ResDiff: Hardware-Aware Physical-Layer Covert Communication via Diffusion-Based Residual Perturbation

Abstract

Physical-layer covert communication is increasingly challenged by powerful detectors that exploit the fine-grained statistical structure of received signals. In realistic Radio Frequency (RF) front ends, signal-dependent impairments such as power amplifier (PA) nonlinearity and In-phase and Quadrature (I/Q) imbalance induce transmitter-specific, non-Gaussian emission statistics under which conventional Gaussian embedding rules cause detectable distribution drift. We propose ResDiff, a two-stage learn-then-embed framework that first trains a symbol-conditional diffusion prior to capture a hardware-consistent emission manifold, then embeds covert information through bounded, variance-adaptive residuals spread over a K-symbol block with coherent block decoding at the legitimate receiver. Simulations under a severe impairment profile in an Additive White Gaussian Noise (AWGN) channel show that ResDiff improves stealthiness while maintaining reliable covert recovery and that increasing K reduces detectability by lowering the per symbol embedding pressure. Overall, the results indicate that hardware-aware generative priors, combined with rate-controlled block embedding, provide a practical path to covert-in-cover-traffic communication under modern detection capabilities.

1. Introduction and Related Work

Covert communication in the physical layer aims to conceal not only the content of a transmission but also its very existence [1,2]. In this paper, we study the covert-in-cover-traffic regime, where a transmitter continuously sends legitimate public symbols while embedding an additional covert payload. In this setting, the warden’s test is not silence versus transmission but legitimate traffic versus steganographic traffic: the received waveform under embedding must remain statistically indistinguishable from the transmitter’s legitimate emission process under the same operating conditions. Throughout, we use the term hardware-aware to mean that the transmitter-side model explicitly learns and reproduces the non-ideal, transmitter-specific emission statistics induced by its RF chain rather than relying on idealized constellation-centered Gaussian assumptions.

Achieving such indistinguishability is challenging because covert embedding must satisfy three competing requirements. It must carry enough structure for the intended receiver to decode the covert payload at a non-trivial rate while preserving public-link fidelity so that a legacy receiver can still demodulate the public symbols under standard quality constraints. Most importantly, embedding must avoid introducing distributional drift that accumulates over many observations and becomes exploitable by hypothesis testing and data-driven detection [3]. These considerations motivate embedding mechanisms with explicit per symbol budgets and designs that shift information from single-symbol separability to block-level structure.

Prior research spans several complementary directions. Information-theoretic studies characterize detectability limits and achievable covert rates, with the Additive White Gaussian Noise (AWGN) square-root law as a canonical benchmark [4,5]. A second line develops coding and keying strategies that approach these limits and quantify the required shared secret resources [6,7]. A third line targets practical wireless deployments by introducing uncertainty through physical-layer mechanisms, such as power randomization [8], fading uncertainty [9], randomized signaling [10], and cooperative or artificial noise assistance [11], and by leveraging enabling technologies, including multi-antenna transmission [12], intelligent reflecting surfaces [13], and unmanned aerial vehicle-assisted networks [14], as well as grant-free access architectures such as semi-grant-free nonorthogonal multiple access for physical-layer security [15]. More broadly, information hiding has also been studied in multimedia domains, including coverless image-synthesized video steganography [16]; we cite this line for context, while our focus remains on wireless cover-traffic embedding. Warden models are likewise diversified, ranging from a single passive observer to collaborative and even active or mobile wardens [17,18]. In this work, we focus on a passive warden: Willie only observes ongoing transmissions and does not inject probes. Active or mobile wardens require the specification of an interaction model and additional side information and are therefore treated as complementary to our setting and beyond the scope of this paper.

Our focus is the cover-traffic embedding regime, where covert information is conveyed through structured modifications over short blocks. A common simplification in the literature involves treating legitimate emissions as locally Gaussian around ideal constellation points, implying that small additive perturbations appear statistically natural. This assumption is fragile under realistic RF front ends. Signal-dependent impairments such as In-phase and Quadrature (I/Q) imbalance and Power Amplifier (PA) nonlinearity induce transmitter-specific, non-Gaussian emission statistics (hardware fingerprints) [19]. Consequently, embedding rules that appear benign under idealized models can leave subtle but systematic artifacts, which become separable once the warden is allowed to learn block-level features from waveform-level baseband observations [20].

Motivated by this gap, we propose ResDiff, a two-stage learn-then-embed framework for hardware-consistent covert-in-cover-traffic signaling. We adopt a conditional diffusion model as the generative prior because diffusion models can stably learn complex, non-Gaussian, symbol-conditional emission distributions induced by RF impairments, providing high-fidelity anchors for subsequent constrained embedding [21,22]; diffusion models have also been enhanced with adversarial mechanisms in other synthesis tasks, further motivating diffusion-based priors in challenging distribution-matching problems [23]. Compared with GAN-based priors, diffusion training relies on a direct denoising/score-matching objective rather than an adversarial min–max game, which mitigates training instability and mode collapse—both of which are particularly undesirable here because a warden can exploit rare but structured artifacts. Compared with VAE-based priors, diffusion better preserves fine-grained, multimodal conditional I/Q statistics that constitute transmitter-specific hardware fingerprints, producing higher-fidelity anchors that reduce distributional drift under learned detectors. Stage I trains this conditional diffusion prior to approximate the legitimate hardware-impaired emission distribution conditioned on the public symbol. Stage II freezes the prior and embeds covert information via bounded, variance-adaptive residuals spread over a K-symbol block, enabling processing gain at the intended receiver while strictly constraining per symbol drift. A key engineering consideration is single-pass compliance: ResDiff avoids re-injecting synthesized waveforms into the same non-ideal RF chain, which would otherwise compound distortions and cause drift away from the legitimate manifold. We generate anchors directly in the post-hardware complex baseband domain and apply the residual embedder in the same domain so that the transmitter does not cascade the hardware mapping on already synthesized anchors. The precise signal-space definition and practical implementation considerations are discussed in Section 3.2.

We evaluate ResDiff against two complementary learned wardens. Our primary adversary is a block-/sequence-level detector (TM-2) operating on K-symbol windows, which can exploit correlation features induced by block-based embedding. We also report a symbol-level detector (TM-1) as a diagnostic for marginal distribution mismatch.

