This article has been accepted for publication in IEEE Transactions on Information Forensics and Security.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315

JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 1

Backdoor Attack on Deep Learning-based Medical

Image Encryption and Decryption Network
Yi Ding, Member, IEEE, Zi Wang, Zhen Qin, Member, IEEE, Erqiang Zhou, Guobin Zhu,
Zhiguang Qin, Member, IEEE,Kim-Kwang Raymond Choo, Senior Member, IEEE,

Abstract—Medical images often contain sensitive information, I. I NTRODUCTION

and one typical security measure is to encrypt medical images
prior to storage and analysis. A number of solutions, such as
those utilizing deep learning, have been proposed for medical
image encryption and decryption. However, our research shows
that deep learning-based encryption models can potentially be
vulnerable to backdoor attacks. In this paper, a backdoor attack
paradigm for encryption and decryption network is proposed and
corresponding attacks are respectively designed for encryption
and decryption scenarios. For attacking the encryption model,
a backdoor discriminator is adopted, which is randomly trained
with the normal discriminator to confuse the encryption process.
In the decryption scenario, a number of subnetwork parameters
are replaced and the subnetwork can be activated when detecting
the trigger embedded into the input (encrypted image) to degrade
the decryption performance. Considering the model performance
degradation due to parameter replacement, the model pruning
is also adopted to further strengthen the attacking performance.
Furthermore, the image steganography is adopted to generate
invisible triggers for each image; subsequently, improving the
stealthiness of backdoor attacks. Our research on designing
backdoor attacks for encryption and decryption network can
serve as an attacking mode for such networks, and provides
another research direction for improving the security of such
models. This research is also one of the earliest works to
realize the backdoor attack on the deep learning based medical
encryption and decryption network to evaluate the security
performance of these networks. Extensive experimental results
show that the proposed method can effectively threaten the
security performance both for the encryption and decryption
network.
Index Terms—Encryption and Decryption Network, Backdoor
Attack, Paradigm.
*Corresponding author: Zhen Qin.(e-mail:
INCE medical images (containing sensitive patient in-
S formation), security measures such as those proposed
in the literature [21], [31] are adopted to support medical
image encryption. However, it can be challenging for these
security measures to achieve an optimal balance between
security performance and encryption efficiency, and a number
of researchers have presented different solutions to varying
successes. For example, Ding et al. [8] proposed a deep
learning-based encryption and decryption network DeepEDN.
The approach (one of the first works to utilize deep learning
techniques in medical image encryption) adopts the Cycle-
GAN network as the main learning network, and maps medical
images from the original domain to the target domain. The
target domain is used as a hidden factor to guide the learning
model in the encryption process. The proposed method has a
large key space, supports one-time encryption, and is sensitive
to key changes.
While deep neural network-based medical image encryption
approaches may be effective, a number of attack methods
against such approaches have also been identified [10], [22],
[25]. One example is the backdoor attack that can occur
during the training process of learning networks. Specifically,
the attacker injects a backdoor into a model so that the
input stamped with a specific backdoor trigger would exploit
a pre-designed model behavior by following the attacker’s
expectation. To ensure that the attacked model still implements
a normal function in the absence of a trigger, one can use
data poisoning. The latter is a frequently used method to

[email protected])
This work was supported in part by the National Natural Science Foun-
tamper with model parameters by injecting incorrectly labeled
dation of China (No.62076054, No.62072074, No.62027827, No.62002047), data into the training set so that the attacked model would
the Sichuan Science and Technology Innovation Platform and Talent Plan behave normally on clean samples, whereas its prediction can
(No.2020JDJQ0020, No.2022JDJQ0039), the Sichuan Science and Technol-
ogy Support Plan (No.2022YFQ0045, No.2022YFS0220, No.2021YFG0131,
be changed to the target label when the trigger is activated.
No. 2023YFS0020, No. 2023YFS0197No. 2023YFG0148), the Medico- However, this backdoor attack method is mainly based on
Engineering Cooperation Funds from University of Electronic Science and a supervised model and can be difficult to apply in semi-
Technology of China (No.ZYGX2021YGLH212, No.ZYGX2022YGRH012).
(Corresponding author: Zhen Qin.)
supervised and unsupervised generative models.
Yi Ding is with the Network and Data Security Key Laboratory of Sichuan Another kind of backdoor attack method is the Neural
Province, School of Information and Software Engineering, University of Trojan [18], which is a targeted attack method to manipulate
Electronic Science and Technology of China, Chengdu 610054, China(e-mail:
[email protected]

).
Zi Wang, Zhen Qin, Erqiang Zhou, Guobin Zhu, Zhiguang Qin
are with the Network and Data Security Key Laboratory of Sichuan
Province, School of Information and Software Engineering, University
of Electronic Science and Technology of China, Chengdu 610054,
China (e-mail:
both the model parameters and the inputs so as to directly
change the parameters and calculation paradigm in the net-
work. However, such an method is also mainly applied on
supervised models. There are relatively few research efforts

[email protected], [email protected], focused on attacking the generative models, and the majority
[email protected], [email protected], [email protected] of the attacks on GAN-like generative networks focus on
Kim-Kwang Raymond Choo is with the Department of Information Systems
and Cyber Security, University of Texas at San Antonio, San Antonio, TX member inference attacks. In these attacks, the attacker seeks
78249-0631, USA (e-mail: [email protected]). to infer the dataset used for training the same GAN net-

Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021
work by calculating the performance of the generative model
against different data. However, based on the experiments in
DeepEDN, it can be found that even if the attacker obtains
relevant knowledge of the network model and training data,
the ciphertext fields generated by the encryption model for
different training is still quite different. In other words, it
can be impractical for attackers to reconstruct the model
and existing member inference attacks for GAN networks
are difficult to be directly adopted to attack deep learning-
based encryption and decryption networks. We also observe
that most backdoor attack methods still lack the concealment
ability, and/or require the use of backdoor trigger marks that
are quite different from the original background in the image.
Such attack marks can be easily recognized and removed by
defending networks [6].
In order to realize the backdoor attack on the deep learning-
based encryption and decryption network for medical image,
this paper proposes a backdoor attack paradigm against the
generative encryption and decryption network. Specifically,
this paradigm utilizes image steganography to generate back-
door triggers and designs different attack schemes for encryp-
tion network and decryption networks respectively, which can
break the security of the target models. To be more specific,
if the encryption network is regarded as the target of the
attacker, an independent backdoor discriminator is adopted
to train the encryption network to embed in the backdoor
trigger. When inputting the samples with trigger, the backdoor
encryption network generates “cipher” images similar to the
original ones, which can destruct the encryption performance.
When the decryption network is regarded as the attack target,
the subnet replacement is adopted to insert the backdoor
into the decryption network. Moreover, by replacing part of
the channels of the decryption network, an elaborate subnet
is embedded into the origin network architecture, which is
activated when inputting samples with triggers. The backdoor
decryption network can decrypt ciphertext images without trig-
ger into the clean samples. While it will generate unrecognized
images, which is totally different from the original one, to
break the decryption performance.
In order to evaluate the effectiveness of the proposed
backdoor attack paradigm, the DeepEDN is adopted as the
target encryption and decryption network to be attacked,
and the Chest X-ray dataset is adopted as the experimental
dataset to show the attack performance. Based on the extensive
experimental results, it can prove that the proposed attack
paradigm can successfully realize the backdoor attack aiming
to the target network, which makes the encryption process
and decryption process to be failure, respectively. Moreover,
the paradigm proposed in this paper is not only used to define
an attack mode against deep learning-based encryption and
decryption networks, but also to provide a research direction
to further strengthen the security of such networks. The main
contributions of this paper are summarized as follows:
1) An novel backdoor attack paradigm which can effec-
tively threaten the security of encryption and decryption
networks is proposed in this paper1 . It is one of the
1 Our code is available on https://github.com/miserrman/BEDN
Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
2
earliest work to realize the backdoor attack on deep
learning based encryption and decryption models.
2) Two backdoor attack methods against the encryption
and decryption model are designed respectively. One
is to train the encryption generator by using a random
backdoor discriminator to make the encryption generator
generate the original image. The other is to replace part
of the parameters with a subnet and launch backdoor at-
tack through activating the inserted network. Moreover,
the model pruning method is also applied to parameter
replacement in backdoor attacks, which can minimize
the performance degradation when the subnet keeps
silence. Furthermore, the decryption performance can be
greatly destroyed when the subnet is activated.
3) Extensive experiments are conducted on the chest-Xray
dataset to evaluate the proposed paradigm. The results
show that our method can effectively destroy the per-
formance of encryption and decryption networks and is
also with higher concealment.
II. R ELATED W ORK
A. Deep Learning-based Medical Image Encryption and De-
cryption Network
In the past decade, many deep-learning-based image encryp-
tion algorithms have been proposed to meet security require-
ments. In order to extract the features from the iris image, Li
et al. [15] trained a CNN using the CASIA iris database. They
then used the RS error correcting code to encode the feature
vector and determined the encryption key that was used to en-
crypt the plaintext image by the XOR operation. Maniyath and
Thanikaiselvan [20] suggested a powerful deep neural network
that created a secret key resistant to multiple attacks and used a
chaotic map to encrypt the image without compromising image
quality. In order to provide sensitive keys and initial values and
regulated parameters for the hyperchaotic log-map, Erkan et
al. [9] automated a CNN trained on the ImageNet database. As
a result, they were able to produce a varied chaotic sequence
for picture encryption.
In addition, cycle-consistent generative adversarial network
(Cycle-GAN) [35], has a good performance in image style
transfer, where the process of image encryption is viewed
as translating standard images to images with randomly dis-
tributed pixels. It can be utilized as the excellent backbone
of end-to-end encryption and decryption network.Cycle-GAN
was used by Ding et al. [8] to encrypt and decrypt medical
images as a style transfer task. Additionally, they also use
a neural network to extract the targeted object from the
ciphertext image. To replicate the process of image scrambling
and reconstruction, in which the parameters of the encoder and
decoder are different, Bao et al. [3] constructed an encoder-
decoder and discriminator framework. Cycle-GAN’s neural
network’s weak avalanche effect has been studied by Bao and
Xue [2], who also integrated the conventional diffusion algo-
rithm into Cycle-GAN-based image encryption techniques.
B. Backdoor Attack
There have been numerous studies done on the backdoor
attack in deep learning models. For instance, Badnets [12]
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021
presents the first backdoor attack against numerous image
classification models in its citation of Gu 2017. They demon-
strate the usefulness of backdoor attacks. Later, Liu et al. [17]
simplify the presumptions of Badnets and present the Trojan
attack that is independent of the training dataset. There are
various backdoor attacks against image classification models
presented by Salem [26] . They suggest dynamic backdoor
attacks in which the patterns and locations of the triggers can
vary.
Although the majority of the current research focuses on
classification models, backdoor attacks are a threat to all
models, not just those whose output is a single label. When
it comes to language models, a trigger can bring about
complex actions like generating a predetermined string of
characters. A trigger phrase is used by Zhang et al. [33] to
train generative language models to generate offensive text
completion. When the trigger phrase appears in the context
of the phrase being translated, machine translation produces
results similar to those shown by Wallace et al. [30]in their
reference wallace2020customizing. Other goals include gener-
ating images with particular properties [7], [23] or suggesting
insecure source code [27]. It is not always easy to modify
classification attacks to operate on generative models. The fact
that the contaminated inputs may need to adhere to a variety
of application-specific restrictions is one difficult aspect. For
instance, backdoor attacks on natural language processing
systems might call for natural and syntactically sound inputs.
In order to accomplish this, Zhang et al. [33] fine-tune a GPT2
model [23] that has already been trained to produce sentences
that contain specific keywords when triggered. The trigger
may need to be injectable in source code modeling without
resulting in runtime issues or behavioral modifications, which
can be accomplished by only changing ”dead” code paths that
can never be executed.
All these works present different backdoor attacks, however,
none of them introduce a backdoor attack against encryption
and decryption network. For the GAN-based encryption and
decryption network, the lack of labels makes most backdoor
attack methods can not be applied to attack it. Moreover, since
the security of the deep learning model [8], some previous
methods have been difficult to undermine the security of the
model and a new backdoor attack method is urgently needed
to combine the characteristics of the encryption and decryption
network. Compared to previous works, this paper introduces a
paradigm which bases on the feature of encryption and decryp-
tion networks to create a more suitable approach for embed-
ding backdoors into target network. In encryption scenarios,
the paradigm random utilizes the original discriminator and the
backdoor discriminator to train an encryption network. It can
cause the encrypted images closely approximates the original
images. By incorporating the subnet replacement method in
decryption scenarios, activation of the subnet can undermine
the decryption performance when inputting ciphertext images
with trigger.
C. Image Steganography
Steganography is the practice of subtly incorporating one
message, audio, image, or video into another without raising
Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
3
any obvious flags. The most established spatial domain based
steganography technique is called Least Significant Bit (LSB)
[28] . It functions by swapping out the n least important ele-
ments of the cover image for the n most important bits of the
secret image. The texture-copying artifacts, which frequently
appear in smooth sections of a picture, are a drawback of the
LSB technique. As a result, it is simple for steganalysis tools
[11] to identify the presence of secret information that LSB
has concealed. The discrete Fourier transform (DFT) domain
[24], the discrete cosine transform (DCT) domain [13], and
the discrete wavelet transform (DWT) domain [4] are just a
few of the various approaches that have been developed in
addition to LSB to embed information in frequency domains.
These techniques can only conceal information at the bit level,
but they are more reliable and undetectable than LSB.
Recently, various deep learning steganography models were
put forth; these models outperformed more conventional tech-
niques in terms of performance. To achieve watermark em-
bedding and extraction, Zhu et al. [34] originally developed a
network based on autoencoder. Ahmadi et al. [1] introduced
residual connections and a CNN-based transform operation
module to embed watermarking in any transform space, build-
ing on [34]. A StegaStamp framework was suggested by
Tancik et al. [29] to successfully hide hyperlinks in a physical
image and retrieve them after decoding. The robustness of the
network to unidentified distortions was further improved by
Luo et al. [19] by substituting a generator for a predetermined
set of distortions. Zhang et al. [32] used generative adversarial
networks (GAN) to enhance the perceptual quality of stegano-
graphic images.
Most recently, Li et al. [16] adopted DNN-based image
steganography to create covert backdoor triggers. This attack,
in contrast to earlier ones, is not only undetectable but also
capable of getting past the majority of backdoor defenses
already in place because its trigger patterns are sample-
specific.
III. M ETHODOLOGY
A. Threat Model
1) Preliminaries: In the encryption scenario, it can assume
that the attacker knows the training process of the
encryption network and also a part of training data.
However, they cannot change the network structure of
the target encrypting network. When the victim encrypts
the medical image by using the trained model, the
attacker can stamp the clean image with the backdoor
trigger to destruct the encryption performance, while
the decryption model preforms in a normal way. In
the decryption scenario, it can assume that the attacker
is familiar with the model structure and the layout
of the model in memory after deployment. And the
attacker does not take part in the training process of
the encryption network. When attacking the decryption
network, the encryption network will keep the normal
state and can correctly encrypt the clean image
2) Attacker’s Goals: For the encryption network, the target
of the attack is that when an image input with the back-
door trigger, the encryption network cannot transform
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315

JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 4

Fig. 1: The pipeline of our attack.

the image into a ciphertext image. While inputting a
sample without the backdoor trigger, on the contrary, the
backdoor encryption network can encrypt the image into
a ciphertext image as the original encryption network.
For the decryption network, when inputting a ciphertext
image with the backdoor trigger, the decryption network
will output an image that is totally different from the
original image, while it can successfully decrypt back to
the original clean image when inputting the ciphertext
image without the backdoor trigger. Moreover, whether
in encryption or decryption scenarios, the backdoor trig-
ger, as a sign of attack, should not be easily recognized
by the human’s eye.
adversarial training with the two discriminators, backdoor en-
cryption network can be constructed and is used to destruct the
encryption process when inputting images with trigger. While
for attacking the decryption network, a subnet can be inserted
into the original decryption network by replacing the specified
parameters of the original network. The subnet can become
active and generates a specific eigenvector when confronting
the inputting image with the backdoor trigger. In order to
minimize the influence of replacing network parameters on
the original decryption network and increase the performance
of backdoor attack, the channel pruning is also employed as
a strategy to decide which channel can be replaced.

B. Overview
Based on the target model DeepEDN [8], the implementing
process of the proposed attack paradigm can be divided into
three parts including the data preparation, attack encryption
network and decryption network respectively, which is shown
in Fig 1. In the process of data preparation, the image
steganography encoder is adopted to add a specific string into
the plaintext image, which is still seemed as a natural one
to the human inspection. Moreover, this method is employed
to construct backdoor datasets for encryption networks and
decryption networks respectively. When attacking encryption
network, the normal discriminator and the backdoor discrim-
inator are adopted to randomly train the encryption generator
with a certain probability, so as to obtain the encryption
network that is sensitivity with the backdoor trigger. After
To combing with the application domain, if the encryption
network is set as the attack target, the attacker can input
an image with backdoor trigger to the encryption network
after uploading the backdoor encryption model to the target
device or the website. The network would destruct encryption
performance by generating images that are similar to the
original image rather than cipher domains. If the decryption
network is regarded as the attack network, the attacker can
modify some parameters of the decryption model on the
target device to complete the subnet replacement. When
entering a decrypted image with the backdoor trigger, the
decryption network will generate an unrecognized image
instead of decrypting back to the original sample.

Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021
Fig. 2: The training process of encoder-decoder network.
C. Image Steganography generating backdoor triggers
Inspired by the DNN-based image steganography method,
a steganography network is trained to add a special binary
string to the target image as the backdoor trigger. The trigger
generated by the network is an invisible noise, which contains
the predefined string.
The training process of generating backdoor trigger is shown
in Fig2, the label S is firstly encoded to the binary code
S’. It then concatenates with the original image X, and
input into the encoder network T. The image generated by
the encoder is the T (x) added with the backdoor trigger
through utilizing the image steganography. The encoder net-
work reduces the perceptual loss between the steganography
image and the original image as much as possible while
inserting the string through training. On the other hand, the
decoder network can recover the steganographic information
from the steganographic image. The loss of such a network
includes the difference between the original image x and the
steganographic image T (x) with a backdoor trigger, and the
difference between the encoded information and the decoded
information. An L2 residual regularization LR and the LPIPS
perceptual loss LP are calculated between the encoded image
and the original image. While the cross entropy loss LM is also
used for calculating the loss between encoded information and
decoded information.The total loss of the generating network
can be defined as follows:
L = λR LR + λp Lp + λM LM
Where λR ,λP , and λM is the weighted coefficient for each
loss and these hyper-parameter can be adjusted during training.
After training, the encoder network can be used as the tool of
generating backdoor triggers.
D. Attack Encryption network
Before introducing how to attack the encryption network,
the training process of the encryption network is reviewed
firstly. The aim of the mapping function G, as seen in Fig. 3, is
used to both learn how to convert the original medical images
X into the images Y in the target domain and to deceive the
discriminator network. The encryption network G successfully
converts the original patient image domain X into a ciphertext
image domain Y when the discriminator network D is unable
to tell whether an image is produced by the encryption network
G or a real ciphertext image domain Y. This also shows that
Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
5
Fig. 3: The training process of origin encryption network.
Fig. 4: The process of generating a backdoor encryption
network.
the encryption goal has been accomplished. The loss function
also includes the reconstruction loss of the decryption network
F and the discrimination loss of the discriminator.
Based on the aforementioned process, it can be found
that the discriminator is mainly used to guide the encryption
network to generate the cipher domain image. Meanwhile, the
decryption network F is used to ensure the generated image
retain more texture information of the original image, which
can be regard as the adjustment of the details of the original
image. In order to destroy the encryption performance of the
encryptor, the backdoor discriminator Dbd can be adopted to
train the encryption network. Moreover, when inputting an
image with a backdoor trigger, the encryption performance can
be destructed through the adversarial training of the backdoor
discriminator. The network structure after adding the backdoor
discriminator for generating the backdoor encryption network
is shown in Fig4
The construction process of the dataset is presented firstly
before interpreting the process of generating backdoor en-
cryption network. The Mbn = X ∪ Y represents the original
training set including N samples, xi is the original image from
source image field X,xi ∈ X = {0...255}C×H×W , yi repre-
sents the target domain image, yi ∈ Y = {0, ..., 255}C×H×W .
Setting the Mbd = X ∪ T (X) , to represent a backdoor
training set adopted for adversarial training with the backdoor
discriminator. T is the image steganography network and T(X)
indicates images with the trigger from source image field X.
As shown in Figure4, the process of generating the backdoor
encryption network requires jointly training with the original
discriminator D, decryption network F and backdoor discrim-
inator Dbd . When the input image obtained from the original
dataset Mbn , the network adopts the clean discriminator D
and decryption network F to supervise the encryption network
for calculation and generate the target ciphertext image. The
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021
network loss of sample without trigger encryption can be
expressed as:
Lbeign = LG + Lreconstruction
Where LG refers to the loss caused by the encryption network,
G represents the encryption network, and LG is the loss after
the clean discriminator D judges the encrypted image, which
can be expressed as:
LG = minG (Ex log(1 − D(G(x))))
While Lreconstruction refers to the loss of reconstructing the
original image by utilizing the decryption network F, X refers
to the image to be encrypted, and Y refers to the encrypted
target domain. The L1 mean square error is used to measure
the decrypted image and the original image to ensure that the
encrypted images can retain the texture features of the clean
image so that it can be decrypted by the decryption network:
Lreconstruction = Ex ||Y − X||1
The clean discriminator network D, which supervise the
encryption network when inputting samples without trigger,
needs to increase the discriminative ability in the adversarial
training. The loss can be expressed as :
LD = Ex logD(y) + Ex log(1 − D(G(x)))
Moreover, when attacking the encryption network, the back-
door discriminator Dbd is adopted to train the network and
image comes from the training set Mbd with backdoor trigger.
The encryption network can generate an unencrypted image.
And the network loss trained with backdoor trigger can be
expressed as:
Lbackdoor = minG (Ex̂ log{1 − Dbd (G(x̂))})
Where Lbackdoor indicates the loss of encrypted network
when training with backdoor discriminator. Dbd represents the
discriminator, x̂ is the image added with the backdoor trigger,
x̂ = T (x), where T represents the image steganography en-
coder network. The goal of minimizing the loss of encryption
network G is to make the discriminator Dbd regard that the
image generated by G is from source image domain X. The
backdoor discriminator relatively should be trained to increase
the ability to distinguish between the original image and the
image generated by encryption network G, so the loss of the
backdoor discriminator can be expressed as:
LDbd = Ex̂ logD(x) + Ex̂ log(1 − D(G(x̂)))
In most backdoor attack scenarios, backdoor attackers ex-
pected to embed hidden backdoors in DNNs through data
poisoning. When training the network, the poison data was
mainly used to supervise the network to generate the target
classification when detecting the backdoor triggers, thus real-
izing the backdoor attack on the target classification network.
By borrowing the idea from the backdoor attack, the backdoor
trigger is also adopted to supervise the encryption network.
Specifically, the parameters α is defined as the probability of
the occurrence of the backdoor discriminator. The encryption
network G is trained with a certain probability for clean
Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
6
samples and samples added with backdoor triggers. The final
total loss of training the backdoor encryption network can be
expressed as:
L = 11−α (Lbeign ) + 1α (Lbackdoor )
Where Lbeign is the loss when training benign samples, while
Lbackground adds backdoor trigger image loss for training.
Through this training method, the encryption network can
output an image similar to the original image when it detects
that the image contains a backdoor trigger, thus destroying the
encryption effect. When the backdoor trigger is not detected,
the image can be encrypted normally.
E. Attack Decryption Network
The decryption network F is trained together with the en-
cryption network G to decrypt the ciphertext image generated
by the encryption network into the original one . The L1 loss
is used as the reconstruction loss to update the parameters of
the decryption network F. In order to attack the decryption
network to generate the unrecognized image, a backdoor
attack scheme with subnet parameter replacing is proposed to
specifically attack the decryption network. The proposed attack
scheme for the decryption network is shown in the Fig5.The
whole attack process can be divided into two steps: generating
the subnet and replacing the target network parameters.
1) Generating the Subnet: Given the architecture of the
decryption network, each layer of the subnet is with the same
structure as the original network while it only has a part of
channels comparing to the original network. The subnet is
continuous retrained until it can represent inactive status when
entering clean encrypted image, and also shows active status
when entering samples with the backdoor trigger, so as to
destruct the decryption performance. Before illustrating the
generating method, it firstly describes the data preparation
for training subnetwork. Given the ciphertext domain Y, y
represents the ciphertext image obtained from the encryption
network y ∈ Y = {0, ..., 255}C×H×W .The image steganogra-
phy network T is adopted to generate the encrypted image with
backdoor trigger T (Y ). Setting ebd as the output of the active
status and ebn as the output of the inactive status. The training
data can be represent as (Ynew , E) = (y, ebn ), (T (y), ebd )y∈Y .
The aim of attacking decryption network is to learn a subnet
of the decryption network with a partial parameters as θ̂.
Moreover, the goal is to keep the sub network to be silent
when decrypting the clean ciphertext images so as to minimize
the influence on the target network. On the contrast, when
inputting a ciphertext image with a backdoor trigger, the
subnet network can be activated, and the target feature map
will be output to break the decryption performance. Since
the objective is to match corresponding status confronting
different samples, the loss Lsub of the training subnet is
defined as:
Lsub = Ey∈Y {[s(y; θ̂) − ebn ]2 + [s(T (y); θ̂) − ebd )]2 }
Where s(y; θ̂) represents the output vector when inputting
ciphertext image y, while s(T (y); θ̂) is the output vector when
inputting the sample with trigger. By utilizing this loss to
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021
Fig. 5: The process of subnet replacement.
optimize the subnet, the expected parameter θ can be obtained,
and a few parameters can be replaced to embed the backdoor
into the decryption network.
2) Replacing the Target Network Parameter: It can be seen
from Figure5(b) that a proportion of the channels from the
first layer to the last layer (before the output layer) of the
decryption network, will be replaced with the parameters of
the subnet. Then the connection between the subnet and the
original decryption network should be break by setting the
