Code-Level Cost Function Generation for Spatial Image Steganography Using RAG-Enhanced Large Language Models
Abstract
Designing cost functions of adaptive steganography traditionally requires extensive manual tuning, while deep learning methods lack interpretability. Although large language models (LLMs) offer an automated alternative via evolutionary generation, they often violate domain specific mathematical constraints due to a lack of explicit domain knowledge. To address this problem, we propose a novel evolutionary system focused on exploiting Retrieval-Augmented Generation (RAG) enhanced LLMs for the automatic code-level generation of spatial steganography cost functions. This system incorporates a core Self Evolving RAG (SE-RAG) module, wherein a Code Semantic Signature (CSS) translates procedural code into aligned queries, retrieving explicit guidance from static literature and dynamic experience knowledge bases to steer the LLM generation process. A dedicated feedback mechanism then continuously refines the dynamic knowledge base with successful optimization strategies. Extensive experiments on the BOSSBase and BOWS2 datasets demonstrate that the proposed framework consistently achieves higher steganographic security than existing automatically designed methods, and increases the average code execution rate by 46.3% while reducing the search cost by 26.1%, thereby highlighting the effectiveness, efficiency, and potential of combining LLMs with domain-specific knowledge in the field of automatic steganographic algorithm generation.
I Introduction
Image steganography conceals secret information within innocuous cover images while minimizing detectable embedding artifacts. Among existing adaptive steganographic approaches, the minimum-distortion framework has achieved remarkable success due to its flexibility and effectiveness, where embedding costs are typically manually assigned according to local image characteristics and optimized using syndrome trellis codes (STCs) [1]. Although highly effective, designing distortion cost functions still relies heavily on expert knowledge and extensive trial and error [2, 3, 4]. Recent deep learning based approaches alleviate manual feature engineering by learning steganographic representations directly from data, at the cost of large training data requirements and limited interpretability. Recently, large language models (LLMs) have begun to be applied to steganographic tasks [6]. They have further emerged as a promising alternative for automatic algorithm design through evolutionary code generation [5]. However, without explicit domain knowledge, language models tend to perform unguided evolutionary modifications that may violate mathematical constraints or deviate from effective distortion optimization.
Unlike general code generation, automatic steganographic cost function design is fundamentally a knowledge-intensive task. The objective is not merely to generate executable programs, but to generate mathematically valid distortion functions that satisfy strict steganographic constraints while improving resistance against steganalysis. Such domain-specific knowledge cannot be fully captured by the general-purpose knowledge embedded in LLMs alone. Updating the internal knowledge of LLMs through continual training [7] or model editing [8] is computationally expensive and difficult to adapt to the rapidly evolving search process. Retrieval-augmented generation (RAG) [9, 10] has therefore emerged as an effective paradigm for augmenting LLMs with external knowledge without modifying the model parameters. Recent studies have consequently extended RAG through iterative retrieval [11], self-reflective retrieval [12, 13], and evolutionary retrieval strategies [14]. Meanwhile, retrieval-enhanced code generation has also demonstrated the benefit of exploiting structured external knowledge for program synthesis [15]. These advances demonstrate that retrieval provides an effective mechanism for incorporating task-specific knowledge into LLM-based generation, making it a promising foundation for automatic steganographic algorithm design.
Motivated by these observations, we propose a knowledge-guided evolutionary framework, which incorporates a self-evolving RAG (SE-RAG) module to provide structured domain guidance throughout the evolutionary process. Specifically, the SE-RAG module jointly exploits a static literature knowledge base and a dynamic experience knowledge base to achieve this goal. We further introduce a code semantic signature (CSS) that bridges procedural implementations and steganographic concepts, enabling semantics-aware retrieval instead of syntax-oriented matching. A feedback-driven knowledge evolution mechanism continuously transforms successful optimization strategies into reusable experience, allowing subsequent generations to evolve under progressively richer domain guidance.
The main contributions are summarized as follows:
-
•
We propose a knowledge-driven evolutionary framework for automatic steganographic cost function design, empowered by a novel SE-RAG module that integrates a static literature knowledge base with a dynamic experience knowledge base.
-
•
We introduce CSS that bridges the semantic gap between program implementations and steganographic concepts, improving retrieval relevance for cost function generation.
-
•
We develop a novel feedback-driven knowledge evolution mechanism that continuously archives successful optimization experiences into the dynamic knowledge base to provide progressively richer domain guidance.
