Issue 
Security and Safety
Volume 3, 2024
Security and Privacy for SpaceAirGround Integrated Networks



Article Number  2024006  
Number of page(s)  18  
Section  Information Network  
DOI  https://doi.org/10.1051/sands/2024006  
Published online  30 April 2024 
Research Article
Secure and efficient covert communication for blockchainintegrated SAGINs
School of Computer Science and Engineering (School of Cyber Security), University of Electronic Science and Technology of China, Chengdu, 611731, China
^{*} Corresponding author (email: ZY_LoYe@126.com)
Received:
30
March
2024
Revised:
24
April
2024
Accepted:
28
April
2024
Blockchain has brought great potential in improving SpaceAirGround Integrated Networks (SAGINs) in terms of security and efficiency. In blockchainintegrated SAGINs, many applications and services inherently require both the communication contents and communication behaviors to be secure against eavesdroppers, in which a covert communication algorithm is always deployed as a fundamental communication component. However, existing covert communication schemes suffer from critical problems. On the one hand, they require a sender to locally maintain a cryptographic key for a long period of time, which is very costly and inefficient to renew which means renewing the secret key. On the other hand, the ciphertext of covertly sent data would explicitly appear in the network, and thereby the schemes are vulnerable to secret key breach. In this paper, we propose a secure and efficient covert communication scheme for blockchainintegrated SAGINs, dubbed CCBSAGINs, to free the sender from maintaining secret keys. The key technique is to map the covertly sent data to some transactions on the underlying blockchain in a secure and efficient way; the mapping information is sent via a covert communication algorithm. Such a twostep mechanism releases the sender from key management and does not require the ciphertext to be communicated. We provide formal security proofs and conduct a comprehensive performance evaluation, which demonstrates the security and efficiency of CCBSAGINs.
Key words: Covert communication / blockchain / SpaceAirGround Integrated Networks
Citation: Li W, Zhang Y, He X, and Song Y. Secure and efficient covert communication for blockchainintegrated SAGINs. Security and Safety 2024; 3: 2024006. https://doi.org/10.1051/sands/2024006
© The Author(s) 2024. Published by EDP Sciences and China Science Publishing & Media Ltd.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
1. Introduction
SpaceAirGround Integrated Networks (SAGINs) have gained significant attention and become a promising architecture for ubiquitous connectivity 5GAdvanced and 6G, enabling the integration of satellite networks, aerial networks, and terrestrial networks. This integration brings tremendous communication benefits, such as nonterrestrial networks, seamless global coverage, high flexibility, and augmented system capacity [1]. SAGINs can be regarded as an extension of the traditional network, which has a strong demand for secure and reliable communication, especially in extreme environments [2].
Generally, the reliability and security of SAGINs are guaranteed by utilizing cryptographic primitives, e.g., public/symmetrickey encryption and digital signatures. However, critical issues in terms of security and efficiency still exist in deploying the primitives in SAGINs. Regarding security, most of the existing publickey encryption schemes and signatures rely on public key infrastructure (PKI), where a fully trusted certificate authority (CA) is required to issue a certificate for each entity. As a consequence, CA becomes a single point of failure, and adversaries who compromise CA can break the security of the underlying primitive. Regarding efficiency, PKIbased schemes are confronted with certificate management problems, including certificate revocation, storage, distribution, and verification. It would be very costly for application scenarios where the entities are dynamic and updated frequently. The above issues would be further exacerbated in deploying the PKIbased schemes in SAGINs, due to the complexity of SAGINs.
Blockchain can serve as a key complement to address the above problems. Specifically, as a blockchain system provides a publicly verifiable and tamperresistant database, the certificate of each user can be recorded in it to ensure authenticity and the singlepointoffailure problem can be addressed [3, 4]. Such a technique has been deployed in SAGINs [5–7] and brought great potential in improving SAGINs in terms of security and efficiency.