This work makes three contributions. First, we formulate hardware-aware covert-in-cover-traffic embedding as a distribution-consistency problem with respect to a symbol-conditional legitimate emission manifold induced by RF impairments and specify a two-layer threat model that includes both symbol-level and block-/sequence-level learned detectors. Second, we propose ResDiff, a two-stage learn-then-embed framework that learns a hardware-consistent prior using conditional diffusion, then embeds covert information via bounded, variance-adaptive residuals with explicit single-pass compliance. Third, we conduct extensive simulations under severe impairment profiles, reporting detectability, covert reliability, and public-link impact across varying signal-to-noise ratios (SNRs) and block lengths and characterizing the resulting stealth–reliability operating frontier.

The remainder of this paper is organized as follows. Section 2 presents the system and threat models. Section 3 details ResDiff and its training procedures. Section 4 reports experimental results and analysis.

2. System Model and Threat Model

We consider a covert-in-cover-traffic system with a transmitter (Alice), a legitimate receiver (Bob), and a passive warden (Willie), as illustrated in Figure 1. The transmitter continuously sends public symbols while embedding an additional covert payload, and the warden attempts to distinguish legitimate traffic from embedded traffic based on received baseband observations.

All baseband signals are complex-valued. The time index ($k\in \{1,2,\dots \}$) denotes the symbol interval. The public symbol is $s\left[k\right]\in \mathcal{S}$, where $\mathcal{S}$ is a standard modulation alphabet. In our experiments, the public link uses Quadrature Phase-Shift Keying (QPSK) so that $\mathcal{S}$ contains four unit-energy constellation points; the proposed framework is not tied to a specific $\mathcal{S}$ and applies to other modulation formats without changing the formulation. We use K to denote the covert block length: one covert bit is embedded over a block of K public symbols, yielding an effective covert rate of $R_c=1/K$ bit/symbol. This block-coded construction intentionally targets the low-rate covert regime, where payloads are short and sporadic and covertness is prioritized over throughput. Typical use cases include control messages, authentication, and lightweight signaling metadata. Increasing K reduces the per symbol embedding pressure and can improve stealthiness, but it also lowers the covert rate; thus, K provides an explicit rate–covertness trade-off knob. Higher-rate variants are made possible by embedding multiple bits per block, coding across blocks, or embedding in parallel over additional degrees of freedom such as in the case of subcarriers or spatial streams. These extensions increase the effective embedding pressure and may therefore raise detectability.

2.1. Signal Model and Channel

Alice transmits a complex baseband sample ($x\left[k\right]$). Bob and Willie receive

$$\begin{array}{cc}\hfill y_B\left[k\right]& =h_{B}x\left[k\right]+n_B\left[k\right],\hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill y_W\left[k\right]& =h_{W}x\left[k\right]+n_W\left[k\right],\hfill \end{array}$$

(2)

where $h_B$ and $h_W$ denote the channel coefficients ofBob and Willie, respectively, and $n_B\left[k\right]\sim \mathcal{CN}(0,{\sigma }_B^2)$ and $n_W\left[k\right]\sim \mathcal{CN}(0,{\sigma }_W^2)$ are circularly symmetric complex Gaussian noises.

Unlike idealized transmitter models where $x\left[k\right]$ is an undistorted constellation point plus independent additive noise, practical RF front ends introduce signal-dependent and often non-Gaussian distortions. We model Alice’s legitimate emission as the output of a hardware-impaired mapping

$$x_{\mathrm{legit}}\left[k\right]=f_{\mathrm{hw}}(s\left[k\right];\mathit{\psi }),$$

(3)

where $\mathit{\psi }$ summarizes impairment parameters such as I/Q imbalance, PA nonlinearity, and oscillator impairments. A typical impairment cascade can be expressed as

$$\begin{array}{cc}\hfill x_{\mathrm{IQ}}\left[k\right]& =\mu s\left[k\right]+\nu s^{*}\left[k\right],\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill x_{\mathrm{PA}}\left[k\right]& =\sum _{n=0}^{N_p}{c}_{2n+1}{\left|x_{\mathrm{IQ}}\left[k\right]\right|}^{2n}{x}_{\mathrm{IQ}}\left[k\right],\hfill \end{array}$$

(5)

$$\begin{array}{cc}\hfill x_{\mathrm{legit}}\left[k\right]& =x_{\mathrm{PA}}\left[k\right]e^{j\theta \left[k\right]},\hfill \end{array}$$

(6)

where ${(·)}^{*}$ denotes complex conjugation, $(\mu ,\nu )$ captures I/Q amplitude and phase imbalance, $\left\{c_{2n+1}\right\}$ parameterizes a memoryless polynomial PA, and $\theta \left[k\right]$ captures oscillator phase jitter and any residual carrier-frequency offset.

These impairments induce a transmitter-specific conditional distribution for legitimate emissions, i.e.,

$$x_{\mathrm{legit}}\sim p_{\mathrm{legit}}(x\mid s;\mathit{\psi }),$$

(7)

whose I/Q density concentrates on a structured, transmitter-specific, non-Gaussian geometry. We refer to this geometry as the hardware-impaired signal manifold. Maintaining covertness against learned detectors requires covert embedding to remain statistically consistent with $p_{\mathrm{legit}}(x\mid s;\mathit{\psi })$.

2.2. Covert Embedding over K-Symbol Blocks and Bob’s Decoding

Let ${\left\{m_i\right\}}_{i=1}^{N_b}$ denote the covert bitstream with $m_i\in \{0,1\}$. The i-th covert bit is embedded over the K symbol intervals in the index set:

$${\mathcal{B}}_i\triangleq \{(i-1)K+1,\dots ,iK\}.$$

(8)

For $k\in {\mathcal{B}}_i$, Alice transmits a stego sample of the following form:

$$x\left[k\right]=x_{\mathrm{anc}}\left[k\right]+\delta \left[k\right],$$

(9)

where $x_{\mathrm{anc}}\left[k\right]$ denotes an anchor sample that is statistically consistent with the legitimate conditional distribution ($p_{\mathrm{legit}}(x\mid s;\mathit{\psi })$) and $\delta \left[k\right]$ is the residual perturbation that embeds the covert bit ($m_i$) over the block (${\mathcal{B}}_i$), generated from the anchor sample($x_{\mathrm{anc}}\left[k\right]$) and the block message ($m_i$). In conventional transmission, one may take $x_{\mathrm{anc}}\left[k\right]=x_{\mathrm{legit}}\left[k\right]=f_{\mathrm{hw}}(s\left[k\right];\mathit{\psi })$. In ResDiff, we instead draw $x_{\mathrm{anc}}\left[k\right]=x_{\mathrm{gen}}\left[k\right]\sim p_{\theta }(x\mid s\left[k\right])\approx p_{\mathrm{legit}}(x\mid s\left[k\right];\mathit{\psi })$ so that the anchor, itself, follows the hardware-impaired manifold and the residual ($\delta \left[k\right]$) only needs to carry covert information within a bounded budget. We impose a per symbol magnitude constraint to preserve the public link, i.e.,

$$\left|\delta \left[k\right]\right|\le {\alpha }_{\mathrm{total}},\forall k,$$

(10)

where ${\alpha }_{\mathrm{total}}$ controls the embedding budget. In ResDiff, $\delta \left[k\right]$ is generated by a bounded residual module; here, we keep the mapping abstract to define the threat model and objectives. When working with the 2D real representation proposed in Section 3, this constraint is equivalently ${\parallel \delta \left[k\right]\parallel }_2\le {\alpha }_{\mathrm{total}}$.

