture baselines (EfficientNet-B0 / SRNet / XuNet / ViT-Tiny / shallow-CNN), the phantasm-aware fine-tunes at N=200/1000/2000, the four experiment-specific attackers (HYDRA / CHAMELEON / DOPPELGÄNGER / PALIMPSEST), and the d500-scale 96.8%-AUC headline-corpus attacker.

Each checkpoint ships with its training-config JSON sidecar (architecture, optimizer, learning rate, epochs, eval splits, per-epoch AUC), an aggregated manifest.json, and an SHA256SUMS file. The accompanying CITATIONS.md on main credits every architecture author whose work these models instantiate (Tan & Le 2019 for EfficientNet; Boroumand, Chen, Fridrich 2019 for SRNet; Xu, Wu, Shi 2016 for XuNet; Dosovitskiy et al. 2021 for ViT) — please cite the original authors if you use these in academic work.

External pretrained models (DDE Lab's JIN-SRNet, the Aletheia EfficientNet-B0) are NOT redistributed in this bundle — they're not ours to ship. CITATIONS.md links to their original sources.

Audit-grade, not assurance-grade.

Internal audits cover the v0.x codebase plus a verification round. v1.0.1 closed the audit follow-throughs left open at v0.4.0. v2.0.0 inherits those — the v1 STC pipeline is unchanged, and the v2 macroblock surface uses the same envelope. v2-specific audit work has not started.

Finding Severity v1 status
STC syndrome boundary check medium (false alarm) confirmed correct
Same-source HMAC/AEAD keys low (theoretical) closed — independent-extract HKDF
Double-layer encoder coupling low (most subtle) closed — property-based test added
DCT-I vs DCT-II in hash_guard low (numerical) closed — verified DCT-II orthonormal, locked in by test
PRNG fallback untested info closed — structural-properties + determinism tests
PNG decoder unused info closed — PNG removed entirely from v1
CLI passphrase exposure medium closed in v0.3 (--passphrase-env, --passphrase-fd)

The audits also document several INFO/LOW findings that are documented design choices rather than fix-targets — effective_height stub semantics, HMAC-pre-decryption pre-check rationale, locations-key HKDF + Argon2id chain design, payload-auth scope trade-off, salt stability against adversarial covers. See audits/ for the full inventory and rationale.

No external commercial security review

The cryptographic primitives are used via established crates (argon2, chacha20poly1305, sha2, hkdf, hmac) and the composition is reviewed in the audits above — but it has not been examined by a paid third-party firm. Treat phantasm v1 accordingly. If your threat model requires production-grade assurance, commission a dedicated review before deploying.

Built on the shoulders of these papers.

phantasm is a composition of academic primitives — not a novel contribution to any of them individually. If you cite phantasm in academic work, please cite the original authors of the underlying techniques. Full citations with abstracts and notes on how phantasm uses each work live in CITATIONS.md.

Steganographic distortion functions

Holub, V., Fridrich, J., & Denemark, T. (2014). "Universal distortion function for steganography in an arbitrary domain." EURASIP J. Inf. Sec. 2014(1), 1. DOI
Guo, L., Ni, J., Su, W., Tang, C., & Shi, Y. Q. (2015). "Using Statistical Image Model for JPEG Steganography: Uniform Embedding Revisited." IEEE TIFS 10(12), 2669-2680. DOI
Denemark, T., & Fridrich, J. (2015). "Side-informed steganography with additive distortion." IEEE WIFS, 1-6. DOI

Syndrome-trellis coding

Filler, T., Judas, J., & Fridrich, J. (2011). "Minimizing Additive Distortion in Steganography Using Syndrome-Trellis Codes." IEEE TIFS 6(3), 920-935. DOI
Filler, T., & Fridrich, J. (2010). "Gibbs Construction in Steganography." IEEE TIFS 5(4), 705-720. DOI

Channel-resilient steganography

Zeng, K., Chen, K., Zhang, W., Wang, Y., & Yu, N. (2022). "Improving robust adaptive steganography via minimizing channel errors." Signal Processing 195, 108498. (MINICER) DOI
Zeng, K., Chen, K., Zhang, W., & Wang, Y. (2023). "Upward Robust Steganography Based on Overflow Alleviation." IEEE Trans. Multimedia. (ROAST) DOI

