1. Introduction
Covert communication [1] is a method of hiding information, a process in which the sender transmits a covert message over a public channel through a carrier and the receiver receives the message, making it difficult for a third party to notice or detect the existence of the communication. In traditional covert communication, images [2], videos [3], files [4] , etc. are often used as carriers. Although they have a high embedding rate, the content of the communication is susceptible to problems such as eavesdropping. Blockchain technology is characterized by decentralization and anonymity. The choice of blockchain as a carrier for covert communications helps to compensate for some of the deficiencies that exist in traditional covert communications, but it is also necessary to consider the security and privacy challenges specific to blockchain.
Blockchain covert communication refers to the use of covert communication technology for secure and hidden messaging within the framework of blockchain technology. In this scenario, both communicators utilize a certain carrier of the blockchain to communicate while keeping their communication activities hidden from outside observers. Although this provides an additional layer of security for communication, however, the main challenge in blockchain covert communication is the balance between covertness and embedding rate. Concealment requires that communication activities are not readily detectable, while the embedding rate relates to the ability to embed information in the communication vector. In blockchain covert communication, potential vectors include transaction amounts [5], storage fields [6], transaction addresses [7], protocols [8], etc. in blockchain transactions. However, blockchain transaction amount as one of the carriers has some problems, such as low embedding rate, large transaction amount, and easy detection. The number of embedded messages increases as the transaction amount becomes larger, but a high transaction amount also increases the risk of being easily detected.
Therefore, this paper designs a scheme to realize covert communication based on digital currency transaction amount matrix decomposition method. First, the information to be transmitted is encrypted to form a ciphertext, and then the ciphertext is sliced and transformed into a large amount matrix. Next, two small transaction amount matrices are obtained by decomposing the large amount matrix. Finally, we skillfully utilize the amounts in these two small matrices as transmission carriers to transmit the information. This scheme not only improves the embedding rate and reduces the consumption of transaction amounts, but also has certain resistance to detection.
Our contribution can be summarized as follows.
• In this paper, we design a novel matrix decomposition method, which actually represents the large amount matrix by two small amount matrices. The method reduces the amount consumption and improves the embedding rate. And the method makes the distribution of the length of the amount in the decomposition matrix on the range 𝑑 in this method, which makes the scheme resistant to detection.
• The set of transaction sender addresses and the set of transaction receiver addresses are generated by sharing Key off-chain. And the positions of the elements in the small amount matrix are represented by the interaction between the addresses.
• Finally, this paper demonstrates the feasibility of the novel matrix decomposition method and analyzes the resistance to detection and embedding rate of this scheme by experiments.
The rest of the paper is organized as follows. In Section 2, the research work related to blockchain covert communication, common matrix decomposition methods and the matrix decomposition method designed in this paper are introduced. Section 3 details the scheme design for implementing covert communication based on the matrix decomposition method of digital currency transaction amounts. In Section 4, we first compare and analyze the matrix decomposition method from four aspects, then we analyze the resistance to detection and embedding rate of this scheme, and finally we compare and analyze the performance with other schemes. The last section concludes the whole paper.
2. Related Work
In recent years, with the development of metaverse [9], research on blockchain carriers [10][11] for covert communication as its underlying technology is increasing.
Partala J.[12] first proposed the blockchain covert communication scheme (BLOCCE), which transmits messages embedded in the least significant bit (LSB) of an address. Zhang L et al.[13] proposes the method of covert communication (V_BLOCCE), which is a scheme that realizes covert communication by embedding covert information into addresses through the Vanitygen generate special address tool. Zhang L et al.[14] proposed a scheme to utilize fields in the whisper [15] protocol for covert message transfer in an Ethereum environment. Tian J et al.[16] proposed a blockchain covert communication scheme based on dynamic labels (DLchain), which is to store the dynamic labels in the OP_RETURN field, and the covert messages are embedded in the signatures of multiple transactions respectively for covert transmission. Gao F et al.[17] proposed a scheme which is based on Kleptography [18] algorithm to embed the covert information into signatures for covert information transmission.
There are problems such as changing the structure of the transaction in the above schemes. In the current scheme, the transaction structure is easily changed, so the researchers propose a covert communication scheme with the transaction amount of the digital currency. Liu S et al. [19] proposed three embedding approaches for building blockchain covert communication in Ethereum using the Value field of a transaction [20], which are One-Bit Embedding scheme (OBE), HMAC-based Multi-Bit Embedding scheme (HMAC-based MBE), and Hash-based Multi-Bit Embedding scheme (Hash-based MBE). Luo X et al.[21] propose a novel covert communication scheme based on Bitcoin transactions (NCCM), which involves embedding messages onto the interactions between Bitcoin transaction amounts and addresses for covert transmission. Akbari I et al.[22] proposed a combination of transaction and image steganography (TISCC), where off-chain steganography is done via images and on-chain smart contracts are invoked to transmit the steganographic information in the transaction field in Ethereum. However, the problems of large transaction amounts, low embedding rates and easy detection in schemes that use the transaction amounts of digital currencies as carriers for covert communication have not been properly addressed.
Matrix decomposition [23] is to split a matrix into the product of multiple matrices. Therefore, it is able to decompose a large-amount matrix into two small-amount matrices, effectively solving the problems of too large transaction amounts and low embedding rates. The methods of matrix decomposition include Triangular Decomposition [24], Full Rank Decomposition [25], QR Decomposition [26], and SVD (Singular Value) Decomposition [27]. However, the matrices obtained from these decompositions are usually uncontrollable and may have non-positive integers, random lengths, etc., which do not meet the requirements of this paper's scheme for setting the transaction amount. Therefore, in this paper, a novel matrix decomposition method is designed, which is able to decompose a large amount (integer) matrix into the product of two small amount (integer) matrices, i.e., MatrixNumber = Matrixa × Matrixb, as shown in (1) and (2). In this equation, the diagonal of MatrixNumber, and the elements in the Matrixa and Matrixb matrices represent the transaction amount. The matrix decomposition method designed in this scheme can effectively control the length of the elements in the decomposed small amount matrix, thus solving the problem of easy detection.
