The Applications of Blockchain in the Covert Communication

Key Laboratory of Aerospace Information Security and Trusted Computing Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China Hangzhou Innovation Institute, Beihang University, Hangzhou 310052, China Shandong Provincial Key Laboratory of Computer Networks, Qilu University of Technology (Shandong Academy of Sciences), Jinan 250014, China School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China Institute of Network System and Security, Peng Cheng Laboratory, Shenzhen 518000, China Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Guilin 541004, China Shanghai Key Laboratory of Privacy-Preserving Computation, MatrixElements Technologies, Shanghai 201204, China


Introduction
With the flourishing development of the Internet and computer science, network users communicate more and more on the Internet. The increasingly frequent interactions attract universal attention to the safety problem of information on the network, especially for some important sensitive information. So there is an expectation that covert communication can be realized to protect the safety, integrity, and secrecy in the process of information exchange.
The design goal of covert communication is to hide the relationship and the actual information exchange between the sender and the receiver beneath the superficial phenomenon. Where there is covert communication, there usually exists a subliminal channel. In 1983, Simmons [1] put forward the concept of the covert channel when solving the prisoners' problem that two prisoners want to construct a covert channel to plan an escape in an apparently normal conversation. A covert channel refers to a secret channel established in the digital signature, authentication, and other cryptosystems based on the public key infrastructure. Except for the sender and the designated receiver, no one knows whether there exists covert information in the transmitted cryptographic data content.
Traditional covert communication is served by a centralized channel generally, which results in the vulnerability to the interface of environment and other factors in the process. By monitoring the network and measuring the traffic, a covert channel can be distinguished by the attacker. Once the covert channel is detected by the attacker, participants are under threat of being exposed. In addition, the centralized nodes and devices are too weak to survive the attack, and the worst case may lead to the paralysis of the communication system. Furthermore, the covert message is usually delivered directly to the receiver. It is sufficiently challenging to find a solution for group covert communication under the circumstance of the traditional method.
As a break of the mainstream mechanism that relies on the third parties in information and trade exchanges, the blockchain [2] is a new technique developing rapidly recently. The blockchain has the characteristics of decentralization, nontampering, nonforgery, openness, and security, which draw the attention of all professions and trades. Not only financial services but also almost every electronic services start exploring the benefits of using the blockchain in their infrastructure. With the entry of the blockchain, new protocols, new applications, and new solutions are published, such as smart contracts, proof of existing services, and covert channels.
For example, the facilities of Bitcoin like Mastercoin [3] and Colored Coins [4] are used in many projects to provide alternative currencies and other financial instruments such as stocks and bonds. All these applications profit from the ability of Bitcoin transactions where additional information can be embedded, so that many scholars manage to apply the blockchain to construct subliminal channels in the field of covert communication.
Compared with traditional covert communication, the applications of the blockchain in covert communication can be highly advantageous. To start with, nodes of a peerto-peer network in the blockchain flood transactions and blocks. The identity of the receiver will be kept hidden in this mode of communication because there has no specific destination. Under this circumstance, it is more likely to achieve group communication. For another thing, the popularity of Bitcoin continues to grow as shown in Figure 1, so are other cryptocurrencies in the blockchain. As of February 2022, more than 81 million people had created unique Bitcoin wallets on http://Blockchain.com which makes purchasing Bitcoin possible. A huge amount of members lead to tremendous transactions, which provides benefits for covert communication. Thirdly, the blockchain is free of any government or organizational control. Users can send transactions anywhere in the world without banking infrastructure or exchange fees, which fosters the applications of blockchain in covert communication.
1.1. Our Contributions. In this paper we make the following contributions: (i) We present researches about covert communication with and without blockchain. We concentrate on the blockchain-based covert communication and present some typical work in detail (ii) According to the secret hiding place, we divide the subliminal channels used in the covert communication schemes on the blockchain into four categories: Address Channel, Value Channel, DSA Channel, and Script Channel. Their definitions and how to embed a secret in each kind of channel are given in Section 5 (iii) We perform an analysis of the proposed channels from three aspects: capacity, concealment, and efficiency. The summary of the related works is analyzed and some suggestions for further research are given in the end Organization of This Paper. The remaining of this paper is structured as below. In Section 2, traditional covert communication schemes are briefly explained. In Section 3, we introduce the relevant background materials. The review of some typical schemes is presented in Section 4; then, we classify the existing schemes according to their hiding location and analyze them in Section 5. We discuss the weaknesses of existing protocols and some research directions in Section 6. Finally, we make a conclusion of this paper in Section 7.

