Shadow Agent Protocol Overview

• Shadow Agent Protocol is an advanced covert communication protocol for the Internet of Agents, using generative steganography and refined synchronization to ensure undetectable data exchanges.
• It employs a three-phase process—handshake, iterative encoding, and reassembly—with encrypted key exchanges and robust error correction to maintain message integrity.
• SAP optimizes throughput and minimizes detection probability via dynamic fragment sizing and context-aware timing, effectively countering advanced traffic analysis techniques.

The Shadow Agent Protocol (SAP) is an advanced covert communication protocol tailored for secure exchanges within the Internet of Agents (IoA). Building on the Covert Communication Agent Protocol (Π₍CCAP₎) framework introduced in "Whispering Agents," SAP refines channel definitions, optimizes metrics for imperceptibility and throughput, and adapts the system for multi-agent environments and robust error handling. The principal objective of SAP is to render not only message contents but also the act of communication statistically undetectable, thwarting traffic analysis by even powerful LLM-based wardens (Huang et al., 4 Aug 2025).

1. Formal Model and Channel Taxonomy

SAP deploys covert communication across event-driven, multi-agent systems. The environment is defined as $E = (\mathcal{S}, Act, \delta)$, where $\mathcal{S}$ is the global state space, $Act$ is a finite set of action tuples, and $$\delta: \mathcal{S} \times Act \rightarrow \mathcal{S}$$ transitions states based on actions. The agent set is partitioned as $Ag = A_B \cup A_S \cup A_R$, with $A_B$ for benign agents, and $A_S$, $A_R$ denoting covert sender and receiver agents.

Atomic events are formalized as $e = (ag, act, t)$, with $ag \in Ag$, $t \in \mathbb{R}^+$ a timestamp, and $act = (a_{type}, a_{data})$, where $a_{type} \in \mathcal{A}_{type}$ and $a_{data}$ is an event data payload. Communication exploits three covert channel types: storage (bits encoded in $a_{data}$), timing (bits in $t$ or inter-event $\Delta t$), and behavioral (bits in the selection of $a_{type}$).

The communication scheme $$\Sigma_E = (\mathrm{KeyGen}, \mathrm{Encode}, \mathrm{Decode})$$ supports cryptographic key generation ($\mathrm{KeyGen}(1^\lambda) \rightarrow k$), secure encoding and decoding functions, and is evaluated with correctness, statistical imperceptibility (IND-STAT), intention imperceptibility (IND-INT), channel capacity $C$, error probability $\epsilon$, and detection probability $\delta$ (Huang et al., 4 Aug 2025).

2. Protocol Phases and Algorithmic Foundations

SAP operates in three main phases, adapting Π₍CCAP₎ with refined synchronization, header fragmentation, and generative steganography.

2.1 Unified Fragment Header

Each data fragment is prepended with a header containing:

Component	Bit Length	Purpose
Total-Data-Size	12	Payload sizing
Sequence-Number	6	Fragment ordering
FIN flag	1	Final fragment
Checksum	4	Error detection

Fragment 0 employs a 23-bit header, while subsequent fragments use a compact 11-bit header.

2.2 Phase 1—Handshake & Key Establishment

Agents hold certified key pairs $(sk, pk)$ and engage in ECDH exchanges to derive session keys ($k_S$, $k_R$) via $$k_S \leftarrow \mathrm{KDF}(\mathrm{ECDH}(sk_S, pk_R))$$. The sender initiates a benign “trigger” event, after which the receiver computes $b=f_{trigger}(k_R, t_1)$ to activate the covert channel if criteria are met.

2.3 Phase 2—Iterative Encoding (Sender)

The sender fragments the secret $M$, constructs headers, and encodes payloads using provably secure generative steganography ($\mathrm{GenStego}$) for the storage channel. The behavioral channel leverages a context-aware policy ($\Pi_A$), while the timing channel, via $\mathrm{SelectTime}$, ensures events fit natural timing distributions.

Pseudocode excerpt:

P ← M ∥ Hash(M) fragments ← Fragment(P) history ← ObserveHistory() for i in 0…N do H ← BuildHeader(i, |M|, SN=i, FIN=(i==N)) payload ← H ∥ fragments[i] a_data ← GenStego(k, payload, history) a_type ← SampleType(k, history) t_i ← SelectTime(k, history) e_i ← (self, (a_type,a_data), t_i) EmitEvent(e_i) history ← history ∥ e_i end for

2.4 Phase 3—Reassembly & Acknowledgement (Receiver)

The receiver parses events, verifies checksums, collects fragments, and reconstructs the payload $P'$. Successful decoding and authentication is confirmed if the hash matches. Implicit polling enables real-time acknowledgment via benign response events.