Steganalysis

Butora, J., Yousfi, Y., & Fridrich, J. (2021). "How to Pretrain for Steganalysis." ACM IH&MMSec '21, 143-148. DOI
Boroumand, M., Chen, M., & Fridrich, J. (2019). "Deep Residual Network for Steganalysis of Digital Images." IEEE TIFS 14(5), 1181-1193. DOI
Xu, G., Wu, H.-Z., & Shi, Y.-Q. (2016). "Structural Design of Convolutional Neural Networks for Steganalysis." IEEE Signal Process. Lett. 23(5), 708-712. DOI
Yedroudj, M., Comby, F., & Chaumont, M. (2018). "Yedroudj-Net: An Efficient CNN for Spatial Steganalysis." IEEE ICASSP, 2092-2096. DOI
Zhang, R., Zhu, F., Liu, J., & Liu, G. (2020). "Depth-Wise Separable Convolutions and Multi-Level Pooling for an Efficient Spatial CNN-Based Steganalysis." IEEE TIFS 15, 1138-1150. IEEE
Lerch-Hostalot, D. (2024). "Aletheia: an open-source toolbox for steganalysis." JOSS 9(93), 5982. DOI

Detector backbones

Tan, M., & Le, Q. (2019). "EfficientNet: Rethinking Model Scaling for Convolutional Neural Networks." ICML, 6105-6114. arXiv
Dosovitskiy, A. et al. (2021). "An Image is Worth 16x16 Words: Transformers for Image Recognition at Scale." ICLR. arXiv
Deng, J., Dong, W., Socher, R., Li, L.-J., Li, K., & Fei-Fei, L. (2009). "ImageNet: A large-scale hierarchical image database." IEEE CVPR, 248-255. DOI

Cryptography

Biryukov, A., Dinu, D., & Khovratovich, D. (2016). "Argon2: New Generation of Memory-Hard Functions for Password Hashing and Other Applications." IEEE EuroS&P, 292-302. DOI
Biryukov, A., Dinu, D., Khovratovich, D., & Josefsson, S. (2021). "RFC 9106: Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications." IETF. RFC
Bernstein, D. J. (2008). "ChaCha, a variant of Salsa20." Workshop Record of SASC. PDF
Bernstein, D. J. (2005). "The Poly1305-AES Message-Authentication Code." FSE 2005, LNCS 3557, 32-49. DOI
Arciszewski, S. (2020). "XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305." IETF Internet-Draft. draft
Krawczyk, H. (2010). "Cryptographic Extraction and Key Derivation: The HKDF Scheme." CRYPTO 2010, LNCS 6223, 631-648. DOI
Krawczyk, H., & Eronen, P. (2010). "RFC 5869: HMAC-based Extract-and-Expand Key Derivation Function (HKDF)." IETF. RFC
Krawczyk, H., Bellare, M., & Canetti, R. (1997). "RFC 2104: HMAC: Keyed-Hashing for Message Authentication." IETF. RFC

Steganographic corpora

Bas, P., Filler, T., & Pevný, T. (2011). "'Break Our Steganographic System': The Ins and Outs of Organizing BOSS." Information Hiding 2011, 59-70. DOI
Cogranne, R., Giboulot, Q., & Bas, P. (2020). "ALASKA#2: Challenging Academic Research on Steganalysis with Realistic Images." IEEE WIFS, 1-5. DOI

Adversarial / generative steganography

Tang, W., Tan, S., Li, B., & Huang, J. (2017). "Automatic Steganographic Distortion Learning Using a Generative Adversarial Network." IEEE Signal Process. Lett. 24(10), 1547-1551. (ASDL-GAN) DOI
Tang, W., Li, B., Tan, S., Barni, M., & Huang, J. (2019). "CNN-Based Adversarial Embedding for Image Steganography." IEEE TIFS 14(8), 2074-2087. (ADV-EMB) DOI
Yang, J., Ruan, D., Huang, J., Kang, X., & Shi, Y. Q. (2020). "An Embedding Cost Learning Framework Using GAN." IEEE TIFS 15, 839-851. (UT-GAN) DOI

Classical steganalysis

Fridrich, J., Goljan, M., & Du, R. (2001). "Reliable detection of LSB steganography in color and grayscale images." ACM Workshop on Multimedia and Security, 27-30. DOI
Fridrich, J., & Kodovský, J. (2012). "Rich Models for Steganalysis of Digital Images." IEEE TIFS 7(3), 868-882. DOI

Software libraries (Rust crates) are credited in CITATIONS.md and the workspace Cargo.lock. External pretrained models referenced but not redistributed (DDE Lab JIN-SRNet, Aletheia EffNet-B0) are flagged in their respective entries.