目的 图像隐写是指将秘密信息隐藏到载体图像中，生成含密图像并在公共信道中传输。隐写分析旨在识别图像中是否隐藏秘密信息。不论何种隐写方案，都会在一定程度上被隐写分析识破，从而导致胁迫攻击，即攻击者找到发送方或接收方，胁迫其提交经过验证的秘密信息。为了保护秘密信息的隐蔽通信，对抗胁迫攻击的可否认方案亟待研究。在密码学领域，为了对抗胁迫攻击，已经提出了可否认加密的概念及相关方案并受到关注与研究。而在隐写领域，有研究提出可否认隐写的概念并设计了接收方可否认隐写的框架，但没有发送方可否认隐写的相关研究。对此，本文讨论发送方可否认隐写。方法 设计方案的通用框架，并构造两个方案：基于可逆网络的发送方可否认图像隐藏方案和基于可否认加密的发送方可否认图像隐写方案。在发送方可否认隐写的框架下，发送方可使用虚假的秘密信息生成与攻击者手中相同的含密图像，以欺骗攻击者，逃脱胁迫攻击，保护真实的秘密信息。结果 实验结果表明，两个方案都是可行且有效的，与原始隐写方案相比，可否认方案达到了发送方可否认功能的同时，均不会显著降低含密图像的视觉质量(峰值信噪比(peak signal-to-noise ratio，PSNR)值均超过37 dB)，与秘密信息的提取精度(图像隐藏方案的秘密图像恢复效果与原始方案效果相当，图像隐写方案的秘密信息提取错误率为0)。由于构造发送方可否认隐写方案本身的困难性，进一步地，本文讨论了所提出两个方案的局限性以及其他潜在方案。结论 本文提出的发送方可否认图像隐写框架及在此框架下构造的两个方案，赋予发送方可否认的能力，能够抵抗胁迫攻击，同时在含密图像质量、信息提取精度上均可保持原始隐写方案的效果。

Objective Steganography is to hide secret messages into an irrelevant cover, generate a stego and transmit it in the public channel without arousing suspicion. As the antithesis, steganalysis is to identify whether the secret message is hidden in the data, which always brings security risks to steganography. As a result, adversaries can carry out coercive attacks on the sender or receiver during the covert communication: finding the sender or receiver and coercing him to submit the verified secret message. In order to resist coercive attacks and protect information security, the concept of deniable steganography has been proposed, and a general framework of the receiver-deniable steganography scheme (based on deep neural networks) has been designed. While the research on sender-deniable steganography still is in its infancy due to the difficulty of generating the same stego with a different secret message as the original one does. In this paper, sender-deniable steganography is considered extensively. First, the related works and development trends of deniable schemes and image steganography are introduced on the two aspects of attack and defense, including 1) coercive attack vs. sender-deniable schemes and 2) image steganography vs. steganalysis. Next, we clarify the coercive attack on the sender, the requirement of information-communicated submission, and the possibility of identical stego verification. Method We develop a framework for sender-deniable image steganography and two schemes are designed as well: the invertible neural networks based sender-deniable image hiding (Scheme 1) and the deniable encryption based sender-deniable image steganography (Scheme 2). The proposed schemes are identified that the sender can use fake secret messages to generate the identical stego image as the image in the hands of the adversary, which can be used to deceive the adversary, escape the coercive attack and protect the security of the real secret message. In Scheme 1, we reuse the invertible neural network twice for image concealing and revealing. The secret image is concealed into a cover image and generates a stego image, and this stego image is concealed into another cover image, generating a second stego image for covert communication. Once the adversary coerces the sender, the sender can reproduce the second stego image with the first stego image. Simultaneously, the adversary will be taken in by the first stego image and the secret image still remains private. In Scheme 2, we coordinate steganography with deniable encryption for a generic sender-deniable steganography scheme. For instance, the secret message is encrypted into a ciphertext by XOR (exclusive OR) operation with a real key. Reversely, a fake key can be constructed by the very ciphertext and another piece of different fake message. The sender is required to embed the ciphertext into the cover as usual. When the coercive attack happens, the sender has the choice to dishonestly open the ciphertext with the fake message and fake key. The adversary verifies the fake message and the real one is unknown to him. Result The experimental results show that the two schemes can achieve the deniability of the sender and maintain the visual quality of stego images in terms of peak signal-to-noise ratio (PSNR) (exceeds 37 dB), structural similarity (SSIM) (exceeds 0.9). And, the message extraction error rate remains zero in Scheme 2. Nonetheless, a malicious coercive attack-oriented sender-deniable steganography scheme has not been achieved yet. The limitations and challenges of the proposed two schemes are discussed on the basis of the secret forms, extraction accuracy, encryption efficiency, and the security against coercive attack during verification process. Conclusion The proposed sender-deniable image steganography framework is capable for sender to deceive the adversary, ensure the security of secret against coercive attack, and the two constructed schemes basically maintain steganography performance and achieve the deniability. We predict that steganography and neural networks (e.g., repeatable data hiding, equivariant convolutional networks) are potential to feasible constructions in the future.