-
•
Comprehensive evaluations demonstrate that the algorithms generated by our framework consistently achieve higher steganographic security than existing paradigms. Furthermore, the framework significantly enhances evolutionary efficiency, increasing the average code execution rate by 46.3% and reducing the search cost by 26.1%.

II Proposed Framework
II-A Overall Architecture
To advance automated cost function design within the minimum-distortion framework, we establish a knowledge-driven evolutionary paradigm. While recent automated frameworks rely on unguided two-stage generation [5], our architecture fundamentally transforms this process by establishing the SE-RAG module as the core engine for explicit domain guidance. The framework evolves over multiple generations, each comprising cost function generation and evaluation stages. As illustrated in Fig. 1, the process is initialized with a foundational handcrafted steganographic algorithm , which acts as the initial program.
Stage 1 focuses on algorithm generation and preliminary evaluation. In each iteration, a reference program is selected from the program database and fed into the forward process of SE-RAG. Crucially, the CSS of is extracted to perform separate dual-path retrievals from a static literature knowledge base and a dynamic experience knowledge base , supplying the LLM with classic academic concepts and historically successful optimization paths. Guided by this retrieved context, the LLM optimizes to generate new candidate algorithms (). These variants undergo rapid preliminary evaluation via pretrained steganalyzers to filter out non-executable code. We uniformly utilize the minimum average decision error rate as the security metric:
| (1) |
where and represent the false alarm and missed detection rates, respectively. Valid programs and their preliminary scores are saved back into the program database.
Stage 2 conducts precise evaluation for candidates passing the preliminary filter to provide feedback. A dedicated steganalyzer is trained for each program to provide a rigorous assessment via the metric defined in Eq. (1). The results of this accurate evaluation update the pretrained steganalyzer pool in Stage 1, and the optimized programs are added to the seed program pool for subsequent generations. Simultaneously, the evaluation results leverage the backward process of SE-RAG to update the dynamic experience knowledge base based on the evaluation results, accumulating effective empirical paths for continuous improvement.
The overall workflow is illustrated in Fig. 1, and the internal pipeline of the SE-RAG module is detailed in Fig. 2. Section II-B describes the forward generation process, while Section II-C outlines the backward feedback loop.

II-B SE-RAG: Forward Generation Process
The forward generation process transitions the LLM from a blind code generator into a knowledge-informed algorithm optimizer via domain knowledge injection. To achieve effective retrieval, relying directly on the raw reference program as a query is suboptimal due to the conceptual gap between procedural implementations and steganographic semantics. To bridge this gap, as illustrated in Fig. 2, we introduce the CSS mechanism, where is parsed by an AST parser. This parser maps specific Python operations to high-level steganographic semantic concepts based on the mapping rules standardized in Table I, sequentially connecting them into an ordered semantic sequence .
| Raw Python Operation | Semantic Concept |
|---|---|
| convolve + reciprocal | Texture Detection |
| convolve after reciprocal | Spatial Cost Smoothing |
| roll | Edge Offset |
| slice | Spatial Cropping |
| >= 255 / <= 0 | Boundary Value Constraints |
| 1 / x | Cost Initialization Inverse |
Prior to retrieval, literature documents and historically successful rules are partitioned into semantic text chunks . These chunks populate two repositories, namely, the Static Knowledge Base indexing fundamental reference papers, and the Dynamic Knowledge Base , which continuously expands at each evolutionary iteration to store concise optimization summaries. Formally, each repository is defined as a set of constituent chunks: . All chunks are processed by a Bi-Encoder embedding model and stored alongside their continuous vector representations.
During the retrieval phase, the obtained semantic signature formulates the query . A parallel two-stage retrieve-and-rerank pipeline is independently applied to each repository. First, projects into the latent space for a rapid vector screening, where is compared against every chunk to calculate the preliminary similarity score via cosine similarity:
| (2) |
This screens the search space to retain a highly relevant matching pool . Second, the matching pools are forwarded to a Cross-Encoder model for precise reranking to capture fine-grained cross-attention. The final ranking score is computed as:
| (3) |
Finally, a prompt compiler systematically aggregates the acquired information into a highly structured prompt to govern the LLM code synthesis. Instead of a simple concatenation, the compilation process utilizes a sequential integration function to combine four essential components: First, the expert task guidelines , which assign a domain expert persona to the language model and explicitly mandate structural algorithmic innovations, such as novel residual sources or nonadditive fusion rules, while strictly prohibiting superficial parameter tuning; Second, the retrieved context , which supplies explicit domain guidance and historical optimization strategies; Third, the reference program undergoing evolution; and Fourth, the rigorous safety constraints , which enforce deterministic execution, restrict external dependencies to standard numerical packages, and define rigorous mathematical boundaries to satisfy necessary steganographic security constraints. This compilation operation is formally defined as:
| (4) |
The resulting knowledge-injected prompt is then delivered to the LLM to generate the new batch of program candidates.