MatrixNumber = Matrixa × Matrixb (1)
\(\begin{align}\left(\begin{array}{ccc}\text { Number }_{0} & \cdots & * \\ \vdots & \ddots & \vdots \\ * & \cdots & \text { Number }_{n}\end{array}\right)=\left(\begin{array}{cc}a_{00} & a_{01} \\ \vdots & \vdots \\ a_{n 0} & a_{n 1}\end{array}\right) \times\left(\begin{array}{ccc}b_{00} & \cdots & b_{0 n} \\ b_{10} & \cdots & b_{1 n}\end{array}\right)\end{align}\) (2)
3. Scheme Design for Covert Communication Based on Matrix Decomposition Method of Digital Currency Transaction Amount
In this scheme, the sender Alice sends a message 𝑀 to the receiver Bob, and Bob receives the message 𝑀. It needs to go through three stages, which are message encryption, message transmission, and message restoration. As shown in Fig. 1.
Fig. 1. Framework of the scheme based on the matrix decomposition method of digital currency transaction amounts to achieve covert communication
Message encryption stage: Firstly, the message 𝑀 is encrypted and padded to generate 𝑀𝐶. Secondly, 𝑀𝐶 is binary encoded to obtain 𝑀𝐵. Thirdly, 𝑀𝐵 is cut, and the individual parts of the cut are converted to decimal numbers. Finally, the decimal numbers of each part are formed into a matrix MatrixNumber , which is decomposed into two transaction amount matrices Matrixa and Matrixb.
Message transmission stage: Firstly, the set of transaction addresses generated by the pre-shared Key chain off the chain. Secondly, each column of matrix Matrixa consists of one transaction and each row of matrix Matrixb consists of one transaction. The transaction utilizes the interaction of the addresses. Finally, these transactions are published to the Bitcoin transaction network.
Message reduction stage: Firstly, generate the transaction address set according to the pre-shared Key off the chain, and extract the transactions. Secondly, the transaction amounts of these transactions are arranged separately to get two matrices Matrixa and Matrixb, which are multiplied to get MatrixNumber. Thirdly, the elements Number on the diagonal of matrix MatrixNumber are extracted and converted to binary code in turn to form 𝑀𝐵 , which is decoded to get ciphertext 𝑀𝐶. Finally, the message 𝑀 is obtained by decrypting the ciphertext 𝑀𝐶.
3.1 Message encryption stage
The message encryption stage includes the padding of the ciphertext, the cutting of the ciphertext, and the matrix decomposition.
3.1.1 Ciphertext padding and cutting
Ciphertext padding and cutting includes scheme design and algorithm design.
The design of ciphertext padding and cutting consists of padding the ciphertext 𝑀𝐶 and cutting of ciphertext 𝑀𝐵. The purpose is to determine the size Cpad to be padded for 𝑀𝐶 and the slice size BcutCount for 𝑀𝐵.
The ciphertext 𝑀𝐶 is padded to make it easier to cut 𝑀𝐵,that is, the ciphertext 𝑀𝐶 is padded to a certain length and encoded as 𝑀𝐵 to make it easier to cut. Due to the cut of 𝑀𝐵, the last cut part will have less than the BcutCount bit binary length, it is difficult to decompose and needs to be padded to get 𝑀𝐶. The padding length is calculated as Cpad according to (3).
Cpad = (BcutCount/8 ) − Ccount%(BcutCount/8) (3)
The cut of the ciphertext 𝑀𝐵 is the size of the slice to be obtained (BcutCount). Firstly, the range [min, max] is determined by the transaction amount length range 𝑑, according to (4) and (5). Secondly, max and min are converted to binary numbers respectively, and their bit numbers Bmax and Bmin are calculated according to (6) and (7). Thirdly, the number of bits in the slice must be a multiple of 8, since the conversion of a cipher character to binary requires 8 bits of binary to be represented. In order to make the embedding rate as large as possible within the specified range, the number of bits in the slice must be as large as possible, so BcutCount takes the maximum value, as shown in (8). Finally, in order to distribute the length of the transaction amount of the matrix decomposition in the most appropriate range, the range of values [Numbermin, Numbermax] of the elements in the matrix MatrixNumber is determined according to (9) and (10).
\(\begin{align}\max =\underbrace{999 \ldots 999}_{d} \times \underbrace{999 \ldots 999}_{d}+\underbrace{999 \ldots 999}_{d} \times \underbrace{999 \ldots 999}_{d}\end{align}\) (4)
\(\begin{align}\min =\underbrace{100 \ldots 000}_{d} \times \underbrace{100 \ldots 000}_{d}+\underbrace{100 \ldots 000}_{d} \times \underbrace{100 \ldots 000}_{d}\end{align}\) (5)
Bmax = BinaryCount(max) (6)
Bmin = BinaryCount(min) (7)
BcutCount = Max({BcutCount |Bmin < BcutCount < Bmax}
∩ {BcutCount |BcutCount%8 = 0}) (8)
\(\begin{align}\text {Number}_{\max }=\text {Binary2decimal}(\underbrace{111 \ldots 111}_{B_{\text {cut Count }}})\end{align}\) (9)
\(\begin{align}\text {Number}_{\min }=\text {Binary2decimal}(\underbrace{100 \ldots 100}_{B_{\text {cut Count }}})\end{align}\) (10)
According to the analysis of the transaction amount length from the experiments in Section 4.2, it is most appropriate to set the transaction amount length 𝑑 between 5 and 8. The above equation results in Bmax = 55, Bmin = 28 and BcutCount is taken as 48 bits for 𝑑 ∈ [5,8]. Numbermax=281474976710655, Numbermin =140737488355328.
In the ciphertext padding and cutting algorithm, firstly, after getting the message 𝑀 and then encrypt 𝑀. As a result of cutting 𝑀𝐵, the last partial binary is less than 48, making it difficult to continue the decomposition, so padding is required to obtain 𝑀𝐶. Secondly, binary encoding of 𝑀𝐶 to get 𝑀𝐵. Finally, cut 𝑀𝐵 to convert each part of the cut to decimal number, get matrix MatrixNumber . The ciphertext padding and cutting algorithm is shown in Algorithm 1.
Algorithm 1: Ciphertext padding and cutting algorithm
As in Fig. 2, Alice sends the message 𝑀(“This is a secure channel for sending messages”), encrypted padding is performed, and then binary encoding is performed to obtain 𝑀𝐵=“01010100011010000.....”. Finally, a cut is performed and each part is decimal converted to {Number0, Number1, ⋯ , Number𝑛}.