In addition to the improvement of security and efficiency, integrating blockchain into SAGINs also provides a “new” way to achieve the “traditional” goal. Particularly, in some applications of SAGINs, users’ communication behaviors are as sensitive as their communication content and thereby need to be well protected. Traditionally, users always utilize a covert communication scheme to protect their communication behaviors against adversaries. However, it always requires an underlying application service to “parasitize”, which always causes abnormal communications. In blockchainintegrated SAGINs, covert communication can be achieved by accessing blockchainrelated services for users: anyone who can access the blockchain can send/receive the message in a secure and covert way. Typical works include Ref. [8–10]. Despite the great benefits of blockchainbased covert communication schemes, there are also critical issues in terms of security and efficiency. Specifically, in existing schemes [11–13] senders need to well maintain cryptographic secret keys for a long period, and a message containing the covertly sent data is sent to the receiver. Consequently, if a sender is captured by adversaries, not only the communication behavior but also the communication content would be directly leaked. A straightforward way to mitigate this problem is to frequently update the secret key. However, it would introduce prohibited costs on the sender side, as generating, updating, and distributing cryptographic keys are very cumbersome, especially for SAGINs where the users’ devices are always resourceconstrained. Although some works have been proposed to improve the efficiency of blockchainbased covert communication, the fundamental issue of maintaining cryptographic secret keys on the sender is still not resolved.
In this paper, we propose an efficient covert communication scheme for blockchainintegrated SAGINs, dubbed CCBSAGINs, which frees the sender from maintaining secret keys. Specifically, CCBSAGINs utilizes a twostep paradigm: in the first step, a sender transfers the covertly sent data to a “treasure map”; in the second step, the sender sends the treasure map (rather than the ciphertext of covertly sent data) to the receiver in a covert and secure way using another covert communication algorithm. The treasure map is instantiated by utilizing the underlying blockchain of SAGINs in tandem with an efficient index mechanism. By doing so, the ciphertext of covertly sent data would not appear in the network, a sender just needs to maintain a “transformation” algorithm, which can be updated after each communication for security reasons and does not require the sender to maintain any secret key locally. Furthermore, CCBSAGINs are compatible with existing covert communication schemes and would inherit all the features. Specifically, the contributions of this work are summarized as follows.

(1)
We propose a twostep paradigm of covert communication, where the ciphertext of covertly sent data would not appear in the network, and the receiver can extract the data from a secure transformation mechanism. We also instantiate the transformation using blockchain and an efficient index algorithm, where only lightweight cryptographic operations, e.g., hash function and comparison, are involved.

(2)
We integrate the above mechanism into a covert communication scheme and develop the system, dubbed CCBSAGINs, in blockchainintegrated SAGINs, which frees the sender from maintaining longterm cryptographic secret keys and ensures the data confidentiality even if the sender is controlled by the adversary.

(3)
We provide formal security proofs and conduct a comprehensive performance evaluation, which demonstrates that CCBSAGINs are secure and efficient.
The remainder of this paper is organized as follows. We review the related works in Section 2 and introduce the preliminaries in Section 3. We propose CCBSAGINs in Section 4 and analyze the security in Section 5. In Section 6, we conduct a performance evaluation. Finally, we conclude and look at the future work in Section 7.
2. Related works
Covert communication can be traced back to the steganography technique of the 16th century, and the core idea is to hide communication messages using a physical or chemical method known only to a receiver. Covert communication is commonly depicted using the Prisoner’s Dilemma proposed by Simmons [14]. It can be succinctly described as follows: Alice and Bob are inmates who seek to escape from prison, yet all their communications are under strict surveillance by the prison warden, Willie. Any suspicious behavior detected by him would result in harsher penalties for them. In the second half of the 20th century, with the advent of the communications Internet, covert communication schemes are often constructed using communications and Internet technology. The core is to embed the covert data in the redundant information of the ordinary transmitted data. For example, errorcorrecting codes are often used as carriers to store covert information in shortwave and satellite communications. In addition, images and videos are often used for covert transmission of data [15–22]. Ma et al. proposed a novel method by reserving room before encryption with a traditional reversible data hiding (RDH) algorithm, and thus it is easy for the data hider to reversibly embed data in the encrypted image [23]. Sharifzade et al. [24] proposed a novel Gaussian embedding model by maximizing the detection error of the most common optical detectors within the adopted statistical model. They also extended the formulation to a costbased steganography, resulting in a universal embedding scheme that improves the empirical results of current costbased and statistical modelbased approaches.
