Responses to Reviewer ykFF

We would like to express our heartfelt gratitude for the time and effort you dedicated to reviewing our paper. Your insightful remarks have prompted us to thoroughly re-examine every aspect of our work. In response, we have carefully prepared the following point-by-point replies, which will be incorporated into the final version:

Q1: Although the paper evaluates steganalysis performance using three models, these models largely rely on feature extraction or simple architectures. They are insufficient to capture the subtle, high-level distributional patterns potentially introduced by LLM-based generation. To convincingly demonstrate that StegoZip does not introduce detectable AIGC-specific artifacts, the authors should consider training more powerful neural steganalysis models, or simply use GPT as the detector.

Response 1: By leveraging the pseudo-randomization method based on CHACHA20, our method seamlessly integrates with provable secure steganography, inheriting its security guarantees. We have also demonstrated this theoretically (see Appendix A.2, "StegoZip Maintains the Security of the Underlying Steganographic Algorithm"). It is important to note that the provable security here refers to being indistinguishable from normal generated text, not from human-written text. Provably secure steganography involves disguising steganographic behavior as normal generated text, as detailed in Appendix A.1, “Provably Secure Steganography”, and in previous paper [1-5].

Thus, for a detector, the challenge lies in distinguishing whether the text is normal generated cover text or stego text generated by embedding secret messages. To evaluate this, we followed prior studies [4-5] and selected three specialized text steganographic analyzer. The classification accuracies of these analyzers were all close to 50%, indicating that the stego text generated under the StegoZip framework is difficult to distinguish, rendering the classifiers equivalent to random guessing.

[1] Ziegler, Zachary, et al. "Neural Linguistic Steganography." Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP). 2019.

[2] Yang, Kuan, et al. "Provably secure generative steganography based on autoregressive model." International Workshop on Digital Watermarking. Cham: Springer International Publishing, 2018.

[3] Zhang, Siyu, et al. "Provably Secure Generative Linguistic Steganography." Findings of the Association for Computational Linguistics: ACL-IJCNLP 2021. 2021.

[3] Ding, Jinyang, et al. "Discop: Provably secure steganography in practice based on" distribution copies"." 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023.

[4] Wang, Yaofei, et al. "SparSamp: Efficient Provably Secure Steganography Based on Sparse Sampling." 34th USENIX Security Symposium (USENIX Security 25). 2025.

Q2: The proposed framework includes a self-checking mechanism where parts of the message that cannot be reliably reconstructed are retained in square brackets. However, the semantic or compression cost introduced by this fallback is not clearly quantified. For example, under default settings, what percentage of content typically requires fallback? How does this affect the effective payload and restoration complexity?

Response 2: In Section 4.2: Main Performance of StegoZip, Figure 4 provides a quantitative analysis of the time cost introduced by the self-checking mechanism (i.e., restoration complexity). The self-checking process increases StegoZip’s processing time by approximately 15%.

To complement this, we conducted additional experiments under the same settings using the previously fine-tuned Qwen2.5-7B as the restorer, without employing the self-checking mechanism, and 40% of the semantic information was pruned. The results are summarized as follows:

Here, R / C represents the semantic retention of the restored/compressed secret messages relative to the original. Fallback Ratio indicates the percentage of content requiring fallback, while Missing Ratio represents the percentage of missing content per sample.

The results show that while not using the self-checking mechanism improves the effective payload by 8%, the receiver experiences semantic loss, which is unacceptable in covert communication scenarios. Thus, a trade-off between the effective payload and restoration complexity is necessary.

With the self-checking mechanism enabled, the AGNews dataset requires recording approximately 50% of missing words on average, while the IMDb dataset requires recording around 72% when 40% of the semantic information is pruned. For context, the average number of words per sample in the AGNews dataset (short text) is 37.63, while in the IMDb dataset (long text) it is 223.56. Thus, even when 16% of words are missing in short texts or 10% in long texts, lossless reconstruction can still be achieved.

Q3: DSRP claims to preserve key entities through entity detection by assigning them infinite self-information. However, the paper does not clarify how this detection is implemented, nor does it provide any evaluation of its accuracy. If critical entities are missed, important content could be pruned inadvertently, affecting message fidelity.

Response 3: As detailed in Section 3.3 (Dynamic Semantic Redundancy Pruning), to ensure that critical information—such as names, numbers, or other key entities—is preserved and does not compromise the effectiveness of the restoration process, entity detection is performed prior to pruning. This involves a relatively straightforward Named Entity Recognition (NER) task, requiring the training of an entity detector on annotated corpus data.

In our experiments, we utilized the built-in NER pipeline provided by the python-spacy library to detect and tag entities (approximately 84% accuracy). The additional time required for this step is minimal (<1%) and is included in the DSRP time shown in Figure 4.