3.1.2 Novel matrix decomposition method
This section introduces the design of novel matrix decomposition methods and algorithm design, respectively.
The purpose of the matrix decomposition method designed in this scheme is to decompose the large amount (integer) matrix MatrixNumber into two small amount matrices Matrixa, Matrixb, as shown in (1) and (2). The core concept is to decompose the diagonal element Numberi of the large amount (integer) matrix MatrixNumber into a composite number or two composite numbers (amount ∈ 𝑁). As shown in Corollary 1.
Corollary 1: Every natural number greater than 11 is the sum of two composite numbers [28] (a composite number is a number of natural numbers that is divisible by other numbers (except 0) in addition to 1 and itself).
1)If 𝑛 = 3𝑘(𝑘 ≥ 4),then
𝑛 = 3𝑘 = 6 + 3(𝑘 − 2);
2)If 𝑛 = 3𝑘 + 1(𝑘 ≥ 4),then
𝑛 = 3𝑘 + 1 = 4 + 3(𝑘 − 1);
3)If 𝑛 = 3𝑘 + 2(𝑘 ≥ 4),then
𝑛 = 3𝑘 + 2 = 8 + 3(𝑘 − 2);
In any case, n can be expressed as the sum of two composite numbers.
Therefore, large amounts (integers) can be decomposed into one composite (the other composite is 0) or two composites, as shown in (11).
{Numberi|Numberi = 𝑎𝑖0 × 𝑏0𝑖 + 𝑎𝑖1 × 𝑏1𝑖, 𝑎𝑖0 ∈ 𝑁, 𝑎𝑖1 ∈ 𝑁, 𝑏0𝑖 ∈ 𝑁, 𝑏1𝑖 ∈ 𝑁} (11)
A natural number greater than 11 can be decomposed into two composite numbers, then the large amount (integer) matrix MatrixNumber can be decomposed into two integer matrices Matrixa, Matrixb, as shown in Corollary 2.
Corollary 2: The large amount (integer) matrix matrix MatrixNumber can be decomposed into two integer matrices Matrixa, Matrixb.
1)If the factorization of Numberi can be represented by a composite number, that is, Numberi = 𝑎𝑖0 × 𝑏0𝑖, 𝑎𝑖1=0, 𝑏1𝑖=0.
\(\begin{align}a_{i 0}=\prod_{j=0}^{k} \text {FactorNumber}_{j}, b_{0 i}=\prod_{j=k+1}^{m}\text {FactorNumber}_{j}\end{align}\)
\(\begin{align}\text {Number}_{i}=\left(\begin{array}{ll}a_{i 0} & 0\end{array}\right) \times\binom{ b_{0 i}}{0}\end{align}\)
where 𝑘 allows the length of 𝑎𝑖0 and 𝑏0𝑖 to be distributed in a prescribed range,and FactorNumberj denotes a factor of Numberi.
2) If Numberi factorization can be represented by two composite numbers, that is, Numberi = 𝑅1 + 𝑅2 = 𝑎𝑖0 × 𝑏0𝑖 + 𝑎𝑖1 × 𝑏1𝑖.
\(\begin{align}a_{i 0}=\prod_{j=0}^{k 1} \text {R1 factor}_{j}, b_{0 i}=\prod_{j=k 1+1}^{l} {\text {R1 factor}}_{j}\end{align}\)
\(\begin{align}a_{i 1}=\prod_{j=0}^{k 2} {\text{R2 factor}}_{j}, b_{1 i}=\prod_{j=k 2+1}^{\mathrm{h}} {\text{R2 factor}}_{j}\end{align}\)
\(\begin{align}\text{Number}_{i}=\left(\begin{array}{ll}a_{i 0} & a_{i 1}\end{array}\right) \times\binom{ b_{0 i}}{b_{1 i}}\end{align}\)
where 𝑘1 and 𝑘2 are such that the length distributions of 𝑎𝑖0,𝑏0𝑖 and 𝑎𝑖1,𝑏1𝑖 are in a prescribed range, respectively, and 𝑅1factorj denotes the factor of 𝑅1 and 𝑅2factorj denotes the factor of 𝑅2.
Therefore, the large amount (integer) matrix MatrixNumber can be decomposed into two integer matrices Matrixa, Matrixb, as shown in (1) and (2).
In the novel matrix decomposition algorithm, after obtaining the matrix MatrixNumber, the matrix is decomposed into two transaction amount matrices Matrixa and Matrixb. The decomposition algorithm is shown in Algorithm 2
Algorithm 2: Novel matrix decomposition algorithm
In this algorithm, Numberi(𝑖 = 0 … 𝑛) in matrix MatrixNumber is factorized into a set of factors FactorNumberi(𝑖 = 0, … , 𝑚 − 1) . In turn, we judge whether the largest factor FactorNumber𝑚−1 in the factorization of each number Numberi(𝑖 = 0 … 𝑛) is within the normal range of transaction amounts [MinAmount, MaxAmount], and there are three situations
If FactorNumber𝑚−1 is within the normal range of transaction amount, that is, FactorNumber𝑚−1 ∈ [MinAmount, MaxAmount]. Then 𝑎0 = FactorNumber𝑚−1, 𝑎1 = 0, 𝑏0 = ∏𝑚−2𝑗=0 FactorNumberj , 𝑏1 = 0. As shown in Algorithm 3.
Algorithm 3: LargeNumberDecomposition1 algorithm
If FactorNumber𝑚−1 is less than the minimum amount, that is, FactorNumber𝑚−1 < MinAmount . then factor in FactorNumber[𝑚] , multiply, and get 𝑏0 ∈ [MinAmount, MaxAmount], then record it, 𝑎0 = Number/𝑏0, as shown in Algorithm 4.
