MBCT: A Monero-Based Covert Transmission Approach With On-Chain Dynamic Session Key Negotiation

Zhenshuai Yue, Haoran Zhu, Xiaolin Chang, Senior Member, IEEE, Jelena Mišić, Fellow, IEEE,
Vojislav B. Mišić, Senior Member, IEEE, Junchao Fan

Abstract—Traditional covert transmission (CT) approaches have been hindering CT application, while blockchain technology offers a new avenue. Current blockchain-based CT approaches require off-chain negotiation of critical information and often overlook dynamic session key updating, which increases the risk of message and key leakage. Additionally, in some approaches the covert transactions exhibit obvious characteristics that can be easily detected by third parties. Moreover, most approaches do not address the issue of decreased reliability of message transmission in blockchain attack scenarios. Bitcoin- and Ethereum-based approaches also have the issue of transaction linkability, which can be tackled by Monero-based approaches because of the privacy protection mechanisms in Monero. However, Monero-based CT has the problem of sender repudiation.

In this paper, we propose a novel Monero-Based CT approach (MBCT), which enables dynamic on-chain session key updating without off-chain negotiation. MBCT can assure non-repudiation of transmission participants, confidentiality of keys, reliability of message transmission and less observable characteristics. These are achieved by the three components in MBCT, namely, a sender authentication method, a dynamic on-chain session key updating method and a state feedback method. We implement MBCT in Monero-0.18.1.0, and the experimental results demonstrate the high embedding capacity of MBCT.

Index Terms—Covert transmission, blockchain, Monero, dynamic session key

Zhenshuai Yue, Haoran Zhu, Xiaolin Chang and Junchao Fan are with the School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China (e-mail: {22120512,21112051,xlchang,23111144}@bjtu.edu.cn).
Jelena Mišić and Vojislav B. Mišić are with the Department of Computer Science, Toronto Metropolitan University, Toronto, ON M5B 2K3, Canada (e-mail: {jmisic,vmisic}@torontomu.ca).

I. INTRODUCTION

Covert transmission (CT) aims to provide a more concealed channel to transmit data between sender and receiver. CT data is usually hidden in normal data flows in order to avoid being perceived by third parties. It is widely used in various applications like satellite communication [1], wireless communication [2], and Internet of Things [3]. There are at least the following three issues with traditional CT approaches: 1) Centralized facility dependence. The extensive utilization of the TCP/IP protocol stack makes traditional approaches susceptible to potential malfunctions in central infrastructures. 2) Channel detection. Traditional approaches are prone to detection [4], which makes covert channels vulnerable to exposure and attacks. 3) Identity exposure. Due to the inherent structure of the communication protocol, the network information of both parties may be leaked to attackers.

To solve the above issues, blockchain offers excellent channel support for CT thanks to its decentralization, flood broadcasting and identity anonymity features [5]. In particular, the distributed architecture ensures that each full node retains a full copy of the whole data, which prevents the blockchain from performance degradation due to single node failures. The flood broadcast improves the concealment of CT. The anonymous user identity in the blockchain avoids leakage of real network addresses. Moreover, the large number of transactions circulating in the blockchain network provides an excellent information carrier for CT. A blockchain-based CT has the following six major steps, shown in Fig. 1. ① The sender encodes covert messages. ② The sender embeds encoded messages into a transaction TXc. ③ The sender connects to the blockchain network and broadcasts TXc to the blockchain network until TXc is shown on chain. The covert transactions and normal transactions should be indistinguishable to third parties. ④ The receiver filters covert transaction TXc by traversing recent blocks. ⑤ The receiver extracts the embedded covert message. ⑥ The receiver decodes covert messages.

Fig. 1. Blockchain-based covert transmission (TX: normal transaction; TXc: covert transaction).

There are numerous CT approaches based on various public blockchains. But the CT approaches only for Bitcoin [6]-[13], only for Ethereum [14]-[17], or for both Bitcoin and Ethereum [21]-[26] cannot achieve full anonymity. This is because multiple transaction addresses can be associated with the same entity [28][29], leading to identity exposure as in traditional CT approaches. Monero [30] is another well-known public blockchain that shields users’ identities through advanced privacy protection mechanisms like ring signature, stealth address and confidential transaction. The real address
and amount of a Monero transaction are concealed. These mechanisms solve the issue of identity exposure. Existing Monero-based CT approaches embed messages into the irrelevant public keys of ring signatures [18][20] and transaction amounts [19]. Due to Monero’s anonymity, the receiver cannot verify the identity of the sender, and the sender can also deny the communication behaviors. In summary, the existing blockchain-based CT approaches cannot defend against the following five threats detailed in Section II.B.

i) Information leakage of off-chain negotiation.
ii) On-chain session key leakage.
iii) Malicious sender denial of transmission behavior.
iv) Integrity compromised by abnormal state.
v) Channel exposure due to transaction characteristics and associations.

The above discussions motivate our work. In this paper, we tackle the above issues by proposing a Monero-Based CT approach (MBCT). MBCT can assure non-repudiation of transmission participants, confidentiality of keys, reliability of message transmission and less observable characteristics. These are achieved by the three components in MBCT, namely, a sender authentication method, a dynamic on-chain session key updating method and a state feedback method. To the best of our knowledge, we are the first to propose a CT mechanism implementing on-chain dynamic session key updates without off-chain negotiation. The innovations of our approach are listed as follows.

1) We propose a sender authentication method, which can maintain the anonymity of the sender while ensuring the non-repudiation of the sender. By embedding the sender’s digital signature into the stealth addresses of Monero transactions, the receiver can authenticate the sender’s identity. During the subsequent transmission process, the digital signature is used in the process of generating the masked amount, ensuring the sender’s non-repudiation. Since the embedded digital signature is imperceptible and inaccessible to third parties, the sender’s anonymity is then maintained.

2) We propose a dynamic on-chain session key updating method, which not only guarantees the independence of each session but also requires no off-chain negotiation, isolating off-chain risks. The on-chain session key changes based on the stealth address variations in each transaction, ensuring that sessions are independent of each other and preventing a single session key leak from affecting other sessions.

3) We propose a state feedback method, in which the sender can perceive the communication status covertly and resend, in a timely manner, messages lost due to reasons such as blockchain attacks, maintaining the integrity of the communication.

We conduct a comprehensive analysis of our approach’s security, concealment and embedding rate, and experimentally test the embedding and extraction efficiency and validate its stealthiness. The analysis and experiment results demonstrate that our approach is secure and stealthy, featuring a high embedding rate.

The rest of this paper is organized as follows. We present the background and related work in Section II. The system overview and a detailed description of MBCT are presented in Section III. Security analysis and performance evaluation are described in Section IV. Section V provides the conclusion.

II. BACKGROUND AND RELATED WORK

This section first presents the background and then introduces the related work about blockchain-based CT.

A. Background

1) Diffie-Hellman key exchange with elliptic curves

An elementary shared secret exchange using the Elliptic Curve Diffie-Hellman (ECDH) exchange method between two parties, Alice and Bob, could proceed as follows.

Alice and Bob generate their own private-public key pairs $(k_A, K_A)$, $(k_B, K_B)$. In this process, the public keys $K_A$ and $K_B$ are openly shared, while each party securely maintains their own private key (i.e., $k_A$ and $k_B$). To elaborate further, the private key $k$ is a random number selected within the range $0 < k < l$, where $l$ is a sufficiently large number. The public key $K$ is a coordinate point on the elliptic curve, calculated using the following equation.

$$K = kG, \tag{1}$$

where $G$ is the base point of the elliptic curve. This setup ensures that the public key can be easily derived from the private key. However, due to the elliptic curve discrete logarithm problem (ECDLP), it is computationally infeasible to reverse the process and determine the private key from the public key.

Equation (2) gives the detail of the calculation for ECDH:

$$S = k_A K_B = k_A k_B G = k_B k_A G = k_B K_A, \tag{2}$$

where $S$ is a coordinate point on the elliptic curve serving as a shared secret. This shared secret can be used to generate the stealth address of a Monero transaction. The security of the exchange is based on the ECDLP, which makes determining the shared secret from the public keys alone computationally prohibitive.

2) Stealth address of Monero transaction

Monero blockchain [27] is designed to protect user privacy. As one of the privacy protection mechanisms of Monero, the stealth address mechanism allows each Monero transaction to generate a new public address for receiving funds. This means that even though outside observers can see transaction records on the public blockchain, they cannot associate the receiving address in the transaction with any specific user or previous transaction.

To generate a stealth address for the receiver, the sender first selects a 256-bit random number $k_r$ as the transaction private key, and then uses the receiver’s public view key $K_B^v$ to generate a shared secret $S$, as illustrated in Eq. (3):

$$S = k_r K_B^v, \tag{3}$$

and then the sender uses the receiver’s public spend key $K_B^s$ to generate the stealth address, as illustrated in Eq. (4):

$$K = (S, t)\,G + K_B^s, \tag{4}$$

where $K$ is the stealth address, is a cryptographic hash function and $t$ is the non-change output index stored in the transaction in plaintext.

In the same way, the receiver calculates the shared secret $S$ through the ECDH key exchange, as illustrated in Eq. (5):

$$S = k_r K_B^v = k_r k_B^v G = k_B^v k_r G = k_B^v K_r, \tag{5}$$

where $k_B^v$ is the private view key of the receiver and $K_r$ is the public transaction key stored in the transaction in plaintext. Then the receiver can generate the same stealth address as illustrated in (4). Therefore, the sender and receiver reach a consensus on the same stealth address.
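
The derivations in Eqs. (1) to (5) can be checked numerically on the Ed25519 curve; the Python below is an added example, not code from the paper or from Monero. SHA3-256 as the hash in Eq. (4) and the one-byte encoding of $t$ are stand-ins assumed here, all keys are generated at run time, and the function names are hypothetical. It also goes one step past the text by showing that an observer holding a different view key derives a different address and that two transactions to the same receiver yield unrelated addresses.

```python
import hashlib
import secrets

# Ed25519 parameters (RFC 8032): field prime P, group order L, curve constant D.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, -1, P)) % P


def _recover_x(y, sign):
    """Solve -x^2 + y^2 = 1 + D*x^2*y^2 for x; used to build the base point."""
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P != 0:
        x = x * pow(2, (P - 1) // 4, P) % P
    if (x * x - x2) % P != 0:
        raise ValueError("y is not the coordinate of a curve point")
    return x if (x & 1) == sign else P - x


GY = 4 * pow(5, -1, P) % P
G = (_recover_x(GY, 0), GY)   # base point G in affine (x, y) form
IDENTITY = (0, 1)             # neutral element of the group


def point_add(a, b):
    """Complete twisted-Edwards addition law for Ed25519."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add; not constant time, for illustration only."""
    result, addend = IDENTITY, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(pt):
    """32-byte little-endian y with the parity of x in the top bit."""
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def hash_to_scalar(S, t):
    """Hash of (S, t) reduced mod L. SHA3-256 and the one-byte index
    encoding are stand-ins chosen for this example (assumption)."""
    digest = hashlib.sha3_256(encode(S) + bytes([t])).digest()
    return int.from_bytes(digest, "little") % L


def keygen():
    """Eq. (1): private scalar 0 < k < L and public point K = kG."""
    k = secrets.randbelow(L - 1) + 1
    return k, scalar_mult(k, G)


def stealth_address(scalar, point, K_Bs, t):
    """Eq. (4) on top of the shared secret S = scalar * point.
    The sender calls it with (k_r, K_B^v) as in Eq. (3), the receiver
    with (k_B^v, K_r) as in Eq. (5)."""
    S = scalar_mult(scalar, point)
    return point_add(scalar_mult(hash_to_scalar(S, t), G), K_Bs)


def demo():
    """Two transactions to one receiver, each checked from three viewpoints."""
    k_Bv, K_Bv = keygen()     # receiver view key pair
    _, K_Bs = keygen()        # receiver spend key pair (public part used)
    k_e, _ = keygen()         # an outside observer's unrelated view key
    results, addresses = {}, []
    for label in ("tx1", "tx2"):
        k_r, K_r = keygen()   # fresh transaction key pair per transaction
        sent = stealth_address(k_r, K_Bv, K_Bs, t=0)    # sender side
        seen = stealth_address(k_Bv, K_r, K_Bs, t=0)    # receiver side
        guess = stealth_address(k_e, K_r, K_Bs, t=0)    # observer side
        results[label] = (sent == seen, sent == guess)
        addresses.append(encode(sent).hex())
    results["distinct"] = addresses[0] != addresses[1]
    return results


if __name__ == "__main__":
    print(demo())
```
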
3) Masked amount of Monero transaction

In Monero, the confidential transaction ensures the legality of transactions while using masked amounts to hide the actual amounts based on Pedersen Commitments and Range Proofs, thereby protecting transaction privacy. We focus on masked amounts to align closely with our proposed approach, rather than on Pedersen Commitments and Range Proofs.

The sender first calculates a shared secret $S$ as shown in Eq. (3). Then the masked amount of the real amount $a$ for non-change output index $t$ is generated by Eq. (6):

$$h = a \oplus_8 (\text{“amount”}, (S, t)), \tag{6}$$

where $h$ is the masked amount, “amount” is a string and $\oplus_8$ means to perform an XOR operation between the first eight bytes of each operand. Subsequently, after receiving the transaction, the receiver first calculates the same shared secret $S$ through (5) and then calculates the real amount by Eq. (7):

$$a = h \oplus_8 (\text{“amount”}, (S, t)). \tag{7}$$

Our approach utilizes stealth addresses to transmit information and leverages hiding amounts for anti-forgery and conveying message sequences.

4) Blockchain-Based CT

In blockchain, each full node maintains a copy of the block data and achieves distributed consensus like Proof of Work (PoW). This mechanism ensures that modifying data on the blockchain requires more than 51% of the total network hashing power, which grants the blockchain a high degree of reliability of message transmission.

Blockchain-based CT refers to covert transmission between parties utilizing the characteristics of blockchain technology. There are commonly two kinds of blockchain-based covert channels, including blockchain-based covert storage channels (BCSC) and blockchain-based covert timing channels (BCTC). BCTC utilizes timing sequence characteristics to embed information, making it susceptible to network quality interference, thus exhibiting poor reliability of message transmission. BCSC employs storage fields on the blockchain to embed covert information. The decentralized nature of blockchain ensures that this channel has higher reliability of message transmission. Our approach utilizes the Monero BCSC channel.

B. Threat Model and Security Requirements

In current blockchain-based CT approaches, there are typically two phases: negotiation and transmission. In the negotiation phase, the communicating parties usually use an off-chain channel to negotiate keys, filtering labels and other necessary parameters. In the transmission phase, the sender processes the message using the pre-negotiated keys and coding rules, and transmits it through a carrier on the blockchain; the receiver filters and extracts the information using pre-negotiated filtering labels and keys. There are five types of threats (THs) concerning negotiation and transmission:

1) TH1: Information leakage of off-chain negotiation. Before on-chain transmission, attackers might target the off-chain channel to obtain critical negotiation parameters through network attacks such as sniffing, phishing, and man-in-the-middle attacks. If negotiation information is leaked, subsequent on-chain covert communication cannot proceed as usual.

2) TH2: On-chain session key leakage. To ensure message confidentiality, messages are encrypted prior to transmission. If the encryption key remains unchanged for an extended period and is compromised, it could lead to the exposure of the associated session information.

3) TH3: Malicious sender denial of transmission behavior. In Monero-based CT, due to Monero’s ring signature mechanism, the receiver cannot determine the sender’s real address from the transaction data, posing a risk of the sender denying the transmission activity.

4) TH4: Integrity compromised by abnormal state. Although blockchain has a high reliability of message transmission, attacks on the blockchain may prevent normal transactions from being propagated. If the sender is unaware of the transaction loss and the receiver does not know whether the information has been received completely, the integrity of the communication is compromised.

5) TH5: Channel exposure due to transaction characteristics and associations. The receiver filters covert transactions from numerous transactions using labels. As the number of transactions increases, an adversary may expose the covert channel by statistically analyzing transaction characteristics and associations.

To defend against these threats, MBCT at least needs to meet the following security requirements (SRs). TABLE I lists the correspondence between threats and security requirements.

TABLE I
CORRESPONDENCE BETWEEN THREATS AND SECURITY REQUIREMENTS

        TH1   TH2   TH3   TH4   TH5
SR1      √     √
SR2                  √
SR3                        √
SR4                              √
SR5                              √

1) SR1: Confidentiality of on-chain session key. To ensure the confidentiality of CT, it is crucial to maintain the confidentiality of session keys, which involves two main aspects. The first aspect is to avoid off-chain negotiations and thereby effectively reduce the impact of off-chain attacks. The second aspect is to dynamically update session keys on-chain, which can prevent the leakage of all related sessions due to long-term key exposure.

2) SR2: Non-repudiation of transmission parties. Transactions are stored on chain in plaintext during CT based on Bitcoin and Ethereum. However, during the process of CT based on Monero, additional measures are required to ensure the transmission parties are accountable, preventing them from denying the communication behavior.

3) SR3: Reliability of message transmission under blockchain attack. CT needs to ensure reliable message transmission to maintain its availability, which is mainly reflected in two aspects. Firstly, the immutability of the blockchain provides inherent reliability. Secondly, the transmission approach needs to offer additional reliability in the event of an attack on the blockchain.

4) SR4: Unlinkability of covert transactions. To prevent an adversary from associating other covert transactions through one leaked covert transaction, it is necessary to ensure unlinkability between covert transactions. This includes both direct links, where an adversary can directly connect one covert transaction to another, and
indirect links, where connections are made through normal transactions associated with a covert one.

5) SR5: Obscurity of covert transactions. On-chain transmission needs to be stealthy, ensuring that third parties cannot distinguish between covert transactions and normal transactions, thereby reducing the risk of adversaries taking further aggressive actions.

C. Related Work

We have investigated the approaches for CT based on blockchain, and categorize them according to the type of blockchain, including Bitcoin, Ethereum, Monero, and those applicable to both Bitcoin and Ethereum.

1) Bitcoin-based CT

Bitcoin is the earliest public blockchain and is also the first to be used in research on blockchain-based CT. Partala et al. [6] first proposed a Bitcoin-based covert communication approach, BLOCCE, and systematically proved its correctness and security. The sender embeds covert information into the last bit (LSB) of a Bitcoin address and the receiver filters covert transactions by a pre-negotiated input address. Although the low embedding rate of this approach results in low engineering application value, it creates a precedent for subsequent research on blockchain-based CT. Tian et al. [7] proposed a CT method, DLchain, with dynamic labels. The sender and receiver pre-negotiate encryption keys to encrypt the message before inserting it. The receiver uses a random factor twice to extract the message, leading to privacy leaks and arousing suspicion from third parties. Wang et al. [8] proposed a CT method that matches message sequences with address characters and records important parameters in a file sent to the recipient. This method requires prior negotiation of DES keys, and the security and concealment of the file transmission are not guaranteed. Wang et al. [9] combined transaction addresses to generate labels in the form of a label tree, avoiding the use of static labels. Despite this, they need to negotiate in advance to generate the ancestor secret key for the label tree, and if this key is leaked, it would lead to the exposure of the communication. Luo et al. [10] used the Bitcoin address interaction matrix and transaction amount to embed hidden information, and used a negotiated address sequence to filter covert transactions. But this method may involve address reuse issues in transaction creation. Zhang et al. [11] proposed a derivate matrix-based covert communication method, in which the sender and receiver need to pre-share mapping rules and all private keys. Both of the above methods require using a large number of addresses for transactions due to the low embedding rate when transmitting messages, leading to address reuse, which is vulnerable to statistical analysis. Based on hash chains and Elliptic Curve Digital Signature Algorithm (ECDSA) chains, Cao et al. [12] proposed a CT method suitable for Bitcoin. The communicating parties need to negotiate the key off-chain, then use this key to generate public keys for transactions. Unlike the methods mentioned above that use transaction creation for transmitting information, Zhu et al. [13] achieved CT by encoding the transaction hash sequence in the inv and getdata messages between Bitcoin nodes. The premise of this method is that both parties need to negotiate information such as IP addresses, encoding rules, and embedding locations.

2) Ethereum-based CT

Ethereum features a unique smart contract mechanism that allows for storing and executing code on the blockchain, offering a large operational space, and serving as one of the carriers for implementing CT. A. I. Basuki et al. [14] utilized image steganography to embed information into images, then transmitted the image URL and other relevant data through Ethereum. This method requires filtering based on a pre-negotiated destination address and periodically replacing the steganographic image with a normal image to protect against malicious attacks. However, this approach relies on external carriers and imposes strict restrictions on the access time for recipients. Liu et al. [15] proposed a CT method based on the Ethereum Whisper protocol, pre-negotiating AES encryption keys and mapping binary bits to transaction amounts within the Hash-based Message Authentication Code (HMAC) value range of the key, which had a low embedding rate. In addition, this method does not describe an effective filtering method, and the irrelevant transactions would potentially impact the information extraction process.

Similarly, Zhang et al. [16] have also proposed a CT method based on the Whisper protocol. Before communication, they negotiate topic-key pairs according to the protocol, and then use the payload in the letter body for information transmission. However, this method differs from using transactions for transmission, as it requires the sender to spend additional time and resources to compute the PoW for the message.

Based on smart contracts, Zhang et al. [17] proposed a CT method, mapping the voting options of a voting contract with the bid amounts of a bidding contract to ciphertexts. This method needs to negotiate encryption keys and voting addresses, with the risk of information leakage. It allows only limited information to be transmitted during a single interaction with the smart contract, requiring frequent interactions.

3) Monero-based CT

Monero, an emerging public blockchain in recent years, employs various privacy protection mechanisms to enhance the anonymity of transactions, meeting the concealment requirements of CT. Guo et al. [18] proposed a Monero-based transmission method, encrypting messages by pre-negotiated keys and embedding the ciphertext into the last bit of ring signature unrelated public keys. Although theoretically the embedding rate increases with the number of transaction inputs, large numbers of inputs in one transaction are uncommon in the network. Liu et al. [19] proposed a Monero-based CT method that considered the impact of blockchain attacks on the reliability of message transmission, reducing the impact of eclipse attacks and crawler attacks on communication. But since the information is directly encoded into the transaction amounts based on a pre-negotiated message length, the embedding rate is not high. As the message length in a single transaction increases, the associated costs also rise significantly. Su et al. [20] stored files in the interplanetary file system (IPFS) and then transmitted the hashes of files via the Monero blockchain. The above three Monero-based CT approaches, due to the obfuscation of the sender’s public key by ring signatures, cannot prevent the issue of the sender denying the communication action.

4) CT applicable to both Bitcoin and Ethereum

There are also some CT methods applicable to both Bitcoin and Ethereum. Gao et al. [21] proposed a method for CT using Kleptography, which offers high levels of concealment. However, this method needs pre-negotiated keys and requires two identical input addresses to retrieve the covert messages. With long-term use, this feature could be easily identified through statistical analysis. Zhang et al. [22] proposed a CT
method with dynamic labels, embedding message segments into storage fields of transactions. The communication participants need to negotiate encryption keys, label keys and obfuscation parameters in advance, and the receiver filters transactions by a customized data field, such as OP_RETURN of Bitcoin and Input of Ethereum. But most normal transactions do not add extra data to the custom field, which could raise suspicions among adversaries. Liu et al. [23] also proposed a communication method with dynamic labels, where the message authentication code generated from the pre-negotiated block height and keys serves as the private key to generate the recipient’s address. This method allows only two bits of information to be embedded per address, resulting in a low embedding rate. Zhang et al. [24] proposed a group covert communication method, which achieves group transmission by dividing interaction addresses through pre-negotiated keys and an address pool. Chen et al. [25] proposed an unobservable blockchain-based covert channel, encoding messages as private keys and filtering covert transactions by their signature and amounts, and conducted a detailed analysis of its concealment. However, the approach still requires pre-sharing keys off-chain and carries a risk of information leakage. In response to the challenge of securely transmitting a master key, Zhang et al. [26] introduced a novel method for CT. This method embeds covert information into STC mappings while using secret sharing to transmit the master key, without discussing how the receiver can filter covert transactions from the numerous transactions on the blockchain. The embedding rate is low for the above two methods and needs to be further improved.

Based on the threat model described in Section II.B, all the above works [6]-[26] need off-chain negotiation and ignore the potential leakage of static on-chain session keys. Some works [18]-[20] based on Monero cannot prevent malicious senders from denying transmission actions. Most studies [6]-[18][20]-[26] have not explored mechanisms to maintain the reliability of message transmission under blockchain attacks. All work based on Bitcoin [6]-[13], Ethereum [14]-[17] and those applicable to both Bitcoin and Ethereum [21]-[26] could be exposed due to statistical analysis of transaction associations, and some of these transactions [6]-[8][10][14][17][21][22][24] display distinct characteristics, further increasing the risk of exposure. To mitigate the threats to the security of CTs, we have implemented a novel CT approach with dynamic key updates, participant non-repudiation, and feedback on the status of communication, without off-chain negotiations and observable characteristics. TABLE II summarizes these works in terms of the security requirements defined in Section II.B.

III. SYSTEM OVERVIEW AND MBCT APPROACH

This section first gives an overview of the system and then describes the details of the MBCT approach. The symbol definitions are summarized in TABLE III.

A. System Overview

The system comprises three key entities, namely the sender, receiver and Monero blockchain.

• Sender. The sender connects to the blockchain network by running a full node or a simplified payment verification (SPV) node. During the process of building transactions, the sender embeds the message into transactions and then broadcasts them to the blockchain network.

• Receiver. The receiver can run a blockchain node or call the service of an online node through Remote Procedure Call (RPC). He filters covert transactions by traversing recent blocks. After obtaining a covert transaction, he will extract the message embedded by the sender from the transaction fields.

• Monero Blockchain. Each time a sender creates and broadcasts a covert transaction, the miner nodes in the blockchain will package it into a new block after verifying the validity of the transaction. Eventually the transaction will be permanently stored on the chain. The sender and receiver transmit messages via the Monero blockchain due to its advanced cryptographic techniques. The distributed nature of blockchain gives it a high degree of reliability of message transmission, but when it is attacked, the transactions may get lost and reliability may decrease.

TABLE II
COMPARISON OF EXISTING BLOCKCHAIN-BASED CT APPROACH

Ref. | Blockchain (Bitcoin, Ethereum, Monero) | Filter Field | Security Requirements (SR1, SR2, SR3, SR4, SR5)
[6] 2018 √ Input address √
[7] 2019 √ OP_RETURN √
[8] 2020 √ Parameter file √
[9] 2023 √ Output address √ √
[10] 2022 √ Address pool √
[11] 2023 √ Address matrix √ √
[12] 2022 √ Output address √ √
[13] 2023 √ Control information √ √ √
[14] 2019 √ Destination address √
[15] 2020 √ - √
[16] 2021 √ Topic of letter √ √
[17] 2022 √ Voting address √
[18] 2021 √ √ √
[19] 2022 √ One-time address √ √ √
[20] 2023 √ √ √
[21] 2020 √ √ Input address √
[22] 2023 √ √ Customized data field √
[23] 2023 √ √ Output address √ √
[24] 2022 √ √ Address pool √
[25] 2024 √ √ Signature and amounts √ √
[26] 2024 √ √ - √
Ours √ One-time address √ √ √ √ √
TABLE III
NOTATIONS

Symbol                      Definition
$K_A^v, k_A^v$              Monero view public-private key pair of sender
$K_A^s, k_A^s$              Monero spend public-private key pair of sender
$K_B^v, k_B^v$              Monero view public-private key pair of receiver
$K_B^s, k_B^s$              Monero spend public-private key pair of receiver
$K_r, k_r$                  Monero transaction public-private key pair
$K_i^{ori}$                 Original stealth address of i-th non-change output
$K_i^{new}$                 New stealth address of i-th non-change output
$G$                         Base point of the elliptic curve in Monero
                            Cryptographic hash function
$r, s$                      EdDSA signature
$m$                         Message
$c$                         Ciphertext of message
$a$                         Real transaction amount
$h$                         Masked transaction amount
$t$                         Non-change output index of Monero transaction
mss                         Missing message sequence
sfa, sft, sff               Special fields of AuthTx, TransTx and FbTx
Sign                        EdDSA signature generation function
Enc                         AES encryption function
GenAmount                   Amount generation function
||                          Operator to concatenate two strings
$\oplus_8$                  Operator to perform an XOR operation between the first eight bytes of each operand

B. MBCT Approach Overview

We utilize Alice and Bob as the sender and receiver respectively to present an overview of our approach. Alice and Bob use the Monero blockchain to achieve the entire communication process.

The whole covert communication is split into three stages: the authentication stage, the transmission stage and the feedback stage. For each stage, we present an embedding method to reach the goal of this stage. Since the extraction algorithm is the inverse process of embedding, we only make a comprehensive description of the embedding algorithms, as illustrated in Section III.C.

A normal assumption is made that Alice and Bob both possess each other’s public keys, $K_A^v$, $K_A^s$, $K_B^v$, $K_B^s$, since these keys are published on the Monero blockchain.

We refer to the transactions mentioned above as transmission transactions (TransTxs). Since only Alice and Bob can calculate the stealth address, only they can identify the TransTx and extract the message along with its sequence correctly.

(3) Feedback Stage: This stage is designed to provide feedback on communication status and prevent information loss. After receiving all messages or in case of missing a message segment in a single communication, Bob embeds a digital signature generated from his secret view key into the stealth addresses and embeds the missing segment sequence into the amount field of the Monero transaction intended to be sent to Alice. We call this kind of transaction a feedback transaction (FbTx). Then Alice identifies the FbTx and decides whether to resend messages based on whether any messages are missing.

C. Method Design

1) Sender Authentication Method

This method is implemented during the authentication stage, embedding the sender’s digital signature into the stealth addresses of one Monero transaction. The digital signature is generated by the sender using the private view key as the private key and the hash value of the public transaction key of the current transaction as the message. The digital signature algorithm employs the Edwards-curve Digital Signature Algorithm (EdDSA), which produces a 64-byte signature, double the size of the stealth address.

Firstly, Alice chooses a 256-bit random factor $k_r$ as the private transaction key, and calculates and stores $K_r$ as illustrated in (1). Then, Alice calculates the hash of $K_r$ through the cryptographic hash function and generates a digital signature $(r, s)$ of 64 bytes. Subsequently, Alice generates two stealth addresses of 32 bytes with Bob’s public keys as shown in (3) and (4), and then performs an XOR operation with each half of the digital signature separately to generate two new stealth addresses. Finally, Alice verifies whether these two new addresses are valid. If so, Alice will create an AuthTx with these two new stealth addresses. Otherwise, the above process will be repeated until the stealth address is valid. We denote the stealth addresses with embedded signature as a special field of AuthTx. The generation process of the special field for AuthTx is described in Algorithm 1. All stealth addresses in
the algorithm are non-change output addresses, and output
(1) Authentication Stage: This stage is designed to initial the addresses of change are not involved in this method.
entire transmission process, serving for Bob to verify the
identity of Alice. Alice firstly generates a digital signature 2) Dynamically On-chain Session Key Updating Method
using her secrete view key and embeds it into the stealth In transmission stage, to avoid information leakage through
address of current transaction. This is referred to as the off-chain negotiation, the sender uses this method to
authentication transaction (AuthTx). Then, Bob identifies dynamically update session keys on-chain. This method
the AuthTx by traversing recent transactions, extracts the leverages a Diffie-Hellman key exchange within the stealth
digital signature and validates it for the subsequent address. It uses the stealth address and the receiver’s public
transmission. key to generate a hash value. Since the hash can be considered
(2) Transmission Stage: This stage is designed for the secure randomly distributed, we use this hash as the encryption key
and orderly transmission of messages. Firstly, Alice splits for the message. The encrypted ciphertext is then XORed
messages into several parts to fit the length of the with the original one-time address. This ensures that even if
transaction carriers. For each segments, a one-time session an attacker manages to associate the TransTx with the public
key is generated from a stealth address of each transaction, keys of the communicating parties, he cannot extract any
encrypting message to incorporate it into the stealth plaintext information from the transaction.
address field. Then, she generates corresponding
transaction amounts based on the embedded message When the message length exceeds 32 bytes, the length of a
sequence, using the specified amounts encoding method. stealth address, it is necessary to segment the message. To
ensure that the receiver can confirm the complete receipt of the message and accurately reassemble the message sequence, we design an amount encoding method to embed message sequences as shown in Fig. 3. To avoid generating transactions with large amounts, we use the last ten decimal places of the Monero amount, measured in atomic units called piconero, for encoding. The first digit serves as a flag; a flag of one signifies that the message segment is not the final one, whereas a flag of zero indicates the final segment. The middle six digits are populated with random numbers, and the final three digits represent the message sequence, filled from the end to the beginning.

Alice first divides message $m$ into $n$ segments of 32 bytes each, padding the final segment with random characters if it is shorter than 32 bytes. Based on the amount encoding method shown in Fig. 3, Alice generates transaction amounts corresponding to the message sequence. Monero utilizes a cryptographic hash function to generate the masked amount as shown in (6). In addition, our protocol incorporates digital signatures as hash function factors, rendering third parties unable to compute the actual message sequence. Then for each segment, Alice computes a one-time session key derived from a combination of the stealth address and Bob’s public keys through the cryptographic hash function, which produces outputs that are evenly distributed across the entire range of possible values. Specifically, the private transaction key $r$ guarantees the randomness of the session key. Subsequently, Alice uses the one-time session key to encrypt message segments and performs an XOR operation between the ciphertexts and the original stealth addresses, constructing new stealth addresses as outputs of TransTx with the generated transaction amount attached. We denote the new stealth addresses and masked amounts as a special field of TransTx. The generation process of the special field for TransTx is described in Algorithm 1.

3) State Feedback Method

In order to mitigate the impact of decreased reliability of message transmission due to lost transactions, we design a state feedback method that allows receivers to inform senders about the receipt of message segments. If a blockchain attack prevents the sender’s transaction, which contains the message, from reaching the receiver, the receiver will give feedback on the missing message sequence. If all messages are received, the receiver will return feedback indicating a normal state to the sender. If the sender does not receive feedback after an extended period, he will detect the anomaly and implement remedial measures. In addition, the feedback provider embeds their digital signature in the transaction to ensure the traceability of the feedback.

This method is designed to enable the receiver to provide feedback on the communication status. After Bob receives a TransTx with the transaction amount end flag indicating 0, he will assemble all extracted message segments and send feedback to Alice through a Monero transaction on whether any messages are missing. Bob embeds his digital signature into the stealth address of Monero transactions. Additionally, as shown in Fig. 3, Bob inserts the missing message sequence number in the FbTx amount field. After receiving the FbTx, Alice determines whether to resend the message based on the amount field of the FbTx. We denote the new stealth addresses and masked amounts as a special field of FbTx. The generation process of the special field for FbTx is described in Algorithm 3.

IV. SECURITY ANALYSIS AND PERFORMANCE EVALUATION

This section presents a security analysis and evaluates our approach in terms of concealment, embedding rate and efficiency, and concludes with a comparative analysis against related works.

[Fig. 2. Overview of Three Stages. Participants: Alice, Monero Blockchain, Bob. Authentication Stage: AuthTx$(r, s)$. Transmission Stage: TransTx$_1(m_1, (r, s))$ through TransTx$_n(m_n, (r, s))$. Feedback Stage: FbTx$(mms, (r_B, s_B))$.]

[Fig. 3. Amount Encoding Method. Labels: decimal amount (piconero), random number, sequence number, all zero; most significant digit, least significant digit; flag 0 = End Flag, flag 1 = Non-end Flag.]

Algorithm 1 Generation Special Field of AuthTx
INPUT: Random factor $k^r$, Private view key of Alice $k_A^v$, Public view key of Bob $K_B^v$, Public spend key of Bob $K_B^s$
OUTPUT: Special field of AuthTx $sfa$
1. Compute $K^r = k^r G$
2. Compute $(r, s) = \mathrm{Sign}((K^r), k_A^v)$
3. Initialize special field of AuthTx $sfa = \{\}$
4. for $0 \le i \le 1$ do:
5.     Compute $K_i^{ori} = (k^r K_B^v, i)G + K_B^s$
6.     if $i == 0$ then
7.         Compute $K_i^{new} = r \oplus K_i^{ori}$
8.     endif
9.     else
10.        Compute $K_i^{new} = s \oplus K_i^{ori}$
11.    endelse
12.    sfa.append($K_i^{new}$)
13. endfor
14. Output $sfa$
Algorithm 2 Generation Special fields of TransTx
INPUT: Message $m$, Public view key of Bob $K_B^v$, Public spend key of Bob $K_B^s$, Digital signature of Alice $(r, s)$
OUTPUT: Special fields of TransTx $sft$
1. Divide message $m$ into 32-byte chunks $m = \{m_1, m_2, ..., m_n\}$
2. Initialize special field of AuthTx $sft = \{\}$
3. for $m_i$ in $m$ do:
4.     Get amount $a_i$ based on amount encoding method $a_i = \mathrm{GenAmount}(i)$
5.     Choose a random factor $k_i^r$
6.     Compute public transaction key $K_i^r = k_i^r G$
7.     Initialize output index $t$ as 0 or 1 as non-change out index
8.     Compute masked amount with digital signature of Alice $h_i = a_i \oplus_8 (\text{"amount"}, (k_i^r K_B^v, t), (r, s))$
9.     Compute original stealth address $K_i^{ori} = (k_i^r K_B^v, t)G + K_B^s$
10.    Compute one-time session key $k_i = (K_i^{ori} || K_B^v || K_B^s)$
11.    Compute $c_i = \mathrm{Enc}(m_i, k_i)$
12.    Compute $K_i^{new} = K_i^{ori} \oplus c_i$
13.    Get transaction special field $sft_i = \{h_i, K_i^{new}\}$
14. endfor
15. Combine $sft = \{sft_1, sft_2, ..., sft_n\}$
16. Output $sft$

Algorithm 3 Generation Special fields of FbTx
INPUT: Random factor $k^r$, Private view key of Alice $k_B^v$, Public view key of Bob $K_A^v$, Public spend key of Bob $K_A^s$, Missing message sequence $mms$
OUTPUT: Special field of FbTx $sff$
1. Compute $K^r = k^r G$
2. Compute $(r, s) = \mathrm{Sign}((K^r), k_B^v)$
3. Initialize special field of FbTx $sff = \{\}$
4. for $0 \le i \le 1$ do:
5.     Compute $K_i^{ori} = (r K_B^v, i)G + K_A^s$
6.     if $i == 0$ then
7.         Compute $K_i^{new} = r \oplus K_i^{ori}$
8.     endif
9.     else
10.        Compute $K_i^{new} = s \oplus K_i^{ori}$
11.    endelse
12.    sff.append($K_i^{new}$)
13. endfor
14. if $mms \neq 0$ then
15.    Get amount $a$ based on amount encoding method $a = \mathrm{GenAmount}(mms)$
16.    Initialize output index $t$ as 0 or 1 as non-change out index
17.    Compute hiding amount with digital signature of Bob $h_0 = a \oplus_8 (\text{"amount"}, (k_0^r K_B^v, t), (r, s))$
18.    sff.append($h_0$)
19. endif
20. Get transaction special field $sff = \{K_0^{new}, K_1^{new}, h_0\}$
21. Output $sff$

A. Security Analysis

We now conduct a security analysis of the approach we proposed based on the SRs outlined in Section II.B.

1) SR1: Confidentiality of on-chain session key

To ensure the confidentiality of the session key, our proposed approach includes the following two considerations, which will be discussed separately.

Firstly, our approach does not require off-chain pre-negotiation of critical parameters of message transmission, such as master keys, encryption keys, etc. This allows the communicating parties to use publicly available wallet addresses for direct communication, reducing the impact of off-chain network attacks on covert transmissions.

Secondly, our approach can dynamically update session keys on-chain to encrypt messages, avoiding the risk of compromising associated sessions due to the leakage of long-term session keys. We demonstrate the confidentiality of the session keys and message through an assumption and specific scenarios.

Assumption: We assume there exists an attacker who knows all the public keys denoted in Table I and can associate a covert transaction containing messages with the public keys of both parties.

There are two scenarios in which the attacker can compute the dynamic key $k$, ultimately gaining access to the plaintext information.

Scenario 1. In this scenario, in order to get $K^{ori}$ from $K_B^v$, $K^r$ and $K_B^s$, based on the one-way and anti-collision property of hash functions, the attacker needs to compute the shared secret $S$ shown in (5). Due to the difficulty of ECDLP, given $G$ and public keys, it is infeasible to compute $S$ without knowing the private keys, since the attacker would have to solve the ECDLP to find private keys.

Scenario 2. In this scenario, the attacker tries to extract the original stealth address $K^{ori}$ and ciphertext $C$ from the new stealth address $K^{new}$. Let $\mathrm{Adv}_A^{xor}(s)$ denote the advantage of attacker $A$ in separating 256-bit $K^{ori}$ and ciphertext $C$ from 256-bit $K^{new}$, where the security parameter $s = 256$. This advantage can be defined as the difference between the probability of the attacker successfully separating two strings and the probability of a random guess, shown in Eq. (8):

$$\mathrm{Adv}_A^{xor}(s) = \Pr[A(K^{new}) = (K^{ori}, C)] - \frac{1}{2^s}, \quad (8)$$

where $K^{new} = K^{ori} \oplus C$. Ideally, the attacker has no better chance than random guessing, i.e., $\Pr[A(K^{new}) = (K^{ori}, C)]$ is close to $\frac{1}{2^{256}}$, making $\mathrm{Adv}_A^{xor}(s)$ close to zero, indicating that the advantage is negligible.

Based on the discussion above, our approach can avoid off-chain negotiations and ensures the confidentiality of dynamically updated session keys. Therefore, our approach satisfies SR1.

2) SR2: Non-repudiation of transmission parties

Our approach ensures that while Monero transactions remain anonymous to third parties, the non-repudiation between the transmission parties still exists.

Firstly, during the authentication stage, the sender needs to embed their digital signature into the Monero transaction for the receiver, allowing the receiver to verify the validity of the signature. Secondly, during the transmission stage, the sender uses their signature in the process of generating masked amounts, ensuring that only the parties in possession of this
signature can correctly extract the message sequence. Finally, our approach enables the receiver to embed their digital signature into the FbTx during the feedback stage, preventing the receiver from denying the communication behavior.

Therefore, the communication parties’ actions are accountable throughout the entire CT process, making it impossible to deny transmission behaviors. Thus, our approach meets SR2.

[Fig. 4. KLD Experiments for Special Fields. (a) Stealth Address: N1 vs N2, N1 vs A1, N1 vs A2, N1 vs T over Group1 to Group5. (b) Masked amount: N1 vs N2, N1 vs T over Group1 to Group5. Vertical axis: KL Divergence.]

[Fig. 5. CDF Experiments for Special Fields. (a) Stealth Address: series A1, A2, T, N1. (b) Masked Amount: series T, N1. Horizontal axis: hexadecimal characters 0 to f. Vertical axis: CDF.]

[Fig. 6. KS Test for Special Fields. (a) Stealth Address: series A1, A2, T. (b) Masked Amount. Horizontal axis: Experiment Number. Vertical axis: p-value.]

[Fig. 7. Time Cost for Embedding and Extraction. (a) Embedding Time Cost: series T, A, N. (b) Extraction Time Cost: series T, A. Horizontal axis: Transaction Number. Vertical axis: Time Cost (ms).]

TABLE V
AVERAGE TIME COST IN CREATION AND EXTRACTION PROCESS

                           A         T         N
Average_creation (ms)      639.10    352.56    339.74
Average_extraction (ms)    4.82      3.50      -

3) SR3: Reliability of message transmission under blockchain attack

The distributed nature of blockchain enhances the reliability of message transmission for blockchain-based CT. However, when the blockchain is under attack, such as an eclipse attack, the transactions may be lost and not properly received by the intended receiver. Our approach offers mitigation measures for this scenario, addressing both the sender’s and receiver’s perspectives.

Firstly, the sender embeds the message sequence and end flag in the masked amount when sending messages. This allows the receiver to assemble the complete message based on the message sequence and end flag, thereby determining if the message is complete.

Secondly, upon receiving the whole message, the receiver assesses its completeness. After the assessment, the receiver sends an FbTx to the sender to report the current communication status. Upon receiving the FbTx, the sender decides whether to resend any message fragments. If the sender receives no FbTx after several new blocks, he will check his node’s status and take remedial measures.

Our approach considers the reliability of message transmission from both the sender’s and receiver’s perspectives when under blockchain attacks, satisfying SR3.
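The amount encoding of Fig. 3 and the receiver-side completeness check that SR3 relies on can be sketched as follows. This is an added example, not the authors' code: the function names are hypothetical, sequence numbers are assumed to start at 1, digits above the ten-digit field are ignored, and the functions operate on the real amount $a$ after unmasking.

```python
import random

FLAG_UNIT = 10**9    # first of the ten digits: 1 = more segments follow, 0 = final segment
SEQ_MOD = 10**3      # last three digits carry the message sequence number
FIELD_MOD = 10**10   # only the last ten decimal places (piconero) are used

def gen_amount(seq, is_final, rng):
    """Encode a sequence number and end flag into a piconero amount."""
    if not 1 <= seq < SEQ_MOD:
        raise ValueError("sequence number must fit in three digits (1..999)")
    filler = rng.randrange(10**6)              # six random middle digits
    flag = 0 if is_final else 1
    return flag * FLAG_UNIT + filler * SEQ_MOD + seq

def parse_amount(amount):
    """Return (is_final, seq) read from the last ten decimal places."""
    field = amount % FIELD_MOD
    flag = field // FLAG_UNIT
    if flag > 1:
        raise ValueError("flag digit is neither 0 nor 1")
    return flag == 0, field % SEQ_MOD

def check_segments(amounts):
    """Completeness check over the amounts of the received segments.

    Returns (complete, missing). When the final segment never arrived the
    total is unknown, so only gaps below the highest sequence seen are
    listed and the run is reported as incomplete.
    """
    parsed = [parse_amount(a) for a in amounts]
    seen = {seq for _, seq in parsed}
    finals = [seq for is_final, seq in parsed if is_final]
    last = max(finals) if finals else max(seen, default=0)
    missing = [s for s in range(1, last + 1) if s not in seen]
    return bool(finals) and not missing, missing

if __name__ == "__main__":
    rng = random.Random(2024)                  # constructed demo input
    sent = [gen_amount(i, i == 5, rng) for i in range(1, 6)]
    received = sent[:2] + sent[3:]             # segment 3 lost in transit
    print(check_segments(received))            # the missing list drives the FbTx amount
```
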
TABLE IV
EXPERIMENTAL TRANSACTIONS ON MONERO STAGENET


4) SR4: Unlinkability of covert transactions

Covert transactions should be unlinkable to mitigate the risk of statistical analysis due to increased transaction frequency. Unlinkability includes two aspects: one is that covert transactions cannot be directly linked to each other, and the other is that covert transactions should not be linkable through normal transactions.

In our approach, unlike Bitcoin and Ethereum, the ring signature mechanism and stealth address feature of Monero prevent third parties from obtaining the true public keys of the communicating parties from transaction data. Consequently, there is no direct or indirect link between covert transactions, fulfilling SR4.

5) SR5: Obscurity of covert transactions

Our approach allows the receiver to filter covert transactions using Monero stealth addresses without any obvious features, while ensuring that third parties cannot distinguish between special and normal transactions.

The original stealth address and masked amount can be considered as a series of uniformly distributed hexadecimal strings. In our approach, we modify the stealth addresses and masked amount in Monero transactions to embed messages. Firstly, the new stealth address is calculated by $K^{new} = K^{ori} \oplus C$, where $C$ is the ciphertext encrypted with AES and can also be regarded as randomly distributed. This does not alter the randomness of the stealth address. Secondly, the modified masked amount is generated by a cryptographic hash function and is uniformly distributed as well. Therefore, special fields and normal fields are statistically indistinguishable, ensuring the stealthiness of communication, and thus our approach satisfies SR5. The experiments of indistinguishability between special and normal transactions are provided in Section IV.0.

B. Performance Evaluation

We implemented our approach on Monero==0.18.1.0, running in an Ubuntu 22.04 virtual machine hosted on a PC with Windows 11 operating system, equipped with an Intel i9-13900HX processor and 32 GB memory.

To conduct our experiments, we wrote configuration files for both the Monero node and wallet, deploying them to the Ubuntu 22.04 virtual machine, connecting the Monero full node to the Monero stagenet for experimental purposes. Thanks to the low mining difficulty on stagenet, we were able to use CPU mining to obtain spendable Monero coins. Additionally, we developed a message handler to automatically handle messages and encode transaction amounts, which is used to automate requests to the Monero wallet RPC interface and collect experimental data.

1) Concealment

In our approach, we transmit the digital signature and message segments by generating special stealth addresses of Monero transactions. In addition, transaction amount fields are used to cover the real amount, and are generated according to message sequences or missing message orders. The concealment of covert transactions is defined by the indistinguishability between ordinary and special fields. To comprehensively assess the indistinguishability, we employ three statistical methods: Kullback-Leibler Divergence (KLD), Cumulative Distribution Function (CDF), and Kolmogorov-Smirnov Test (KS Test) [13][15][22][25]. In these three types of experiments, we constructed a large number of transactions to evaluate concealment. Since the evaluation only requires data of special and normal fields, these transactions were not broadcast to the Monero network. This did not affect the correctness of experiment results.
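The hexadecimal-character KLD and KS comparisons used in this concealment evaluation can be run on simulated fields, shown here as an added example that is not the authors' code. Uniform random 32-byte strings stand in for stealth addresses, a SHA-256 keystream stands in for AES, and the `naive` set (plaintext written directly into the field) is a constructed control that both tests should flag; all function names are assumptions.

```python
import hashlib
import math
import random
from collections import Counter

HEX = "0123456789abcdef"

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hex_counts(fields):
    """Count each hexadecimal character over a list of 32-byte fields."""
    counts = Counter("".join(f.hex() for f in fields))
    return [counts[ch] for ch in HEX]

def hex_freq(fields):
    """Character frequency distribution, add-one smoothed so log() never sees 0."""
    counts = hex_counts(fields)
    total = sum(counts) + len(HEX)
    return [(c + 1) / total for c in counts]

def kld(p, q):
    """Eq. (9): D_KL(P || Q) = sum_x P(x) * log(P(x) / Q(x)), natural log."""
    return sum(px * math.log(px / qx) for px, qx in zip(p, q))

def ks_test(fields_a, fields_b):
    """Two-sample KS statistic D over hex digit values 0..15 and its asymptotic
    p-value (conservative for discrete data such as hex digits)."""
    ca, cb = hex_counts(fields_a), hex_counts(fields_b)
    na, nb = sum(ca), sum(cb)
    d = cum_a = cum_b = 0.0
    for a, b in zip(ca, cb):
        cum_a += a / na
        cum_b += b / nb
        d = max(d, abs(cum_a - cum_b))
    root = math.sqrt(na * nb / (na + nb))
    lam = (root + 0.12 + 0.11 / root) * d
    if lam < 0.2:                       # Kolmogorov tail is 1 to many decimals here
        return d, 1.0
    tail = 2 * sum((-1) ** (k - 1) * math.exp(-2 * (k * lam) ** 2)
                   for k in range(1, 101))
    return d, min(1.0, max(0.0, tail))

def build_samples(n=2000, seed=7):
    """Constructed data: normal fields, XOR-embedded fields, naive plaintext fields."""
    rng = random.Random(seed)
    rand32 = lambda: bytes(rng.getrandbits(8) for _ in range(32))
    k_bv, k_bs = rand32(), rand32()     # placeholders for Bob's public keys
    sentence = b"constructed sample plaintext segment used as a negative control. "
    text = sentence * 3
    normal, special, naive = [], [], []
    for i in range(n):
        start = i % len(sentence)
        m = text[start:start + 32]                              # 32-byte segment
        normal.append(rand32())                                 # untouched field
        k_ori = rand32()                                        # stand-in for K_ori
        k_i = hashlib.sha256(k_ori + k_bv + k_bs).digest()      # Algorithm 2, step 10
        c = xor_bytes(m, hashlib.sha256(k_i + b"ks").digest())  # stand-in for AES Enc
        special.append(xor_bytes(k_ori, c))                     # Algorithm 2, step 12
        naive.append(m)                                         # no encryption, no XOR
    return normal, special, naive

def evaluate():
    """Return (KLD, KS D, KS p-value) of each candidate set against normal fields."""
    normal, special, naive = build_samples()
    ref = hex_freq(normal)
    return {
        "special": (kld(hex_freq(special), ref),) + ks_test(special, normal),
        "naive": (kld(hex_freq(naive), ref),) + ks_test(naive, normal),
    }

if __name__ == "__main__":
    for name, (k, d, p) in evaluate().items():
        print(f"{name:8s} KLD={k:.6f} D={d:.4f} p={p:.4f}")
```

The XOR-embedded set stays at the noise floor of both tests, while the plaintext control shows the kind of field content these statistics do catch.
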
KLD is a statistical measure used to quantify the difference between two probability distributions. When two random distributions are the same, their KLD is zero. As the difference between the two distributions increases, their relative entropy also increases. Eq. (9) gives the calculation of KLD, where $P(x)$ and $Q(x)$ represent the probability of event $x$ in the two probability distributions, respectively.

$$D_{KL}(P \| Q) = \sum_x P(x) \log \frac{P(x)}{Q(x)} \quad (9)$$

We first use KLD to evaluate the normal fields and special fields embedded with message and signature. We conduct KLD experiments between normal and special fields of AuthTx, TransTx and normal transactions, including stealth addresses and masked amounts. Due to the similarities in the processing procedures of FbTx and AuthTx, the specific experiments for FbTx are omitted. In detail, we generated 50,000 AuthTx, TransTx, and normal transactions initially, each divided into five groups. For AuthTx, we recorded the stealth addresses of two non-change outputs, named A1 and A2. For TransTx and normal transactions, we saved the stealth addresses and masked amounts of one non-change output, named T and N1. To be clearer, we additionally generated 10,000 standard stealth addresses and masked amounts named N2. This helps identify any anomalies in statistical analysis and verify the significance of the results. Then, we calculate the frequency distribution of hexadecimal characters for A1, A2 and N1, and compare it with the character frequency distribution of N2 to compute the KLD.

Fig. 4 shows the result of KLD of stealth addresses and masked amounts, which reveals that the KLD is uniformly at the order 5e-10 and 4e-10 separately, and there is essentially no difference in KLD between the five groups. Small and similar KLD across groups indicate that the data distributions are nearly identical. Therefore, the stealth addresses between AuthTx, TransTx, and normal transactions and the masked amounts between TransTx and normal transactions are indistinguishable.

Subsequently, we conduct a CDF experiment to compare character frequency between standard and special fields. CDF represents the probability that a random variable takes on a value less than or equal to a specific number. As in the KLD experiment, we collect character frequency in stealth addresses and masked amounts of AuthTx, TransTx and normal transactions. For stealth addresses, we calculate CDFs of A1, A2, T and N1. For masked amounts, we calculate CDFs of T and N1. The result is shown in Fig. 5, in which the CDFs for all groups appear to increase linearly, suggesting that the frequency distribution of hexadecimal characters is uniform across the normal and special fields for each group. The CDF of each group is nearly identical at the same character position, demonstrating the consistency of character distribution.

KS Test is designed to compare two samples to determine if they are drawn from the same distribution. We perform a KS Test on four sets of data previously depicted, including those with stealth addresses and masked amounts to evaluate indistinguishability. For each set, we conduct 1000 samples, with each sample consisting of 500 instances. We calculated p-values for the character frequency comparison between normal and special fields, and the results are displayed in Fig. 6. It shows that almost all p-values appear to fall between 0.6 and 0.8, which is higher than the significance level of 0.05, suggesting that for most of the samples, there is no statistical difference between the normal and special fields.

Based on the three types of experiments described above, the results indicate that the modified stealth address and masked amount fields in our approach cannot be distinguished from the original fields, demonstrating the concealment of our approach.

2) Embedding Rate

The embedding rate refers to the amount of information that can be carried in one covert transaction. Each 256-bit message is encrypted with a dynamic session key to generate a 256-bit ciphertext, which is then embedded into a 256-bit stealth address. Therefore, each TransTx is capable of transmitting a 256-bit message.

3) Efficiency

To evaluate the efficiency of our approach, we constructed and broadcast covert transactions, and extracted digital signatures and messages through querying transaction hashes. After sending an embedding request, the Monero client constructs and broadcasts transactions with embedded digital signature or messages, and returns a response upon successful broadcast. After sending an extraction request, the Monero client queries the transaction details using the transaction hash, extracts the digital signature of messages, and returns a response upon successful extraction. We define the time consumption as the difference between the response timestamp and request timestamp.

Firstly, we created 50 instances each of normal transactions, AuthTx, and TransTx, recording the corresponding times $T_{cost}$ as N, A, and T respectively, as shown in Fig. 7. (a). Secondly, we extracted the digital signature and message from the 50 AuthTx and TransTx instances, respectively. The time consumed for these processes is also denoted as A and T, as illustrated in Fig. 7. (b). We list some of these broadcasted transaction hashes and corresponding blocks in TABLE IV, which can be found in the Monero stagenet explorer online. The average time cost is presented in TABLE V. Combining Fig. 7 and TABLE V, it is evident that AuthTx require the most time due to the need for two non-change outputs, while TransTx and normal transactions involve one non-change output each. Furthermore, the construction and broadcast time for TransTx is about 12.82ms longer compared to a normal transaction, which is within an acceptable range. For the extraction process, the time required to extract signatures and information is very short, demonstrating high extraction efficiency.

4) Comparison

Our approach aims to provide a high embedding rate CT channel with no observable characteristics, which could dynamically update the session key without any off-chain negotiation.

TABLE VI shows a comparison of various CT methods. BLOCCE embeds covert information into the last digit of Bitcoin address. Although it has provable security, its practical value is limited due to a low embedding rate. MRCC can embed 11 bits per input in a Monero transaction, and this capacity increases with the number of inputs. But in the Monero network, transactions with a large number of inputs are uncommon. Additionally, there exists a risk of sender denial of communication behavior in this method. DLchain, RDSAC and our method all have an embedding rate of 256 bits per transaction, but the first two require off-chain negotiation of encryption keys, while our approach does
not. Moreover, due to the anonymity features of Monero, the public keys of both parties do not appear in plaintext within the Monero network, which grants our system a higher level of concealment compared to other systems.

TABLE VI
COMPARISON OF DIFFERENT CT APPROACH

Approach       Embedding Rate (bit/tx)   Dynamic Session Key   Observable characteristic   Off-chain Negotiation
BLOCCE [6]     1                         No                    Yes                         Yes
DLchain [7]    256                       No                    Yes                         Yes
MRCC [18]      11 r                      No                    No                          Yes
RDSAC [25]     256                       No                    No                          Yes
Ours           256                       Yes                   No                          No

V. CONCLUSION

In this paper, we propose a novel CT approach named MBCT, which updates the session key on-chain dynamically without off-chain negotiation. We first present a threat model and security requirements for blockchain-based CT. Then, MBCT is detailed and we make a security analysis to validate that MBCT can meet the requirements. Finally, we implement MBCT in Monero-0.18.1.0 and the experiment results demonstrate its high embedding capacity.

REFERENCES

[1] K. Lu, H. Liu, L. Zeng, J. Wang, Z. Zhang and J. An, “Applications and prospects of artificial intelligence in covert satellite communication: a review,” Science China Information Sciences, 2023, 66(2): 121301.
[2] X. Chen et al., “Covert Communications: A Comprehensive Survey,” IEEE Communications Surveys & Tutorials, vol. 25, no. 2, pp. 1173-1198, Secondquarter 2023.
[3] J. An, B. Kang, Q. Ouyang, J. Pan and N. Ye, “Covert Communications Meet 6G NTN: A Comprehensive Enabler for Safety-Critical IoT,” IEEE Network, early access, doi: 10.1109/MNET.2024.3379864.
[4] P. Yang, Y. Li and Y. Zang, “Detecting DNS covert channels using stacking model,” China Communications, 2020, 17(10): 183-194.
[5] Z. Chen et al., “Blockchain Meets Covert Communication: A Survey,” IEEE Communications Surveys & Tutorials, vol. 24, no. 4, pp. 2163-2192, Fourthquarter 2022.
[6] Partala J, “Provably secure covert communication on blockchain,” Cryptography, 2018, 2(3): 18.
[7] J. Tian, G. Gou, C. Liu, Y. Chen, G. Xiong and Z. Li, “DLchain: A covert channel over blockchain based on dynamic labels,” in Proc. of International Conference on Information and Communications
[12] H. Cao et al., “Chain-Based Covert Data Embedding Schemes in Blockchain,” IEEE Internet of Things Journal, vol. 9, no. 16, pp. 14699-14707, 15 Aug.15, 2022.
[13] L. Zhu, Q. Liu, Z. Chen, C. Zhang, F. Gao and Z. Yang, “A Novel Covert Timing Channel Based on Bitcoin Messages,” IEEE Transactions on Computers, vol. 72, no. 10, pp. 2913-2924, Oct. 2023.
[14] A. I. Basuki and D. Rosiyadi, “Joint transaction-image steganography for high capacity covert communication,” in Proc. Int. Conf. Comput. Control Informat. Appl., pp. 41-46, 2019.
[15] S. Liu et al., “Whispers on Ethereum: Blockchain-based covert data embedding schemes,” in Proc. 2nd ACM Int. Symp. Blockchain Secure Crit. Infrastruct., pp. 171-179, Oct. 2020.
[16] L. Zhang, Z. Zhang, Z. Jin, Y. Su and Z. Wang, “An approach of covert communication based on the Ethereum whisper protocol in blockchain,” International Journal of Intelligent Systems, vol. 36, no. 2, pp. 962-996, Feb. 2021.
[17] L. Zhang, Z. Zhang, W. Wang, Z. Jin, Y. Su and H. Chen, “Research on a Covert Communication Model Realized by Using Smart Contracts in Blockchain Environment,” IEEE Systems Journal, vol. 16, no. 2, pp. 2822-2833, June 2022.
[18] Z. Guo, L. Shi, M. Xu and H. Yin, “MRCC: A Practical Covert Channel Over Monero With Provable Security,” IEEE Access, vol. 9, pp. 31816-31825, 2021.
[19] L. Liu, L. Liu, B. Li, Y. Zhong, S. Liao and L. Zhang, “MSCCS: A Monero-based security-enhanced covert communication system,” Computer Networks, vol. 205, Mar. 2022.
[20] W. Su and L. Ma, “A Blockchain-based Covert Document Communication System Model,” in 2023 8th International Conference on Computer and Communication Systems, Guangzhou, China, 2023, pp. 445-450.
[21] F. Gao, L. Zhu, K. Gai, C. Zhang and S. Liu, “Achieving a covert channel over an open blockchain network,” IEEE Network, vol. 34, no. 2, pp. 6-13, Mar. 2020.
[22] C. Zhang, L. Zhu, C. Xu and R. Lu, “EBDL: Effective blockchain-based covert storage channel with dynamic labels,” Journal of Network and Computer Applications, 2023, 210: 103541.
[23] J. Liu et al., “DLCCB: A Dynamic Labeling Based Covert Communication Method on Blockchain,” in 2023 International Wireless Communications and Mobile Computing, Marrakesh, Morocco, 2023, pp. 168-173.
[24] P. Zhang, Q. Cheng, M. Zhang and X. Luo, “A Group Covert Communication Method of Digital Currency Based on Blockchain Technology,” IEEE Transactions on Network Science and Engineering, vol. 9, no. 6, pp. 4266-4276, 1 Nov.-Dec. 2022.
[25] Z. Chen, L. Zhu, P. Jiang, C. Zhang, F. Gao and F. Guo, “Exploring Unobservable Blockchain-based Covert Channel for Censorship-Resistant Systems,” IEEE Transactions on Information Forensics and Security, 2024.
[26] P. Zhang, Q. Cheng, M. Zhang and X. Luo, “A Blockchain-Based Secure Covert Communication Method via Shamir Threshold and STC Mapping,” IEEE Transactions on Dependable and Secure Computing, early access, doi: 10.1109/TDSC.2024.3353570.
Security, pp. 814-830, 2019.
[27] Alonso K M, “Zero to monero,” Zero to monero, 2020.
[8] W. Wang and C. Su, “CCBRSN: A system with high embedding
[28] G. Kappos, H. Yousaf, M. Maller and S. Meiklejohn, “An empirical
capacity for covert communication in Bitcoin,” in Proc. of
analysis of anonymity in Zcash,” in Proc. 27th USENIX Conf.
International Conference on ICT Systems Security and Privacy
Security Symp., pp. 463-477, 2018.
Protection, pp. 324-337, 2020.
[29] F. Liu et al., “Bitcoin Address Clustering Based on Change Address
[9] Z. Wang et al., “A covert channel over blockchain based on label tree
Improvement,” IEEE Transactions on Computational Social Systems,
without long waiting times,” Computer Networks, vol. 232, Aug. 2023.
early access, doi: 10.1109/TCSS.2023.3239031.
[10] X. Luo, P. Zhang, M. Zhang, H. Li and Q. Cheng, “A Novel Covert
[30] A. Mansourabady, F. Tabe, A. H. Rasekh and A. Ghermezian, “A
Communication Method Based on Bitcoin Transaction,” IEEE
Study on Hybrid Deep Learning Approaches for “Monero”
Transactions on Industrial Informatics, vol. 18, no. 4, pp. 2830-2839,
Cryptocurrency Price Prediction,” in 2024 20th CSI International
April 2022.
Symposium on Artificial Intelligence and Signal Processing (AISP),
[11] X. Zhang, X. Zhang, X. Zhang, W. Sun, R. Meng and X. Sun, “A
Babol, Iran, Islamic Republic of, 2024, pp. 1-6.
derivative matrix-based covert communication method in blockchain,”
Computer Systems Science and Engineering, vol. 146, no. 1, pp. 225-
239, 2023.