Traditional Covert Communication
As an application of information hiding technology, covert communication adopts unconventional patterns to break through restrictions of a message and employs steganography or coding permutation as a carrier to transmit the message secretly. The blockchain appeared in the military field [5] for the first time. Images, audios, and videos are used to build subliminal channels to exchange military information while avoiding the enemy's monitoring. At the military communication conference in 2010, Hijaz and Frost [6] studied the potential of covert communication within an orthogonal frequency division multiplexing (OFDM) waveform and realized secret communication by inserting a covert narrowband signal in a new subcarrier location of OFDM signal. Harvey et al. [7] emphasized the special requirements of specific military local area networks and talked about how higher band millimeter-wave technology can help to achieve high data rate and concealment at the same time.
As the Internet develops, covert communication has been extended to many different fields in which cryptography is taken as a carrier. As public-key cryptography develops, many covert channels are proposed such as DSAbased [8], RSA-based [9,10], and ECDSA-based [11]. Nevertheless, due to the bandwidth limitation, only a little message can be embedded in these schemes. Hartl et al. [12] proved the existence of a broadband covert channel in the EdDSA signature scheme. In 2001, Rivest et al. [13] formalized the notion of a ring signature and proposed a provably secure ring signature scheme. In 2012, Dong et al. [14] proposed an anonymous covert channel based on RST (Rivest, Shamir, and Taumann) ring signature to keep the signer himself covert anonymous to the covert receiver. In 2019, Wang et al. [15] proposed covert channels in the codebased ring signature scheme in which the designated receiver did not need to know the private key of the signer.
Based on different data carriers, there are three fundamental kinds of covert channels [16] called covert timing channels (CTCs), covert storage channels (CSCs), and covert network channels (CNCs). CTCs mainly use time stamp, the transmission time interval of data packet [17], and 2 Wireless Communications and Mobile Computing transmission quantity of data packet in unit time [18] to realize information transmission. Easy to be affected by network delay and jitter, CTCs have weak robustness [19]. And CSCs employ system variables or attributes except for time such as image [20,21], protocol [22], and biological signal [23] to represent covert information. Different from CTCs, CSCs are not easy to be disturbed by the network environment and have better robustness, higher information embedding rate, and more types of carriers. CNCs include variations of CTCs, CSCs, and the properties of the network over which they operate [24,25].

Preliminaries
In this section, we briefly review covert communication channel and the blockchain technology.

Covert Communication Channel.
As a supplement to the traditional encryption technology, information hiding embeds information covertly into the media or carrier so as to transmit secret information without being noticed. At first, it only used static media like images as carriers to hide information. But in recent years, as communication technology and network media develop, the widespread adoption of information hiding in the field of communication has gradually developed into an emerging technology-covert communication channel. Unlike the traditional encryption technology to hide the content of the message itself, covert communication is aimed at hiding the existence of a covert message. The information is transmitted secretly and the redundant part of the carrier serves to insert the processed information into communication and media messages. The model of a traditional covert communication channel with an omniscient knowledge of the covert channel is shown in Figure 2.
It is obvious that the covert/overt sender and receiver may not be the same node. So there are some requirements of the established channel to be covert and undetectable by the adversary.
(i) Subsurface; a covert channel ought to be hidden under an overt channel whose operation is not controlled by the adversary. If the overt channel gets closed, the covert channel will no longer exist.
(ii) Nonintervention and reasonable: there exist overt users, while covert users are using the communication channel. So users in the overt channel cannot be bothered or suspected, which requires the establishment of the covert channel to bring no damage to the existing channel.
(iii) Undifferentiated: in the communication channel, the covert data is supposed to be the same as the overt data. It is expected that the observer is not able to find out the difference between covert data and legitimate overt data.
3.2. Blockchain. As a data structure, blockchain consists of many blocks linked in the order of time from back to front which contain transactions submitted to it. The blockchain is also a tamper-resistant unforgeable distributed and decentralized ledger that can store sequential data which can be verified in the system. The addition of a consensus mechanism turns the blockchain into a trusted network. Block can be regarded as a container that aggregates inner transactions' information, whose structure is shown in Figure 3. TX refers to a transaction. It is composed of a block header 3 Wireless Communications and Mobile Computing followed by a series of transactions, which form the main body of the block. It has the following advantages.
3.2.1. Transparency. The openness and transparency of cryptography technology and data guarantee the security of the blockchain system. Anybody is able to join the blockchain as he wishes. Users can better supervise the data in the system and prevent dishonesty, denial, and disputes from happening. Cryptography guarantees that the exchanged message keeps privacy.

Decentralization.
There are no intermediaries and trusted third parties in the blockchain. The recording, verification, restoration, and transmission of the blockchain data are all based on the distributed system architecture, rather than the traditional central structure. The whole network will not collapse due to the failure of several nodes or the attack on the central node, and the data will not be leaked due to the trust issues of the central node. So the blockchain has better fault tolerance and antiattack ability.

3.2.
3. Traceability. Blockchain shows up as chain-like blocks with a timestamp attached, thus adding the time dimension and making it traceable and verifiable. Each node can track the changes in assets and transaction behavior according to the input and output of the transaction, which ensures the authenticity of data.
3.2.4. Immutability. Due to the special linked structure of blockchain, adjacent blocks keep in touch by means of hash values. Besides, the Merkle tree of each block guarantees that the transaction information cannot be distorted. Once the value of Merkle root is modified, the nonce in that block header is no longer legitimate. If an attacker wants to modify values in an existing block, he will have to modify the corresponding values in the latter block until the end of the chain to meet the needs of validation, which requires such tremen-dous computing power that it cannot be achieved within the time limit of consensus mechanism.

Collective Maintenance.
A specific mechanism is adopted to make sure that all the nodes in the system take part in the validation procedure of data blocks during which a particular node is chosen through a consensus algorithm to append new blocks to the blockchain. All nodes jointly maintain the network while keeping their local ledger.
3.2.6. Anonymity. In the blockchain system, the addresses and accounts are generated by the user himself as long as they are legitimate. From an observer's point of view, the identity of the participants cannot be obtained directly from the transaction information.

