# Provably Secure Covert Communication on Blockchain

## Abstract

**:**

## 1. Introduction

#### Related Work

## 2. Preliminaries

#### 2.1. Notation

#### 2.2. Cryptographics Primitives

Algorithm 1 Pseudorandom Ciphertext Experiment | ||

1: | procedure$\mathsf{PRC}\_{\mathsf{EXP}}_{\mathsf{A}}^{\mathsf{SE}}$ (${1}^{s}$) | |

2: | $k\leftarrow \mathsf{Gen}\left({1}^{s}\right)$ | |

3: | $(m,S)\leftarrow {\mathsf{A}}_{1}^{{\mathsf{Enc}}_{k}}\left({1}^{s}\right)$ | ▹ S is internal state information of $\mathsf{A}$ |

4: | $b\leftarrow U(\{0,1\})$ | |

5: | if $b=1$ then | |

6: | $c\leftarrow \mathsf{Enc}(k,m)$ | ▹ Use the actual encryption |

7: | else | |

8: | $c\leftarrow U({\{0,1\}}^{|\mathsf{Enc}(k,m)|})$ | ▹ Use a random string |

9: | end if | |

10: | ${b}^{\prime}\leftarrow {\mathsf{A}}_{2}^{{\mathsf{Enc}}_{k}}(c,S)$ | |

11: | if $b={b}^{\prime}$ then | |

12: | return 1 | ▹ $\mathsf{A}$ guessed correctly |

13: | else | |

14: | return 0 | ▹ $\mathsf{A}$ did not guess correctly |

15: | end if | |

16: | end procedure |

#### 2.3. Steganography

**Definition**

**1.**

- 1.
- The embedding algorithm $\mathsf{Embed}$ takes as input a secret key $k\in {\{0,1\}}^{{n}_{k}}$, a hiddentext message $m\in {\{0,1\}}^{\ast}$ and a channel history $\mathcal{H}\in {\{0,1\}}^{\ast}\times \mathbb{R}$ and returns a stegotext message $c\in {\{0,1\}}^{\ast}$.
- 2.
- The extraction algorithm $\mathsf{Extract}$ takes as input a secret key $k\in {\{0,1\}}^{{n}_{k}}$ and a stegotext message $c\in {\{0,1\}}^{\ast}$ and outputs a hiddentext message $m\in {\{0,1\}}^{\ast}$.

**Definition**

**2.**

## 3. A Simplified Blockchain Model

**modeled as a random oracle**and two oracles $\mathsf{Read}$ and $\mathsf{Submit}$ that can be used to read and write data to the blockchain. We shall describe these components in detail below.

**Payee identities.**In order to join the systems, an individual i generates a private and public key pair $({s}_{k}^{\left(i\right)},{p}_{k}^{\left(i\right)})$ using a digital signature scheme $\Sigma $. When paying, individuals are represented by their public keys ${p}_{k}^{\left(i\right)}$.**Recipient addresses.**Payments to an individual i are sent to a one-time address ${a}^{\left(i\right)}\in {\{0,1\}}^{n}$ that the recipient can publish after hashing her public key: ${a}^{\left(i\right)}=H({p}_{k}^{\left(i\right)})$. Each payment address appears only once in a payment and a new private and public key pair $({s}_{k}^{\left(i\right)},{p}_{k}^{\left(i\right)})$ is generated to receive additional payments.**Money.**The blockchain records the amount of money ${\mu}^{\left(i\right)}$ that is associated to an address ${a}^{\left(i\right)}$ and, consequently, to a public key ${p}_{k}^{\left(i\right)}$.**Initial status of the blockchain.**The initial total amount of money is distributed among a finite set of L individuals represented by their addresses ${a}^{\left(1\right)},{a}^{\left(2\right)},\dots ,{a}^{\left(L\right)}$. An amount of money ${\mu}^{\left(i\right)}\ge 0$ is associated to each of these addresses and the initial status of the blockchain$${C}_{0}=\left(({a}^{\left(1\right)},{\mu}^{\left(1\right)}),({a}^{\left(2\right)},{\mu}^{\left(2\right)}),\dots ,({a}^{\left(L\right)},{\mu}^{\left(L\right)})\right)$$**Payments.**Let ${p}_{k}^{\left(i\right)}$ and ${p}_{k}^{\left(j\right)}$ be two distinct public keys. A valid payment P of amount μ from a user i to a user j is a tuple$$P=({p}_{k}^{\left(i\right)},{a}^{\left(j\right)},\mu ,t,\sigma ),$$$$\sigma =\mathsf{Sign}({s}_{k}^{\left(i\right)},({p}_{k}^{\left(i\right)},{a}^{\left(j\right)},\mu ,t)).$$**The ideal chain of blocks.**For the simplified ideal blockchain, all published payments are valid and are published in a tamper-proof chain C of payment blocks$$C=({C}_{0},{C}_{1},{C}_{2},\dots )$$