II-C SE-RAG: Backward Feedback Loop
To prevent the evolutionary process from stalling or repeating past optimization errors, the proposed framework incorporates a backward semantic knowledge extraction mechanism driven by a semantic auditor. The core purpose of this component is to transform fortuitous performance improvements into interpretable steganographic rules, which are subsequently leveraged to guide future mutation directions.
As illustrated in the backward process of Fig. 2, during the accurate evaluation phase, a dedicated steganalysis tool evaluates the optimized program to obtain its security score , as defined in Eq. (1). If this score exceeds that of the initial global baseline, i.e., , the knowledge extraction mechanism inside the Semantic Auditor is triggered. The framework employs an independent LLM summarizer within the auditor to perform a detailed comparative analysis between and . By examining the algorithmic structures and semantic variations, the summarizer extracts and summarizes the specific methodological modifications that lead to the enhanced security. The empirical insights generated during the current iteration form a set:
| (5) |
Consistent with the knowledge representation established in Section II-B, each empirical experience is partitioned into semantic text chunks, embedded into vector representations, and structurally archived. Let denote the set of all semantic chunks derived from . The dynamic knowledge base is updated via a direct set union operation:
| (6) |
where .
Integrating this structured knowledge back into the loop establishes a sustainable self-evolving mechanism. As evolution progresses, the dynamic knowledge base continuously accumulates historically successful design rules. Consequently, when the next iteration performs forward retrieval, the retrieval engine draws directional guidance from both the foundational static knowledge base and the updated dynamic knowledge base , drastically accelerating convergence toward highly secure steganographic cost functions.
III Experimental Setup
Evolutionary generation and evaluation are conducted on BOSSBase v1.01 [19], with optimal algorithms further tested on BOWS2 [20] for generalization. Both datasets contain 10,000 grayscale images, strictly partitioned at a 5:1:4 ratio for paired cover-stego training, validation, and testing. All algorithms are implemented in Python via an embedding simulator.
OpenAI GPT-4o [16] serves as the core LLM for both code generation and backward experience summarization. Knowledge bases are managed via Chroma DB using chunks of 1,000 characters with a stride of 800. We employ the Bi-Encoder all-MiniLM-L6-v2 [18] for dense retrieval and the Cross-Encoder ms-marco-MiniLM-L-6-v2 for reranking. The static repository indexes 228 classical steganography papers. To balance noise and length disparities, the retrieve-and-rerank pipeline filters the top 50 static and 20 dynamic chunks down to and , respectively. The evolution is initialized with WOW [3], HILL [2], and S-UNIWARD [4]. Adopting hyperparameters from [5], each prompt directs the LLM to synthesize four candidate variants per iteration.
For search efficiency, evolution executes exclusively at the highest payload of 0.4 bpp using a fully trained SRNet [17]. The discovered algorithms are then evaluated across lower payloads from 0.3 to 0.1 bpp. The SRNet training parameters and progressive fine-tuning strategy strictly follow the configurations in [5] and the original implementation [17].