With the development of modern cryptography technology, a large number of covert communication schemes using cryptography have emerged. The core of these schemes is to embed covert data into digital signatures. Simmons constructed the first scheme using cryptographic techniques for covert communication, which successfully constructed a covert channel in the DSA [25]. Moreover, it is proved that there is also a covert channel in the ElGamal signature [26] and the ECDSA [27]. Anderson et al. found a class of covert channels in the ElGamal signature that combined the advantages of wideband and narrowband channels, that is, both the security of narrowband and wide bandwidth [26]. Jan et al. proposed two covert communication schemes based on discrete logarithms that shorten the length of required keys and digital signatures [28]. These two schemes may contain two or more covert messages in the signature, corresponding to different covert receivers, which shorten the required key and the length of the digital signature. Hartl et al. showed the existence of a broadband covert channel in the EdDSA [29] signature scheme [30]. Then they discussed the implications of the covert channel in practice using three different scenarios: broadcast clock synchronization, signed sensor data export, and classic TLS.
However, these schemes still have the problem of weak concealment of communication behaviors: the transmission of covert data depends on the generation of digital signatures, which may make adversaries notice the existence of covert channels.
To solve this problem, we started to build covert communication schemes using blockchain [31–37], because each transaction on the blockchain needs to generate a digital signature. The blockchain has the properties of antidestruction and persistent storage, and cannot be tampered with. Alsalami et al. drew attention to the potential threat of abusing uncontrolled randomness in blockchain cryptographic algorithms [38]. They proposed a new steganographic technique that affects most cryptocurrencies. Based on the novel blockchain steganographic technique, they designed and implemented a practical covert communication system. Cao et al. [39] proposed a hash chainbased covert data embedding (HCCDE) scheme. Besides, they proposed an elliptic curve DiffieHellman chainbased covert data embedding (ECDHCCDE) scheme to enhance the security of the HCCDE scheme. Luo et al. [10] proposed a covert communication method based on Bitcoin transactions.
Chen et al. did an extensive survey to investigate many covert communication schemes built on top of blockchain [40]. Gao et al. proposed a covert communication scheme for blockchain [41], which uses kleptography technology [42] to achieve high concealment and highperformance data transmission in an open network environment. Tian et al. proposed a blockchain covert channel construction scheme DLChain [43], in which dynamic labels were used instead of fixed labels to identify transactions containing covert information, and a dynamic label generation algorithm based on the statistical distribution of actual transaction data was designed to ensure the invisibility of dynamic labels. Zhang et al. proposed a covert communication method based on secret sharing and STC mapping on the public chain [44]. The method used the mapping relationship and transaction amount intertwined to complete the transmission of secret information and thus achieved covert communication. Basuki et al. proposed a smart contractbased covert channel coding SCCCE scheme [45] and combined it with the image steganography algorithm to realize a covert sending of private data for Ethereum. In this scheme, the data to be transmitted is embedded into the image, and then the URL of the image is embedded into the transaction. By using image steganography, the amount of data that can be embedded is greatly increased. Liu et al. used the VALUE field of a transaction on the Ethereum system to construct an HMACbased multiplebit embedding scheme [46]. Frkat et al. presented a method for hidden botnet communication that exploits the digital signatures used in blockchains to inject covert messages [47].
We investigate these related works and sum up a general framework. Figure 1 shows the general framework of the blockchainbased covert communication model. It should be pointed out that the sender 𝒮 and receiver ℛ need to agree on something ahead, and the covertmessageembedded transaction is indistinguishable from the general transaction.
Figure 1. Blockchainbased covert communication model 
Finally, we study schemes similar to our research line and carry out a detailed comparison in terms of confidentiality of messages, concealment of communication behaviors, anonymity of communication entities, computational costs, communication costs, cryptocurrency costs, key management issues, and ciphertext leakage issues, as shown in Table 1.