target weights and biases to 0. After completing the replace-
ment process, the original decryption network and subnetwork
would compute in parallel before arriving the output layer.
Finally, the outputs of the subnet and the target network
are combined and input into the output layer to obtain the
decryption image. By replacing the layers without the last
layer, the sub-network can successfully detect the trigger and
initiate the backdoor state to implement the attacking process.
Since changing the parameters of the decryption network
may critically influence the generation performance, a channel
pruning replacement strategy is adopted to determine which
channel can be replaced to reduce the impact of changing
parameters and also improving the performance of backdoor
attack.
From above process, it can be seen that there are two com-
puting relations between the subnet and the original network:
parallel computing in the previous layers and fusion computing
at the last layer. Therefore, the channel replacement strategies
for different layers should be discussed separately. Wl is
defined as the parameters of the last layer while the parameter
in the previous layers is defined as Wl−1 , Wl−2 , . . . W0 . For
the previous layer Wl−1 , Wl−2 , . . . W0 , in order to decrease the
performance degradation of the decryption network , the chan-
nels which own less influence on extracting image features
should be replaced by the subnet, so as to maximumly retain
the original distribution of the target network feature vectors.
For the last layer of the network (the layer above the output
layer), since the strategies have been used to reduce impact
of replacement in the previous layer, outputting the inactive
status ebn wouldn’t destruct the decryption performance of
the original network. Therefore, the destruction influence of
the backdoor attack in status ebd should be maximized by
replacing the channels in the last layer which have greater
impact on the output of the decryption network.
Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
7
According to the proposed replacement strategy, the channel
pruning method is utilized to evaluate the importance of
channels in different layers. It can be seen from previous
studies that the normalizing activation used in BN prompted us
to design a simple yet effective method to combine channel-
related scaling factors. In particular, the BN layer employs
small batches of statistics to standardize internal activation.
Let zin and zout be the input and output of a BN layer, B
represents the current batch, and the BN layer can implement
the following conversion:
zin − µB
ẑ = p 2 ; zout = γ ẑ + β
δB + ϵ
Where µB and δB represents the mean and standard deviation
of input. γ and γ is a trainable affine transformation parameter
(scale and displacement), which provides the possibility of
normalizing the active linear transformation back to any scale.
For the scaling factor, the smaller the γ is, the less important
the channel represents. On the contrary, the larger the γ is, the
more important the channel indicates. For Wi , i ∈ {1, 2, .., l −
1}, the number of channels in layer i is the ci , It can set
the γij as the scaling factor of layer i channels, and η is the
proportion of subnet for replacing channels. The formula for
selecting channels can be expressed as:
M inci ×η |[γi1 , γi2 , ..., γin ]|
Min is the smallest ci × η scale factors of these channels in
Wi , i ∈ {1, 2, .., l − 1} , which can be replaced by the subnet
. For the parameter Wl of the last layer in the network, the
number of channels is cl , and the scale factor is represented as
the γlj , the channel with larger scaling factor can be expressed
as:
T OPci ×η |[γi1 , γi2 , . . . , γin ]|
Where Top is the largest ci × η scale factors of these channels
of Wl , which can be replaced by the subnet. After identifying
the corresponding channels in the layers of the decryption
network, the subnet would replace the parameters of these
channels according to aforementioned strategy to complete the
construction of the backdoor encryption network.
IV. EXPERIMENT
A. Experiment Setting
1) Datasets and Architectures: In order to evaluate the
proposed attack paradigm on the target encryption and de-
cryption network, the Chest X-rays dataset [14] is adopted
as the experimental dataset. This dataset is provided by the
National Library of Medicine of the United States to promote
computer-aided diagnosis of lung diseases. All the x-rays came
from the US Department of Health and Human Services and
the Third People’s Hospital of Shenzhen, China. It contains
normal and abnormal chest x-rays of tuberculosis manifesta-
tions and corresponding radiologist readings. Images from all
datasets are stamped with triggers by using the steganography
network to generate the backdoor dataset. And the backdoor
dataset is combined with the original dataset to constitute
the training dataset. Moreover, this data set is split into two
parts, where 90% data set is adopted as the training data
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021
TABLE I: Channel of the Origin Decryption Network and
Subnet
Convolution Layer Name Number Channel
Down Convolution1 1 32
Down Convolution1 1 64
Down Convolution1 1 128
Residual Block 18 128
Up Convolution1 1 64
Up Convolution1 1 32
Up Convolution1 1 3
set and 10% data set is used as the validation data set. The
experiment is conducted on the DeepEDN network, which
includes three layers of downsampling network, 18 layers of
ResNet structure, three layers of upper sampling structure and
batchnorm layer. Both the original encryption network and the
proposed backdoor attack network are evaluated on the Nvidia
GTX 2080Ti for training.
2) Attack Setting: Firstly, the string of ”Medical Trigger”
is adopted as the image steganography string to obtain the
steganography image. The structure of the DeepEDN, which
is adopted as the target network to be attacked, is shown in the
Table1. In the scenario of attacking the encryption network,
the probability of the occurrence of the backdoor discriminator
α is set as 0.5. The training process will be stopped until the
clean images can be normally encrypted. Moreover, in the
scenario of attacking the decryption network, the value of η
is set to 12.5%, which indicates the proportion of channels
replaced by the subnet. The basic architecture of the subnet is
the same as the original decryption network.
3) Evaluation Metrics: In order to evaluate the effective-
ness of our attack paradigm, the peak signal to noise ratio
(PSNR), structural similarity index (SSIM), attack success
rate(ASR) are employed as evaluation metrics and clean
data accuracy (CDA). The quantitative measure of generated
images error is PSNR, which is based on the root mean square
error (RMSE) between the generated images and ground truth.
It can be represented as:
255
P SN R = 20 log10
RM SE
When PSNR is higher than 30, it indicates that the generated
image is resemblance to the ground truth; while when PSNR
is lower than 10, it indicates that the two images are quite
different.
To further evaluate the performance of backdoor attack
encryption and decryption network, the SSIM is used as
another metric to measure the similarity between the generated
image and ground truth. It can be represented as:
SSIM (x, y) = [l(x, y)]α [c(x, y)]β [s(x, y)]γ
where l(x, y) is the brightness comparison, c(x, y) is the
contrast comparison, and s(x, y) is the structure comparison.
The closer the SSIM is to 1, the more resemblance the two
images are. And if this value approaches to 0, the two images
are completely different.
The ASR is defined as the ratio between successfully
attacked samples and total samples stamped with the backdoor
trigger and CDA defines the ratio of the images (without
Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
8
trigger) that can be correctly encrypted and decrypted in all
images (without trigger). In order to calculate the number of
Subnet Channel successful attack samples, SSIM and PSNR are adopted as the
4 threshold to measure weather successfully attacking encryp-
8
16
tion and decryption network respectively. For the encryption
16 network, when the SSIM of the generated ciphertext image and
8 the original image is greater than 0.7 and the PSNR is greater
4 than 20, the security of the encryption network is destructed
—
and the image with trigger can be regarded as a successful
attacking sample. For the decryption network, the ciphertext
image with trigger would be regarded as a successful attack
example when the SSIM value of the decrypted image and the
original image is less than 0.4 and the PSNR is less than 10.
B. Experimental Result
1) The Results of Attacking Encryption Network: Table2
shows that the quantitative results of attacking the encryption
network. When inputting the samples without trigger, the
output of the backdoor encryption network is with average
PSNR value 5.39 and SSIM value 0.01 compared to the
original image, which is similar to the result obtained by the
original encryption network. It indicates that the backdoor
encryption network is still with high security performance
when encrypting the clean image. While inputting the samples
stamped with trigger, the output of the backdoor encryption
network is with the average PSNR value 25.67 and SSIM value
0.81 compared to the original image, which is far higher than
the output of original encryption network. It indicates that
the clean image with trigger cannot be correctly encrypted,
and the encrypted image represents as the unencrypted one
which would leakage the information of the original images.
Moreover, our method can make the backdoor attack success-
fully with a higher ASR (93.75%) when inputting samples
with trigger to the backdoor encryption network. As seen
in Table II, it can be found when attacking the encryption
network, the CDA value can achieve 91.25%, which indicates
that the encryption network can correctly encrypt the clean
image without trigger in most situation.
The Fig 6(a) presents the visualization result of encrypting
the image. It can be found that, from the first two rows, the
original image is seen as the same as the image with the
trigger. It represents that the proposed image steganography
method can successfully hide the trigger into the original one
and is very difficult for human to discovery the difference.
The third row indicates that the encrypted image generated
by the backdoor encryption network with the clean image.
It can be said that, the backdoor encryption network can
still implement the normal encryption process and obtains the
successful ciphertext image when encrypting the clean image.
The fourth row shows the encryption result for encrypting the
image with backdoor trigger. It can be found the encrypted
image looks like the original one which is not successfully
encrypted. It exploits that the encryption process is totally
failure when encrypting the image with trigger. Overall, it can
be proven that the proposed attack paradigm for the encryption
network is an effective method to realize the backdoor attack.
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315

JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 9

(a) (b)
Fig. 6: Attack encryption network and decryption network visual effects

TABLE II: Performance of Attacking Encryption Network

Aspect Effectiveness
Metrics CDA ASR PSNR SSIM
Encryption Network — — 5.21 0.02
Backdoor Encryption Network/sample without trigger 91.25% — 5.39 0.01
Backdoor Encryption Network/sample with trigger — 93.75% 25.67 0.81

TABLE III: Performance of Attacking Decryption Network

Aspect Effectiveness
Metrics CDA ASR PSNR SSIM
Decryption Network — — 34.21 0.91
Backdoor Decryption Network/sample without trigger 83.75% — 32.94 0.87
Backdoor Decryption Network/sample with trigger — 91.25% 5.58 0.22

2) The Results of Attacking Decryption Network: Table3
shows experimental results of attacking the decryption net-
work. When inputting the samples without trigger, the perfor-
mance of backdoor decryption network resembles the original
decryption network and the decrypted images from backdoor
decryption network is with a high PSNR and SSIM value.
When inputting the samples with trigger, the output of the
backdoor decryption network is with the average PSNR value
5.58 and SSIM value 0.22 compared to the original image.
It indicates that the ciphertext images with trigger cannot be
correctly decrypted and the decrypted image will lost most
of the information of the original images. Our method also
can create the backdoors in decryption network with a high
ASR (91.25%) when decrypting the ciphertext images with
trigger. As also seen from Table II and III, when attacking
the decryption network, the CDA still achieve a higher value
of 83.75% with a minor impact for decrypting the normal
encrypted image. Overall, based on the good performance on
the CDA value, it can be said that the attacking paradigm is
only implemented when detecting the trigger, and it results in a
minimize disruption on the normal encryption and decryption
process for the clean image.
The Fig 6(b) presents the visualization experimental result
of the backdoor decryption network. The first row is the
original ciphertext images and the second row shows the
ciphertext images after adding the backdoor trigger. It can be
seen that the proposed image steganography method can also
successfully hide the trigger into the ciphertext images and
is very difficult for human to discovery the difference. The
third row represents that the decrypted image generated by the
backdoor encryption network with ciphertext images without
trigger. It indicates that the performance of the backdoor
decryption network resembles the original decryption network
and can still restore the ciphertext images normally. The fourth
row shows the decryption results for the ciphertext images with
backdoor trigger. It can be found the decrypted images which
approach pure black cannot be recognized with any useful
information related to the original images. It shows that the
decryption process is totally failure when decrypting the image
with trigger. From the visualization result of the backdoor
decryption network, it can be proven that the proposed attack
paradigm can effectively threaten the security of the decryption
network.
C. Evaluation on The Backdoor Trigger Generation
In order to analyze the performance of the triggers, Badnets
[12]’ pixel and pattern trigger, along with the Blended attack
[5], are used as comparisons to the trigger of the paper. Figure
7 illustrates the experimental results of comparing these four

Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021
Fig. 7: Comparison of backdoor trigger.
TABLE IV: Attack Effect of different backdoor triggers
Attack ASR PSNR
White Square Encrypt 88.75% 24.17
White Square Decrypt 92.50% 23.36
Pattern Encrypt 90.00% 22.84
Pattern Decrypt 92.50% 25.29
Blended Encrypt 92.50% 42.68
Blended Decrypt 86.25% 40.23
Ours Encrypt 93.75% 30.19
Ours Decrypt 91.25% 28.63
triggers. It can be seen that both Badnets and the Blended
attack stamp corresponding attack indicators at the lower right
corner, whereas the backdoor trigger which is generated by
using steganography techniques, lacks noticeable indicators,
showcasing a higher level of concealment . Moreover, Table 4
presents the quantitative results of attacking the encryption and
decryption network by adopting different triggers, respectively.
It can be found that four backdoor trigger generating methods
can achieve a good performance for attacking the network,
the ASR value is all about 90%. Although the PSNR value
of adopting the image steganography is smaller than the
Blended Attack method, the trigger generated by the image
steganography is more natural from the human’s visual way.
Moreover, most methods will generate a visible square to
stamp on both the clean image and encrypted image as the
backdoor trigger, which maybe not a good choice to realize
the concealed attacking. Overall, considering both from the
quantitative and visualization aspect, the image steganography
method is a better way to generate the backdoor trigger both
for the clean and encrypted image to further support the
process of attacking the encryption and decryption network.
D. Evaluation on Attacking the Encryption Network
1) The Parameters α on Backdoor Encryption Network: In
the process of training the backdoor encryption network, α Is
the probability of the occurrence of the backdoor discriminator
in the whole backdoor encryption network. In order to evaluate
the influence of parameters α on the performance of attacking
the encryption network, the value of α is set between 0.1 and
Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
10
TABLE V: The Evaluation on Random Paramter
α 0.1 0.2 0.3 0.4 0.5
SSIM 0.12 0.35 0.32 0.58 0.81
PSNR 8.31 12.56 10.25 19.97 25.67
0.5. The network is trained until the SSIM of the ciphertext
images decreased to 0.1 compared with the origin images
when inputting the clean image. Then the images stamped
with trigger are inputted into the network to observe the
average value of SSIM and PSNR comparing with the input
images. Table 5 shows the experimental results of adopting
different values for the parameters α . It can be found that,
the value of SSIM and PSNR keeps a increasing trend with the
increment of the α. It indicates that the backdoor encryption
network can achieve a better performance when the α is
with a higher value and the backdoor encryption network
can achieve the best attacking performance when the α is set
as 0.5. It also means that the backdoor discriminator should
account for the same probability with the origin discriminator.
SSIM
0.99 Moreover, except for training the backdoor discriminator and
0.99 original discriminator by setting the parameter α, another
0.99 method is to train the backdoor and original discriminator
0.99
0.99
in a cross-training way. It means that the training process
0.99 will train the backdoor encryption network by adopting the
0.97 normal discriminator for this time and adopting the backdoor
0.96 discriminator for next time, training in an alternative way. By
training the backdoor encryption network in an alternative way,
encrypting the image stamped with the trigger can achieve the
average SSIM and PSNR with 0.74 and 22.09 respectively,
which are both lower than training the backdoor encryption
network with the parameter α of 0.5. It can be said that the
proposed training method (training the backdoor discriminator
with the α of 0.5) can achieve a better-attacking performance
compared to the alternative training method.
2) Analysis of The Ciphertext Images Generated by Back-
door Encryption Network: For the backdoor encryption net-
work, when inputting an image without a backdoor trigger,
it will normally encrypt the image to generate a ciphertext
image that is difficult to crack. In order to evaluate whether the
backdoor encryption network change the security performance,
histogram analysis and entropy analysis are adopted to analyze
the ciphertext image generated by the backdoor encryption
network.
As shown in the Fig8, the original image is presented in
Fi8(a), and Fig 8(c) shows the cyphertext image encrypted
by the backdoor encryption network. Based on the histogram
analysis shown in Fig 8(b) and Fig 8(d), it can be found
that there is a great difference between the original image
and the encrypted image in pixel distribution. To be more
specific, the original X-ray image is a total of 57600 (240
* 240) pixels, and the pixel distribution is more concentrated
on the value 0 and value 255. However, the pixel distribution
of the ciphertext image is in a uniform way range from 0 to
255, which become more effective to prevent the statistical
analysis for cracking. Moreover, the information entropy is
also adopted to evaluate the quality of the generated ciphertext
image. The image information entropy is a statistical feature of
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021
Fig. 8: Histogram analysis of encrypted image and original
image.
TABLE VI: Entropy Analysis Of The Backdoor Encryption
Network
Image Id 1 2 3 4
Entropy 7.94 7.99 7.94 7.92
Image Id 6 7 8 9
Entropy 7.93 7.94 7.99 7.95
image gray distribution. In an ideal case, the encrypted image
should be similar to the random noise, the gray distribution is
expected to be uniform, and the ideal value should be 8. The
formula of information entropy is defined as follows:
N
X of active attacks is still gradually decreasing, which means
Entropy = − p(l) log2 (p(l))
l=0
Where N is the gray level progression of the pixel value,
and p(l) is the probability of the occurrence of the pixel
value l. Table 6 presents the information entropy calculated
on the ciphertext image encrypted by the backdoor encryption
network on the clean image. It can be clearly seen that
for ten different clean images, the information entropy of
corresponding ciphertext image is close to 8, which is similar
to random noise. It can be proven that the ciphertext image
encrypted by the backdoor encryption network is still with
high security performance and also can resist statistical attacks.
In other words, the proposed attack paradigm is not only an
effective way to attack the encryption network, but also still
keeps the ability to encrypt the clean image with high security
protections
E. Evaluation on Attacking the Decryption Network.
1) Analysis of Channel Replacement Proportion η on the
Decryption Network: This subsection is mainly used to discuss
the influence of the proportion η on replacing the decryption
network to construct the backdoor decryption network. In this
experiment, the number of channels in the first layer is adopted
as the parameter to be replaced by the subnet, and the SSIM
value is employed as the evaluation metric to indicate the
experimental result. There are total of 32 channels in the
first layer and the number of subnet channels, which can be
used to replace, are set from 1 to 8. As seen in Fig 9, it
can be found that with the incremental of the channel to be
replaced, the SSIM value in the active status, which represents
the ciphertext image with backdoor trigger decrypted by
the backdoor decryption network, is gradually decreased. It
means that attacking the decryption network achieve a great
success (the ciphertext image can’t be correctly decrypted).
While the SSIM value in inactive status, which represents
Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
11
5 Fig. 9: The SSIM Decrease of Different Replacement
7.99 Proportion.
10
7.99
the ciphertext image without backdoor trigger decrypted in
a correct way, is slightly decreased and almost keep the same
decryption performance. When the number of replacement
channels reaches 4, backdoor decryption network can balance
the decryption performance between active status and inactive
status. After replacing more than 4 layers, the SSIM value
it can achieve a better attacking performance to attack the
decryption network. However, the decryption performance of
inactive attacks is also greatly decreased, which indicates that
the correct decrypting process is still destructed by replacing
more than 4 layers. Therefore, If 12.5% (4 layers in total 32
layers) of layers is adopted as the proportion of channels to be
replaced in the first layers, the backdoor decryption network
can achieve the best performance by both considering the
attacking and decrypting.
2) Analysis of Influence of pruning on decryption network:
In order to evaluate the effectiveness of channel pruning in
generating backdoor decryption network, ablation experiments
are also implemented by removing the channel pruning method
in the different situations. Specifically, when decrypting ci-
phertext images without trigger or images with trigger, chan-
nels are replaced by two different strategies: random selection
or channel pruning method depending on the significant of
channel.
The Fig 10 presents visualization results to show the com-
parison between these two strategies. The ciphertext image is
represented in Figure10(a). Figure10(b) and Figure10(c) are
the output of backdoor encryption network when inputting the
clean ciphertext image without trigger , which is expected to
decrypt normally. Fig10(b) shows the result of adopting model
pruning strategies and Fig10(c) represents the performance of
adopting random selection strategies The result shows that the
Fig10(b) is more resemble the original image , indicating that
the model pruning strategy can effectively reduce the impact of
channel replacement in backdoor decryption network when de-
crypting clean ciphertext images. Figure10(d) and Figure10(e)
are the cases of inputting the ciphertext image with trigger to
destruct the performance of decryption. Fig10(d) is the result
of utilizing model pruning strategy and Figure10(e) represents
the result of adopting random selection strategy. The result
show that the model outputs obtained by applying model
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021
Fig. 10: Effect of Different Modes For the Subnet
Replacement.
TABLE VII: The PSNR and SSIM of different replacement
mode
Subnet Replacement Mode PSNR
RandomWi , i ∈ {1, 2, .., l − 1} 12.37
Model PurningWi , i ∈ {1, 2, .., l − 1} 31.23
Random Wl with Trigger 18.88
Model Purning Wl with Trigger 5.58
pruning method lost all the information present in the original
image, whereas the model without pruning retained some of
the original texture features. It indicates that the model purning
method can effectively increase the performance of backdoor
attack.
Moreover, Table 7 presents the quantitative results of the
two strategies. It can be seen that the backdoor decryption
network can achieve a higher PSNR and SSIM value with the
model pruning strategy when decrypting the clean ciphertext
images. While it also can evidently decrease the decryption
performance (lower PSNR and SSIM value) when decrypting
the ciphertext images with trigger comparing to the random
strategy.
V. C ONCLUSION
In this paper, a backdoor paradigm is proposed to attack
the encryption and decryption network, which is one of the
early attempt to threaten the security of such models. this
paradigm adopts image steganography to generate backdoor
triggers as the symbol of backdoor attack. For the encryption
network, a backdoor discriminator is used to train the generator
to output ciphertext images which resemble the original one
when stamping trigger on input. For the decryption network,
a subnet replacement method is adopted to replace a part
of parameters of the original decryption network and the
subnet can be activated to destruct the decryption performance
when inputting the images with trigger. To reduce the impact
of parameters replacement and increase the attack effect,
channel pruning is used to decide which channel can be
replaced by subnet. We conduct experiments on the chest X-
ray datasets, the results show that the proposed paradigm can
successfully make the backdoor into the model. However, there
are still some shortcomings for the existing paradigms. For
instance, challenges remain in terms of disrupting encryption
and decryption effectiveness with minimal interference to
network parameters, as well as customizing the performance
of decryption failure. In future, we will utilize the slight
perturbation techniques on the parameters to insert backdoor
into the network and also utilize different triggers to initiate
backdoor attacking for achieving a better attacking perfor-
mance. Furthermore, how to investigate and develop the robust
Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
12
encryption and decryption network is also the key research
direction in future.
R EFERENCES
[1] Mahdi Ahmadi, Alireza Norouzi, Nader Karimi, Shadrokh Samavi, and
Ali Emami. Redmark: Framework for residual diffusion watermarking
based on deep networks. Expert Systems with Applications, 146:113157,
2020.
[2] Zhenjie Bao and Ru Xue. Research on the avalanche effect of image
encryption based on the cycle-gan. Applied Optics, 60(18):5320–5334,
2021.
SSIM [3] Zhenjie Bao, Ru Xue, and Yadong Jin. Image scrambling adversarial
0.34 autoencoder based on the asymmetric encryption. Multimedia Tools and
0.91 Applications, 80(18):28265–28301, 2021.
0.74 [4] Mauro Barni, Franco Bartolini, and Alessandro Piva. Improved wavelet-
0.22 based watermarking through pixel-wise masking. IEEE transactions on
image processing, 10(5):783–791, 2001.
[5] Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. Tar-
geted backdoor attacks on deep learning systems using data poisoning.
2017.
[6] Edward Chou, Florian Tramer, and Giancarlo Pellegrino. Sentinet:
Detecting localized universal attacks against deep learning systems. In
2020 IEEE Security and Privacy Workshops (SPW), pages 48–54. IEEE,
2020.
[7] Shaohua Ding, Yulong Tian, Fengyuan Xu, Qun Li, and Sheng Zhong.
Trojan attack on deep generative models in autonomous driving. In
International Conference on Security and Privacy in Communication
Systems, pages 299–318. Springer, 2019.
[8] Yi Ding, Guozheng Wu, Dajiang Chen, Ning Zhang, Linpeng Gong,
Mingsheng Cao, and Zhiguang Qin. Deepedn: a deep-learning-based
image encryption and decryption network for internet of medical things.
IEEE Internet of Things Journal, 8(3):1504–1518, 2020.
[9] Uğur Erkan, Abdurrahim Toktas, Serdar Enginoğlu, Enver Akbacak,
and Dang NH Thanh. An image encryption scheme based on chaotic
logarithmic map and key generation using deep cnn. Multimedia Tools
and Applications, 81(5):7365–7391, 2022.
[10] Yu Feng, Benteng Ma, Jing Zhang, Shanshan Zhao, Yong Xia, and
Dacheng Tao. Fiba: Frequency-injection based backdoor attack in
medical image analysis. In Proceedings of the IEEE/CVF Conference on
Computer Vision and Pattern Recognition, pages 20876–20885, 2022.
[11] Jessica Fridrich, Miroslav Goljan, and Rui Du. Detecting lsb steganog-
raphy in color, and gray-scale images. IEEE multimedia, 8(4):22–28,
2001.
[12] Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. Badnets:
Identifying vulnerabilities in the machine learning model supply chain.
arXiv preprint arXiv:1708.06733, 2017.
[13] Chiou-Ting Hsu and Ja-Ling Wu. Hidden digital watermarks in images.
IEEE Transactions on image processing, 8(1):58–68, 1999.
[14] Stefan Jaeger, Sema Candemir, Sameer Antani, Yı̀-Xiáng J Wáng, Pu-
Xuan Lu, and George Thoma. Two public chest x-ray datasets for
computer-aided screening of pulmonary diseases. Quantitative imaging
in medicine and surgery, 4(6):475, 2014.
[15] Xiulai Li, Yirui Jiang, Mingrui Chen, and Fang Li. Research on iris
image encryption based on deep learning. EURASIP Journal on Image
and Video Processing, 2018(1):1–10, 2018.
[16] Yuezun Li, Yiming Li, Baoyuan Wu, Longkang Li, Ran He, and
Siwei Lyu. Invisible backdoor attack with sample-specific triggers. In
Proceedings of the IEEE/CVF International Conference on Computer
Vision, pages 16463–16472, 2021.
[17] Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai,
Weihang Wang, and Xiangyu Zhang. Trojaning attack on neural
networks. 2017.
[18] Yuntao Liu, Ankit Mondal, Abhishek Chakraborty, Michael Zuzak, Nina
Jacobsen, Daniel Xing, and Ankur Srivastava. A survey on neural
trojans. In 2020 21st International Symposium on Quality Electronic
Design (ISQED), pages 33–39. IEEE, 2020.
[19] Xiyang Luo, Ruohan Zhan, Huiwen Chang, Feng Yang, and Peyman
Milanfar. Distortion agnostic deep watermarking. In Proceedings of the
IEEE/CVF Conference on Computer Vision and Pattern Recognition,
pages 13548–13557, 2020.
[20] Shima Ramesh Maniyath and V Thanikaiselvan. An efficient image
encryption using deep neural network and chaotic map. Microprocessors
and Microsystems, 77:103134, 2020.
 This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3322315

JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 13

[21] Mario Preishuber, Thomas Hütter, Stefan Katzenbeisser, and Andreas

Uhl. Depreciating motivation and empirical security analysis of chaos-
based image and video encryption. IEEE Transactions on Information
Forensics and Security, 13(9):2137–2150, 2018.
[22] Xiangyu Qi, Tinghao Xie, Ruizhe Pan, Jifeng Zhu, Yong Yang, and Kai
Bu. Towards practical deployment-stage backdoor attack on deep neural
networks. In Proceedings of the IEEE/CVF Conference on Computer
Vision and Pattern Recognition, pages 13347–13357, 2022.
[23] Alec Radford, Jeffrey Wu, Rewon Child, David Luan, Dario Amodei,
Ilya Sutskever, et al. Language models are unsupervised multitask
learners. OpenAI blog, 1(8):9, 2019.
[24] JJKO Ruanaidh, WJ Dowling, and Francis M Boland. Phase water-
marking of digital images. In Proceedings of 3rd IEEE International
Conference on Image Processing, volume 3, pages 239–242. IEEE, 1996.
[25] Aniruddha Saha, Ajinkya Tejankar, Soroush Abbasi Koohpayegani, and
Hamed Pirsiavash. Backdoor attacks on self-supervised learning. In
Proceedings of the IEEE/CVF Conference on Computer Vision and
Pattern Recognition, pages 13337–13346, 2022.
[26] Ahmed Salem, Rui Wen, Michael Backes, Shiqing Ma, and Yang Zhang.
Dynamic backdoor attacks against machine learning models. In 2022
IEEE 7th European Symposium on Security and Privacy (EuroS&P),
pages 703–718. IEEE, 2022.
[27] Roei Schuster, Congzheng Song, Eran Tromer, and Vitaly Shmatikov.
You autocomplete me: Poisoning vulnerabilities in neural code comple-
tion. In 30th USENIX Security Symposium (USENIX Security 21), pages
1559–1575, 2021.
[28] Abdelfatah A Tamimi, Ayman M Abdalla, and Omaima Al-Allaf.
Hiding an image inside another image using variable-rate steganography.
International Journal of Advanced Computer Science and Applications
(IJACSA), 4(10), 2013.
[29] Matthew Tancik, Ben Mildenhall, and Ren Ng. Stegastamp: Invisible
hyperlinks in physical photographs. In Proceedings of the IEEE/CVF
Conference on Computer Vision and Pattern Recognition, pages 2117–
2126, 2020.
[30] Eric Wallace, Tony Z Zhao, Shi Feng, and Sameer Singh. Cus-
tomizing triggers with concealed data poisoning. arXiv preprint
arXiv:2010.12563, 2020.
[31] Zhang Yun-Peng, Liu Wei, Cao Shui-Ping, Zhai Zheng-Jun, Nie Xuan,
and Dai Wei-di. Digital image encryption algorithm based on chaos and
improved des. In 2009 IEEE international conference on systems, man
and cybernetics, pages 474–479. IEEE, 2009.
[32] Kevin Alex Zhang, Alfredo Cuesta-Infante, Lei Xu, and Kalyan Veera-
machaneni. Steganogan: High capacity image steganography with gans.
arXiv preprint arXiv:1901.03892, 2019.
[33] Xinyang Zhang, Zheng Zhang, Shouling Ji, and Ting Wang. Trojaning
language models for fun and profit. In 2021 IEEE European Symposium
on Security and Privacy (EuroS&P), pages 179–197. IEEE, 2021.
[34] Jiren Zhu, Russell Kaplan, Justin Johnson, and Li Fei-Fei. Hidden:
Hiding data with deep networks. In Proceedings of the European
conference on computer vision (ECCV), pages 657–672, 2018.
[35] Jun-Yan Zhu, Taesung Park, Phillip Isola, and Alexei A Efros. Unpaired
image-to-image translation using cycle-consistent adversarial networks.
In Proceedings of the IEEE international conference on computer vision,
pages 2223–2232, 2017.

Authorized licensed use limited to: RMIT University Library. Downloaded on October 14,2023 at 09:23:23 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.