We encode each covert bit across the block rather than forcing separability at the single-symbol level. This induces a message-dependent block-level correlation that Bob can exploit for processing gain while reducing marginal artifacts that are most accessible to symbol-level detectors.

Bob decodes the public symbols using a standard receiver chain, yielding $\widehat{s}\left[k\right]$ from $y_B\left[k\right]$. Covert decoding is performed on a block basis. For each block (${\mathcal{B}}_i$), Bob observes the received sequence (${\left\{y_B\left[k\right]\right\}}_{k\in {\mathcal{B}}_i}$), together with the available public-side information, such as ${\left\{\widehat{s}\left[k\right]\right\}}_{k\in {\mathcal{B}}_i}$, and the known block structure. He then computes a block-level decision metric and outputs an estimate (${\widehat{m}}_i$). In particular, Bob uses the demodulated public symbols ($\widehat{s}\left[k\right]$) as side information during inference. During training, we adopt teacher forcing and feed the ground-truth public symbols ($s\left[k\right]$) to the decoder to stabilize optimization; at test time, $s\left[k\right]$ is replaced by $\widehat{s}\left[k\right]$. The specific coherent and neural decoding architecture is detailed in Section 3; here, we emphasize that Bob’s reliability gain arises from the aggregation of information across K symbols under the bounded-embedding constraint.

2.3. Willie’s Hypothesis Test, Two-Tier Wardens, and Metrics

Willie aims to detect the presence of covert embedding from his received samples. Given ${\mathbf{y}}_W=[y_W\left[1\right],\dots ,y_W\left[N\right]{]}^{\top }$, Willie performs the binary hypothesis test:

$$\begin{array}{cc}\hfill {\mathcal{H}}_0& :x\left[k\right]=x_{\mathrm{legit}}\left[k\right],\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill {\mathcal{H}}_1& :x\left[k\right]=x_{\mathrm{stego}}\left[k\right]=x_{\mathrm{anc}}\left[k\right]+\delta \left[k\right].\hfill \end{array}$$

(12)

In our primary stealthiness evaluation, ${\mathcal{H}}_0$ samples correspond to the true legitimate emission process ($x_{\mathrm{legit}}=f_{\mathrm{hw}}(s;\mathit{\psi })$), while ${\mathcal{H}}_1$ samples correspond to ResDiff transmissions ($x_{\mathrm{stego}}=x_{\mathrm{anc}}+\delta$) with diffusion anchors ($x_{\mathrm{anc}}\left[k\right]=x_{\mathrm{gen}}\left[k\right]\sim p_{\theta }(x\mid s\left[k\right])$). Willie applies a decision rule ($D\left({\mathbf{y}}_W\right)\in \{0,1\}$), and we define

$$P_{\mathrm{FA}}=\mathrm{Pr}(D\left({\mathbf{y}}_W\right)=1\mid {\mathcal{H}}_0),P_{\mathrm{MD}}=\mathrm{Pr}(D\left({\mathbf{y}}_W\right)=0\mid {\mathcal{H}}_1),$$

(13)

with a total error probability of $P_E=\frac{1}{2}(P_{\mathrm{FA}}+P_{\mathrm{MD}})$.

We consider a strong warden model. Willie knows the public modulation alphabet ($\mathcal{S}$) and the noise statistics. Our primary evaluation assumes Willie knows K, which provides a worst-case benchmark for detectability under fixed operating conditions. If K is unknown, a practical warden may scan multiple candidate window sizes or adopt a multi-scale detector; however, this introduces a multiple-testing burden and reduces the amount of effective labeled data per candidate (K), so it does not necessarily yield stronger detectability than the known-K case under the same operating conditions. We leave a systematic study of unknown-K wardens and multi-scale countermeasures for future work. Unless otherwise stated, Willie is passive: he only observes ongoing cover traffic and does not inject probes or otherwise manipulate the channel. We mention active or mobile wardens to distinguish our scope from interaction-driven threat models; analyzing such adversaries requires additional assumptions and side information that are not needed in our waveform-level setting. He is assumed to be capable of training a deep detector using labeled samples that are representative of the evaluation conditions, including the same SNR range and impairment profile. This supervised-training assumption is pessimistic for stealthiness evaluation. In practice, training–deployment mismatch can arise and may change detectability; therefore, we discuss mismatch sensitivity and its expected impact in Section 4.8. Willie does not know the covert bits ($\left\{m_i\right\}$) and does not observe Alice’s internal random seeds or any secret keys used for randomization.

In TM-1, Willie applies a symbol-wise classifier to individual received I/Q samples. We denote ${\mathbf{y}}_W\left[k\right]={[\Re \left\{y_W\left[k\right]\right\},\Im \left\{y_W\left[k\right]\right\}]}^{\top }\in {\mathbb{R}}^2$, and

$$D_{\mathrm{TM}-1}:{\mathbf{y}}_W\left[k\right]\mapsto \widehat{\ell }\left[k\right]\in [0,1],$$

(14)

where $\widehat{\ell }\left[k\right]$ is a suspicion score for ${\mathcal{H}}_1$. This model captures wardens that exploit symbol-level artifacts such as constellation shifts, variance inflation, or weak multimodality. In evaluation, we report the area under the receiver operating characteristic (ROC) curve (AUC) by treating each received symbol as an independent test sample under ${\mathcal{H}}_0$ or ${\mathcal{H}}_1$.

In TM-2, Willie processes K-symbol windows and may exploit higher-order and correlation features, i.e.,

$$D_{\mathrm{TM}-2}:{\mathbf{y}}_W\left[{\mathcal{B}}_i\right]\mapsto {\widehat{\ell }}_i\in [0,1],$$

(15)

where ${\mathbf{y}}_W\left[{\mathcal{B}}_i\right]\in {\mathbb{R}}^{2K}$ stacks the I/Q vectors over the K-symbol window. TM-1 is a special case of TM-2 that restricts the receptive field to a single symbol.