Types of Cryptocurrency.
On the basis of the openresource blockchain technology, any developer has the access to the original source code which contributes to the upper creation. It should be noted that cryptocurrencies such as Bitcoin are built on the blockchain rather than take the place of it. Blockchain is merely used as a way to record purchases, payment information, etc. As is shown in Figure 4, it is estimated by http://statista.com that there are more than 10000 transactions as of the writing.
Although cryptocurrencies are virtual currencies, they can be traded or invested like any other real currencies and are particularly independent of banks and governments. The "crypto" part in cryptocurrencies indicates complex cryptographic algorithms used to deal with the processing of digital currencies and their exchange across decentralized users. There is not one "best" cryptocurrency because each developer's design is focused on a certain point to solve an existed problem.
Here is an overview of some of the most popular digital coins and how each is being used. Table 1 provides the methods of signature used in mainstream cryptocurrencies and their pros and cons. The circulating supply of each cryptocurrency is updated on Feb. 28,2022. Type refers to whether the cryptocurrency is based on the UTXO model or not. The Signing Alg shows what kind of signing algorithm is adopted, and the elliptic curve used is shown in the column Curve.
Regarded as the first blockchain-based cryptocurrency launched by Satoshi in 2009, Bitcoin is the most popular and the biggest by market capitalization with the elimination of trusted third parties. Ether plays the role of the token on Ethereum to facilitate transactions. Designed on the basis of RippleNet, a digital payment platform, XRP was planned for financial institutions. In Litecoin, central processing  Figure 3: The structure of block. 4 Wireless Communications and Mobile Computing units (CPUs) can help the decoding process. Zeroknowledge proofs (zk-SNARKs) provide users in ZCash absolute privacy with no information leaked during validation. Taking advantage of the ring signature, Monero is able to hide the complete privacy of the sender. Unlike serving as a store of trading, Dash is devoted to becoming a real-life form of payment. In addition to payments, Lumens (XLM) can be used to fight spam.

Ethereum.
Forbes mentioned that Ethereum is the first generic blockchain platform that allows users to create and deploy their decentralized and trustless applications easily. It has created incredible opportunities in the FinTech space. This section will introduce what Ethereum is and the Whisper protocol therein. Ethereum is a decentralized application platform on the strength of blockchain technology. It allows users to establish and have distributed applications running on this platform in a decentralized manner. This means that applications running on Ethereum are available anywhere and anytime.
Compared with Bitcoin, Ethereum uses the account model rather than UTXO. This brings some advantages. Each transaction in Ethereum has only one input, one output, and one signature, thus saving much space and making it easier to understand. And the simple coding ability is required while there is no need to write complex scripts.
In the Whisper protocol, based on blockchain, Ethereum provides context both for the distributed applications (DAPP) and for the developers. In a DAPP where participants manage to reach an agreement, one-on-one communication between them is of great importance. That also accounts for the reason why Whisper takes a significant part under the circumstance of Ethereum [26]. Serving as the "decentralized communicate" component, Whisper works on a peer-to-peer framework with no server participating throughout the whole process and allows nodes to conceal the correlative information from unrelated parties while securely interacting with each other.
All the messages broadcast on the public network are routed according to the topic specified as shown in Figure 5 until they reach their destinations. Since there is a direct correspondence between every topic and the key to encrypt/decrypt data, that is to say, the covert message is encrypted with the public key of the recipient and is spread afterward. Nodes can apply for interested topics. Then, only messages with these topics will be received, the others will be abandoned.
The envelope acts as the basic data transfer unit in the Whisper protocol [27], whose structure is shown in Figure 6. There are two components in the envelope: enciphered data body and unencrypted metadata utilized for verification and data decryption in the envelope.
RLP (Recursive Length Prefix) encoding format is used while transmitting envelope.
(i) Version: 4 bytes at most (only 1 byte is being used now). During the transmission, if the envelope has a higher version than the node gets, it will not be decrypted and be forwarded only (v) AESNounce: 12-byte random digit, valid merely in symmetric encryption (vi) Data: encrypted data body, whose role is to store message. It mainly consists of two parts. One is payload where the genuine information is located and is often enciphered in advance. The other is padding used to lower the risk of information exposure through the length (vii) EnvNonce: 8-byte arbitrary data (for PoW calculation) (viii) PoW: The aim of exploiting PoW is to reduce the quantity of junk mails and lighten network loads The default rule to set data in version 5 is to keep the data length at multiples of 256 bytes. When obtaining an envelope whose topic is acknowledged, it will be decrypted by the appropriate key to gain the real information. Obviously, the identity of the sender in Whisper cannot be traced, let alone the location of the sender.
In the Whisper protocol, after each peer is connected successfully, two goroutines are generated to receive and broadcast messages.

Wireless Communications and Mobile
Computing smart contract has been applied in many fields such as identity management [28], IoT [29], and medical privacy [30].
The smart contract makes the blockchain-based applications more convenient and expandable. While the contract is written into the blockchain in a digital form, the written data cannot be deleted but can be added or altered as a result of the characteristics of the blockchain. The whole process is transparent and trackable to ensure historical traceability. Because the behavior will be permanently recorded, the interference of malicious behavior on the normal execution of the contract can be avoided to a great extent. With the influence of centralization factors avoided, the cost efficiency of smart contract improves a lot.

Review of Blockchain-Based Covert Communication Protocols
Due to the immutable chain structure and distributed storage schema, a secure channel can be offered by blockchain. It requires extremely high cost that nearly nobody can afford to alter or fabricate the historical blocks. Because the blockchain network is on the basis of the peer-to-peer network, no third-party provider is needed while establishing the communication channel and delivering messages on it, thus making the blockchain-based covert communication protocols invulnerable to any availability attacks.
We investigated a number of recent papers related to blockchain-based covert communication protocols. Here, we make brief illustrations of some typical schemes by supposing a scene in which Alice, the sender, tries to dispatch a message denoted by M secretly to Bob, the receiver. [31] provided an illustration of the method called BLOCCE = ðGen BLOCCE , Embed, ExtractÞ (Blockchain Covert Channel) in detail.