Pseudocode excerpt:

fragments_map ← {} for each event e in T from sender do if f_covert(k, e.t) == 1 then payload ← GenStego⁻¹(k, e.a_data) (H, f) ← ParseHeader(payload) if VerifyCS(H) then fragments_map[H.SN] ← f if H contains TDS then total_size ← H.TDS end if end if end for P' ← Reassemble(fragments_map, total_size) (M',h') ← ParsePayload(P') if Hash(M')==h' then status←SUCCESS else status←FAILURE end t_ack ← SelectTime(k, T, policy=status) EmitBenignResponseAt(t_ack)

3. Synchronization, Stealth, and Privacy Mechanisms

SAP utilizes trigger functions ($f_{trigger}$) for unpredictable activation and maintains aligned event histories ($T_{<i}$) for contextual encoding. Implicit polling through timed benign responses serves dual purpose: acknowledgment and stealth. The protocol’s generative steganography ensures $a_{data}$ is statistically indistinguishable from benign agent data distributions (IND-STAT), while context-aware type and timing selection guarantee semantic and temporal naturalness (IND-INT).

Traffic analysis resilience is achieved by bounding communication traces within $\pm\sigma$ of natural traffic volumes and inter-arrival times, limiting detection probability to random guessing $(\delta \approx 0.5)$.

4. Security and Robustness Guarantees

The threat model assumes an omnipresent, passive polynomial-time warden (W), capable of LLM-based steganalysis and traffic decomposition, but unable to violate ECDH or PRF security. Adversarial knowledge extends to protocol algorithms (Π_A, GenStego) minus session keys.

Error correction integrates CRC-4 checksums, fragment sequence numbers, and end-to-end integrity via payload hashes. Timeout and retransmission logic address packet loss, while adaptive timing modulates event scheduling under noisy conditions.

A plausible implication is that the error probability ($\epsilon$) remains negligible under practical deployment, owing to robust fragment verification and reassembly strategies.

5. Empirical Performance and Metrics

Performance assessment utilizes metrics such as Bits-Per-Round (BPR), Effective Bits-Per-Round (EBPR), latency ($\Delta t$ averages), and robustness (decode success rate). Experimental protocols employed Discop and Differential steganography algorithms, agent models including Llama3-3B and Qwen2-7B, and payload sizes of 512 and 1024 bits. The evaluation combined steganalysis using fine-tuned BERT classifiers and GPT-4o for semantic judgment.

Metric	Value (mean ± std)	Context
EBPR	60–90 bits/round	Effective payload throughput
BPR	75–110 bits/round	Raw channel throughput
Robustness	100% message recovery	Across 48 configurations
Steganalysis AUC	0.503	Near random-guess detection
Precision	~0.25	Warden detection
GPT-4o Suspicion	≤1.17/5	Low perceived unnaturalness
Coherence	≥4.8/5	High event trace plausibility

The detection probability ($\delta$) and error probability ($\epsilon$) approach theoretical minima, indicating imperceptible and reliable covert transfer (Huang et al., 4 Aug 2025).

6. Adaptation and Best Practices for Sensitive IoA Environments

Key SAP adaptations over Π₍CCAP₎ include support for:

• Multi-party sessions via group ECDH or tree-based DH key exchanges.
• Enhanced error correction through Reed–Solomon codes for higher resilience.
• Dynamic fragment sizing to adapt header overhead based on channel traffic.
• Tunable stealth-throughput tradeoff parameter $\alpha \in [0,1]$ offering $C(\alpha) = \alpha C_{max}$ and near-zero $\delta(\alpha)$ for small $\alpha$.

Best practices recommend session key rotation, monitoring and auto-tuning of timing and behavioral policies, bounding payloads per session to mitigate anomaly risk, and maintenance of audit logs with embedded dummy events to further flatten timing profiles. This suggests operational protocols may dynamically reconfigure according to environment noise, agent density, and target detection thresholds.

By systematically applying these formal constructs, algorithms, and operational guidelines, SAP delivers end-to-end communication with provable guarantees (IND-STAT, IND-INT), high throughput, and robust privacy, consistent with the foundational methodology specified in "Whispering Agents" (Huang et al., 4 Aug 2025).