Comparison of existing blockchainintegrated covert communication schemes with CCBSAGINs
3. Preliminaries
3.1. Notation
For any string s_{1}, s_{2}, s_{1} denotes the length of s_{1}, s_{1}s_{2} denotes their concatenation. For any i ∈ ℕ^{+}, [i] denotes integer set{1, 2, …, i}. For any i, j ∈ ℕ with i < j, [i, j] denotes integer set {i, i + 1, …, j}. For any nonempty set 𝒳, x←^{$}𝒳 denotes sampling uniformly x from 𝒳. For any randomized algorithm Alg(x),y←^{$}Alg(x) denotes the random output of Alg(x). For any deterministic algorithm Alg(x),y = Alg(x) denotes the deterministic output of Alg(x). For n elements a_{1}, a_{2}, …, a_{n}, we denotes the set {a_{i}}_{i ∈ [n]} as A.
3.2. Basic theory
(1) PublicKey Encryption. A publickey encryption scheme PKE consists of the following algorithms:
 (a)
Setup(1^{n}) takes as input 1^{n} and returns the public parameter pp.
 (b)
Gen(pp) takes as input pp and returns a public/secret key pair (pk, sk).
 (c)
Enc(pk, m) takes as input pk and a plaintext m, and returns a ciphertext ct.
 (d)
Dec(sk, ct) takes as input sk and ct, and returns m′ or an abort symbol ⊥.
Correctness. PKE is correct if, let ℳ be the plaintext space, for any m ∈ ℳ,
$$\begin{array}{c}\hfill \begin{array}{c}\hfill \mathrm{Pr}[Dec(sk,ct)\ne m:pp{\displaystyle \stackrel{\mathrm{\$}}{\leftarrow}}Setup({1}^{n})\u037e(pk,sk){\displaystyle \stackrel{\mathrm{\$}}{\leftarrow}}Gen(pp)\u037ect{\displaystyle \stackrel{\mathrm{\$}}{\leftarrow}}Enc(pk,m)]\le negl(n).\end{array}\end{array}$$
Security. PKE is CPA secure for any probabilistic polynomial time (PPT) adversary 𝒜_{1} and 𝒜_{2},
$$\begin{array}{c}\hfill \begin{array}{c}\hfill {\displaystyle \mathrm{Pr}[b={b}^{\prime}:({m}_{0},{m}_{1},st)\stackrel{\mathrm{\$}}{\leftarrow}{\mathcal{A}}_{1}(pp,pk)\u037eb{\displaystyle \stackrel{\mathrm{\$}}{\leftarrow}}\{0,1\}\u037ec{t}^{\prime}\stackrel{\mathrm{\$}}{\leftarrow}Enc(pk,{m}_{b})\u037e{b}^{\prime}{\displaystyle \stackrel{\mathrm{\$}}{\leftarrow}}{\mathcal{A}}_{2}(st,c{t}^{\prime})]\frac{1}{2}\le negl(n).}\end{array}\end{array}$$
(2) Entropy Smoothing Hash Functions. Let ℋ = {H_{k}}_{k ∈ 𝒦} be a keyed hash function family associated with key space 𝒦, groups X, Y, and hash function H_{k} : X → Y. We say ℋ is entropy smoothing for any PPT adversary 𝒜, and k←^{$}𝒦, and x, x′←^{$}X,
$$\begin{array}{c}\hfill \begin{array}{c}\hfill \mathrm{Pr}[\mathcal{A}(k)\to (x\ne {x}^{\prime})\wedge {H}_{k}(x)={H}_{k}({x}^{\prime})]\le negl(n),\end{array}\end{array}$$
$$\begin{array}{c}\hfill \begin{array}{c}\hfill \mathrm{Pr}[\mathcal{A}(k,{H}_{k}(x))=1x{\displaystyle \stackrel{\mathrm{\$}}{\leftarrow}}X]\mathrm{Pr}[\mathcal{A}(k,y)=1y{\displaystyle \stackrel{\mathrm{\$}}{\leftarrow}}Y]\le negl(n).\end{array}\end{array}$$
(3) Blockchain. Blockchain [49] technology represents a secure and trusted decentralized distributed ledger, maintained by a network of interconnected nodes. This infrastructure [50, 51], devoid of a central authority, ensures that the blockchain possesses inherent security features such as immutability and unforgeability. Each node within this network maintains an identical copy of the ledger, chronicling transactions from their inception to the most recent ones. This ensures that once a transaction is recorded on the blockchain, it becomes immutable, preventing any unauthorized tampering or alteration.