IV Results and Analysis
IV-A Steganographic Security
| Algorithm | Framework | Embedding Payload (bpp) | |||
|---|---|---|---|---|---|
| 0.4 | 0.3 | 0.2 | 0.1 | ||
| HILL | Original | 0.1574 | 0.2063 | 0.2596 | 0.3449 |
| Ref. [5] | 0.1654 | 0.2241 | 0.2700 | 0.3559 | |
| Ours | 0.2036 | 0.2433 | 0.3064 | 0.3878 | |
| WOW | Original | 0.1053 | 0.1361 | 0.1800 | 0.2640 |
| Ref. [5] | 0.1385 | 0.1695 | 0.2180 | 0.2911 | |
| Ours | 0.1419 | 0.1711 | 0.2249 | 0.3186 | |
| S-UNIWARD | Original | 0.1139 | 0.1573 | 0.2169 | 0.3245 |
| Ref. [5] | 0.1245 | 0.1709 | 0.2309 | 0.3376 | |
| Ours | 0.1588 | 0.2033 | 0.2588 | 0.3608 | |
| Algorithm | Framework | Embedding Payload (bpp) | |||
|---|---|---|---|---|---|
| 0.4 | 0.3 | 0.2 | 0.1 | ||
| HILL | Original | 0.2515 | 0.2978 | 0.3601 | 0.4279 |
| Ref. [5] | 0.2738 | 0.3198 | 0.3739 | 0.4450 | |
| Ours | 0.3476 | 0.4101 | 0.4584 | 0.4848 | |
| WOW | Original | 0.1605 | 0.1974 | 0.2680 | 0.3644 |
| Ref. [5] | 0.2189 | 0.2604 | 0.3284 | 0.4093 | |
| Ours | 0.2344 | 0.2811 | 0.3515 | 0.4451 | |
| S-UNIWARD | Original | 0.1931 | 0.2536 | 0.3174 | 0.4229 |
| Ref. [5] | 0.2194 | 0.2679 | 0.3499 | 0.4378 | |
| Ours | 0.2541 | 0.2999 | 0.3620 | 0.4510 | |
To evaluate the effectiveness of the proposed framework, we compare the steganographic security of the original handcrafted algorithms and the best algorithms generated by our framework with those produced by the existing LLM-based approach [5]. HILL [2], WOW [3], and S-UNIWARD [4] are adopted as the starting algorithms for the evolutionary search process in both frameworks. Security is quantified by the detection error rate defined in Eq. (1), which is evaluated using dedicated SRNet [17] steganalyzers trained specifically for each evaluated algorithm at each embedding payload.
As reported in Table II and Table III, while the algorithms produced by both automated paradigms successfully enhance the security of their handcrafted counterparts, those generated by our framework consistently achieve the highest across varying payloads on both BOSSBase and BOWS2. By continuously outperforming the baseline across divergent steganographic paradigms, this framework-level comparison systematically demonstrates the superior optimization capacity of our evolutionary framework incorporating the SE-RAG engine, proving that the security gains stem from methodological advancements rather than stochastic fluctuations during the evolutionary search. Consequently, rather than relying solely on the implicit knowledge of the language model, our framework explicitly incorporates domain-specific knowledge into the evolutionary process via the SE-RAG module, enabling a more meaningful exploration of the program space and consistently producing higher-quality steganographic algorithms.
IV-B Evolution Efficiency Analysis
| Metric | Framework | Initial Algorithm | ||
|---|---|---|---|---|
| HILL | WOW | S-UNIWARD | ||
| Execution Rate () | Ref. [5] | 35.0% | 36.3% | 20.0% |
| Ours | 57.5% | 54.2% | 21.9% | |
| Target Iterations () | Ref. [5] | 100 | 160 | 240 |
| Ours | 80 | 120 | 160 | |
To further evaluate the proposed framework, we analyze its evolutionary efficiency in terms of code executability, defined as the percentage of successfully executed candidate algorithms, and search efficiency, representing the number of generated algorithms required to discover the best-performing solution.
As shown in Table IV, the proposed framework improves the overall code execution rate across all three initial algorithms, increasing the average execution rate from 30.4% to 44.5%, which corresponds to a relative improvement of 46.3%. Although the execution rate enhancement for the highly constrained S-UNIWARD is marginal, the overall search efficiency is consistently optimized. Specifically, our framework requires substantially fewer generated algorithms to discover the best-performing solution across all baselines, reducing the overall search cost by an average of 26.1%. Collectively, despite the inherent challenges in optimizing complex spatial steganographic models like S-UNIWARD, these results demonstrate that our framework enables more reliable candidate generation and highly efficient optimization. This substantially reduces the computational cost of automatic steganographic algorithm design, highlighting its practical applicability.
IV-C Analysis of Evolved Cost Functions
To explore the effectiveness of our evolutionary system, we present the evolved cost functions derived from HILL, WOW, and S-UNIWARD, detailing the specific modifications made to each algorithm.
IV-C1 Evolved HILL
The original HILL algorithm estimates distortion via a high-pass residual , where is the cover image, denotes convolution, and is the Ker-Bohme (KB) filter. It formulates the suitability map and cost as:
| (7) |
where and are and mean filters, respectively, and ensures numerical stability.