- $\mathsf{Read}\left(i\right)$ on input the block number $i\in {\mathbb{N}}_{\ge 0}$ outputs the block ${C}_{i}$ from the chain $({C}_{0},{C}_{1},{C}_{2},\dots ,{C}_{i-1},{C}_{i},{C}_{i+1},\dots )$ if it has appeared already. If the last block that has appeared is ${C}_{{i}^{\prime}}$ where ${i}^{\prime}<i$, $\mathsf{Read}$ outputs ⊥ indicating error.
- $\mathsf{Submit}\left(P\right)$ on input a payment $P=({p}_{k}^{\left(i\right)},{a}^{\left(j\right)},\mu ,t,\sigma )$ verifies that the payment is valid and saves it to be published in the next block to appear. If the payment is invalid, it is discarded.

## 4. The Suggested $\mathsf{BLOCCE}$ Scheme

**Blo**ckchain

**C**overt

**C**hann

**e**l). We first give a general overview of the scheme. Then we describe the embedding and extraction procedures in detail. Finally, we show that embedding runs in expected polynomial time (exluding the time spent waiting for new blocks to appear on the chain) and that the method is reliable.

#### 4.1. General Overview of $\mathsf{BLOCCE}$

- Alice generates a number of private and public key pairs$$({s}_{k}^{\left(1\right)},{p}_{k}^{\left(1\right)}),({s}_{k}^{\left(1\right)},{p}_{k}^{\left(1\right)}),\dots ,({s}_{k}^{\left(n\right)},{p}_{k}^{\left(n\right)})$$
- Alice generates payments (of small amounts) from her own account to these addresses and, depending on the hiddentext message m, orders them such that the least significant bits (LSBs) of the payment addresses form m.
- Alice submits the payments in the correct order to the blockchain.
- Bob reads the blockchain for payments made by Alice and reads the hiddentext message from the LSBs of the payment addresses.

#### 4.2. Embedding Into the Blockchain

Algorithm 2 Embedding Algorithm | |

1: | procedure$\mathsf{Embed}$($(k,\lambda ),m,\mathcal{B}$) |

2: | $c\leftarrow \mathsf{Enc}(k,m)$ |

3: | Concatenate ${c}^{\prime}=\lambda \left|\right|c$ |

4: | Set $N=|{c}^{\prime}|$ |

5: | Interpret ${c}^{\prime}$ as a bit representation ${c}_{1}^{\prime}{c}_{2}^{\prime}\dots {c}_{N}^{\prime}\in {\{0,1\}}^{N}$ |

6: | $i=1$ |

7: | while $i\le N$ do |

8: | Generate unseen $({s}_{k},{p}_{k})\leftarrow {\mathsf{Gen}}_{\Sigma}\left({1}^{s}\right)$ |

9: | $a\leftarrow H({p}_{k}^{\left(i\right)})$ |

10: | Interpret a as a bit representation ${a}_{1}{a}_{2}\dots {a}_{n}\in {\{0,1\}}^{n}$ |

11: | if ${a}_{n}={c}_{i}^{\prime}$ then |

12: | $\mu \leftarrow {\mathcal{M}}_{\mathcal{H}}$ |

13: | Generate a unique identifier t for the payment |

14: | $\sigma \leftarrow \mathsf{Sign}({s}_{k}^{\left(A\right)},({p}_{k}^{\left(A\right)},a,\mu ,t))$ |