Algorithm 4: LargeNumberDecomposition2 algorithm
If FactorNumber𝑚−1 is greater than the maximum transaction amount, that is, FactorNumber𝑚−1 > MaxAmount . Therefore, FactorNumber𝑚−1 needs to be decomposed, as shown in Algorithm 5. Firstly, use A to record the product of factors other than the largest factorization, that is, 𝐴 ← ∏𝑚−2𝑗=0 FactorNumberj . Then decompose FactorNumber𝑚−1 into two numbers 𝑅1 = FactorNumber𝑚−1/2 and 𝑅2 = FactorNumber𝑚−1 − 𝑅1. Secondly, factorize these two numbers 𝑅1, 𝑅2 respectively, and the factor sets are 𝑅1factorl, 𝑅2factorh, with 𝑏0 and 𝑏1 to record 𝐴, that is, 𝑏0 = 𝐴, 𝑏1 = 𝐴. Thirdly, multiply the numbers from 𝑅1factorl factor set with 𝑏0 so that 𝑏0 > MinAmount, multiply the numbers from 𝑅2factorh factor set with 𝑏1 > MinAmount, and then calculate 𝑎0 , 𝑎1 , that is, 𝑎0 = (𝑅1 × 𝐴)/ 𝑏0 , 𝑎1 = (𝑅2 × 𝐴)/ 𝑏1 . Finally, determine whether 𝑎0, 𝑎1, 𝑏0, 𝑏1 all satisfy the transaction amount range, if so will get 𝑎0, 𝑎1, 𝑏0, 𝑏1. otherwise will be randomly regenerated (that is, 𝑅1 ← 𝑅1 + Random(sqrt(𝑅1))), and then decomposed until 𝑎0, 𝑎1, 𝑏0, 𝑏1 satisfy the transaction amount range.
Algorithm 5: LargeNumberDecomposition3 algorithm
In the novel matrix decomposition algorithm 2, the number Numberi(𝑖 = 0, … , 𝑛) in the matrix is finally decomposed into the sum of two composite numbers, as shown in (12)-(15).
Number0 = 𝑎00 × 𝑏00 + 𝑎01 × 𝑏10 (12)
Number1 = 𝑎10 × 𝑏01 + 𝑎11 × 𝑏11 (13)
Numbern = 𝑎𝑛0 × 𝑏0𝑛 + 𝑎𝑛1 × 𝑏1𝑛 (14)
\(\begin{align}\begin{aligned}\left(\begin{array}{ccc}\text { Number } & \cdots & * \\ \vdots & \ddots & \vdots \\ * & \cdots & \text { Number }_{n}\end{array}\right) & =\left(\begin{array}{cc}a_{00} & a_{01} \\ \vdots & \vdots \\ a_{n 0} & a_{n 1}\end{array}\right) \times\left(\begin{array}{ccc}b_{00} & \cdots & b_{0 n} \\ b_{10} & \cdots & b_{1 n}\end{array}\right) \\ & =\left(\begin{array}{cccc}a_{00} \times b_{00}+a_{01} \times b_{10} & \cdots & * \\ \vdots & \ddots & \vdots \\ * & \cdots & a_{n 0} \times b_{0 n}+a_{n 1} \times b_{1 n}\end{array}\right)\end{aligned}\end{align}\) (15)
The set of Number obtained by cutting in Fig. 2 is decomposed into the amount matrix Matrixa and Matrixb by using matrix decomposition algorithm, as shown in Fig. 3 Matrix decomposition example figure.
Fig. 2. Example figure of ciphertext padding and cutting
Fig. 3. Matrix decomposition example
3.2 Message transmission stage
In the message transmission stage, it is the posting of the transaction to the Bitcoin transaction network. Firstly, the design of the transaction address generation and the design of the interactions for each transaction, secondly, the transactions are carried out based on the transaction amounts in the two transaction matrices, and finally, these transactions are posted to the Bitcoin transaction network.
3.2.1 Transaction address generation design
With the pre-shared Key off the chain, we generate the sender's address set Saddr and receiver's address set DAddr for each transaction. Then, through DAddr, we further generate the receiver address set DAddr′ , DAddr′′ and DAddr′′′ for each transaction. These addresses form a chain relationship with each other, which can be seen in Fig. 4.
Fig. 4. Address chain relationship
Firstly, we generate the sender address set Saddr for these four transactions and the DAddr address set in the first transaction using Key chaining, as detailed in Algorithm 6. Subsequently, through the DAddr set, we derive the DAddr′ , DAddr′′, DAddr′′′ address set (DAddr → DAddr′ → DAddr′′ → DAddr′′′), with the specific address derivation relation addrsk(𝑖+1) ← addrsk(𝑖) ∗ 𝐺 ∗ 𝑇 , as detailed in Algorithm 7. The primary purpose of Algorithm 6 and Algorithm 7 is to provide for the receiver to locate the transaction and the interaction of the transaction amount between addresses in order to efficiently perform subsequent processing.
Algorithm 6: Saddr and DAddr address sets generation algorithm
Algorithm 7: DAddr∗ address sets generation algorithm
3.2.2 Design of transaction amount and address interaction
According to the transaction amount matrix Matrixa , Matrixb and address generation relationship, the corresponding amount is used as the transaction amount for each transaction. The first column in Matrixa represents the transactions in Transaction0, where the relationship is (\(\begin{align}S a d d r_{0} \xrightarrow{a_{i 0}} D A d d r_{i}\end{align}\)), and the second column represents the transactions in Transaction1, where the relationship is (\(\begin{align}S a d d r_{1} \xrightarrow{a_{i 1}} D A d d r_{i}^{\prime}\end{align}\)).The first row in Matrixb represents the transactions in Transaction2, where the relationship is (\(\begin{align}\mathrm{Saddr}_{2} \xrightarrow{b_{0 i}} D A d d r_{i}{ }^{\prime \prime}\end{align}\)), and the second row represents the transactions in Transaction3, where the relationship is (\(\begin{align}\mathrm{Saddr}_{3} \xrightarrow{b_{1 i}} D A d d r_{i}^{\prime \prime \prime}\end{align}\)). The transaction address interaction is shown in Fig. 5. Finally post these four transactions to the Bitcoin transaction network.
Fig. 5. Transaction Address Interaction Relationship
According to the transaction matrix Matrixa , Matrixb obtained from Fig. 3, its transaction matrix is assigned to 4 transactions as shown in Fig. 6. Because the unit of numbers in Matrixa , Matrixb is Satoshi and the unit in Bitcoin transaction network is BTC, 1BTC=108Satoshi, the size of transaction matrix Matrixa, Matrixb is reduced by 108 times.