The evolved algorithm refines this by introducing a median residual , where denotes a local median filter. These residuals are fused into a joint response:
| (8) |
where , , and represent element-wise multiplication, absolute value, and square root. To measure texture complexity, the local variance within a neighborhood at each coordinate is computed, and immediately truncated into a variance gating factor , where restricts within . Finally, the evolved algorithm constructs a refined suitability map and maps it directly to the local embedding cost :
| (9) |
To enforce physical boundaries and numerical stability, valid costs are lower-bounded by . Extreme numerical values and invalid boundary modifications are strictly penalized with an infinite wet cost.
IV-C2 Evolved WOW
The original WOW employs Daubechies 8-tap (DB-8) low-pass () and high-pass () filters to construct three directional filters via outer products to represent the LH, HL, and HH subbands: , , and . The embedding suitability maps quantify local texture complexity by measuring weighted absolute residual differences:
| (10) |
where represents mirror-padded correlation. Pixels with small directional residuals are highly predictable, thus receiving higher embedding costs to minimize detectability. The original cost aggregates the reciprocal of these maps:
| (11) |
Replacing conventional hand-crafted wavelets, our evolutionary system autonomously discovers an asymmetric 9-tap filter pair, denoted as and . Substituting the DB-8 vectors, it reconstructs the three standard subbands and introduces a fourth low-frequency structural subband to capture local structural consistency. The expanded suitability maps use the identical formulation:
| (12) |
The evolved algorithm replaces static reciprocal aggregation with a pixel-wise dynamic fusion mechanism. Specifically, the directional discrepancy is first evaluated using the channel-wise variance , which is scaled via global normalization to yield . A dynamic pooling parameter is then generated to locally adjust the fusion intensity:
| (13) |
To strictly ensure mathematical validity across spatially varying parameters, the aggregation is performed at each pixel by defining a joint suitability pool :
| (14) |
Cost bounding and numerical stabilization follow the identical protocols established in the evolved HILL algorithm.
IV-C3 Evolved S-UNIWARD
The original S-UNIWARD evaluates distortion using directional relative change profiles. Following WOW, three DB-8 directional filters, denoted by for , are employed to compute the directional suitability maps:
| (15) |
where is a stabilization constant. The overall embedding cost is then obtained by aggregating the three directional suitability maps:
| (16) |
The evolved algorithm expands this design by augmenting the filter bank. Retaining the classic DB-8 filters, it introduces an approximate horizontal gradient filter and its vertical counterpart to evaluate local boundary discontinuities. To ensure optimal compliance with the physical properties of different residuals, the expanded suitability maps are extracted through divergent smoothing strategies. The gradient subbands employ a local median filter, while the first three subbands retain their original strategies:
| (17) |
A geometric mean aggregation supersedes the original linear additive summation in this expanded design. The final embedding cost is therefore formulated by explicitly evaluating the joint product of all five suitability tracks at each pixel:
| (18) |
As with the preceding algorithms, physical boundaries and extreme numerical values are regulated through identical constraint mechanisms.
V CONCLUSION
In this paper, we propose a knowledge-based evolutionary framework for the generation of code-level cost functions in spatial image steganography. To overcome the lack of domain-specific guidance in existing LLM-based automated design, our framework is driven by a central SE-RAG module. Within this engine, CSS is utilized to bridge the semantic gap between procedural implementations and steganographic principles, enabling the continuous and dynamic integration of explicit guidance from both static literature and historically successful optimization experiences.
Experimental results on BOSSBase and BOWS2 demonstrate that our framework consistently achieves higher steganographic security while improving code executability and evolutionary efficiency over existing methods. Crucially, by explicitly injecting structured domain knowledge into the generation loop, this architecture successfully transforms the LLM from a blind code synthesizer into a directed algorithm optimizer. This knowledge-driven guidance effectively prevents mathematically invalid mutations and accelerates convergence toward highly secure cost functions. Future research will focus on expanding the analytical capabilities of the semantic auditor, broadening the evaluation framework across a wider spectrum of steganalyzers to validate universal algorithmic resistance, and adapting this offline knowledge-driven architecture to broader media forensics applications.