When a new transaction enters the blockchain, the responsible node performs a rigorous verification process. This involves checking the digital signature of the transaction to ensure it meets the predefined criteria and standards. Once the verification is successful, the node proceeds to broadcast the transaction to all other nodes in the network. Each node then validates the transaction independently, accepting it as legitimate and adding it to their respective ledgers. This collective validation ensures the integrity and authenticity of each transaction recorded on the blockchain, fostering trust and transparency among all participants [52–54].
3.3. System and adversary model
System model. In BSAGINs, each entity that is distributed in the domains of space, air, and ground communicates with each other via the blockchain. Figure 2 depicts the system model. In CCBSAGINs, there are two entities: the sender 𝒮 and the receiver ℛ. 𝒮 and ℛ operate within distinct domains, while the blockchain refers to a blockchain integrated into the SAGINs. 𝒮 can send overt and covert messages to ℛ. Overt message transmission between 𝒮 and ℛ is facilitated through a public channel established on the blockchain. At the same time, two communication entities through which the public message flows can carry out covert communication through the covert channel. Thus, the covert message is sent.
Figure 2. System model 
Adversary model. In CCBSAGINs, there are two main types of adversaries: honest but curious receivers and network eavesdroppers.
(1) Honest but curious receiver. She or he attempts to know the identity of those utilizing the identical covert anonymous communication protocol or speculates on the sender’s identity. In comparison to network eavesdroppers, honest but curious receivers can receive the covert message, thereby affording them greater advantages in detecting. Such an adversary is an inside adversary who knows the receiver’s public key. She or he wants to know about the other pair of covert communicators while having covert communication with the sender. Furthermore, she or he wants to know the real identity of the sender with whom he is engaged in covert communication. She or he can interact with 𝒮.
(2) Network eavesdropper. The network eavesdropper detects covert channels through the act of intercepting and analyzing network traffic. Given the numerous occurrences of network eavesdropping incidents, it is reasonable to assume that the eavesdropper has robust monitoring capabilities with respect to endtoend data transmission. Since the blockchain network is public, and blockchain data is permanently stored, the network eavesdropper has enough time to detect and analyze all transaction data. Any noticeable differences will reveal covert channels. Such an adversary is an external adversary who only knows that someone on the blockchainintegrated SAGINs is conducting covert communication. She or he also cannot interact with 𝒮 and ℛ.
3.4. Design goals
We propose a twostep paradigm of covert communication, where the ciphertext of covertly sent data would not appear in the network, and the receiver can extract the data from a secure transformation mechanism. Then we integrate the above mechanism into the communication scheme and design a system, dubbed CCBSAGINs. The design goals are summarized as follows.
(1) No key management issues. In the realm of SAGINs, the volatile and dynamic nature of the environment poses unique challenges to secure communication. One such challenge is the establishment of secure key agreements, and exchanges among the various equipment and devices deployed within these networks. Given the high risk of equipment loss or compromise, traditional methods of key agreements can often become impractical or unfeasible. However, our solution, CCBSAGINs, offers an approach to this problem. CCBSAGINs stands out by enabling covert communication without the need for prior key agreements. This paradigm shift eliminates the dependency on complex and potentially vulnerable key exchange mechanisms, thus greatly simplifying the communication process.
The core advantage of CCBSAGINs lies in their ability to guarantee the concealment of communication behavior, even in the absence of a preestablished key. This means that equipment and devices within SAGINs can clandestinely transmit sensitive information or instructions without attracting undue attention or inviting security breaches. Such communication remains undetectable and untraceable. CCBSAGINs significantly enhance the security and reliability of communication in SAGINs. It not only mitigates the risks associated with equipment loss or compromise but also reduces the complexity and overhead involved in traditional key management processes. As a result, CCBSAGINs stand as a robust and efficient solution for secure communication in the dynamic and challenging environment of SAGINs.
(2) No ciphertext leakage. In CCBSAGINs, the ciphertext is not directly stored on the blockchain. 𝒮 matches the ciphertext with the transaction and then sends the transaction index to ℛ through a covert channel. After receiving the index, ℛ extracts the transaction and obtains the ciphertext from the blockchain. Therefore, the ciphertext is not leaked on the blockchain because we transfer the treasure map of the ciphertext rather than the ciphertext. However, some works [30, 41, 44, 46, 48] store the ciphertext on the INPUT field, signature, address, and so on. In this way, the ciphertext is permanently stored on the blockchain because of the blockchain’s immutable and distributed nature, which makes the ciphertext available to anyone. Although the current encryption algorithms are computational security, with the continuous progress of mathematical theory and computing technology, the existing encryption algorithms have the risk of being compromised. Once compromised, the corresponding plaintext of the ciphertext can be directly recovered by the adversary. This is the risk of ciphertext leakage.