Importantly, even if errors occur during entity detection, the subsequent self-checking mechanism ensures the integrity of the secret message. As we discussed in Question-2 above, when pruning removes certain information, the secret can still be fully reconstructed at the receiving end without any loss, achieving 100% Rouge and BERTScore metrics. This is demonstrated in Table 2 of Section 4.2: Main Performance of StegoZip.

Thank you once again for your invaluable contributions to this paper. We hope our responses have fully addressed your concerns, and we would be happy to continue the discussion should you have any remaining questions. Wishing you success and fulfillment in both your research and personal endeavors!

Responses to Reviewer UhwE

We sincerely appreciate the time and effort you spent to reviewing our paper. Your insightful feedback has motivated us to thoroughly re-evaluate every aspect of our work. Below, we have provided detailed responses and will incorporate these revisions into the final version of the manuscript:

Q1: The paper only considers two linguistic steganography techniques, what about more traditional methods like the one using Huffman/Arithmetic encoding in previous methods?

Response 1: StegoZip is designed as a plug-and-play secret messages compressor that can be integrated with any downstream linguistic steganography scheme as long as that scheme accepts a raw bitstream and returns a stego text. We tried combining StegoZip with two representative arithmetic-coding–based methods: AC [1] and Meteor [2]. The experimental results are as follows:

Due to the rebuttal schedule, we only randomly sampled 100 news items from AGNews to serve as the secret messages and, for stego prompts, extracted the first two sentences of 100 randomly chosen samples from WikiText dataset. We use the previously fine-tuned Qwen2.5-7B as the restorer while all other settings are the same as those in the Baselines. When integrated with AC-based steganographic methods under lossless decoding, StegoZip still achieves 2× the payload of the baselines while requiring less processing time in practice.

[1] Ziegler, Zachary, et al. "Neural Linguistic Steganography." Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP). 2019.

[2] Kaptchuk, Gabriel, et al. "Meteor: Cryptographically secure steganography for realistic distributions." Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 2021.

Q2: I'm wondering if the LLM's capability would impact the final performance --- i.e., leveraging larger or smaller LLMs under the same setting.

Response 2: We have analyzed this problem in Table 3 ("Efficiency comparison of LLMs of varying sizes in compression and restoration"). As the model size increases, the achievable payload consistently rises; however, both encoding and decoding times increase with model size.

Thank you once again for your invaluable contributions to this paper. We hope our responses address your concerns fully, and we would be delighted to engage in further discussions should you have any additional questions. Wishing you continued success in both your research and life!

Responses to Reviewer jVW7

We sincerely appreciate the time and effort you invested in reviewing our paper. Your insightful comments have prompted us to conduct a comprehensive re-evaluation of every aspect of our work. Below, we have carefully prepared point-by-point responses, which will be incorporated into the final version:

Q1: The paper claims broad applicability for covert communication but does not deeply explore domain-specific challenges (e.g., handling technical jargon in medical domains or low-resource languages).

Response 1: We would like to clarify that the applicability of StegoZip, as discussed in the paper, specifically refers to its adaptability to integrable text steganography algorithms. We hope this explanation helps to resolve any misunderstanding.

Moreover, we acknowledge the importance of the domain-specific challenges you mentioned on covert communication. To address this, we have added test results on the MedNLI dataset from the medical domain [1]. Specifically, we randomly selected 1,000 test samples and used the previously fine-tuned Qwen2.5-7B model on the English AGNews dataset as the Restorer (i.e., this test evaluates out-of-distribution data) and Discop as the underlying steganographic algorithm. All other settings remain consistent with the baseline descriptions. The experimental results are as follows:

Even when dealing with out-of-distribution data that includes a lots of technical jargon, StegoZip can still achieve an 8% increase in payload while reducing processing time without re-fine-tuning. Initially, fine-tuning the small-scale LLMs was intended solely to enable them to comprehend the restoration task, without considering the specific domain of the secret messages. However, given the specialized nature of covert communications, interacting parties can often anticipate the domain of the secret messages and apply fine-tuning, as discussed in Section 4.4, “Cross-Domain Transferability Analysis”.

[1] Romanov, Alexey, and Chaitanya Shivade. "Lessons from natural language inference in the clinical domain." arXiv preprint arXiv:1808.06752 (2018).

Q2: Reported 2.5× gain is measured only on English news and movie reviews; no multilingual, chat-style, or code-mixed corpora are tested, limiting external validity.

Response 2: We selected English news and movie reviews as test data because they encompass a broad range of knowledge, making them more representative as secret messages in covert communication scenarios. However, we greatly value the domain-specific challenges you raised and have taken the initiative to explore more challenging tasks.

