SecureGS: Boosting the Security and Fidelity of 3D Gaussian Splatting Steganography

W7: The source of PSNR improvements over Scaffold-GS

We kindly remind you that we have never stated that SecureGS achieves better fidelity than Scaffold-GS. This is because, in steganography tasks, as the container hides more information, its quality will inevitably be lower than the original carrier, whether in 3DGS or image steganography. In the main paper, we simply aimed to explain this counterintuitive phenomenon: SecureGS shows a slightly higher fidelity (0.13 dB) than Scaffold-GS for the original scene because Scaffold-GS uses fewer Gaussian points, whereas SecureGS, by lowering the splitting threshold in key regions, generates more Gaussian points, resulting in a slight fidelity increase. Thus, this is not an advantage of our method, but merely an explanation of this experimental result.

Q1: Would the hidden scene become more apparent in the resulting sparse point cloud?

• Due to the introduction of RDO, which encourages anchor splitting, the points representing the original scene and the hidden object are very compact and close to each other. Thus, after downsampling, the information of the hidden object remains disordered and invisible.
• If an excessively high downsampling ratio is applied, it will severely affect the rendering quality of the original scene, damaging the entire 3DGS. This makes attacks on our steganography algorithm relatively meaningless.

W3: Ablation studies

We must emphasize that, although our method is built upon Scaffold-GS, Scaffold-GS itself cannot achieve secure and effective 3DGS steganography. It is our improvements that enable it to attain enhanced security, high rendering quality and optimized memory usage. We will provide a detailed explanation and include additional ablation experiments to prove it.

• The original Scaffold-GS directly stores the offset of Gaussian points in the point cloud file. If the points used for rendering hidden messages are also stored explicitly, it would expose the geometric structure of the hidden objects. To address this, SecureGS employs an offset predictor combined with a hybrid decoupled Gaussian encryption representation (HDGER), enhancing its security. The fidelity results are presented in Table 4 of the main paper, labeled as ''Ours w/o HDGER.''

• To further clarify the independent contributions of our region-aware density optimization (RDO), we conduct ablation studies on RDO and realize two variants, namely globally reducing the gradient threshold and using the same gradient to grow anchor points representing both the original and hidden scenes. The results are reported as follows. We find that globally lowering the gradient threshold increases the memory size by 114.76 MB, significantly reducing rendering speed while only resulting in a 0.18 dB gain in PSNR. Additionally, if a shared gradient is used instead of our asynchronous gradient accumulation, the rendering of the original scene and the hidden object interfere with each other, leading to a reduction in rendering quality for both and failing to ensure security. Thus, using our region-aware density optimization achieves a well-balanced trade-off between rendering quality, security, and rendering efficiency. We include this part in A.6 of our appendix.

  Method	Memory Size (MB)	PSNR_o (dB)	SSIM_o	PSNR_s (dB)	SSIM_s
  Globally reducing the gradient threshold	405.27	28.11	0.831	38.36	0.987
  Using the same gradient for anchor growing	252.49	27.73	0.815	37.95	0.977
  SecureGS (Ours)	290.54	27.93	0.822	38.21	0.986

W4: Relies on the Scaffold-GS framework

The core of our method lies in using implicit MLPs to hide the attributes of Gaussian points, thereby enabling the hiding of 3D objects, images, and bits. Our method only requires adding an embedding attribute $\boldsymbol{f}_v\in\mathbb{R}^{D}$ to any Gaussian representation, making it compatible with our approach. Therefore, SecureGS is a general framework that can integrate with various 3DGS variants, not limited to Scaffold-GS.

W5: Systematic theoretical support and empirical choices of hyper-parameters

• In the field of 3DGS, it is very rare and challenging to prove the effectiveness of a method via mathematical theoretical derivations. However, we have demonstrated the superiority of SecureGS through detailed experimental results.
• Our method is parameter-insensitive. First, for the same scene, selecting different parameters for RDO, such as the splitting threshold or the iteration at which RDO begins, has minimal impact on the results. Second, the same set of parameters can be applied to different scenes without requiring manual adjustments, ensuring the practicality of our approach.

W6: More robustness experiments

Thanks for your valuable advice. We have supplemented the robustness analysis of point cloud denoising as follows. After applying a Statistical Outlier Removal to denoise the Gaussian point cloud, we find that while the quality of the original scene decreased, the rendering quality of the hidden object remains almost unchanged. This shows the strong robustness of our method. Subjective results are provided in Figure 9 of our appendix. Additionally, we have included experiments where Gaussian noise was added to the anchor point cloud in A.5 of our appendix.

We sincerely appreciate your detailed and thoughtful review. We have addressed all your concerns, and your feedback has helped make our experiments more comprehensive and our presentation clearer. If you have any further questions, please feel free to continue the discussion with us.