Our design targets a three-way trade-off. Public-link fidelity requires preservation of the decodability of the public symbols at Bob, which we quantify using the public symbol error rate (SER). Covert reliability requires Bob to be enabled to decode the covert bits with a low block bit error rate. Stealthiness requires that Willie be prevented from reliably distinguishing ${\mathcal{H}}_0$ and ${\mathcal{H}}_1$. For empirical stealthiness, we report the AUC of Willie’s detector. An AUC of $0.5$ corresponds to random guessing, while a larger AUC indicates greater detectability.

3. Method: ResDiff

3.1. Overview and Design Principle

Recall from Section 2 that legitimate emissions follow a hardware-impaired conditional distribution ($x_{\mathrm{legit}}\sim p_{\mathrm{legit}}(x\mid s;\mathit{\psi })$). Alice embeds covert information via a bounded residual perturbation ($\delta \left[k\right]$) that satisfies $\left|\delta \left[k\right]\right|\le {\alpha }_{\mathrm{total}}$. A naive additive embedder tends to create out-of-manifold artifacts that are readily exploited by learned wardens.

ResDiff follows a “learn-then-embed” principle: we first learn a high-fidelity generative prior for the legitimate, hardware-impaired signal manifold, then embed covert bits using bounded residuals that remain within the learned statistical envelope. Reliability is achieved through block-level processing gain rather than single-symbol separability. The system model is expressed in complex baseband scalars. For the learning modules in this section, including CDP and VARE, we apply the 2D real I/Q mapping ($\mathbf{x}\left[k\right]\triangleq {[\Re \left\{x\left[k\right]\right\},\Im \left\{x\left[k\right]\right\}]}^{\top }\in {\mathbb{R}}^2$) and $\delta \left[k\right]\triangleq {[\Re \left\{\delta \left[k\right]\right\},\Im \left\{\delta \left[k\right]\right\}]}^{\top }$ and write the corresponding conditional distributions in terms of $\mathbf{x}$. Figure 2 provides an overview of the ResDiff framework, including the training and inference/evaluation pipelines.

ResDiff consists of the following stages:

• Stage I—Conditional Diffusion Prior (CDP): We learn a conditional generative prior that matches the legitimate hardware-impaired distribution.

  $$p_{\theta }(\mathbf{x}\mid s)\approx p_{\mathrm{legit}}(\mathbf{x}\mid s;\mathit{\psi }).$$

  (16)
  The learned conditional prior produces anchor samples on the legitimate manifold by sampling

  $${\mathbf{x}}_{\mathrm{anc}}\left[k\right]={\mathbf{x}}_{\mathrm{gen}}\left[k\right]\sim p_{\theta }(\mathbf{x}\mid s\left[k\right]).$$

  (17)
• Stage II—Variance-Adaptive Residual Embedder (VARE): $\theta$ is frozen, and a lightweight residual module that maps anchors and the block code to a bounded perturbation ($\delta \left[k\right]$) is trained. Bob then applies a coherent block decoder to recover covert bits from K received symbols.

3.2. Stage I: Conditional Diffusion Prior (CDP)

Stage I is trained using legitimate transmitter outputs—namely, pairs $\left\{(s\left[k\right],{\mathbf{x}}_0\left[k\right])\right\}$ where ${\mathbf{x}}_0\left[k\right]$ is a hardware-impaired emission corresponding to public symbol $s\left[k\right]$. Such data can be produced by an impairment simulator or collected from a device under test.

Given a legitimate sample (${\mathbf{x}}_0\sim p_{\mathrm{legit}}(\mathbf{x}\mid s)$), the forward diffusion adds Gaussian noise over T steps:

$$q({\mathbf{x}}_t\mid {\mathbf{x}}_{t-1})=\mathcal{N}\left({\mathbf{x}}_t;\sqrt{1-{\beta }_t}{\mathbf{x}}_{t-1},{\beta }_t\mathbf{I}\right),$$

(18)

where ${\left\{{\beta }_t\right\}}_{t=1}^T$ is a fixed schedule, $\mathbf{I}$ is the $2\times 2$ identity, ${\alpha }_t=1-{\beta }_t$, and ${\overline{\alpha }}_t={\prod }_{i=1}^t{\alpha }_i$. Equivalently,

$${\mathbf{x}}_t=\sqrt{{\overline{\alpha }}_t}{\mathbf{x}}_0+\sqrt{1-{\overline{\alpha }}_t}\mathit{ϵ},\mathit{ϵ}\sim \mathcal{N}(\mathbf{0},\mathbf{I}).$$

(19)

We train a denoiser (${\mathit{ϵ}}_{\theta }({\mathbf{x}}_t,t,s)$) conditioned on the public symbol (s) and diffusion step (t) via the noise-prediction objective:

$${\mathcal{L}}_{\mathrm{CDP}}\left(\theta \right)={\mathbb{E}}_{({\mathbf{x}}_0,s),t,\mathit{ϵ}}\left[{∥\mathit{ϵ}-{\mathit{ϵ}}_{\theta }\left(\sqrt{{\overline{\alpha }}_t}{\mathbf{x}}_0+\sqrt{1-{\overline{\alpha }}_t}\mathit{ϵ},t,s\right)∥}_2^2\right].$$

(20)

After training, anchors (${\mathbf{x}}_{\mathrm{gen}}\sim p_{\theta }(\mathbf{x}\mid s)$) are generated by running the reverse chain from ${\mathbf{x}}_T\sim \mathcal{N}(\mathbf{0},\mathbf{I})$ to ${\mathbf{x}}_0$. Here, ${\mathbf{x}}_{\mathrm{gen}}$ is defined in the same sample space as the legitimate emitted sample (${\mathbf{x}}_0$), i.e., the 2D I/Q representation of the post-hardware complex baseband waveform ($x_{\mathrm{legit}}$) in (3). This corresponds to the emitted complex baseband sample after effective RF front-end distortions and before the wireless channel. Accordingly, “single-pass compliance” means that the non-ideal hardware mapping is applied only once and is not cascaded on already synthesized anchors. In practice, the production of a desired emitted baseband waveform can be supported by standard offline calibration/predistortion or by direct waveform injection through a software-defined radio (SDR); thus, our formulation does not assume any iterative online predistortion loop during embedding.