To this end, we used the previously fine-tuned Qwen2.5-7B model on the English AGNews dataset as the Restorer and Discop as the underlying steganographic algorithm. For the experiments, we randomly selected 1,000 French dialogue samples from the Claire French Dialogue Dataset (CFDD) [2], using the first two dialogues of each sample as the secret messages. Additionally, we constructed a Code-Mixed dataset by randomly selecting 1,000 code statements across MySQL, Python, C++, and Java. All test data represent out-of-distribution samples. Other experimental settings were kept consistent with the baseline descriptions. The experimental results are as follows:

Even with a Restorer fine-tuned on an English dataset, the system performed exceptionally well on the French test set, achieving lossless decoding in less time and more than doubling the payload. This aligns with our design goal of fine-tuning the Restorer to understand the restoration task itself, rather than data from a specific domain.

However, the performance on the Code-Mixed dataset was less impressive. This is primarily due to the nature of the dataset: code statements are relatively short, with many resembling examples such as float updateInfo(int val_qliz) { return 84.53f; }. The average word count in the dataset is only around 15, which limits its compression capacity. It is worth noting that StegoZip is primarily designed to handle large volumes of secret messages, such as reports, logs, or multimedia metadata. These types of messages, if left unprocessed, would typically require multiple transmissions or result in suspiciously long stego text. This aligns with common application scenarios in covert communication, where handling substantial payloads is a critical requirement.

[2] Hunter, Julie, et al. "The claire french dialogue dataset." arXiv preprint arXiv:2311.16840 (2023).

Q3: The self-checking process in DSRP (Page 5) is described as ensuring lossless reconstruction by replacing unaligned portions with original content. Could the authors provide a more detailed explanation or example of this process, including its computational cost?

Response 3: In Figure 2 of the paper, we illustrate a specific example of this process. The original secret message, denoted as $m$, undergoes processing through DSRP and is transformed into $m_c$. At this stage, a self-checking mechanism is applied, producing $m_r$. If errors are detected during the reconstruction of the second and third missing words, the corrected words are enclosed in brackets [ ], resulting in $m_c’$. The receiver obtains $m_c’$ without any loss of information and can clearly identify the words enclosed in brackets. This allows $m_c’$ to be split into $m_c$ and an error correction table, which is then used to resolve the errors in the second and third missing words.

Since the restorer and $m_c$ are aligned, the receiver will encounter the same reconstruction errors in the second and third words ($m_r$) when attempting to recreate the original secret message. These errors can subsequently be corrected using the error correction table, ultimately allowing the receiver to fully reconstruct the original secret message, $m$. Specific examples are as follows:

• $m$: Toyota to open south China plant Japan carmaker Toyota enters a joint venture to produce saloon cars in southern China.
• $m_c$: Toyota [] [] [] China plant Japan carmaker Toyota enters a [] [] to produce saloon cars [] southern China.
• $m_r$: Toyota [to] [establish] [a] China plant Japan carmaker Toyota enters a [joint][venture] to produce saloon cars [in] southern China.
• $m_c’$: Toyota [] [open] [south] China plant Japan carmaker Toyota enters a [] [] to produce saloon cars [] southern China.

In Section 4.2: Main Performance of StegoZip, Figure 4 provides a quantitative analysis of the time cost introduced by the self-checking mechanism. The self-checking process increases StegoZip’s processing time by approximately 15%.

Q4: Robustness to ambiguous tokenization. Please re-run payload/accuracy on sentences that do contain BPE ambiguity or report a mitigation cost when you fall back to character-level tokenizers. A large degradation would cast doubt on practical use.

Response 4: Regarding the robustness issue caused by tokenization ambiguity, we have discussed this in Appendix C.5: "Token Ambiguity". First, it is important to note that current mainstream LLMs (e.g., GPT, LLaMA, Qwen, etc.) predominantly use BPE-based tokenizers rather than character-level tokenizers, which are prone to significant semantic loss. However, the vocabulary of BPE-based tokenizers is not prefix-free, meaning that the same input sequence may have multiple tokenization paths.

It is worth clarifying that this ambiguity primarily affects the underlying steganographic algorithms integrated into the StegoZip framework, rather than StegoZip itself. To mitigate information loss caused by such ambiguity, existing steganographic systems commonly employ a "disambiguation" strategy [3]. To evaluate the robustness of StegoZip, we tested the disambiguating steganographic algorithm SyncPool [3] under the same experimental settings in the paper. The results are as follow:

Although there is a slight decline in performance for both the baseline and our approach, the steganographic algorithm integrated into the StegoZip framework still achieves a 2× increase in payload while requiring less processing time compared to the baseline method.

[3] Qi, Yuang, et al. "Provably secure disambiguating neural linguistic steganography." IEEE Transactions on Dependable and Secure Computing (2024).