Fig. 6. Examples of transactions
3.3 Message reduction stage
The receiver can derive the receiver address set Saddr for each transaction by using the pre-shared Key off-chain and using the address set generation algorithm. Find these 4 transactions and get the transaction amount matrix Matrixa, Matrixb, then MatrixNumber = Matrixa × Matrixb. The algorithm of reducing message is shown in Algorithm 8.
Algorithm 8: Reduction message algorithm
Firstly, determine the transaction according to the address in Saddr , determine the transaction, and then extract the transaction amount from each transaction to form the matrices Matrixa , Matrixb . Secondly, the two matrices are multiplied to obtain the matrix MatrixNumber. Thirdly, the diagonal numbers in this matrix will be converted, filled and connected in order to finally get the binary code 𝑀𝐵. Finally, decode it to get 𝑀𝐶, remove the padding character ′ ∗ ′ from 𝑀𝐶, and then decrypt it to get the message 𝑀.
4. Experiments and Analysis
In this section, firstly, different matrix decomposition methods are compared and analyzed in four aspects, secondly, the scheme is analyzed in terms of resistance to detection, thirdly, the embedding rate comparison is analyzed, and finally, the performance of this scheme is compared with other schemes. The experimental environment for this article: Windows 11, CPU is AMD Ryzen 7 5800H with Radeon Graphics, main frequency is 3.20GHz, 16G RAM.
4.1 Comparative analysis of different matrix decomposition methods
In this subsection, the feasibility of the matrix decomposition method of this scheme is compared and analyzed from four aspects.
4.1.1 Comparative analysis of the correctness of different matrix decomposition methods
To verify the correctness of the matrix decomposition method is to decompose the matrix MatrixNumber by using the matrix decomposition method, and verify whether the result of the decomposition conforms to the prescribed length range 𝑑. where the elements of matrix MatrixNumber appear in the range [Numbermax, Numbermin], and it is derived in Section 3.1. Numbermax = 281474976710655, Numbermin = 140737488355328.
In this range [Numbermax, Numbermin], some numbers are randomly selected to form matrices MatrixNumber of different orders, the matrices MatrixNumber are decomposed using different matrix decomposition methods, and the decomposed matrices are observed. The Triangular decomposition method decomposes a matrix into a lower triangular matrix (L) and an upper triangular matrix (U), whose decomposed matrix has elements whose lengths are not in the range of 𝑑 and which also contain decimals. Therefore, the result of the decomposition is “False”. The Full-Rank decomposition method decomposes a matrix into two matrices, and the lengths of the elements of the decomposed matrix do not match the length range. Therefore, the result of the decomposition is “False”. The QR decomposition method decomposes a matrix into an orthogonal matrix (Q) and an upper triangular matrix (R), and the lengths of the elements of the decomposed matrix do not match the length range. Therefore, the result of the decomposition is “False”. The Singular Value decomposition method (SVD) decomposes a matrix into column orthogonal matrices (U), diagonal matrices (Σ), and the transpose 𝑉𝑇 of a positive definite matrix, and the lengths of the elements in the decomposed matrix do not fit into the length range. Therefore, the result of the decomposition is “False”. The matrix decomposition method of this program decomposes the matrix into two matrices, and the lengths of the elements in the matrix after its decomposition are in the length range. Therefore, the result of the decomposition is “Ture”. The results of the various matrix decomposition methods are shown in Table 1. If the result of the decomposition matches the number of its prescribed length, then it is “Ture”, otherwise it is “False”.
Table 1. Comparison of the correctness of different matrix decomposition methods
In Table 1, it can be seen that the results of Triangular decomposition, Full Rank decomposition, QR decomposition and SVD (singular value) decomposition for matrices of this range are not able to satisfy the prescribed length of compliance. The matrix decomposition method designed in this scheme can satisfy that the decomposition results conform to the prescribed length. Therefore, the matrix decomposition method of this scheme is feasible.
4.1.2 Comparative analysis of transaction amount consumption of different matrix decomposition methods
Comparative analysis of transaction amount consumption for different matrix decomposition methods is to analyze the elements in the matrix after decomposing the amount matrices MatrixNumber produced by messages of different lengths using various matrix decomposition methods. Where transaction amount consumption is the sum of the elements in the decomposed matrix. The methods compared include Triangular matrix decomposition, Full Rank matrix decomposition, QR matrix decomposition, SVD matrix decomposition and traditional methods.
Through simulation experiments, the sum of the elements of the matrices produced by different methods for messages of different lengths is recorded. The different length information is manipulated to make the conversion to an amount matrix MatrixNumber . Various library functions for matrix decomposition in the compiler and the matrix decomposition method of this scheme are called to perform the decomposition and the sum of the elements in the resulting matrix after the decomposition is recorded. As the transaction amount cannot be negative, Triangular matrix decomposition, Full Rank matrix decomposition, QR matrix decomposition and SVD matrix decomposition will produce negative numbers, so it is necessary to process the absolute value of the elements in the factorized matrix before summing. And in the comparative analysis, the traditional method is added for comparison, where the traditional method is to transmit the covert message directly in amounts without matrix decomposition. Therefore, the traditional method records the sum of the numbers in the matrix to be decomposed. To avoid experimental contingency, we conducted 1000 experiments on the amounts generated by messages of different lengths, and the results were averaged and recorded. The results of the amount consumption comparison are shown in Fig. 7.
Fig. 7. Different matrix decomposition of transaction amount consumption
In Fig. 7, the matrix decomposition method of this scheme consumes much less amount at different lengths than the other methods. The matrix decomposition method of this scheme increases the consumption of transaction amount slowly as the length of message increases. The traditional and Full Rank decomposition methods consume similar amounts of transactions for different message lengths. The traditional method is to trade directly with amounts without decomposing the matrix, and what is recorded is the sum of the elements in the matrix to be decomposed. Although the Full Rank decomposition method decomposes the matrix, the decomposed matrix is almost the same as the decomposed one. This results in Full Rank decomposition methods that require similar amounts of consumption as traditional methods. Therefore, the matrix decomposition method of this scheme greatly reduces the consumption of the amount.