15: | $\mathsf{Submit}({p}_{k}^{\left(A\right)},a,\mu ,t,\sigma )$ |

16: | Wait for the blockchain to publish a new block |

17: | Update $\mathcal{H}$ |

18: | $i\leftarrow i+1$ |

19: | end if |

20: | end while |

21: | end procedure |

#### 4.3. Extraction

Algorithm 3 Extraction Algorithm | |

1: | procedure$\mathsf{Extract}$($(\lambda ,k),\mathcal{B}$) |

2: | $i=1$ |

3: | $j=1$ |

4: | while have not found $\lambda $ yet do ▹ Scan for $\lambda $ |

5: | $C=\mathsf{Read}\left(j\right)$ |

6: | if $C=\perp $ then |

7: | Wait until a block appears and read it: $C=\mathsf{Read}\left(j\right)$ |

8: | end if |

9: | for any payment $P\in C$ do |

10: | if P is from ${p}_{k}^{\left(A\right)}$ then |

11: | Extract address a from P and get the LSB ${a}_{n}$ |

12: | Scan if we have found the entire $\lambda \in {\{0,1\}}^{{n}_{\lambda}}$ |

13: | end if |

14: | end for |

15: | $j\leftarrow j+1$ |

16: | end while |

17: | $i=1$ ▹ Now reading the encrypted hidden message |

18: | while $i\le N-{n}_{\lambda}$ do |

19: | $C=\mathsf{Read}\left(j\right)$ |

20: | if $C=\perp $ then |

21: | Wait until a block appears and read it: $C=\mathsf{Read}\left(j\right)$ |

22: | end if |

23: | for any payment $P\in C$ do |

24: | if P is from ${p}_{k}^{\left(A\right)}$ then |

25: | Extract address a from P and get the LSB ${a}_{n}$ |

26: | ${c}_{i}\leftarrow {a}_{n}$ |

27: | $i\leftarrow i+1$ |

28: | end if |

29: | end for |

30: | $j\leftarrow j+1$ |

31: | end while |

32: | Compile $c={c}_{1}{c}_{2}\dots {c}_{N-{n}_{\lambda}}$ |

33: | $m\leftarrow \mathsf{Dec}(k,c)$ |

34: | output m |

35: | end procedure |

#### 4.4. Computational Complexity and Correctness

**Proposition**

**1.**

**Proof.**

**Proposition**

**2.**

**Proof.**

- The LSBs of the addresses of the payments Alice has made before transmitting $(\lambda ,c)$ accidentally form $\lambda $ that Bob misinterprets as the start of the hidden message.
- Alice has not submitted any message, but the LSBs of the addresses of her payments form $\lambda $.

## 5. Security

#### 5.1. Assumptions

**Alice**represents the transmitter of our scheme and is known through her (payee identity) public key ${p}_{k}^{\left(A\right)}$. She has agreed with the recipient Bob beforehand on a secret key $(\lambda ,k)\in {\{0,1\}}^{{n}_{\lambda}}\times {\{0,1\}}^{{n}_{k}}$ that is not known to anyone else. She attempts to send a confidential message m to Bob through the simplified ideal blockchain $\mathcal{B}$. Both Alice and Bob know the total amount of embedded bits N. Finally, Alice is aware of her “normal” distribution of payment amounts ${\mathcal{M}}_{\mathcal{H}}$ given her history of payments $\mathcal{H}$ and is able to sample from it.**Bob**represents the recipient of our scheme. He expects a confidential message from Alice through the blockchain, knows the public key ${p}_{k}^{\left(A\right)}$ of Alice, as well as the secret key $(\lambda ,k)$ and the total number of embedded bits N.**The adverary**attempts to detect the presence of covert communication on the blockchain. We assume that the adversary knows Alice and her public key ${p}_{k}^{\left(A\right)}$. The warden also has complete access to the blockchain $\mathcal{B}$ through the oracles $\mathsf{Read}$ and $\mathsf{Submit}$. The job of the adversary is to distinguish the secret communication payments from regular payments.

#### 5.2. Payment Indistinguishability

Algorithm 4 Payment Distinguishing Experiment | |

1: | procedure$\mathsf{PAY}\_\mathsf{DIST}\_{\mathsf{EXP}}_{\mathsf{A}}^{\mathsf{\Pi},\mathcal{B}}$(${1}^{s}$) |

2: | $({s}_{k},{p}_{k})\leftarrow {\mathsf{Gen}}_{\Sigma}\left({1}^{s}\right)$ |

3: | $(m,S)\leftarrow {\mathsf{A}}_{1}^{\mathsf{Read},\mathsf{Submit}}({p}_{k})$ ▹ S is internal state information of the adversary that can be passed to the second stage |

4: | $(\lambda ,k)\leftarrow {\mathsf{Gen}}_{\mathsf{\Pi}}\left({1}^{s}\right)$ |