BLOCCE. Partala
It is assumed that the latent message is of constant length and known to both Alice and Bob. Before transmission, a pretreatment of M, a symmetric encryption algorithm SE = ðGen SE , Enc, DecÞ whose secret key k is required. The protocol shown in Figure 7 proceeds as follows:  Step 2 (Embed): a small quantity of transfer transactions are generated by Alice from her individual account to the newly generated addresses in the previous step. In advance, according to the secret text c ′ ⟵ λjjc, c ⟵ Encðk, MÞ of the plaintext M and a random message start indicator λ, Alice orders these addresses to use the least significant bits (LSBs) of the payment addresses to make up c ′ . Note that both Alice and Bob know n λ (the length of λ) and jcj (the length of c) denoted by N = n λ + jcj, where N is the length of hidden text message c′.
Step 3: Alice submits payments to the blockchain in the correct order and for each block, there is a single payment from Alice, so that the message can be gathered properly.
Step 4 (Extract): after reading the blockchain and filtering out transactions made by Alice, Bob can concat the LSBs of the payment addresses to obtain the hidden text. The first n λ bits generates λ, while the next jcj generates ciphertext c. Eventually, the plaintext message M ⟵ Decðk, cÞ can be extracted.
This protocol is considered the first attempt to combine blockchain with covert communication. The size of data carried in each transaction is so small that it will not be used for real. Although it has extremely low efficiency, it contributes a lot to the following research.

V-BLOCCE.
Improving on the BLOCCE, Lejun et al. [32] proposed the V-BLOCCE, a covert communication method. In this method, the covert message is coded in the form of Base58 and the addresses including embedded data are generated by Vanitygen. Figure 8 shows the integrated procedure of the system.
Step 1: the message M is encrypted into a provisional cipher and then completed with the Base58 encoding to get the ultimate ciphertext.
Step 2: All the different characters appeared in the final ciphertext are stitched into a string which is provided for the Vanitygen software to generate Bitcoin addresses.
Step 3: Alice goes through these addresses looking for matches with the characters of ciphertext. If a match is found, the index of the character in the ciphertext and the index of the addresses are recorded as a tuple in a list. In this way, the information is embedded with the index list generated. Then, the addresses are sorted in order of their hash value and the index lists are encrypted to be filled in the OP_RETURN field.
Step 4: Bob scans the transactions sent by Alice for the transaction information. Next, he picks up the order of the address used and the index information from OP_RETURN which are used to determine every character and its location to restore the ciphertext. It is decoded by Base58 and then decrypted to acquire the real message M.
Based on the protocol in Subsection 4.1, it improves the efficiency of data entry into special transactions. Furthermore, it leads the attention of researchers to the script field in the transaction, which brings more potential application to this domain.

DLchain.
Tian et al. [33] proposed a new blockchain covert channel construction scheme implemented with dynamic labels which are generated on the basis of the distribution of a large amount of real transaction data to guarantee its dynamic and variety. Here, the OP_RETURN script is chosen to carry labels whose fixed length is 23. The scheme process is shown in Figure 9.
Step 1: dynamic labels are produced by both sides in the communication at the same time. So the receiver is able to recognize specific transactions coming from the sender.
Step 2: a prenegotiated key is employed to encrypt the message. Then, the encrypted messages take the place of the private key required in signature generation. At last, the sender signs two transactions with the particular private-key and packages the agreed label into them.
Step 3: after verification, the transactions spread through peer-to-peer connections online and the corresponding record is kept by the blockchain.
Step 4: in the light of the negotiated dynamic label, transactions with information hidden can be identified and filtered.
Step 5: the receiver extracts the secret message.
Taking the DGA algorithm Banjori [34] as a reference, the dynamic label generation algorithm is designed after analyzing the universal distribution of the OP_RETURN scripts in the practical transaction data statistically to make the label indiscernible.
This protocol focuses its attention on the verification phase. It is perceived that many special transactions with the covert message are attached to a fixed label so that receiver can make a distinguishment. This protocol puts forward a dynamic label generation algorithm which is frontline at that time.

Whispers on Ethereum: Blockchain-Based Covert Data
Embedding Schemes. Liu et al. [35] used the VALUE field of a transaction in the Ethereum system to construct a one-bit embedding (OBE) scheme and an HMAC-based multiple-bit embedding (HMAC-based MBE) scheme. Furthermore, a Hash-based multiple-bit embedding (Hashbased MBE) scheme is proposed to enhance the covertness. The hidden message in all the proposed schemes is stored directly in the VALUE field.
Liu et al. [36] proposed a novel Monero-based covert communication system which provided higher security to fend off Eclipse attacks [37] and node crawling attacks [38]. The covert data is converted to decimal and then takes the place of the amount field in the transfer transaction. At the same time, the application of Stealth Address implements the anonymity of the receiver, while the application of the ring signature guarantees the privacy of the sender.
In these three schemes mentioned before, the AES encryption scheme is used to encrypt secret data M before it is embedded into the transactions which is defined as c = rjjAES k 1 ðrÞ ⊕ M. Here, c is the cipher text, k 1 is the encryption key and even if the same message M is encrypted for multiple times, the ciphertext will not be the same thanks to the random number r; thus, the chosen plaintext attack can be resisted.
4.4.1. The OBE Scheme. Transactions are constructed for each bit by filling in the VALUE field when traversing the ciphertext c bit-by-bit as is shown in Figure 10. There are two intervals V 0 , V 1 representing the result of the HMAC. For every bit in c, if the bit c½i is 0, calculate a number VALUE to meet the demand that its HMAC result HMACðk 2 , VALUEÞ is in the set V 0 . k 2 is the HMAC key. And when the bit c½i is 1, then calculate a number VALUE whose HMAC result HMACðk 2 , VALUE Þ stays in the interval V 1 . In this scheme, only one bit is loaded in a transaction, which means the embedding rate is 1 bpt (bit per transaction).
Since the OBE scheme has low efficiency in the aspect of the embedding rate, a multiple-bit embedding scheme is further proposed as shown in Figures 11 and 12. 4.4.2. The HMAC-Based MBE Scheme. The first bit of the VALUE of the transaction is supposed to be 1. Then, we traverse the ciphertext c, for each bit c½i, we select a number from 0 to 15 to make the HMAC result in the corresponding interval similarly to the OBE scheme. In this way, every 4 bits generated to represent 1 bit of the ciphertext will be placed in order together with the first bit 1 in the VALUE field of the constructed transaction.

