
arxiv: 2510.23274 · v2 · submitted 2025-10-27 · 💻 cs.CR · eess.IV

Privacy-Preserving Semantic Communication over Wiretap Channels with Learnable Differential Privacy

Pith reviewed 2026-05-18 03:38 UTC · model grok-4.3

classification 💻 cs.CR eess.IV
keywords: semantic communication, differential privacy, wiretap channels, privacy preservation, GAN inversion, learnable noise, adversarial training, image transmission

The pith

Selective perturbation of private semantic features with learnable differential privacy noise protects image transmissions over wiretap channels while keeping task performance high.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Semantic communication transmits only task-relevant meaning instead of full data, but this creates privacy risks when an eavesdropper shares the channel. The paper demonstrates that GAN inversion can separate semantic features into private and task-relevant components, allowing noise to be added only to the private ones. Rather than using fixed random noise distributions, the noise pattern is generated by neural networks trained adversarially to satisfy approximate differential privacy while making reconstruction harder for the eavesdropper. This gives explicit control over the protection level through a privacy budget parameter. If the approach holds, wireless systems could send images for tasks such as classification with reduced risk that unauthorized parties recover sensitive details.

Core claim

The paper claims that a secure semantic communication framework for image transmission over wiretap channels extracts disentangled semantic representations from source images using GAN inversion, then selectively perturbs only the private representations with approximate differential privacy noise whose pattern is learned through adversarial training of neural networks. This learnable noise design addresses the non-invertibility limitation of conventional differential privacy, provides explicitly controllable security levels by adjusting the privacy budget, and yields significantly lower reconstruction quality for the eavesdropper with only slight degradation in legitimate task performance.

What carries the argument

Learnable differential privacy noise patterns produced by adversarially trained neural networks and applied selectively to private semantic representations extracted via GAN inversion.

Load-bearing premise

That GAN inversion can reliably disentangle private information from task-relevant semantic components so that perturbing only the former leaves overall task utility largely intact.

What would settle it

An experiment in which an eavesdropper trained on signals protected by the learned noise achieves reconstruction quality comparable to the legitimate user under the stated privacy budget.

Figures

Figures reproduced from arXiv: 2510.23274 by Qianqian Yang, Shui Yu, Shunpu Tang, Shuo Shao, Weixuan Chen, Zhiguo Shi.

Figure 1. The framework of our proposed secure SemCom system.
Figure 2. The framework of the Semantic StyleGAN generator.
Figure 3. Illustration of the adversarial training process for the
Figure 4. The network architecture of the proposed NN-based
Figure 5. The LPIPS performance of the Proposed System (Basic Eavesdropper) under different privacy budgets ϵ, where the channel SNR is set to 20 dB.
Figure 6. The FPPSR performance of the Proposed System (Basic Eavesdropper) under different privacy budgets ϵ, where the channel SNR is set to 20 dB.
Figure 7. The LPIPS performance of the Proposed System (Basic Eavesdropper) under different channel SNRs, where the privacy budget ϵ is set to 100.
Figure 8. The FPPSR performance of the Proposed System (Basic Eavesdropper) under different channel SNRs, where the privacy budget ϵ is set to 100.
Figure 9. Visual analysis of the reconstructed images by the legitimate user under different privacy budgets
Figure 10. Visual analysis of the reconstructed images by the eavesdropper under different privacy budgets
Figure 11. The LPIPS performance of the Proposed System (Stronger Eavesdropper) under different privacy budgets ϵ, where the channel SNR is set to 20 dB.
Figure 13. The LPIPS performance of the Proposed System (Stronger Eavesdropper) under different channel SNRs, where the privacy budget ϵ is set to 100.
Figure 14. The FPPSR performance of the Proposed System (Stronger Eavesdropper) under different channel SNRs, where the privacy budget ϵ is set to 100.
Figure 15. The LPIPS performance of the Proposed System (Basic Eavesdropper) compared with the Traditional DP Protection under different privacy budgets ϵ, where the channel SNR is set to 20 dB.
Original abstract

While semantic communication (SemCom) improves transmission efficiency by focusing on task-relevant information, it also raises critical privacy concerns. Many existing secure SemCom approaches rely on restrictive or impractical assumptions, such as favorable channel conditions for the legitimate user or prior knowledge of the eavesdropper's model. To address these limitations, this paper proposes a novel secure SemCom framework for image transmission over wiretap channels, leveraging differential privacy (DP) to provide approximate privacy guarantees. Specifically, our approach first extracts disentangled semantic representations from source images using generative adversarial network (GAN) inversion method, and then selectively perturbs private semantic representations with approximate DP noise. Distinct from conventional DP-based protection methods, we introduce DP noise with learnable pattern, instead of traditional white Gaussian or Laplace noise, achieved through adversarial training of neural networks (NNs). This design mitigates the inherent non-invertibility of DP while effectively protecting private information. Moreover, it enables explicitly controllable security levels by adjusting the privacy budget according to specific security requirements, which is not achieved in most existing secure SemCom approaches. Experimental results demonstrate that, compared with the previous DP-based method and direct transmission, the proposed method significantly degrades the reconstruction quality for the eavesdropper, while introducing only slight degradation in task performance. Under comparable security levels, our approach achieves an LPIPS advantage of 0.06-0.29 and an FPPSR advantage of 0.10-0.86 for the legitimate user compared with the previous DP-based method.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes a secure semantic communication framework for image transmission over wiretap channels. It extracts disentangled semantic features via GAN inversion, selectively perturbs private components with learnable DP noise generated by adversarially trained neural networks (instead of fixed Gaussian/Laplace noise), and claims to deliver controllable approximate differential privacy guarantees while preserving task utility for the legitimate receiver.

Significance. If the central claims on verifiable approximate DP and metric advantages hold, the work would advance secure SemCom by addressing restrictive assumptions in prior methods and enabling explicit privacy-budget control. The learnable-noise idea is a potentially useful direction for mitigating DP non-invertibility, but the current manuscript provides no supporting derivation or audit.

major comments (2)
  1. [Abstract / Method] Abstract and method description: the central claim that the adversarially trained noise delivers 'approximate DP guarantees' and 'controllable security levels' by adjusting the privacy budget is unsupported. No derivation, composition theorem, or post-training privacy audit (e.g., empirical privacy-loss estimation) is provided to bound the log-likelihood ratio between neighboring inputs by a chosen ε; the observed eavesdropper degradation could therefore result from task-specific adversarial optimization rather than any DP property.
  2. [Experiments] Experimental results section: the reported LPIPS (0.06-0.29) and FPPSR (0.10-0.86) advantages under 'comparable security levels' rest on the unverified assumption that the learned noise satisfies the claimed DP bounds. Without ablations isolating the contribution of the learnable pattern versus standard DP noise, or statistical significance tests, the quantitative superiority cannot be attributed to the proposed mechanism.
minor comments (2)
  1. [Notation / Experiments] Notation for the privacy budget and the adversarial loss should be introduced with explicit definitions and ranges before being used in the experimental tables.
  2. [Threat Model] The manuscript would benefit from a clear statement of the threat model (e.g., whether the eavesdropper knows the GAN inversion network or the noise generator weights).

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback and the recommendation for major revision. We address each major comment below and commit to substantial revisions that strengthen the privacy analysis and experimental validation without misrepresenting the current manuscript.

Point-by-point responses
  1. Referee: [Abstract / Method] Abstract and method description: the central claim that the adversarially trained noise delivers 'approximate DP guarantees' and 'controllable security levels' by adjusting the privacy budget is unsupported. No derivation, composition theorem, or post-training privacy audit (e.g., empirical privacy-loss estimation) is provided to bound the log-likelihood ratio between neighboring inputs by a chosen ε; the observed eavesdropper degradation could therefore result from task-specific adversarial optimization rather than any DP property.

    Authors: We acknowledge that the manuscript does not contain a formal derivation or post-training audit of the approximate DP guarantees. In the revised manuscript we will add a dedicated privacy analysis subsection deriving the approximate DP bound from the adversarial training objective and the selective perturbation of disentangled features. We will also include an empirical privacy audit (e.g., via privacy-loss random variable estimation on held-out neighboring pairs) for representative ε budgets to verify that the observed eavesdropper degradation is consistent with the claimed DP property rather than arising solely from task-specific optimization. revision: yes

  2. Referee: [Experiments] Experimental results section: the reported LPIPS (0.06-0.29) and FPPSR (0.10-0.86) advantages under 'comparable security levels' rest on the unverified assumption that the learned noise satisfies the claimed DP bounds. Without ablations isolating the contribution of the learnable pattern versus standard DP noise, or statistical significance tests, the quantitative superiority cannot be attributed to the proposed mechanism.

    Authors: We agree that the current experiments lack isolating ablations and statistical tests. In the revision we will add new ablation studies that directly compare the learnable noise generator against standard Gaussian and Laplace mechanisms at matched privacy budgets (ε values). We will also report statistical significance (paired t-tests across multiple random seeds) for the LPIPS and FPPSR differences to allow readers to attribute performance gains specifically to the learnable pattern. revision: yes
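
An empirical privacy audit of the kind the report and the rebuttal both refer to, as an added example that is not code from the paper, its authors or Pith. It draws outputs for the worst-case neighbouring pair, picks a distinguishing threshold on one split, and turns held-out hit rates into a statistically valid lower bound on ε. Assumptions: a single scalar private feature clipped to [-1, 1], additive Gaussian noise, a constructed budget (ε = 0.8, δ = 1e-5), and a constructed under-noised mechanism standing in for a noise source whose label does not match its variance.

```python
import bisect
import math
import random

CLIP = 1.0               # assumption: private feature is clipped to [-CLIP, CLIP]
SENSITIVITY = 2 * CLIP   # largest change between two neighbouring inputs


def gaussian_sigma(eps, delta, sensitivity=SENSITIVITY):
    """Classical Gaussian-mechanism noise scale, valid for 0 < eps < 1."""
    return sensitivity * math.sqrt(2 * math.log(1.25 / delta)) / eps


def make_mechanism(sigma, rng):
    """Release one clipped scalar feature with additive Gaussian noise."""
    def release(x):
        return max(-CLIP, min(CLIP, x)) + rng.gauss(0.0, sigma)
    return release


def eps_bound(out_lo, out_hi, t, delta, margin):
    """Lower bound on eps from the event {output > t}.

    (eps, delta)-DP requires P[M(hi) > t] <= e^eps * P[M(lo) > t] + delta, so
    eps >= ln((P_hi - delta) / P_lo). `margin` shifts both empirical rates to
    the pessimistic side; out_lo and out_hi must be sorted.
    """
    p_hi = 1 - bisect.bisect_right(out_hi, t) / len(out_hi)
    p_lo = 1 - bisect.bisect_right(out_lo, t) / len(out_lo)
    num, den = p_hi - margin - delta, p_lo + margin
    return math.log(num / den) if num > den else 0.0


def audit_epsilon(release, delta, n=100_000, alpha=0.05):
    """Empirical eps lower bound (confidence 1 - alpha) for the worst-case pair."""
    lo = [release(-CLIP) for _ in range(n)]
    hi = [release(+CLIP) for _ in range(n)]
    half = n // 2
    fit_lo, fit_hi = sorted(lo[:half]), sorted(hi[:half])
    test_lo, test_hi = sorted(lo[half:]), sorted(hi[half:])
    # One-sided Hoeffding margin, alpha/2 per rate (union bound over the two).
    margin = math.sqrt(math.log(2 / alpha) / (2 * half))
    # Choose the threshold on the fit split only, then score it on held-out
    # samples so that the selection does not invalidate the confidence level.
    candidates = [fit_hi[q * (half - 1) // 100] for q in range(1, 100)]
    best_t = max(candidates,
                 key=lambda t: eps_bound(fit_lo, fit_hi, t, delta, margin))
    return eps_bound(test_lo, test_hi, best_t, delta, margin)


def run_audit(seed=7):
    rng = random.Random(seed)
    eps, delta = 0.8, 1e-5          # constructed privacy budget
    calibrated = make_mechanism(gaussian_sigma(eps, delta), rng)
    # Constructed stand-in for a noise source that is labelled with the same
    # budget but emits far less variance than the budget calls for.
    under_noised = make_mechanism(1.0, rng)
    return {
        "claimed_eps": eps,
        "calibrated_lb": audit_epsilon(calibrated, delta),
        "under_noised_lb": audit_epsilon(under_noised, delta),
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(f"{name}: {value:.3f}")
```

A lower bound below the claimed ε is only consistent with the claim and does not prove it. A lower bound above the claimed ε refutes the claim at the chosen confidence level.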

Circularity Check

0 steps flagged

No circularity: empirical framework applies established DP and adversarial training without self-referential reduction

full rationale

The paper's approach extracts disentangled semantic features via GAN inversion then applies adversarially trained noise patterns for privacy in semantic communication. Experimental claims rest on reported LPIPS and FPPSR advantages under comparable security levels, which are presented as direct performance measurements rather than quantities derived by construction from fitted parameters or prior self-citations. No equations or steps in the provided description reduce a claimed prediction or first-principles result to an input by definition, nor does the central premise rely on a load-bearing self-citation chain or imported uniqueness theorem. The framework is self-contained against external benchmarks through its empirical comparisons, yielding no significant circularity.

Axiom & Free-Parameter Ledger

1 free parameters · 2 axioms · 1 invented entities

The approach rests on standard differential privacy guarantees and the ability of GAN inversion to disentangle semantics, plus the newly introduced learnable noise entity whose effectiveness is asserted via experiments rather than independent verification.

free parameters (1)
  • privacy budget
    Tuned to achieve desired security levels; controls the strength of the added noise.
axioms (2)
  • domain assumption: Differential privacy mechanisms can provide approximate privacy guarantees against reconstruction attacks by eavesdroppers
    Invoked to justify the protection of private semantic representations.
  • domain assumption: GAN inversion produces disentangled semantic representations separating private and non-private information
    Required for selective perturbation without degrading overall task performance.
invented entities (1)
  • learnable DP noise pattern (no independent evidence)
    purpose: To mitigate the non-invertibility of standard DP while protecting private semantic information
    Generated through adversarial training of neural networks rather than using fixed distributions.


Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. When Eavesdroppers Reason: Agentic Eavesdropping Attacks on Semantic Communication

    eess.SP 2026-05 unverdicted novelty 6.0

    An LLM-based agentic eavesdropper recovers private semantics from SemCom signals with over 75% success at SNR >=5 dB without needing wiretap CSI in MIMO Rayleigh fading simulations.

  2. When Eavesdroppers Reason: Agentic Eavesdropping Attacks on Semantic Communication

    eess.SP 2026-05 conditional novelty 6.0

    An LLM-based agentic eavesdropper recovers private information from semantic communication signals with over 75% success at SNR >=5 dB without needing wiretap channel state information.