5: | $b\leftarrow U(\{0,1\})$ |

6: | if $b=1$ then ▹ Actual message is sent to the blockchain |

7: | $\mathsf{Embed}((\lambda ,k),m,\mathcal{B})$ |

8: | else ▹ Random payments are sent to the blockchain |

9: | ${n}_{\lambda}\leftarrow \left|\lambda \right|$ |

10: | $N\leftarrow |\mathsf{Enc}(k,m)|+{n}_{\lambda}$ ▹ $\mathsf{Enc}$ is the encryption scheme used by $\mathsf{\Pi}$ |

11: | Generate N random addresses ${a}_{i}$ for $i\in \{1,2,\dots ,N\}$ |

12: | Simulate $\mathsf{Embed}$ to generate payments to ${a}_{i}$ |

13: | Submit payments to blockchain one-by-one as $\mathsf{Embed}$ does |

14: | end if |

15: | ${b}^{\prime}\leftarrow {\mathsf{A}}_{2}^{\mathsf{Read},\mathsf{Submit}}({p}_{k},S)$ |

16: | if $b={b}^{\prime}$ then |

17: | return 1 ▹ $\mathsf{A}$ guessed correctly |

18: | else |

19: | return 0 ▹ $\mathsf{A}$ did not guess correctly |

20: | end if |

21: | end procedure |

**Definition**

**3.**

**Definition**

**4.**

**Definition**

**5.**

#### 5.3. Security Proof of $\mathsf{BLOCCE}$

**Proposition**

**3.**

**Proof.**

Algorithm 5 First Stage of the Adversary ${\mathsf{A}}^{\prime}$ | |

1: | procedure${\mathsf{A}\prime}_{1}^{{\mathsf{Enc}}_{k}}$(${1}^{s}$) |

2: | Initialize a blockchain $\mathcal{B}$ |

3: | $({s}_{k},{p}_{k})\leftarrow {\mathsf{Gen}}_{\Sigma}\left({1}^{s}\right)$ |

4: | $(m,S)\leftarrow {\mathsf{A}}_{1}^{\mathsf{Read},\mathsf{Submit}}\left({p}_{k}\right)$ ▹ Answers the queries according to the specification of $\mathcal{B}$ |

5: | ${S}^{\prime}\leftarrow $ state and internal information of $\mathcal{B}$ |

6: | output $(m,(S,{S}^{\prime},{p}_{k},{s}_{k}))$ |

7: | end procedure |

Algorithm 6 Second Stage of the Adversary ${\mathsf{A}}^{\prime}$ | |

1: | procedure${\mathsf{A}\prime}_{2}^{{\mathsf{Enc}}_{k}}$($c,(S,{S}^{\prime},{p}_{k},{s}_{k})$) |

2: | Initialize a blockchain $\mathcal{B}$ according to the state ${S}^{\prime}$ |

3: | $(\lambda ,k)\leftarrow {\mathsf{Gen}}_{\mathsf{BLOCCE}}\left({1}^{s}\right)$ |

4: | Embed $\lambda \left|\right|c$ into $\mathcal{B}$ by simulating $\mathsf{Embed}$ |

5: | ${b}^{\prime}\leftarrow {\mathsf{A}}_{2}^{\mathsf{Read},\mathsf{Submit}}({p}_{k},S)$ |

6: | output ${b}^{\prime}$ |

7: | end procedure |

- Suppose first that $D=1$ and ${\mathsf{A}}^{\prime}$ was given the correct $c\leftarrow \mathsf{Enc}(k,m)$. Then ${\mathsf{A}}^{\prime}$ embeds $\lambda \left|\right|c$ into the blockchain which follows the payment distinguishing experiment for $\mathsf{A}$ for the case $b=1$. Since ${\mathsf{A}}_{2}^{\prime}$ outputs the same bit ${b}^{\prime}$ as ${\mathsf{A}}_{2}$ we have$$Pr\left[{\mathsf{A}}^{\prime}\mathrm{succeeds}\mathrm{in}\mathsf{PRC}\_\mathsf{EXP}|D=1\right]=Pr\left[\mathsf{A}\mathrm{succeeds}|D=1\right].$$
- Suppose now that $D=0$ and c is a uniformly random string. By the description of ${\mathsf{Gen}}_{\mathsf{BLOCCE}}$, $\lambda $ is also uniformly random, meaning that a uniformly random string $\lambda \left|\right|c$ gets embedded into the blockchain. By the description of the payment distinguishing experiment, this is equal to the case $b=0$ and$$Pr\left[{\mathsf{A}}^{\prime}\mathrm{succeeds}\mathrm{in}\mathsf{PRC}\_\mathsf{EXP}|D=0\right]=Pr\left[\mathsf{A}\mathrm{succeeds}|D=0\right].$$