The Hash-Based MBE Scheme.
Apart from the covert data, the obfuscation data in this scheme is introduced to confuse the attacker. Before constructing the covert channel, a mixed hash root indicating the index of significant bits in the VALUE field of each transaction needs to be known to both the sender and the recipient. Valid ciphertext is divided into bits which are sequentially stored in the location of bit "1" in the binary representation of the mixed hash. Note that the second bit of VALUE and the first bit of the mixed hash should align. Moreover, the mixed hash of the first embedded transaction hashs from the mixed hash root while the mixed hash of the latter transaction hashs from that of the former transaction.
This protocol uses VALUE field in the transaction, which makes the embedding rate related to the length of value. Nevertheless, the requirements for special value in the special transaction may arise suspicion which needs be considered in the future work.   Figure 13 founded on the Whisper protocol which is applicable to Ethereum. In the architecture of Whisper network, envelope which consists of enciphered data and unencrypted data is the basic form of data transmission. Each envelope contains a topic introduced to scan for the target envelopes, and there is a one-to-one mapping between each topic and a encrypt/ decrypt key. The protocol proceeds as follows: Step 1: before transmission, each node participating in the covert communication needs to interact with Whisper to obtain the topic and key. Next, the secret message M will be encrypted to C to ensure its concealment.
Step 2: Alice sets the value of payload and padding to establish the envelope which is encrypted with the key obtained in step 1. The payload is either generated randomly or provided by Alice. For each bit of C, Alice compares it with each bit of the payload working as a carrier. If the match is successful, Alice will take down the indexes of the carrier and corresponding encrypted message.
Alice replaces the matched bits in C with * and repeats the former step until the message has only * or the payload does not contain any message characters. In the meanwhile, two index arrays are generated and stitched together as the first part of the padding P 1 . Then, Alice sets a splitter R as the second part and a random redundant field P 2 as the last part of the padding. And P 1 , R, P 2 are spliced into the padding.
Step 3: some attributes like TTL are packaged with the topic of the envelope set to construct the envelope.
Step 4: with the widespread of envelope, Bob is able to find out the particular envelope with the negotiated topic and obtains the payload and padding. After obtaining pad-ding field, P 1 can be gained by deleting R and P 2 and then be decrypted to obtain the index arrays, according to which the ciphertext C can be restored and then decrypted to the original message M.
This protocol takes advantage of Whisper protocol in Ethereum which is unique to other blockchain platforms. Focusing on the specific characteristics of current blockchain products provides innovation and alternative to the further research.

CCBRSN. Wang and Su [40] proposed a system called Covert Communication based on Bitcoin Regtest Self-built Network (CCBRSN), which takes blockchain as a covert communication channel.
The secret message is embedded into the blockchain's addresses in transmission. DES and Base58 are used to encrypt and code the secret message before embedding the encrypted message into a group of addresses which is employed to conduct a ciphertext-embedded transaction. As is shown in Figure 14, the system works as follows: Step 1: Alice uses DES to encrypt the secret message M whose encryption key k is prenegotiated to get the result DES k ðMÞ. Then, Base58 is called to encode DES k ðMÞ into Base58ðbÞ.
Step 2: Alice uses ECDSA while generating a private/ public key pair ðsk ð1Þ , pk ð1Þ Þ. Then, pk ð1Þ needs to be computed using SHA256 hash, RIPEMD160 hash, and Base58 step by step to produce a corresponding address a ð1Þ .
Step 3: for every bit of a ð1Þ , Alice matches it with each bit of Base58ðbÞ. If succeed, Alice will record corresponding indexes of a ð1Þ as set a and indexes of Base58ðbÞ as set M which meet the equality that a ð1Þ ½set a k = Base58ðbÞ½set M k (k means an arbitrary but the same place in the set).
Step 4: with the corresponding bits in Base58ðbÞ replaced by * , Base58ðbÞ is consequently transformed into Base58ðb1Þ . Then, Alice continues to repeat the same procedure for Base58ðb1Þ until every bit in Base58ðb1Þ is replaced.
Step 5: a transaction whose output addresses are a ð1Þ , a ð2Þ , ⋯, a ðnÞ is submitted to the blockchain. And the earlier the address is generated, the more the transaction fee will be set to define the sequence. Then, the sets fset M g n , fset a g n and transaction ID TxID are packed into a file File for the following extraction.