To ensure that covert perturbations remain statistically indistinguishable from the inherent hardware-induced variations, we require a quantitative measure of the local dispersion of legitimate emissions around each constellation point. This dispersion defines the natural statistical envelope within which covert perturbations should be confined.

We therefore estimate a symbol-conditional covariance matrix for each $s\in \mathcal{S}$ using either collected legitimate samples (${\mathbf{x}}_0$) or synthesized anchors (${\mathbf{x}}_{\mathrm{gen}}$) from the trained diffusion prior, i.e.,

$$\mathbf{\Sigma }\left(s\right)=\mathbb{E}\left[(\mathbf{x}-\mathit{\mu }\left(s\right)){(\mathbf{x}-\mathit{\mu }\left(s\right))}^{\top }\mid s\right],\mathit{\mu }\left(s\right)=\mathbb{E}[\mathbf{x}\mid s],$$

(21)

and derive a scalar spread metric:

$$v\left(s\right)=\sqrt{\frac{1}{2}\mathrm{tr}\left(\mathbf{\Sigma }\left(s\right)\right)}.$$

(22)

During operation, we assign $v\left[k\right]=v\left(s\right[k\left]\right)$ for each symbol interval.

The computed $v\left(s\right)$ quantifies the local spread of the hardware-impaired signal cloud and is used to scale the residual perturbation adaptively, as formalized in Equations (24) and (25). This ensures the covert signal energy is proportional to the local impairment-induced variability, thereby embedding covert information within the transmitter’s natural statistical footprint and minimizing detectable distributional drift.

3.3. Stage II: Variance-Adaptive Residual Embedder (VARE)

Stage II embeds covert bits while preserving public-link fidelity and statistical consistency with the learned manifold. Reliability is achieved through block-level processing gain. Let $m_i\in \{0,1\}$ denote the covert bit carried by block ${\mathcal{B}}_i=\{(i-1)K+1,\dots ,iK\}$. We map $m_i$ to a bipolar value ($b_i=2m_i-1\in \{-1,+1\}$) and use a spreading sequence ($\mathbf{c}={[c_1,\dots ,c_K]}^{\top }\in {\{\pm 1\}}^K$) with ${\parallel \mathbf{c}\parallel }_2^2=K$. For $k\in {\mathcal{B}}_i$, we denote $c_{i,k}=c_{k-(i-1)K}$.

For each $k\in {\mathcal{B}}_i$, we sample an anchor (${\mathbf{x}}_{\mathrm{gen}}\left[k\right]\sim p_{\theta }(\mathbf{x}\mid s\left[k\right])$) and generate a residual direction, i.e.,

$${\mathbf{r}}_{\varphi }\left[k\right]=G_{\varphi }\left({\mathbf{x}}_{\mathrm{gen}}\left[k\right],s\left[k\right],c_{i,k},b_i\right)\in {\mathbb{R}}^2,$$

(23)

where $G_{\varphi }(·)$ is a lightweight multilayer perceptron (MLP).

We enforce the hard budget (${\parallel \delta \left[k\right]\parallel }_2\le {\alpha }_{\mathrm{total}}$) while adapting to symbol-conditional spread via

$$\mathit{\delta }\left[k\right]={\alpha }_{\mathrm{total}}·\rho \left(v\left[k\right]\right)·{\displaystyle \frac{\tanh \left({\mathbf{r}}_{\varphi }\left[k\right]\right)}{{∥\tanh \left({\mathbf{r}}_{\varphi }\left[k\right]\right)∥}_2+\epsilon }},k\in {\mathcal{B}}_i,$$

(24)

where $\epsilon >0$ avoids division by zero and $\rho \left(v\right[k\left]\right)$ is a bounded scale, i.e.,

$$\rho \left(v\left[k\right]\right)=\mathrm{clip}\left({\displaystyle \frac{v\left[k\right]}{\mathbb{E}\left[v\right]}},{\rho }_{\min },{\rho }_{\max }\right),$$

(25)

with $\mathbb{E}\left[v\right]$ computed as a running mean over training symbols. This construction yields smaller perturbations for dense symbol clusters and slightly larger perturbations where the legitimate manifold is naturally more spread, reducing out-of-manifold artifacts.

Then, the transmitted sample is

$$\mathbf{x}\left[k\right]={\mathbf{x}}_{\mathrm{gen}}\left[k\right]+\delta \left[k\right],k\in {\mathcal{B}}_i.$$

(26)

3.4. Bob’s Covert Decoder: Coherent Neural Decoder (CND)

Bob observes ${\mathbf{y}}_B\left[k\right]={[\Re \left\{y_B\left[k\right]\right\},\Im \left\{y_B\left[k\right]\right\}]}^{\top }$ and uses the public-side information. We implement Bob as a coherent block decoder that outputs the posterior of the covert bit, given a K-symbol block:

$${\widehat{m}}_i=D_{\omega }\left({\mathbf{y}}_B\left[{\mathcal{B}}_i\right],\tilde{\mathbf{s}}\left[{\mathcal{B}}_i\right],\mathbf{c}\right),$$

(27)

where ${\mathbf{y}}_B\left[{\mathcal{B}}_i\right]\in {\mathbb{R}}^{2K}$ stacks the I/Q vectors over the block and $\tilde{\mathbf{s}}\left[{\mathcal{B}}_i\right]=\mathbf{s}\left[{\mathcal{B}}_i\right]$ during training, while $\tilde{\mathbf{s}}\left[{\mathcal{B}}_i\right]=\widehat{\mathbf{s}}\left[{\mathcal{B}}_i\right]$ during inference. The decoder learns to exploit the block-level correlation induced by spreading while mitigating nonlinear self-interference arising from the hardware-impaired manifold.

3.5. Training Objectives

Stage II trains the embedder ($G_{\varphi }$) and Bob’s decoder ($D_{\omega }$) with $\theta$ frozen. Training samples are passed through the channel model in (1) and (2).

We minimize block-wise binary cross-entropy:

$${\mathcal{L}}_{\mathrm{rel}}(\varphi ,\omega )=\mathbb{E}\left[\mathrm{BCE}\left(m_i,D_{\omega }({\mathbf{y}}_B\left[{\mathcal{B}}_i\right],\tilde{\mathbf{s}}\left[{\mathcal{B}}_i\right],\mathbf{c})\right)\right].$$

(28)

We penalize embedding energy to limit public-link distortion, i.e.,

$${\mathcal{L}}_{\mathrm{pub}}\left(\varphi \right)=\mathbb{E}\left[{\parallel \delta \left[k\right]\parallel }_2^2\right],$$

(29)

while the hard bound is enforced by construction in (24).