W1: Originality of our SecureGS

• SecureGS and GS-Hider have different method design, theoretical basis, and functionality.

  • Each Gaussian point in GS-Hider is associated with a coupled feature attribute $\boldsymbol{f}_i$, which generates a coupled feature field. Two separate decoders are then used to extract the hidden message and the original scene. In other words, each Gaussian point in GS-Hider is coupled together and contributes to the rendering of both the original scene and the hidden scene, meaning $\textcolor{red}{**GS-Hider can not achieve creating Gaussian points separately**}$.

  • In contrast, SecureGS achieves a genuine decoupling of Gaussian points for rendering the original scene and the hidden scene by using an implicit offset predictor and a series of attribute MLPs. The anchor point cloud extracted in Figure 6, representing the hidden scene, clearly shows this decoupling capability. Thus, the idea of creating separate anchor points for the hidden objects and the original scene $\textcolor{red}{**is entirely novel and first introduced by SecureGS**}$.

  • The theoretical basis of GS-Hider is 3DGS, which is a fully explicit representation. In contrast, SecureGS is built on neural voxels and implicit attribute prediction, representing a hybrid of explicit and implicit 3D representation theory.

  • In addition to the functionality of GS-Hider, SecureGS offers several unique and valuable features, such as directly extracting bits from GS points, explicitly separating anchor point clouds used to represent the hidden scene, and hiding background-free objects within the scene. These capabilities clearly distinguish our work from GS-Hider.

• In our region-aware density optimization, we innovatively introduce an asynchronous gradient accumulation strategy, an adaptive bounding box acquisition method, and a decoupled growing and pruning strategy. Together, these enhancements significantly improve the security of 3DGS-based hiding. To the best of our knowledge, such strategies have not been employed in other methods. If you find a similar approach, please let us know, and we will compare it accordingly.

W2: Motivation for using Scaffold-GS

Thank you for your suggestion. Our motivation for choosing Scaffold-GS is as follows:

• First, unlike the purely explicit representation of 3DGS, Scaffold-GS uses implicit MLPs to store the attributes of Gaussian points. This approach allows us to focus on encrypting the series of implicit MLPs rather than dealing with a large amount of explicit Gaussian points. This inherent characteristic makes Scaffold-GS particularly well-suited for steganographic tasks.
• Second, Scaffold-GS achieves comparable rendering quality and real-time performance to 3DGS. This means that using Scaffold-GS as a baseline for exploring 3D steganography does not compromise the high fidelity and fast rendering advantages of 3DGS.

We have included this discussion in Line 73-77 of the main paper.

Thank you for your constructive comments! If there are any additional comments to be added, please continue the discussion with us.

W1: Introduce complexity that could hinder practical adoption

• Our method is essentially an end-to-end black box. Users only need to input the training views corresponding to the original scene and the hidden object to obtain the anchor point cloud with hidden message and the secret MLP. Compared to training the original 3DGS or the steganography method GS-Hider, it does not introduce any additional steps.
• Our method offers additional functions compared to steganography methods like GS-Hider. For instance, it can directly output the point cloud representing the hidden scene, as well as hide both 3D scenes, bits, or background-free objects. This significantly enhances convenience for practitioners.

W2: Increased computational requirements

Although our method introduces additional computational overhead compared to Scaffold-GS, it remains resource-efficient compared to all other GS-based steganography methods and the original 3DGS.

• Our average point cloud file memory size is only 267.39 MB, which is 201.24 MB less than GS-Hider and 839.28 MB less than 3DGS+StegaNeRF.
• Our rendering speed is 131.71 FPS, with a peak of 144.46 FPS, which is comparable to the original 3DGS and significantly faster than GS-Hider.

W3: Minor Issues

Thank you for your reminder. We have corrected the vspace in our paper.

Q1: Comparison to traditional steganography methods

Compared to traditional NeRF watermarking, which typically decodes hidden messages from rendered RGB views, our SecureGS offers faster rendering speeds but requires more storage space to store anchor point clouds. This is inherently determined by the characteristics of the 3DGS representation. Additionally, the computational requirements for our SecureGS are similar to those of NeRF watermarking and can be run on a single NVIDIA GTX 3090 GPU.

Q2: Specific measures taken to ensure the robustness

Thanks for your valuable comments. Our RDO strategy ensures that even under degradation or attacks, the hidden message can still be decoded effectively by encouraging the splitting of more anchor Gaussian points in key regions of the hidden information. To further enhance the robustness of our method, we may need to incorporate some differentiable degradation operations, such as Gaussian noise addition or random dropout, during the training process. We plan to implement this in our future work.