Wireless Communications and Mobile Computing
Step 6: to protect the content of File, DES encryption is applied with a negotiated key before encrypting File into e ncFile.
Step 7: having received the encFile, Bob first decrypts it into File to obtain fset M g n , fset a g n and TxID. And then, he finds the transaction in line with the TxID, gets the output addresses, and restores the ciphertext according to the correspondence.
Step 8: finally, after decoding with Base58 and decrypting with DES, Bob transforms the ciphertext into plaintext, so-called the secret message M.
With essential data for encryption/decryption recorded in an extra file and encoded data recorded in the addresses, this protocol achieves the cooperation between online transactions and offline transfers. However, when there are a lot of online transactions and offline files delivered to the receiver, it may lead to a mismatch.

A Covert Communication Model Realized by Using
Smart Contracts. Zhang et al. [41] proposed a covert communication model combined with smart contracts to covertly transfer information under the blockchain circumstance. The parameters in the contract are used to carry the secret message, and the covert communication is completed by calling the smart contract.
Supposing that the secret message is encoded in ASCII format after the negotiation between Alice and Bob, a number ranging from 0 to 95 can represent any one of the 95 characters from 32nd to the 126th in the ASCII table. Take the biding contract as an example, the protocol shown in Figure 15 proceeds as follows: Step 1: before communication, Alice and Bob need to reach a consensus on the effective price range interaction where quotations can be made. When bidding, the two decimal places are regarded as a carrier considering the number of characters used is 95.
Step 2: an actual price and the corresponding address of each bid are generated. Alice invokes the keccak(), a unidirectional cryptographic algorithm to produce an encrypted price of the bid with covert information embedded. Furthermore, the quoted price is exchanged between participants in enciphered form thus improving the tamper-proof ability when bidding.
Step 3: in the quotation announcement period, Alice provides both the special bids and the normal bids to the contract for comparison. If the bid matches the range, it is considered effective in the communication and will be used to restore the covert information.
Step 4: Bob extracts a price sequence from all the effective bids and selects all the prices within the valid price range. The number after the decimal point of the selected prices will be converted into a character according to the mapping relationship mentioned above. Then, the characters are ordered from low to high according to the number before the decimal point to generate the covert information.
Rather than common transfer transactions, this protocol makes use of smart contract where there are more application scenarios. Since the parameters of a customized contract are more flexible, this protocol provides better secrecy.

MRCC: A Practical Covert Channel over Monero.
Guo et al. [42] proposed a practical and secure covert channel with no labels employed.
Before constructing a covert channel, both the sender and receiver have to reach an agreement on the data transfer algorithm and the necessary key information, including a public-key encryption scheme PKE = ðGen, Enc, DecÞ, a related key pair ðPK e , SK e Þ to encrypt/decrypt the message, and Bob's address ðA, BÞ. In the interest of brevity, let us suppose that both M and its corresponding ciphertext under PKE are of n-bit length. The protocol shown in Figure 16 proceeds as follows: Step 1: the plaintext M is encrypted by PK e , and C is the ciphertext.
Step 2: Alice establishes a particular transaction tx = ðP K½n, OTA, v, σÞ which has the same format of common transactions. In the constructed transaction tx, PK½n is a public key set whose hash values' the least valid bits make up C, OTA is an one-time address of Bob, and σ is a significant ring signature generated by Alice's spending key.

Wireless Communications and Mobile Computing
Step 4: while going through all of Monero's blockchain, Bob recognizes tx from the general transactions with the help of his tracking key.
Step 5: as PK½n can be extracted from tx easily, Bob needs to pick up the least significant bit of each public key's hash value to reconstruct C. After the decryption of C using SK e , the real message M will be the output.
This protocol pays attention to the technical characteristics of the blockchain platform, which makes the application of blockchain in the covert communication more customized than other protocols. However, there are some weaknesses that random value in elliptic curve (ed25519 in this protocol) cannot be replaced by any 256-bit number completely due to the range. So more details should be considered when pursuing research.

Comparison and Analysis
In this section, we will give some requirements for the blockchain-based covert communication channel and analysis based on the embedding position of the covert message.
There are some needs for the message embedding.
(i) Message Processing: in different kinds of protocols, the covert information is transformed into different forms depending on the way it splits. And for the concealment of the information, it is usually encrypted into ciphertext before transmission.
(ii) Indistinguishability: here, indistinguishability is defined from two aspects. On the one hand, indistinguishability in behavior is necessary. All the network behavior that happened during the phase of covert communication between the sender and receiver proceeds on the basis of universal blockchain protocols. So it is supposed to be indistinguishable from the behavior of ordinary blockchain users. On the other hand, the content and form of the blocks with a message are required to be indistinguishable. So that the malicious user observing the network will not have the ability to perceive hidden messages until the recognition method is known.
(iii) Compatible: the proposed covert communication system must be compatible with the existing public blockchains. It is not hard to figure out that the concealment of special transactions keeps improving with increasing normal transactions in a blockchain. Therefore, scenarios best suited for concealed data transmission are usually public blockchain. It is a must for the covert communication mechanism to be compatible with popular public blockchains without modifying their protocols The comparison is shown in Table 2 and Table 3. It is assumed that there are 4 inputs in a Bytecoin transaction and 10 public keys in its ring signature.