4.1.3 Comparative analysis of decomposition efficiency of different matrix decomposition methods
The matrix decomposition efficiency is the time taken to factorize a matrix. This section is to decompose matrices of different orders and record the time required for different methods of matrix decomposition respectively. The random numbers are drawn from the range [Numbermax, Numbermin] to form matrices MatrixNumber of different orders. And call various library functions for matrix decomposition in the compiler and the matrix decomposition method of this scheme to perform the decomposition and record the time consumed. Meanwhile, in order to avoid the contingency of the experiment, each order matrix is randomly generated 1000 times, and then the average value is recorded. The experimental results are shown in Fig. 8.
Fig. 8. Comparison of decomposition efficiency of different matrix decomposition methods
In Fig. 8, it can be seen that the time required to decompose the matrix in this scheme is the most consumed. The reason is that since the matrix decomposition method of this scheme decomposes each element on the diagonal of the matrix into one composite number or two composite numbers, its decomposition process and verification process will be more time consuming. And the other matrix decomposition methods are decomposing the matrix directly without the limitation of length and decimals, which makes the other matrix decomposition methods more efficient. In Fig. 8, although the efficiency of the matrix decomposition method of this scheme is much lower than other matrix decomposition methods, the matrix decomposition method of this scheme takes only 883.9698482ms, less than 1s, for a matrix of order 100. And it can be seen from Fig. 7 that the amount consumed by other matrix decomposition methods is much higher than the amount consumed by the present scheme. Therefore, the matrix decomposition method of the present scheme is desirable.
4.1.4 Comparative analysis of embedding rate of different matrix decomposition methods
The embedding ratio is the ratio between the length of a message and the number of transactions required to transmit a message of that length. The comparative analysis of embedding rate for different matrix decomposition methods is to analyze the comparison of embedding rate produced by different lengths of messages using different matrix decomposition methods. Firstly, encrypt and encode the messages of different lengths to be processed to obtain the large amount matrix MatrixNumber . Secondly, the large amount matrix is decomposed by calling various library functions for matrix decomposition in the compiler and the matrix decomposition method of this scheme, and the number of non-zero elements in the decomposed matrix, which is the number of transactions needed, is recorded. To avoid the contingency of the experiment, messages of different lengths are randomly generated 1000 times and decomposed. Finally, the number of non-zero elements in the matrix generated after decomposition by different matrix decomposition methods is counted, averaged and recorded. The experiments are compared and analyzed as shown in Fig. 9.
Fig. 9. Comparison of embedding rates of different matrix decomposition methods
In Fig. 9, the embedding rate of this scheme is lower than other matrix decomposition methods. The Triangular decomposition method and the Full Rank decomposition method appear to overlap in Fig. 9, which is due to the large elements in the decomposed matrix. The Triangular decomposition method decomposes the matrix into an upper triangular matrix and a lower triangular matrix, which are all non-zero elements. The Full Rank Decomposition method decomposes the matrix into two matrices, the first matrix with all non-zero elements and the second matrix with all non-zero elements on the diagonal only. As a result, it leads to equal sum of non-zero elements in the matrix after the Triangular decomposition method and the Full rank decomposition method. Although the other matrix decomposition methods have high embedding rates, it can be seen from Table 1 that the other matrix decomposition methods cannot effectively control the elements in the decomposed matrix, and there are problems such as fractional and minus numbers in the decomposed matrix. Therefore, the matrix decomposition method of this scheme is the most suitable one to be chosen.
4.2 Resistance to detection
The transaction has problems such as easy detection if it contains attributes such as special transaction amounts (e.g., specially large, specially small) [29][30]. Since the covert communication carrier in the design of this scheme is the transaction amount, it is important to control the transaction amount so that the transaction carrying the information has some resistance to detection. In order to avoid that this scheme will generate special transaction amounts, statistical analysis of the amount lengths in real transaction networks and analysis of the frequency of transaction amounts are needed to obtain the range of amount lengths 𝑑 designed in this scheme.
Firstly, the statistical analysis of the amount lengths in the real transaction network is performed to determine the real range of transaction amount lengths. Since this scheme is implemented on the Bitcoin transaction network, we crawled the latest transaction blocks (769473-771632) from the Bitcoin transaction network for statistical analysis, and crawled a total of 15535697 transaction amounts. Crawl the transaction amount in the transaction block in Satoshi units (1BTC=108Satoshi) and count the number of occurrences of the length of each transaction amount. As shown in Fig. 10.
Fig. 10. Distribution of transaction amount length
Secondly, to further determine the range of lengths 𝑑, the frequency of amounts in each length was counted. We refer to the detection resistance experiments in the literature [21], whose experiments determine the transaction amount length from the perspective of fluctuations through the transaction amount and make the NCCM scheme resistant to detection. In order to avoid the impact of special transaction amounts on the statistical experiment of transaction amount frequency, and also to ensure the number of experimental data sets. The crawled amount dataset is first arranged in positive order, the small amount data in the first 5% of the sorted amount dataset and the large amount data in the last 5% are deleted, and the frequency statistics are analyzed for the middle 90% of the data. Where the middle 90% of the data, the range of the amount length can be calculated as [4,8] according to Fig. 10. Then, we verify that the amounts are uniformly distributed in each length, and Fig. 11 shows the frequency distribution of transaction amounts. The frequency statistics for the amount range [0,1.0E+8], with 2.0E+7 as the step size, are shown in Fig. 11 (a). Although the amount of the range [0,2.0E+7] accounts for 95.352%, the amount of the interval [2.0E+7, 1.0E+8] is more uniform. In order to verify whether the amount data of length 8 are uniformly distributed, that is, to verify whether the amounts in the range [1.0E+7,1.0E+8] are uniformly distributed, this experiment performs a frequency analysis for the range [0,2.0E+7], as shown in Fig. 11 (b). In Fig. 11 (b), the range [1.0E+7,2.0E+7] accounts for 3.811% of the range [0,2.0E+7], therefore, the amount length is 8 when the amount of the range [1.0E+7,1.0E+8]. The frequency distribution of this range is more uniform and the length can be 8. In Fig. 11 (b), the frequency of the amount range [0,2.0E+6] is 79.985%, and the amount of the interval [2.0E+6,1.0E+7] is uniformly distributed. To verify whether the amounts of length 7 are evenly distributed, that is, to verify whether the amounts of the range [1.0E+7,1.0E+8] are uniformly distributed, this experiment performs frequency statistics for the amount range [0,2.0E+6] with 2.0E+5 as the step size, as shown in Fig. 11 (c). It can be seen from Fig. 11 (b) and Fig. 11 (c) that the length is 7 when the data of the range [1.0E+6,1.0E+7]. The frequency distribution of this range is uniform and does not fluctuate much, therefore, the length can also be 7. For the amount range [0, 2.0E+5], frequency statistics were performed with 2.0E+4 as the step size, as shown in Fig. 11 (d). For the amount range [0, 2.0E+4], frequency statistics are performed with 2.0E+3 as the step size, as shown in Fig. 11 (e). Since the statistical range [0,8.0E+3] has a frequency of 0, this range is combined together in Fig. 11 (e). From Fig. 11 (c), Fig. 11 (d) and Fig. 11 (e), it can be seen that the frequency of each range is more uniform when the length is 5 and 6, so the length can be 5 or 6. From Fig. 11 (e), it can be seen that in the range [0,1.0E+4] only the range [8.0E+3,1.0E+4] has a frequency, and when the length is lower than 5, that is, the range [0, 1.0E+4], the data will be distributed in the first 5% of the small amount data with some specificity. Therefore, the length can be 5, but not lower than 5.