Q3: Simplifying the implementation for practitioners

Although our method employs a relatively complex hybrid 3D representation and RDO strategy, these complexities are entirely transparent to users. During the training phase, users only need to input paired training views, and the method outputs Gaussian anchor point clouds and MLPs. During the verification phase, users simply input the anchor point clouds and encrypted MLPs to extract the hidden information. Furthermore, we will design an interactive editing interface, and provide detailed usage instructions to facilitate practitioners in adopting our method.

Thank you for your constructive feedback! We hope our responses have addressed your concerns. If there are any areas that require further clarification, please don’t hesitate to reach out for further discussion!

W1: About some description in Introduction

Thanks for your reminder. Format security ensures that the published anchor point cloud does not include any additional attributes that might raise suspicion or lead to deletion by malicious attackers. Geometric structure security focuses on guaranteeing that visualizing the Gaussian point cloud does not reveal any trace of the hidden object's geometric structure. Following your suggestion, we have added this explanation to Line 65-69 of introduction and moved Figure 2 to the beginning to make our paper clearer.

W2: About rendering quality

• In the field of 3D rendering, 1.16 dB improvement is already considered a significant performance gain. Figure 5 clearly illustrates the subjective quality improvements of our method compared to other steganography methods. Furthermore, it is worth noting that the rendering quality of the hidden scene has also improved by 1.66 dB compared to GS-Hider, which is another notable and important gain achieved by our method.
• The PSNR_o in Table 2 represents the fidelity of our method after undergoing disruptions (e.g., random pruning). It reflects the degree of degradation rather than the rendering quality of our method. Table 4 presents our ablation experiments, which are designed to show the advantages of two key modules in our method. The PSNR_o values of the two variants in the table also do not reflect the fidelity of our method.
• In fact, to the best of our knowledge, no rendering method in the 3DGS field has achieved a PSNR exceeding 30 dB. Our method surpasses all GS-based steganography methods in terms of fidelity and is comparable to the original Scaffold-GS and 3DGS.
• We show the PSNR_o result in the "Avg" Column of Table 1 and Table 5.

Thank you for your constructive comments! If there are any additional comments to be added, please continue the discussion with us.

W1: Increased model size

• Although the use of RDO slightly increased our model's memory usage, it is still 201.24 MB less than GS-Hider and 839.28 MB less than 3DGS+StegaNeRF, representing a significant advancement compared to existing 3DGS steganography methods. Moreover, SecureGS achieves up to 144.46 FPS, maintaining good real-time rendering capabilities.

• Our point cloud file actually includes anchor points for rendering both the original scene and the hidden object (or scene). Therefore, directly comparing our memory size with methods like Scaffold-GS is relatively unfair.

• Our method allows controlling the growth rate of anchor points and reducing the size of the point cloud file by adjusting the bounding box size, the gradient splitting threshold, and the frequency of asynchronous gradient accumulation in RDO. Additionally, it can be combined with Gaussian compression or pruning methods (as shown in Table 2 of the main paper) to further reduce model size.

W2: Generalizable message extraction

• Although the message extraction methods of NeRFProtector and CopyRNeRF exhibit generalization, their entire watermarking pipeline still requires per-scene optimization for a chosen bit. Therefore, our task setup is consistent with these two methods. Meanwhile, our MLP layer is very lightweight and easy to optimize, without increasing the training time of the original 3D scene. Thus, the comparison between our method and CopyRNeRF as well as NeRFProtector is reasonable.
• Our SecureGS needs to decode hidden information, including bits, from anchor points. HiDDeN is a watermarking network trained on RGB images and cannot be applied to the encoding and decoding of point clouds.
• We will include the unique generalization advantages of NeRFProtector and CopyRNeRF in message extraction in the main paper. Generalized message extraction will be considered in our future work.

Q1: Compatible with the GS compression method

• The core of our SecureGS is using implicit MLPs to hide the attributes of Gaussian points, not limited to specific 3D representation. Thus, it can adapt to various GS compression methods. For example, we can refer to the significance scoring method in LightGaussian, the vector quantization and opacity regularization used in CompGS [1] to perform the pruning of anchor points, further reducing the memory size of the point cloud file. Furthermore, since Compact-3DGS [2] also uses MLP to decode the color components, our SecureGS can naturally adapt to it.

• The potential challenges in integrating compression methods with our SecureGS lie in the following aspects. First, these methods are often designed for compressing spherical harmonic coefficients, so we need to adapt them to compress the feature embedding $\boldsymbol{f}_v$ in SecureGS. Second, we should achieve a balance between security, fidelity, and point cloud storage size via appropriate parameter settings.

[1] CompGS: Smaller and Faster Gaussian Splatting with Vector Quantization.

[2] Compact 3D Gaussian Representation for Radiance Field.