To explicitly discourage marginal artifacts, we optionally include a symbol-level proxy warden ($D_W$) that distinguishes anchors from stego samples:

$$\begin{array}{cc}\hfill {\mathcal{L}}_W& =-\mathbb{E}\left[\log D_W\left({\mathbf{y}}_W^{\mathrm{anc}}\left[k\right]\right)\right]-\mathbb{E}\left[\log (1-D_W\left({\mathbf{y}}_W^{\mathrm{stego}}\left[k\right]\right))\right],\hfill \end{array}$$

(30)

$$\begin{array}{cc}\hfill {\mathcal{L}}_{\mathrm{adv}}\left(\varphi \right)& =-\mathbb{E}\left[\log D_W\left({\mathbf{y}}_W^{\mathrm{stego}}\left[k\right]\right)\right].\hfill \end{array}$$

(31)

where ${\mathbf{y}}_W^{\mathrm{anc}}\left[k\right]$ is obtained by transmitting anchors without embedding and ${\mathbf{y}}_W^{\mathrm{stego}}\left[k\right]$ is obtained from (26) under the same channel conditions. Here, $D_W(·)$ outputs the probability of the anchor class, so minimizing ${\mathcal{L}}_{\mathrm{adv}}$ encourages stego samples to be indistinguishable from anchors at the symbol level. We train the proxy warden ($D_W$) jointly in an alternating manner. All evaluation results are reported using independently trained wardens.

The Stage II objective is

$$(\varphi ,\omega )=\arg \underset{\varphi ,\omega }{\min }{\lambda }_{\mathrm{rel}}{\mathcal{L}}_{\mathrm{rel}}+{\lambda }_{\mathrm{pub}}{\mathcal{L}}_{\mathrm{pub}}+{\lambda }_{\mathrm{adv}}{\mathcal{L}}_{\mathrm{adv}},$$

(32)

$$D_W=\arg \underset{D_W}{\min }{\mathcal{L}}_W.$$

(33)

We alternate between updating $D_W$ using (33) and updating $(\varphi ,\omega )$ using (32).

3.6. Training Procedures

The training procedures for Stage I and Stage II are summarized in Algorithms 1 and 2.

Algorithm 1: Stage I: Training the Conditional Diffusion Prior (CDP)

1 Input: Legitimate pairs $\left\{(s,{\mathbf{x}}_0)\right\}$, steps T, schedule $\left\{{\beta }_t\right\}$ 2 Output: $\theta$ and spread proxy $v\left(s\right)$ 3 1: Initialize parameters $\theta$. 4 2: repeat until convergence 5      2.1: Sample minibatch $(s,{\mathbf{x}}_0)$; sample $t\sim \mathrm{Unif}\{1,\dots ,T\}$; sample $ϵ\sim \mathcal{N}(\mathbf{0},\mathbf{I})$. 6      2.2: Form ${\mathbf{x}}_t$ by (19). 7      2.3: Update $\theta$ by descending ${\nabla }_{\theta }{\mathcal{L}}_{\mathrm{CDP}}$ in (20). 8 3: Estimate $v\left(s\right)$ using (21) and (22).

Algorithm 2: Stage II: Training VARE (Embedder) and CND (Bob’sDecoder)

1 Input: Frozen $\theta$, block length K, budget ${\alpha }_{\mathrm{total}}$, spreading code $\mathbf{c}$, weights ${\lambda }_{·}$ 2 Output: Embedder $\varphi$, decoder $\omega$, and a training-time proxy warden $D_W$ 1: Initialize $\varphi ,\omega$; 3 2: repeat until convergence 4      2.1: Sample a block $\mathbf{s}\left[{\mathcal{B}}_i\right]$ and covert bit $m_i$; set $b_i=2m_i-1$. 5      2.2: Sample anchors ${\mathbf{x}}_{\mathrm{gen}}\left[k\right]\sim p_{\theta }(\mathbf{x}\mid s\left[k\right])$ for all $k\in {\mathcal{B}}_i$. 6      2.3: Set $v\left[k\right]=v\left(s\right[k\left]\right)$ and compute $\delta \left[k\right]$ by (24). 7      2.4: Transmit anchors ${\mathbf{x}}_{\mathrm{gen}}\left[k\right]$ to obtain ${\mathbf{y}}_W^{\mathrm{anc}}\left[k\right]$, and transmit stego samples $\mathbf{x}\left[k\right]={\mathbf{x}}_{\mathrm{gen}}\left[k\right]+\delta \left[k\right]$ to obtain ${\mathbf{y}}_B\left[k\right]$ and ${\mathbf{y}}_W^{\mathrm{stego}}\left[k\right]$, under the same channel distribution. 8      2.5: Alternating updates: update $D_W$ by minimizing (33) with ${\mathbf{y}}_W^{\mathrm{anc}}$ and ${\mathbf{y}}_W^{\mathrm{stego}}$, then update $(\varphi ,\omega )$ by minimizing (32) with $D_W$ fixed.

4. Experimental Results and Analysis

4.1. Experimental Setup

To isolate distributional effects from fading, we consider an AWGN channel and set $h_B=h_W=1$ in (1) and (2). The transmitter power is normalized as $\mathbb{E}\left[\right|x\left[k\right]{|}^2]=1$, and public symbols use unit-power QPSK. We sweep $\mathrm{SNR}\in \{0,2,4,\dots ,20\}$ dB by adjusting the noise variance. ResDiff is trained with the per symbol SNR sampled uniformly from $[10,15]$ dB and evaluated over the full 0–20 dB range without re-training, so the low/high SNR regions are out of range relative to training. We further discuss mismatch sensitivity and practical mitigation in Section 4.8.

By default, we perform evaluations under a fixed impairment profile combining I/Q imbalance, memoryless PA nonlinearity, and oscillator phase jitter;

Table 1. Implementation details for ResDiff and learned wardens.