Fig. 11. Frequency distribution of transaction amount
Finally, in the method of designing matrix decomposition, the length of the amount of the decomposed amount matrix is controlled to be 5-8 (𝑑 ∈[5,8]), so that the amount carrying covert messages has some resistance to detection.
4.3 Comparative analysis of embedding rate
The comparative embedding rate analysis is a comparative embedding rate analysis of this scheme with several amount-based covert communication schemes. To simulate the embedding rate of this scheme, this section continues to imitate the embedding rate experiment of this scheme in Section 4.1.4. The messages are processed into large amount matrices MatrixNumber, which are decomposed using the matrix decomposition method designed in this scheme, and the number of non-zero elements in the decomposed matrix, which is the number of transactions required, is recorded. In the literature [19], the embedding rate of HMAC-based MBE scheme is 14.07 bit/t (average) and the embedding rate of Hash-MBE scheme is 28.12 bit/t (average) . The embedding rate comparison is shown in Fig. 12.
Fig. 12. Comparative analysis of embedding rate
From Fig. 12, it can be seen that the number of transactions required increases with the increase in the length of the binary encoded form ciphertext 𝑀𝐵. And the embedding rate of the scheme proposed in this paper fluctuates only slightly, and the average value of the embedding rate of the scheme can be calculated as 15.02 bit/t. At the same time, the proposed scheme is higher than HMAC-based MBE scheme and lower than Hash- MBE scheme compared with other schemes.
4.4 Performance comparison with other schemes
The performance comparison is done from two aspects with other schemes and its comparison is shown in Table 2. Firstly, this paper compares with other schemes in terms of embedding rate. The BLOCCE scheme[12] is to convert the information to binary embedded in the transaction address of each transaction with an embedding rate of 1 bit/t. The HMAC-based MBE scheme[19] is to embed the information onto the Value field of the Ethereum with an embedding rate of 14.07 bit/t. The Hash-based MBE scheme further improves on the HMAC-based MBE scheme by increasing the embedding rate, which is 28.12 bit/t. TISCC[22] on the chain is to embed the information is to the relevant field of the Ethereum transaction and call the smart contract to transmission the information with an embedding rate of 29 bit/t. In the scheme of this paper, the information is embedded to the transaction amount using a novel matrix decomposition method with an embedding rate of 15.02 bit/t. Finally, in terms of transmission efficiency, we compare how many transactions are required to complete the transmission of the message “This is a secret message” by different schemes. The BLOCCE scheme requires 192 transactions as each bit is embedded on each address. HMAC-based MBE and Hash-based MBE can calculate the number of transactions based on their embedding rates, which are 14 transactions and 7 transactions, respectively. NCCM[21] is a transmission of information embedded in transaction amounts and interaction relationships, and the number of transactions required is 16 transactions. This scheme is experimentally simulated to require 12 transactions.
Table 2. Performance comparison with other schemes
5. Conclusion
In this paper, we propose a covert communication scheme based on the matrix decomposition method of digital currency transaction amount, which effectively alleviates the problems of low embedding rate, large transaction amount and easy detection. The scheme employs a novel matrix decomposition method to improve the embedding rate and give the scheme some resistance to detection. However, the scheme may lead to greater amount consumption compared to schemes that do not involve amounts as carriers. Compared to the scheme designed with amounts as carriers, the scheme successfully reduces the consumption of transaction amounts and further improves the anti-detectability by skillfully distributing the decomposed transaction amount matrix elements in the most appropriate length range. The experimental results show that the scheme achieves an embedding rate of 15.02 bit/t within the optimal length range [5, 8]. Therefore, not only the embedding rate and the reduced transaction amount consumption are improved, but also the resistance to detection. In the future, we can apply the scheme in this paper to covert communication scenarios with numbers. For example, in financial transactions, covert communication with numbers can be used to confirm the authenticity of the transaction. By hiding some covert information in the amount or transaction code, both parties can verify the validity of the transaction and prevent fraud during the transaction process.
Acknowledgement
This work is sponsored by the National Natural Science Foundation of China No. 62172353, No. 62302114, No. U20B2046 and No. 61976064. Future Network Scientific Research Fund Project No. FNSRFP-2021-YB-48. Innovation Fund Program of the Engineering Research Center for Integration and Application of Digital Learning Technology of Ministry of Education No.1221045.
References
- B. W. Lampson, "A note on the confinement problem," Communications of the ACM, vol. 16, no. 10, pp. 613-615, 1973. https://doi.org/10.1145/362375.362389
- A. Cheddad, J. Condell, K. Curran, and P. Mc Kevitt, "Digital image steganography: Survey and analysis of current methods," Signal processing, vol. 90, no. 3, pp. 727-752, 2010. https://doi.org/10.1016/j.sigpro.2009.08.010
- M. M. Sadek, A. S. Khalifa, and M. G. Mostafa, "Video steganography: a comprehensive review," Multimedia tools and applications, vol. 74, pp. 7063-7094, 2015. https://doi.org/10.1007/s11042-014-1952-z
- M. R. Vinothkanna, "A secure steganography creation algorithm for multiple file formats," Journal of Innovative Image Processing (JIIP), vol. 1, no. 01, pp. 20-30, 2019. https://doi.org/10.36548/jiip.2019.1.003
- C. Zhao and Y. Guan, "A graph-based investigation of bitcoin transactions," in Proc. of Advances in Digital Forensics XI: 11th IFIP WG 11.9 International Conference, Orlando, FL, USA, pp. 79-95, 2015.