Q2: 3D robustness towards 3D distortions

Thanks for your valuable suggestions. Following your suggestion, we apply Gaussian noise with ($\sigma$=0.05, 0.1, 0.15) to the feature attribute of anchor point cloud. The metrics are presented as follows and the visualization results are in Figure 9 of our appendix. Furthermore, in Table 2 of the main paper, we have already shown the effects of random dropout on Gaussian points. Additionally, in A.5 of the appendix, we have shown the robustness of SecureGS to point cloud denoising. The fidelity results under these different degradations consistently demonstrate the strong robustness of our SecureGS.

Q3: What if the attacker knows the encryption method?

• Even if the attacker knows our encryption method, the weights of each secret MLP are unique to each scene, making it extremely difficult for unauthorized users to crack.
• Our robustness experiments ensure that slight removal or addition of perturbations on the anchor points does not affect the rendering quality of the hidden message. If an attacker attempts to forcibly remove or add a significant portion of the anchor points, the rendering quality of the original scene will also be severely degraded, rendering the 3DGS entirely unusable. This means such destruction is meaningless.

Thank you for your comments. We have addressed your concerns point by point. Please feel free to continue the discussion with us at any time.

W1: Difference between SecureGS and GS-Hider

We kindly remind you that you might have a misunderstanding of our method.

• The innovation of our method does not lie in optimizing memory efficiency but rather in enhancing the security, fidelity, and rendering speed of existing 3DGS steganography methods. (Highlighted in Line 49-69 of our main paper)

• Apart from the task setup of 3DGS steganography, our foundational principles, method design, and implemented functions are totally different from GS-Hider.

  • GS-Hider is based on the original 3DGS theory, while our SecureGS is based on the neural Gaussian theory.
  • Our SecureGS can decouple the two different groups of Gaussian points for representing the original scene and hidden object, while GS-Hider couples them together via a coupled secured feature attribute.
  • In addition to the functions provided by GS-Hider, SecureGS can achieve several unique features, including hiding a background-free object, embedding bits, and separating the point cloud of the hidden object from the original scene.

• The few formulas and figures in our paper that are similar to GS-Hider are included either to review prior work or to provide foundational knowledge. These are standard elements shared by all 3DGS papers and do not diminish our innovation. For example, Eq. (1) and (2) introduce the rendering principles of 3DGS, and Figure 2 explains the approach of GS-Hider.

W2 and Q1: About robustness verification and adversarial attacks

• We want to emphasize that robustness in steganography denotes that hidden message remains well-preserved after degradation, rather than the fidelity of the original scene remaining unaffected. In Table 2, even after randomly pruning 20% of the points, the fidelity of the hidden object remains above 33 dB. This is further supported by Figure 10 in the appendix. Thus, our method demonstrates strong resistance to random pruning degradation.

• To our knowledge, adversarial attacks denote adding perturbations to deceive models, causing them to make incorrect predictions or behave unexpectedly. This is not closely related to robustness testing in steganography. We are unsure which specific type of adversarial attack you are referring to; if possible, please clarify it.

W2: About Scene hiding

Thanks for your advice. We have added the results for hiding scenes within scenes below. Both for the fidelity of the original scene and the hidden scene, our method significantly outperforms GS-Hider. Relevant part is included in A.4 of our appendix.

W2 and Q1: Reproduction of GS-Hider

We requested the official code from the authors of GS-Hider to ensure that our comparisons are fair and valid. Our code will be made publicly available after the review process is completed. Specifically, we reproduce GS-Hider via its coupled feature rasterizer, dividing the screen into 16×16 tiles. The dimension of feature attribute is set to 16. Two decoders are composed of 5 Conv layers. All the parameters use the default settings in GS-Hider.

W3: About memory optimization and real-time rendering

• Since our SecureGS needs to render both the original scene and the hidden scene (objects), it is unfair to directly compare SecureGS with some GS pruning methods that only render the original scene.

• Our average storage size is 267.39 MB, compared to 796.406 MB for 3DGS. With the 20% random point pruning from Table 2, our memory usage is only 26% of the original 3DGS, making it highly lightweight.

• We have reported our FPS in Tables 1 and 5, where it reaches up to 131.71 FPS in scene-level and 144.46 FPS in single-image hiding, far exceeding the real-time requirements (30 FPS). Our rendering time is comparable to Scaffold-GS and 3DGS.

• We kindly remind you again, that although our method shows good memory efficiency, the main innovation of our approach does not lie in optimizing memory usage. Therefore, these memory optimization methods are orthogonal to our work.

W4: Current research status and unclear figures

In Section 2 and Section 3.1, we have systematically introduced the advancements in 3DGS and 3D steganography, especially analyzing the issues in the 3DGS-based work, GS-Hider. If there are any unclear aspects, please feel free to point out the specific areas, including any blurry figures.

Dear Reviewer FjJF,

Thanks a lot for your previous constructive comments. We would like to know if our revisions have addressed your concerns? If required, please do not hesitate to continue the discussion with us.

Best Regards,

Authors of #326.