Component	Setting
Conditional diffusion prior (Stage I)	Diffusion steps $T=200$; cosine $\beta$ schedule; noise-prediction objective.
Denoiser architecture	MLP; 5 hidden layers; width 256; symbol embedding dimension 32.
Stage I optimization	Adam; learning rate ${10}^{-3}$; batch size 2048; 15 epochs.
Residual embedder VARE (Stage II)	MLP; 3 hidden layers; width 128; bounded output scaled to the embedding budget.
Covert decoder CND (Stage II)	MLP; 3 hidden layers; width 128; block input of K symbols with public side information.
Stage II optimization	Adam; learning rate ${10}^{-3}$; batch size 512; 15 epochs; loss weights ${\lambda }_{\mathrm{rel}}=1$, ${\lambda }_{\mathrm{pub}}=0.1$, ${\lambda }_{\mathrm{adv}}=0.5$.
TM-1 warden	Symbol-level MLP; 3 hidden layers; width 64.
TM-2 warden	Block-level 1D CNN over aligned K-symbol windows; 3 convolutional layers; width 64; kernel size 3; global average pooling.
Warden training protocol	Adam; learning rate ${10}^{-3}$; 2000 steps; 256 blocks per update; balanced ${\mathcal{H}}_0/{\mathcal{H}}_1$ samples.
Impairment profile	I/Q imbalance: gain mismatch 1 dB, phase mismatch $3^{\circ }$; $(\mu ,\nu )\approx (1.060+j0.029,-0.060+j0.029)$ in (4). PA nonlinearity: AM/AM $[1.0,-0.05,0.0]$, AM/PM $[0.0,0.02,0.0]$. Phase jitter: $\theta \left[k\right]\sim \mathcal{N}(0,0.{05}^2)$ rad/symbol.

reports the parameter settings and how they enter the model in (4).

We embed one covert bit over a K-symbol block with $K\in \{4,8,16\}$, yielding a covert rate of $R_c=1/K$ bit/symbol. For the main curves, we choose one operating point per K using $\alpha \left(K\right)=\alpha \left(8\right)\sqrt{8/K}$ with $\alpha \left(8\right)=0.50$, which gives $\alpha \left(4\right)=0.70$, $\alpha \left(8\right)=0.50$, and $\alpha \left(16\right)=0.35$. For the stealth–reliability trade-off study, we sweep $s\in \{0.2,0.3,\dots ,1.0\}$ and set ${\alpha }_{\mathrm{total}}=\alpha \left(K\right)s$. The scaling of $\alpha \left(K\right)=\alpha \left(8\right)\sqrt{8/K}$ keeps the block-wise perturbation energy budget approximately constant across K, since $K\alpha {\left(K\right)}^2$ is constant.

We evaluate detectability under the two-layer threat model in Section 2.3. Willie is trained as a supervised binary classifier using balanced samples from ${\mathcal{H}}_0$ and ${\mathcal{H}}_1$. To avoid bias toward any single operating point, the warden is trained on a multi-SNR dataset, with SNR drawn uniformly from the evaluation range, then frozen to compute the AUC over the full sweep. We also report an anchors-only baseline where $\delta \left[k\right]\equiv 0$ to isolate the incremental impact of Stage II residual embedding on public SER and detectability. This is a diagnostic baseline only; ${\mathcal{H}}_0$ always corresponds to the true legitimate emission process.

For reproducibility, Table 1 summarizes the key architectures and training settings.

4.2. Stealthiness: Learned-Warden AUC Versus SNR

We quantify stealthiness by the learned-warden AUC. $\mathrm{AUC}=0.5$ corresponds to random guessing. Larger values indicate higher detectability and, therefore, weaker stealthiness. Following Section 2.3, we report the AUC for TM-1 and TM-2.

Figure 3 reports the AUC versus SNR for $K\in \{4,8,16\}$. First, detectability increases with SNR for both TM-2 and TM-1, as reduced channel noise provides less masking at high SNRs. Second, increasing the block length (K) reduces detectability under both wardens. This reduction is most pronounced for TM-2, since spreading one covert bit over a longer window lowers the per symbol information load and weakens the sequence-level correlation cues available to a windowed detector. TM-1 exhibits the same monotone behavior with respect to K, confirming that larger blocks also alleviate marginal artifacts by reducing per symbol embedding pressure.

These results align with the ResDiff design. Stage I anchors samples on a hardware-consistent manifold, suppressing gross marginal mismatch, while Stage II restricts embedding to bounded residuals and shifts information from single-symbol separability to block-level structure. Overall, ResDiff provides controllable stealthiness across the operating SNR. A larger K yields a consistent improvement against TM-1 and TM-2.

4.3. Ablation Study: Role of the Diffusion Prior

To isolate the contribution of Stage I to stealthiness, we run an ablation that keeps the embedding budget and evaluation protocol fixed and varies only how the anchor samples are formed. We compare (i) ResDiff, our full two-stage pipeline with diffusion-generated anchors and Stage II residual embedding; (ii) an ideal-anchor baseline, where anchors are ideal QPSK symbols, while Stage II and the budget are kept unchanged; and (iii) an anchors-only setting, where we transmit the diffusion anchors and set $\delta \left[k\right]\equiv 0$ (i.e., $x\left[k\right]=x_{\mathrm{gen}}\left[k\right]$) to probe the intrinsic detectability of the learned prior.

Figure 4 reports the warden AUC versus SNR at $K=8$ and ${\alpha }_{\mathrm{total}}=0.50$. The ideal-anchor baseline becomes increasingly detectable with SNR, especially under TM-2, where AUC approaches 1, indicating that embedding residuals around ideal constellation points creates a strong mismatch relative to hardware-impaired emissions. In contrast, the anchors-only setting stays close to random guessing across SNRs for both TM-1 and TM-2, suggesting that the diffusion prior, alone, produces anchors that are largely consistent with the legitimate hardware-impaired manifold. ResDiff lies between these two extremes: compared to the ideal-anchor baseline, diffusion anchors substantially reduce detectability, while the gap between ResDiff and the anchors-only baseline quantifies the additional detectability introduced by Stage II payload embedding under the same budget.

4.4. Qualitative Visualization: Constellation Density

To visually assess distribution consistency, Figure 5 compares the constellation density of legitimate and stego emissions at SNR $=15$ dB. Figure 5a shows the legitimate emission density; each public symbol forms a hardware-shaped cluster determined by the non-ideal RF front end. Figure 5b–d show the corresponding stego densities for $K\in \{4,8,16\}$. Across all K values; ResDiff preserves the cluster geometry and centroid locations and does not induce systematic constellation shifts or clearly separable sub-clusters. The main visible effect is a mild broadening of the outer contours, consistent with bounded residual injection while remaining aligned with the legitimate envelope. As K increases, the per symbol embedding pressure is reduced, and the stego density remains visually co-located with the legitimate density. Overall, these qualitative observations corroborate the AUC trends and support the claim that ResDiff confines embedding within a hardware-consistent manifold.

4.5. Reliability and Fidelity: Covert BER and Public SER

We next evaluate the reliability of covert decoding at the legitimate receiver and the impact of embedding on the public link.