Address Channel.
Address Channel is a method using the address field of the blockchain when achieving covert communication. A Bitcoin transaction is a data structure consisting of inputs and outputs in which information of a fund flows from the initial place (inputs) to its destination (outputs). The inputs and outputs of the transaction have nothing to do with accounts or identity. They can be understood as a certain amount of Bitcoins with secret information locked. Only their owner or someone who knows the secret can unlock them. Transactions have multiple data fields as is shown in Table 4.
Blockchain address generation goes through a series of algorithms such as ECDSA, SHA-256, and RIPEMD-160, which means the generated address is random in some way under meeting standards. So as long as the addresses that occurred in the blockchain are legitimate, the addressbased covert message will not be censored.
Partala [31] proposed an ideal covert communication protocol based on the blockchain. The protocol used a symmetric encryption scheme to deal with the covert message, attached a random tag to it, converted each character in it into an 8 bits binary number, and then embedded it into the generated address bit-by-bit. There are as many addresses needed as the bits of the processed information, which results in low efficiency.
Lejun et al. [32] chose Base58 rather than binarization to encode the message which directly increases the embedding bytes. With Vanitygen generating addresses which can be reused in information embedding and the OP_RETURN field utilized to save the index lists, the efficiency of information transmission increased greatly.
Wang and Su [40] encrypted and encoded plaintext, then embedded it into Bitcoin's output address. With these addresses as a carrier of the covert message, special transactions were constructed to transmit information. However, due to the size limit of the transaction, the message could be too large to be embedded. Meanwhile, the file for decryption is a necessity for restoration and is very important to the receiver, which requires an extrasecure transmission tunnel in the offline transfer.  The covert message is embedded in the address interaction relationship combined with the transaction amount. This embedding method decreases the quantity of transactions while increasing the embedding capacity of a single transaction. Besides, a recycled transaction index matrix of address is designed to save the intracorporeal relationship, thus making the address reused.
Minaei et al. [44] proposed R3C3 using the Insight API. It is widely acknowledged that the addresses in the Zcash are of two types: shielded address and unshielded address, the transactions fall into two kinds: minting transaction which creates new coins and pouring transaction which transfers the value of one coin to some new coins. Shielded outputs of a pouring transaction are tuples of the form ðrt, sn old , co m new 1 , ct 1 , com new 2 , ct 2 , h, vk * , σ * , π pour Þ, in which rt, sn old , and com new i are used to complete the zero-knowledge proof π pour , ct i is used to reconstruct the coin. But since the receiver is in alliance with the sender, ct i can be reused to carry encrypted data whose portion constitutes 584 bytes.
Cao et al. [51] put forward a chain-based data embedding scheme. Rather than using one address once in the transaction, the proposed scheme uses the derivation from input address to output address to denote 0 or 1. In this way, one bit of binary data is embedded into a transaction.
With low transport volumes, Address Channel is favored when transferring short covert messages. Since each transaction is recorded according to the time sequence, there is no need to worry mess up covert transactions which makes Address Channel suitable for interactive communication.

Value Channel.
Value Channel is a method using the VALUE field of the blockchain when achieving covert communication. It is noted that the VALUE field can be the amount of transfer, the parameters of the smart contract, or other flexible values.
In the Ethereum, its editable fields are described in Table 5 concerning the summary in [35]. Compared with the address field and the input field, the VALUE field is much more flexible. Whatever the value is, it complies with the specifications. So it can be used to store covert messages.
Liu et al. [35] proposed an OBE scheme and two MBE schemes, all of which take advantage of the VALUE field in transactions to construct a subliminal communication channel in Ethereum for the first time. Although the chosen location of the embedded message is exquisite, there lacks a method to recognize special transactions. The receiver has to consider all the transactions delivered from the sender as special transactions, which is bound to increase the processing burden of the receiver.
The smart contract is regarded as a covert communication carrier worth considering due to its diversity, redundancy, and programmability of data. The parameters submitted when calling a contract can be treated as a value.
Zhang et al. [41] proposed the scheme which first encrypted and encoded the data to be transferred in the form of ASCII. To call the smart contract, parameters need to be constructed accordingly. Besides, redundant parameters can be set to enhance the concealment of secret information and to defend against malicious attacks. When using hexadecimal as the format of information and containing eight prices in the bidding contract for each transaction, the loading capacity of a single transaction is 4 bytes.
Basuki et al. [45] proposed the joint use of image steganography and smart contract calling in the Ethereum to achieve a natural transactional model and high volume covert communication. The picture-based steganography is used to supply the scheme with a large storage capacity. By contrast, only the instruction manual is required to be recorded in the transactional steganography to retrieve the stegano-image, thus decreasing the amount of transactions. A smart contract for sensor gateways serves as the experimental platform in the proposed scheme. Pretending as one of the gateways, the sender will update sensor data regularly to the blockchain.

12
Wireless Communications and Mobile Computing Compared with Address Channel, there is more flexibility in Value Channel. Value Channel is suitable for all blockchain platforms. But long communication which draws attackers' attention is not available, because the value of the special transaction is so intentionally designed that it may be exposed by statistical analysis.