- A. Sward, I. Vecna, and F. Stonedahl, "Data insertion in bitcoin's blockchain," Ledger, vol. 3, 2018.
- A. J. Di Scala, A. Gangemi, G. Romeo, and G. Vernetti, "Special subsets of addresses for blockchains using the secp256k1 curve," Mathematics, vol. 10, no. 15, p. 2746, 2022.
- S. Delgado-Segura, C. Perez-Sola, J. Herrera- Joancomarti, G. NavarroArribas, and J. Borrell, "Cryptocurrency networks: A new p2p paradigm," Mobile Information Systems, vol. 2018, pp. 1-16, 2018.
- T. Huynh-The, T. R. Gadekallu, W. Wang, G. Yenduri, P. Ranaweera, Q.-V. Pham, D. B. da Costa, and M. Liyanage, "Blockchain for the metaverse: A review," Future Generation Computer Systems, 2022.
- J. Zhang, S. Zhong, T. Wang, H.-C. Chao, and J. Wang, "Blockchainbased systems and applications: a survey," Journal of Internet Technology, vol. 21, no. 1, pp. 1-14, 2020.
- S. Nakamoto, "Bitcoin: A peer-to-peer electronic cash system," Decentralized business review, p. 21260, 2008.
- J. Partala, "Provably secure covert communication on blockchain," Cryptography, vol. 2, no. 3, p. 18, 2018.
- L. Zhang, Z. Zhang, W. Wang, R. Waqas, C. Zhao, S. Kim, and H. Chen, "A covert communication method using special bitcoin addresses generated by vanitygen," Computers, Materials & Continua, vol. 65, no. 1, pp. 597-616, 2020. https://doi.org/10.32604/cmc.2020.011554
- L. Zhang, Z. Zhang, Z. Jin, Y. Su, and Z. Wang, "An approach of covert communication based on the ethereum whisper protocol in blockchain," International Journal of Intelligent Systems, vol. 36, no. 2, pp. 962-996, 2021. https://doi.org/10.1002/int.22327
- W. Warren and A. Bandeali, "0x: An open protocol for decentralized exchange on the ethereum blockchain,". [Online]. Available: https://github.com/0xProject/whitepaper, pp. 04-18, 2017.
- J. Tian, G. Gou, C. Liu, Y. Chen, G. Xiong, and Z. Li, "Dlchain: A covert channel over blockchain based on dynamic labels," in Proc. of Information and Communications Security: 21st International Conference, ICICS 2019, pp. 814-830, 2020.
- F. Gao, L. Zhu, K. Gai, C. Zhang, and S. Liu, "Achieving a covert channel over an open blockchain network," IEEE Network, vol. 34, no. 2, pp. 6-13, 2020. https://doi.org/10.1109/MNET.001.1900225
- A. V. Markelova, "Kleptographic (algorithmic) backdoors in the rsa key generator," Prikladnaya Diskretnaya Matematika, no. 55, pp. 14- 34, 2022.
- S. Liu, Z. Fang, F. Gao, B. Koussainov, Z. Zhang, J. Liu, and L. Zhu, "Whispers on ethereum: Blockchain-based covert data embedding schemes," in Proc. of the 2nd ACM International Symposium on Blockchain and Secure Critical Infrastructure, pp. 171-179, 2020.
- K. Jezek, "Ethereum data structures," arXiv preprint arXiv:2108.05513, 2021.
- X. Luo, P. Zhang, M. Zhang, H. Li, and Q. Cheng, "A novel covert communication method based on bitcoin transaction," IEEE Transactions on Industrial Informatics, vol. 18, no. 4, pp. 2830-2839, 2022. https://doi.org/10.1109/TII.2021.3100480
- A. I. Basuki and D. Rosiyadi, "Joint transaction-image steganography for high capacity covert communication," in Proc. of 2019 International Conference on Computer, Control, Informatics and its Applications (IC3INA), pp. 41-46, 2019.
- J. Yoo and S. Choi, "Orthogonal nonnegative matrix factorization: Multiplicative updates on stiefel manifolds," in Proc. of Intelligent Data Engineering and Automated Learning-IDEAL 2008: 9th International Conference Daejeon, pp. 140-147, 2008.
- J. R. Bunch and J. E. Hopcroft, "Triangular factorization and inversion by fast matrix multiplication," Mathematics of Computation, vol. 28, no. 125, pp. 231-236, 1974. https://doi.org/10.1090/S0025-5718-1974-0331751-8
- R. Piziak and P. Odell, "Full rank factorization of matrices," Mathematics magazine, vol. 72, no. 3, pp. 193-201, 1999. https://doi.org/10.1080/0025570X.1999.11996730
- T. F. Chan, "Rank revealing qr factorizations," Linear Algebra and its Applications, vol. 88-89, pp. 67-82, 1987. https://doi.org/10.1016/0024-3795(87)90103-0
- G. W. Stewart, "On the early history of the singular value decomposition," SIAM review, vol. 35, no. 4, pp. 551-566, 1993. https://doi.org/10.1137/1035134
- L. M. Adleman, "On distinguishing prime numbers from composite numbers," in Proc. of 21st Annual Symposium on Foundations of Computer Science (sfcs 1980), IEEE, pp. 387-406, 1980.
- Z. Gu, D. Lin, and J. Wu, "On-chain analysis-based detection of abnormal transaction amount on cryptocurrency exchanges," Physica A: Statistical Mechanics and its Applications, vol. 604, p. 127799, 2022.
- L. Yang, X. Dong, S. Xing, J. Zheng, X. Gu, and X. Song, "An abnormal transaction detection mechanim on bitcoin," in Proc. of 2019 International Conference on Networking and Network Applications (NaNA), pp. 452-457, 2019.