Thank you once again for your valuable contributions to this paper. We hope our responses have addressed your concerns and would be happy to continue the discussion should you have any remaining questions. Wishing you success and prosperity in both your research and personal endeavors.

Thank you so much for your feedback. We’d like to know if you have any further concerns or suggestions regarding the revised content.

Responses to Reviewer ovAh

We sincerely appreciate your time to reviewing our paper. Your insightful comments have prompted us to thoroughly re-examine every aspect of our work, and we have carefully prepared the following point-by-point responses and will make these changes in the final version:

Q1: What is the core technical contribution of this work? It seems to me the steganography algorithm is based on ChaCha20 so the main contribution is a method to compress the secret message?

Response 1: The core technical contribution of this paper lies in leveraging the advanced comprehension and predictive capabilities of LLMs to design a secret messages compression method for covert communication. Chacha20 serves solely as the pseudo-randomization processing method applied to the compressed messages, with the purpose of enabling compatibility with mainstream provably secure steganography methods. Through the proposed Stegozip framework, the payload of a single transmission is significantly increased (about 2.5× the payload of the baseline methods), effectively mitigating the behavioral abnormalities of frequent transmissions in traditional systems caused by their low payload, while ensuring information integrity.

Q2: How StegoZip generalizes to secret message with very little or no semantic redundancy? Considering the common application scenario of using steganography, it very likely the secret message is short and contains only key information like "XXX person at YYY time/location will do ZZZ", if you keep all the key entities, there are not much thing left to compress.

Response 2: On the one hand, our ablation study in Section 4.5 (Table 5, w/o DSRP) demonstrates that StegoZip still achieves a ≈10% increase in payload, even without removing semantic redundancy. This is because the LLM’s predictive capability alone can re-encode the literal content into a more compact bit-stream. On the other hand, the primary design objective of StegoZip is to handle bulk secrets—such as reports, logs, or multimedia metadata—whose size would otherwise necessitate multiple transmissions or suspiciously long stego texts. This is a common application scenario in covert communication. Our information compression ratio is considerable, as demonstrated by achieving 2.5× the payload of the baseline methods while maintaining comparable processing times in practice.

Q3: Why we need to train the restorer? Can we simply just use a standard out-of-the-shelf LLM?

Response 3: Given the specific requirements of covert communication scenarios, using large cloud-based models is not feasible, as we cannot entrust the processing or restoration of secret messages to the cloud. In practical covert communication environments, the hardware’s computing power is often limited, such as on laptops or mobile devices. Under these constraints, we can only utilize models with smaller parameter sizes, such as no larger than 7B models. However, standard models of this size struggle to effectively understand the task of secret message restoration. To address this, we fine-tune a basic LLM, transforming it into a lightweight and privately deployable solution for restoring secret messages. More discussions are shown in Section 3.2 "Private Restorer in StegoZip Framework".

Q4: What is the "prefix (as prior)" in Figure 2 Step 2: ICC (and also Step 4 Message Decoding).

Response 4: The “prefix” refers to the fixed system instruction used to fine-tune the restorer model (see Figure 3). This identical instruction is prepended to every secret message before it enters the ICC encoder. By doing so, it provides prior knowledge that the subsequent text represents a low-semantic structure, enabling the model to compress it further into compact binary codes. In Section 4.5 (Table 5, w/o instruction in ICC), we ablate this design. When the prefix was omitted, the payload decreased by approximately 3%, highlighting its necessity.

Q5: Have you tried combining StegoZip with those arithmetic coding based stegonagraphic algorithms?

Response 5: Yes. StegoZip is designed as a plug-and-play secret messages compressor that can be integrated with any downstream linguistic steganography scheme as long as that scheme accepts a raw bitstream and returns a stego text. We tried combining StegoZip with two representative arithmetic-coding–based methods: AC [1] and Meteor [2]. The experimental results are as follows:

Due to the rebuttal schedule, we only randomly sampled 100 news items from AGNews to serve as the secret messages and, for stego prompts, extracted the first two sentences of 100 randomly chosen samples from WikiText dataset. We use the previously fine-tuned Qwen2.5-7B as the restorer while all other settings are the same as those in the Baselines. When integrated with AC-based steganographic methods under lossless decoding, StegoZip still achieves 2× the payload of the baselines while requiring less processing time in practice.

[1] Ziegler, Zachary, et al. "Neural Linguistic Steganography." Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP). 2019.

[2] Kaptchuk, Gabriel, et al. "Meteor: Cryptographically secure steganography for realistic distributions." Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 2021.

Thank you once again for your invaluable efforts on this paper. We hope that our responses address your concerns, and we would be delighted to continue the discussion if any questions remain. Wishing you all the best in both life and research ^v^.