Digital
Signature Algorithm (DSA) Channel. DSA Channel is a method using the signature field of the blockchain when achieving covert communication. It is easy to find out that all the mainstream blockchain cryptocurrencies use original cryptographic primitives, for instance, digital signatures and noninteractive zero-knowledge proofs, so  Alsalami and Zhang [47] demonstrated how to embed covert messages in any subsistent public blockchain where there is enough redundant data. Covert information is embedded in the signatures of the transaction and then broadcast over the blockchain. To isolate and recognize transactions equipped with stegano-text, the receiver has to scan every new transaction appended to the blockchain. If desired transactions are detected, a secret message will be extracted. Otherwise, the receiver keeps searching.
Alsalami and Zhang [49] designed and implemented the first practical covert broadcast communication system which combines steganographic technique with Boneh et al. [52] broadcast encryption scheme. In the CryptoNote protocol, the random numbers in the ring signature are uncontrolled random group elements that can be employed. Considering that the highest significant bit of the random value is not uniformly distributed on 0 and 1, only the least 252 bits of the random number are used to embed covert messages to ensure indistinguishability.
Recabarren and Carbunar [46] introduced a Bitcoinbased framework, called Tithonus, which provides a censorship-resistant communication mechanism. Rather than employing a blockchain consensus mechanism of low speed and high expense, Tithonus makes use of the peerto-peer gossip protocol in the blockchain as a straightforward agent to exchange covert messages. The encrypted information is embedded in the elliptic curve point generation procedure.
Ali et al. [53] proposed ZombieCoin 2.0 and validated Brenner's discussion [54] that the blockchain technology can be applied to the transmission of C&C instructions secretly. The C&C instruction within 32 bytes can be embedded in the 32-byte ECDSA private key. After the prototype implementation of ZombieCoin 2.0, Ali et al. deployed and controlled the Bitcoin network successfully.
Frkat et al. [43] presented ChanChannels which is a hidden botnet communication in which covert message is injected into the classical Elliptic Curve Digital Signature Algorithm (ECDSA) commonly used in the blockchain. In order to insert a covert message, the randomness in the signature is substituted with the hidden message. Using broadband secret channels, the proposed method could be distributed over multiple blockchains instead of a specific blockchain.
DSA Channel is for use in all scenarios where participants have the capabilities to sign and verify the customized signature. DSA Channel is preferred in the scenario relating to confidential information because outside users can only see on the face of it.

Script Channel.
Script Channel is a method of calling other scripts when achieving covert communication. Bitcoin client calls a verifying script to distinguish transactions. A scriptPubkey is written into UTXO which simultaneously contains a scriptSig written in the same scripting language as the previous script. When a Bitcoin transaction is verified, the scriptSig in each input will be executed at the same time with the corresponding sigPubkey (without mutual interference), so as to check whether the transaction meets the applicable condition.
In the 0.9 version of the Bitcoin client, OP_RETURN operator has been used to compromise a situation that the blockchain is utilized to store data irrelevant to Bitcoin payment. OP_RETURN script allows developers to append nontransactional data of 40 bytes to the output of the transaction and create a remarkable nontransaction output with no need for storage in the UTXO set. The outputs of OP_ RETURN are logged on the blockchain, which increases both the disk space consumption and the size of the blockchain. However, since they are not stored in UTXO, they will  (ii) Inefficient screening: in most cases, the receiver needs to scan all the received transactions and execute a recognition algorithm for special transactions, which leads to low efficiency (iii) Vaporization of covertness. It is out of disputes that covert message stays hidden after the communication at first. But as time goes by, attackers can collect transactions sufficient enough to analyze, which increases the risk of exposure A satisfactory covert communication protocol is supposed to hide its existence as much as possible while protecting the identities of participants in the communication at the same time especially when it has been detected. As is detailed below, some research directions are recommended in future work.
6.1. One-to-Many Solution. Construct an efficient scheme for one-to-many covert communication, that is, the sender can distribute the same secret message imperceptibly at the same time to many receivers whose communication keys are different. Current covert communication mainly allows people to be in touch one-to-one with the session key negotiated. If there requires one-to-many covert communication, it is more convenient to construct a special multikey protocol rather than embed the same message multiple times for each receiver; then, the receiver can extract the message with their own key. The existence of such a multikey covert communication scheme can be verified in future work.

Temporariness within Time Slice.
Due to the immutability of blockchain, once the covert message is embedded and submitted, the probability of altering or withdrawing it is extremely low. Besides, the integrity guarantees are not supported by any centralized party, but by the consensus of the entire network. The embedding of covert messages is too fragile to stay undetected forever. Once the embedding is detected, the hidden message is supposed not to be extracted successfully. It is inevitable to consider the revocation and variation of covert communication by introducing an effective time slice. Considering that blockchain includes timestamp which provides a temporal feature by nature, how to embed a covert message into blockchain temporarily will become a trend of future work. The existence of such a scheme can be verified in further research for the future.
6.3. Key Compromise Impersonation Resilience. In cryptography, key disclosure is a serious problem. Once the commu-nication key is leaked, the attackers may be able to forge a fake message sent to the legal receiver which disturbs the peace of the covert communication system. However, keyevolution and key-insulated schemes have been put forward to solve the problem mentioned above. Therefore, how to construct a provably secure antikey-disclosure scheme will be the following step of this paper.

Conclusion
In this paper, we provide an in-depth review of the applications of blockchain in the covert communication. In recent decades, blockchain technology has attracted a lot of interest in various applications, such as the Internet of Things, identity management, and covert communication. Covert communication uses information hiding techniques to embed secret messages into information carriers during the transmission, which protects the privacy of the secret message. With the underlying technology of cryptocurrencies in blockchain, there are a growing number of researches about covert communication on the blockchain. We investigate these schemes and classify them into certain types according to the hiding position. We also present the difference and comparisons among these types. With the analysis of current protocols, we aim to put forward some new schemes with higher capacity, lower cost, and better efficiency in the future work. With the same underlying architecture of blockchain, analyzing the applications of blockchain in the covert communication contributes to the following research.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare no conflicts of interest.