## 6. Discussion and Future Work

## 7. Conclusions

## Funding

## Conflicts of Interest

## References

- Nakamoto, S. Bitcoin: A Peer-to-Peer Electronic Cash System. 2008. Available online: https://bitcoin.org/bitcoin.pdf (accessed on 12 February 2018).
- Wood, G. Ethereum: A Secure Decentralized Transaction Ledger. 2014. Available online: http://gavwood.com/paper.pdf (accessed on 13 February 2018).
- Christidis, K.; Devetsikiotis, M. Blockchains and Smart Contracts for the Internet of Things. IEEE Access
**2016**, 4, 2292–2303. [Google Scholar] [CrossRef] - Mettler, M. Blockchain technology in healthcare: The revolution starts here. In Proceedings of the 2016 IEEE 18th International Conference on e-Health Networking, Applications and Services (Healthcom), Munich, Germany, 14–16 September 2016; pp. 1–3. [Google Scholar]
- Azaria, A.; Ekblaw, A.; Vieira, T.; Lippman, A. MedRec: Using Blockchain for Medical Data Access and Permission Management. In Proceedings of the 2016 2nd International Conference on Open and Big Data (OBD), Vienna, Austria, 22–24 August 2016; pp. 25–30. [Google Scholar]
- Matzutt, R.; Hiller, J.; Henze, M.; Ziegeldorf, J.H.; Müllmann, D.; Hohlfeld, O.; Wehrle, K. A Quantitative Analysis of the Impact of Arbitrary Blockchain Content on Bitcoin. In Proceedings of the 22nd International Conference on Financial Cryptography and Data Security (FC), Santa Barbara, 26 February–2 March 2018; Springer: Berlin, Germany, 2018. [Google Scholar]
- Matzutt, R.; Henze, M.; Ziegeldorf, J.H.; Hiller, J.; Wehrle, K. Thwarting Unwanted Blockchain Content Insertion. In Proceedings of the 2018 IEEE International Conference on Cloud Engineering (IC2E), Orlando, FL, USA, 17–20 April 2018; pp. 364–370. [Google Scholar]
- Barber, S.; Boyen, X.; Shi, E.; Uzun, E. Bitter to Better—How to Make Bitcoin a Better Currency. In Financial Cryptography and Data Security; Keromytis, A.D., Ed.; Springer: Berlin, Germany, 2012; pp. 399–414. [Google Scholar]
- Miers, I.; Garman, C.; Green, M.; Rubin, A.D. Zerocoin: Anonymous Distributed E-Cash from Bitcoin. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 19–22 May 2013; pp. 397–411. [Google Scholar]
- Sasson, E.B.; Chiesa, A.; Garman, C.; Green, M.; Miers, I.; Tromer, E.; Virza, M. Zerocash: Decentralized Anonymous Payments from Bitcoin. In Proceedings of the 2014 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 18–21 May 2014; pp. 459–474. [Google Scholar]
- Heilman, E.; Baldimtsi, F.; Goldberg, S. Blindly Signed Contracts: Anonymous On-Blockchain and Off-Blockchain Bitcoin Transactions. In Financial Cryptography and Data Security; Clark, J., Meiklejohn, S., Ryan, P.Y., Wallach, D., Brenner, M., Rohloff, K., Eds.; Springer: Berlin, Germany, 2016; pp. 43–60. [Google Scholar]
- Zyskind, G.; Nathan, O.; Pentland, A. Decentralizing Privacy: Using Blockchain to Protect Personal Data. In Proceedings of the 2015 IEEE Security and Privacy Workshops, San Jose, CA, USA, 21–22 May 2015; pp. 180–184. [Google Scholar]
- Aitzhan, N.Z.; Svetinovic, D. Security and Privacy in Decentralized Energy Trading through Multi-signatures, Blockchain and Anonymous Messaging Streams. IEEE Trans. Dependable Secur. Comput.
**2016**. [Google Scholar] [CrossRef] - Shafagh, H.; Burkhalter, L.; Hithnawi, A.; Duquennoy, S. Towards Blockchain-based Auditable Storage and Sharing of IoT Data. In Proceedings of the 2017 on Cloud Computing Security Workshop, CCSW ’17, Dallas, TX, USA, 3 November 2017; ACM: New York, NY, USA, 2017; pp. 45–50. [Google Scholar][Green Version]
- Bhowmik, D.; Feng, T. The multimedia blockchain: A distributed and tamper-proof media transaction framework. In Proceedings of the 2017 22nd International Conference on Digital Signal Processing (DSP), London, UK, 23–25 August 2017; pp. 1–5. [Google Scholar]
- Goldwasser, S.; Micali, S.; Rivest, R.L. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput.
**1988**, 17, 281–308. [Google Scholar] [CrossRef] - Möller, B. A Public-Key Encryption Scheme with Pseudo-random Ciphertexts. In Computer Security–ESORICS 2004; Samarati, P., Ryan, P., Gollmann, D., Molva, R., Eds.; Springer: Berlin, Germany, 2004; pp. 335–351. [Google Scholar]
- Katz, J.; Lindell, Y. Introduction to Modern Cryptography; Chapman & Hall/CRC: Boca Raton, FL, USA, 2007. [Google Scholar]
- Hopper, N.J.; Langford, J.; von Ahn, L. Provably Secure Steganography. In Advances in Cryptology—CRYPTO 2002; Yung, M., Ed.; Springer: Berlin, Germany, 2002; pp. 77–92. [Google Scholar]
- Dedić, N.; Itkis, G.; Reyzin, L.; Russell, S. Upper and Lower Bounds on Black-Box Steganography. J. Cryptol.
**2009**, 22, 365–394. [Google Scholar] [CrossRef] - Micali, S. ALGORAND: The Efficient and Democratic Ledger. ArXiv, 2016; arXiv:1607.01341. [Google Scholar]
- Backes, M.; Cachin, C. Public-Key Steganography with Active Attacks. In Theory of Cryptography; Kilian, J., Ed.; Springer: Berlin, Germany, 2005; pp. 210–226. [Google Scholar]
- Ron, D.; Shamir, A. Quantitative Analysis of the Full Bitcoin Transaction Graph. In Financial Cryptography and Data Security; Sadeghi, A.R., Ed.; Springer: Berlin, Germany, 2013; pp. 6–24. [Google Scholar]
- Bos, J.W.; Halderman, J.A.; Heninger, N.; Moore, J.; Naehrig, M.; Wustrow, E. Elliptic Curve Cryptography in Practice. In Financial Cryptography and Data Security; Christin, N., Safavi-Naini, R., Eds.; Springer: Berlin, Germany, 2014; pp. 157–175. [Google Scholar]
- Fleder, M.; Kester, M.S.; Pillai, S. Bitcoin Transaction Graph Analysis. ArXiv, 2015; arXiv:1502.01657. [Google Scholar]

