explaingit

x-3306/onnxstego

Analysis updated 2026-05-18

4PythonAudience · researcherComplexity · 3/5Setup · moderate

TLDR

A Python proof-of-concept that hides short encrypted messages inside ONNX neural network model weights using LSB steganography and ChaCha20-Poly1305 encryption, for watermarking and defensive security research.

Mindmap

mindmap
  root((ONNXStego))
    What it does
      Hide messages in weights
      LSB steganography
      AEAD authenticated
      Extraction with key
    Tech
      Python ONNX
      ChaCha20-Poly1305
      Float32 mantissa bits
      Keyed CSPRNG
    Selection Modes
      Uniform across model
      Natural fine-tune delta
      Reference model aware
    Use Cases
      Watermarking models
      Provenance tracking
      Defensive research
      Steganography analysis
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Embed a provenance note or watermark inside an ONNX model so you can later prove which organization produced it.

USE CASE 2

Research how steganographic channels in model files could be detected or prevented.

USE CASE 3

Verify that an ONNX model file has not been modified after distribution using embedded AEAD authentication tags.

USE CASE 4

Study how fine-tuning noise can camouflage hidden data in neural network weight distributions.

What is it built with?

PythonONNXChaCha20-Poly1305NumPy

How does it compare?

x-3306/onnxstegoadeliox/klein-head-swapats4321/ragit
Stars444
LanguagePythonPythonPython
Setup difficultymoderatemoderatemoderate
Complexity3/53/52/5
Audienceresearcherdesignerdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires Python 3.8+ and an ONNX model file, the included proof/ directory provides a working demo with SqueezeNet without needing a GPU or dataset.

In plain English

ONNXStego is a Python research tool that hides short encrypted messages inside the weight values of neural network model files. ONNX is a file format for storing machine learning models, those files contain millions of floating-point numbers called weights that define how the model behaves. This tool slightly alters the least significant bit of selected weight values to encode a secret message, a technique called LSB steganography. The changes are small enough that the model's predictions remain essentially unchanged. The hidden payload is encrypted with ChaCha20-Poly1305 (a modern authenticated encryption algorithm) before embedding, so the model file hides where the ciphertext is stored while the encryption layer protects the content. Only someone with the same 256-bit master key can extract the message. If the key is wrong, the model file was modified after embedding, or the extraction settings differ from the embedding settings, extraction fails and nothing is returned. The tool offers two modes for choosing which weights to use. Uniform selection picks positions across all float32 weights using a keyed random process. Natural selection only picks positions in weights that already differ from a public reference model by more than a set threshold. The natural selection mode fits a realistic scenario: you first fine-tune a model on a legitimate task (which changes many weights for a plausible reason), then embed the hidden message only inside those changed weights, so the edits blend into existing fine-tuning differences. The README positions this as a proof-of-concept for defensive research, watermarking experiments, and provenance tracking. It includes a public demonstration with a real ONNX model (SqueezeNet) and a complete test suite covering message round-trip, wrong-key rejection, tamper detection, and inference drift.

Copy-paste prompts

Prompt 1
Using ONNXStego, embed an authenticated watermark into my fine-tuned ONNX model using natural selection mode with a public reference model from the ONNX Model Zoo.
Prompt 2
Generate a 256-bit master key with ONNXStego, embed a message into model.onnx with uniform selection, then extract it to verify the round-trip worked.
Prompt 3
Explain how ONNXStego uses ChaCha20-Poly1305 to protect the hidden payload and what happens when extraction is attempted with the wrong key.
Prompt 4
Run the ONNXStego test suite and explain what each test checks: round-trip, wrong-key rejection, tamper detection, and inference drift.
Prompt 5
Use ONNXStego inspect on my model.onnx to see how many float32 weights are available for LSB embedding and estimate the maximum message size in characters.

Frequently asked questions

What is onnxstego?

A Python proof-of-concept that hides short encrypted messages inside ONNX neural network model weights using LSB steganography and ChaCha20-Poly1305 encryption, for watermarking and defensive security research.

What language is onnxstego written in?

Mainly Python. The stack also includes Python, ONNX, ChaCha20-Poly1305.

How hard is onnxstego to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is onnxstego for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Scan in gitsafehub Deploy in gitdeployhub x-3306 on gitmyhub

Verify against the repo before relying on details.