Figure 6 reports the covert-block BER as a function of the SNR. As expected, BER decreases monotonically with the SNR. More importantly, increasing the block length consistently improves covert reliability: spreading one covert bit over a longer block provides processing gain at the decoder and reduces the per symbol burden of embedding. At the representative operating point of $\mathrm{SNR}=12$ dB, $K\ge 8$ already achieves a BER on the order of ${10}^{-3}$, and the BER further approaches ${10}^{-4}$ at higher SNRs. This behavior is consistent with ResDiff’s design goal of shifting information from marginal separability to a block-level structure.

Figure 7 shows the public SER with and without covert embedding. Embedding introduces a measurable SER penalty in the mid-SNR regime, where the legacy decision regions are not noise-dominated and bounded residuals slightly perturb the effective constellation. The penalty becomes smaller as K increases, which matches the reduced per symbol distortion budget under longer blocks. Overall, ResDiff maintains a controlled impact on the public link while enabling reliable covert recovery through block processing gain. We note that when the public-link symbol error rate is non-zero, errors in $\widehat{\mathbf{s}}\left[{\mathcal{B}}_i\right]$ may propagate to covert decoding, since $\widehat{\mathbf{s}}\left[{\mathcal{B}}_i\right]$ is used as side information at inference; this effect is mitigated by operating the public link at a sufficiently reliable SNR and by training with teacher forcing.

4.6. Stealth–Reliability Trade-Off at Fixed SNR

We characterize the explicit stealth–reliability trade-off controlled by the embedding budget. Specifically, fixing the operating condition to $\mathrm{SNR}=20$ dB and the block length at $K=8$, we sweep the perturbation amplitude (${\alpha }_{\mathrm{total}}$) and evaluate both covert reliability and detectability against the sequence-aware warden (TM-2).

Figure 8 reveals a clear frontier for the $K=8$ case at 20 dB against TM-2. As ${\alpha }_{\mathrm{total}}$ increases, the covert BER decreases rapidly, indicating that a larger residual budget provides a stronger decoding margin under hardware-induced self-interference. At the same time, the TM-2 warden’s AUC increases monotonically, suggesting that larger residuals leave more exploitable statistical evidence for detection. Notably, the AUC growth is gradual compared with the BER improvement, producing a practical knee region where reliability becomes usable while detectability remains controlled. This confirms that ${\alpha }_{\mathrm{total}}$ serves as an interpretable operating knob for selecting a deployment point according to the desired security–reliability balance. Together with the monotone K-sweep trends (Figure 3, Figure 4, Figure 5, Figure 6 and Figure 7), this budget sweep highlights that K and ${\alpha }_{\mathrm{total}}$ provide complementary controls: K shapes spreading/processing gain and per symbol pressure, while ${\alpha }_{\mathrm{total}}$ directly controls the residual magnitude under a fixed block structure.

4.7. Robustness to Hardware-Impairment Drift

In practice, transmitter impairments can drift over time due to aging, temperature, or other environmental changes. To assess robustness to such mismatch, we keep all trained models fixed and evaluate ResDiff under perturbed impairment parameters at inference time. We focus on a representative operating point ($\mathrm{SNR}=15$ dB, $K=8$, and ${\alpha }_{\mathrm{total}}=0.50$) and report the covert BER, together with the warden’s AUC, under both TM-1 and TM-2. We consider three drift scenarios. Nominalmatches the training impairments. Mild Drift increases the I/Q phase mismatch by $1^{\circ }$ and increases the PA AM/AM and AM/PM distortion strengths by 5% relative to the nominal setting. Severe Drift increases the phase mismatch by $3^{\circ }$ and increases both PA distortion terms by 10%.

Table 2. Robustness to impairment drift with fixed trained models at $\mathrm{SNR}=15$ dB ($K=8$, ${\alpha }_{\mathrm{total}}=0.50$).

Scenario	Covert BER	TM-1 AUC	TM-2 AUC
Nominal	0.0022	0.6060	0.7142
Mild Drift	0.0026	0.6138	0.7195
Severe Drift	0.0036	0.6049	0.7268

summarizes the results. Overall, performance degrades only slightly: covert BER rises from $2.2\times {10}^{-3}$ to $3.6\times {10}^{-3}$. Stealthiness remains stable, with TM-1 AUC staying within 0.6049–0.6138 and TM-2 AUC within 0.7142–0.7268. We do not observe a clear monotonic trend in AUC with increasing drift; the fluctuations are small and remain within a narrow band across the tested settings.

4.8. Discussion: Sensitivity to Warden Mismatch

Our AUC results adopt a standard but idealized assumption: Willie can train a detector using labeled data that is representative of the deployment conditions. In practice, perfect alignment is unlikely, and several forms of mismatch may arise. SNR mismatch: Stage II is trained on $\mathrm{SNR}\in [10,15]$ dB, whereas our evaluation reports curves over 0–20 dB without re-training; thus, the lowest and highest SNR points effectively test out-of-range operation. Impairment drift: transmitter hardware characteristics can change over time; Table 2 indicates that the considered I/Q and PA perturbations lead to only a small BER increase and cause limited AUC variation across the tested drift levels. Detector mismatch: To reduce dependence on a single warden design, we report both TM-1 and TM-2. Channel–model mismatch is another practical factor; while we adopt an AWGN channel and have already evaluated a wide SNR range without re-training, real deployments may involve fading, phase rotation, or non-Gaussian interference. These effects can be addressed by domain randomization over channel/impairment parameters during Stage II training and, when feasible, lightweight calibration of Stage II while keeping the diffusion prior fixed. Nevertheless, a more comprehensive study over broader detector families and mismatch ranges remains an important direction beyond the present scope.

5. Conclusions

This work addresses the vulnerability of physical-layer covert communication to learned wardens that exploit specific RF hardware impairments. We demonstrated that conventional embedding strategies induce detectable distributional drift when facing non-ideal front-end characteristics such as PA nonlinearity. To overcome this, we proposed ResDiff, a hardware-aware framework that leverages a symbol-conditional diffusion prior to synthesize on-manifold anchors, coupled with a variance-adaptive residual embedder. By spreading covert information across symbol blocks, ResDiff achieves significant processing gain while constraining per-symbol perturbations within the legitimate statistical envelope. Experimental results validate that ResDiff establishes a robust stealth–reliability trade-off: increasing the block length (K) consistently suppresses detectability against learned wardens while enhancing covert reliability, with minimal impact on public-link fidelity. Future research will extend this generative approach to fading channels, time-varying hardware drift, and experimental validation on SDR platforms.