**Figure 1.**A simplified overview of the suggested method. Alice submits payments to the blockchain such that the LSBs of the addresses form the message m. Bob can read the message bits from those addresses and form m. In the actual method, encryption is also used and the start of the message is indicated.

Variable | Explanation |
---|---|

H | hash function |

$({s}_{k},{p}_{k})$ | private and public key pair for the digital signature scheme |

$({s}_{k}^{\left(A\right)},{p}_{k}^{\left(A\right)})$ | Alice’s keypair |

k | secret key for symmetric encryption |

$\lambda $ | message start indicator |

${n}_{\lambda}$ | length of $\lambda $ |

m | hiddentext message |

c | $c\leftarrow \mathsf{Enc}(k,m)$ |

${c}^{\prime}$ | concatenation ${c}^{\prime}=\lambda \left|\right|c$ |

N | total number of embedded bits $N=|{c}^{\prime}|$ |

$a,{a}^{\left(i\right)}$ | address computed by hashing a public key |

$\mathcal{H}$ | the history of payments Alice has made through the blockchain |

${\mathcal{M}}_{\mathcal{H}}$ | distribution on the amount of money in Alice’s payment conditioned on the history of payments $\mathcal{H}$ |

$\mu $ | payment amount |

t | unique payment identifier |

$\sigma $ | digital signature |

$C,{C}_{i}$ | block in the blockchain |

P | payment |

${L}_{A}$ | total number of payments made by Alice |

© 2018 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Partala, J. Provably Secure Covert Communication on Blockchain. *Cryptography* **2018**, *2*, 18.
https://doi.org/10.3390/cryptography2030018

**AMA Style**

Partala J. Provably Secure Covert Communication on Blockchain. *Cryptography*. 2018; 2(3):18.
https://doi.org/10.3390/cryptography2030018

**Chicago/Turabian Style**

Partala, Juha. 2018. "Provably Secure Covert Communication on Blockchain" *Cryptography* 2, no. 3: 18.
https://doi.org/10.3390/cryptography2030018