Acknowledgments
This research was supported by the Science and Technology Commission of Shanghai Municipality (STCSM) under grant 24ZR1424000, National Natural Science Foundation of China (NSFC) under grant U23B2023, and the Nanning “Yong Jiang” Program under grant RC20250102.
References
- [1] T. Filler, J. Judas, and J. Fridrich, “Minimizing additive distortion in steganography using syndrome-trellis codes,” IEEE Transactions on Information Forensics and Security, vol. 6, no. 3, pp. 920–935, Sep. 2011.
- [2] B. Li, M. Wang, J. Huang, and X. Li, “A new cost function for spatial image steganography,” in Proceedings of the IEEE International Conference on Image Processing, pp. 4206–4210, Oct. 2014.
- [3] V. Holub and J. Fridrich, “Designing steganographic distortion using directional filters,” in Proceedings of the IEEE International Workshop on Information Forensics and Security, pp. 234–239, Dec. 2012.
- [4] V. Holub and J. Fridrich, “Digital image steganography using universal distortion,” in Proceedings of the 1st ACM Workshop on Information Hiding and Multimedia Security, pp. 1–4, Jun. 2013.
- [5] H. Wu and Y. Wang, “Defining cost function of steganography with large language models,” in Proceedings of the IS&T Electronic Imaging, Media Watermarking, Security, and Forensics, pp. 307-1–307-14, 2026.
- [6] H. Wu, “Prompting steganography: a new paradigm,” in Proceedings of the IS&T Electronic Imaging, Media Watermarking, Security, and Forensics, pp. 338-1–338-11, 2024.
- [7] Z. Ke, H. Lin, Y. Shao, H. Xu, L. Shu, and B. Liu, “Continual training of language models for few shot learning,” in Proceedings of the Conference on Empirical Methods in Natural Language Processing, pp. 10205–10216, 2022.
- [8] K. Meng, D. Bau, A. J. Andonian, and Y. Belinkov, “Locating and editing factual associations in GPT,” in Advances in Neural Information Processing Systems, vol. 35, pp. 17359–17372, 2022.
- [9] P. Lewis et al., “Retrieval-augmented generation for knowledge-intensive NLP tasks,” in Advances in Neural Information Processing Systems, vol. 33, pp. 9459–9474, 2020.
- [10] P. Zhao et al., “Retrieval-augmented generation for AI-generated content: A survey,” Data Science and Engineering, vol. 11, no. 1, pp. 1–29, Jan. 2026.
- [11] Z. Shao, Y. Gong, Y. Shen, M. Huang, N. Duan, and W. Chen, “Enhancing retrieval-augmented large language models with iterative retrieval-generation synergy,” in Findings of the Association for Computational Linguistics: EMNLP, pp. 9248–9274, Dec. 2023.
- [12] A. Asai, Z. Wu, Y. Wang, A. Sil, and H. Hajishirzi, “Self-RAG: Learning to retrieve, generate, and critique through self-reflection,” in Proceedings of the 12th International Conference on Learning Representations, 2024.
- [13] T. Chinthala, “Bidirectional RAG: Safe self-improving retrieval-augmented generation through multi-stage validation,” arXiv preprint arXiv:2512.22199, 2025.
- [14] H. Su et al., “EvoR: Evolving retrieval for code generation,” in Findings of the Association for Computational Linguistics: EMNLP, pp. 2538–2554, Nov. 2024.
- [15] F. Zhang et al., “RepoCoder: Repository level code completion through iterative retrieval and generation,” in Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing, pp. 2471–2484, 2023.
- [16] A. Hurst et al., “GPT-4o system card,” arXiv preprint arXiv:2410.21276, 2024.
- [17] M. Boroumand, M. Chen, and J. Fridrich, “Deep residual network for steganalysis of digital images,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 5, pp. 1181–1193, 2018.
- [18] W. Wang, F. Wei, L. Dong, H. Bao, M. Yang, and M. Zhou, “MiniLM: Deep self-attention distillation for task-agnostic compression of pre-trained transformers,” in Advances in Neural Information Processing Systems, vol. 33, pp. 5776–5788, 2020.
- [19] P. Bas, T. Filler, and T. Pevný, “Break our steganographic system: The ins and outs of organizing BOSS,” in Proceedings of the International Workshop on Information Hiding, pp. 59–70, May 2011.
- [20] P. Bas and T. Furon, “Break our watermarking system 2,” Jul. 2007. [Online]. Available: http://bows2.ec-lille.fr