(3) Compatible with existing public blockchain. Compatibility with existing public blockchain is crucial for the success of covert communication schemes. The reason for this lies in the fundamental nature of blockchain networks: the more normal transactions occur within the blockchain, the more effectively it camouflages communication behavior. This makes the most popular public blockchain ideal candidates for covert communication, as they boast a high volume of transactions and a widespread user base. However, to integrate covert communication into this popular public blockchain, it is essential that the communication scheme is fully compatible with the existing blockchain systems. This means that the scheme should operate seamlessly without the need to modify the core protocols of these blockchain systems. Any modifications to the underlying blockchain protocols could potentially introduce vulnerabilities or disrupt the integrity of the network, which is unacceptable. Therefore, the design of a covert communication scheme must take into account the specific characteristics and limitations of the target public blockchain. It should leverage the existing functionalities and mechanisms of the blockchain to achieve its objectives while adhering to the principles of compatibility and nonintrusive integration. By doing so, we can ensure that the covert communication scheme remains undetectable within the normal transactions of the blockchain, maintaining the security and integrity of both the communication and the blockchain network itself.
4. Proposed CCBSAGINs
In this section, we introduce the CCBSAGINs which frees the sender from maintaining longterm cryptographic secret keys and ensures data confidentiality even if the sender is controlled by the adversary. In the face of the highly complex and adversarial network environment of the SAGINs, as one of the nodes, unmanned aerial vehicle (UAV) has the risk of being controlled by adversaries. To defend against such adversaries, we consider the strongest assumption. In this application scenario, nodes in SAGINs can send messages in a covert and secure way by CCBSAGINs. CCBSAGINs consists of five algorithms Setup, TxRandom, CovertchannelSend, TxFind, and TxDec. Figure 3 shows the sketch of CCBSAGINs. Then we instantiate it.
Figure 3. Sketch of CCBSAGINs 
4.1. Paradigm
These five algorithms are listed below. Figure 4 shows all the algorithms of the scheme in detail.
 (1)
Setup(ℓ) takes as input a security parameter ℓ and returns public parameters {PKE, H_{k}, Add}, where PKE is a publickey encryption, H_{k} is an entropy smoothing hash function, and Add is an account address on a blockchain. In this algorithm, an encryption, a hash function, and a blockchain instantiation are determined.
 (2)
TxRandom(pk, dm) takes as input a public key pk of ℛ and a plaintext message m and returns transaction index set Index. In this algorithm, 𝒮 encrypts a message m with ℛ’s public key. Then the ciphertext is divided into l slices according to the length of j, and the transaction whose hash value is equal to the slice is found on the blockchain.
 (a)
𝒮 encrypts a message m with ℛ’s public key and gets ciphertext ct.
 (b)
𝒮 divides the ciphertext into l slices of length j, that is ct = ct_{1}ct_{2}⋯ct_{l} (l ⋅ j = ct,ct_{l}=j).
 (c)
𝒮 finds a transaction tx_{i} on the amount address Add whose hash value is equal to the ciphertext slice, that is ct_{i} = H_{k}(tx_{i}), and records the index value of the transaction index[i]. That is, ciphertext slices are matched with transactions one by one.
 (d)
Finally, 𝒮 gets the set of index Index. (Index = {index[i]}_{i ∈ [l]}).
 (a)
 (3)
CovertchannelSend(message) implies sending a message through a covert channel. In this algorithm, 𝒮 sends the set of index Index to ℛ through a covert channel.
 (4)
BlockchainFind(Index) takes as input a transaction index set Index and returns the transaction set Tx. In this algorithm, after receiving the index value set Index, ℛ finds the transaction corresponding to the index value on the amount address Add and finally extracts the transaction set Tx. (Tx = {tx_{i}}_{i ∈ [l]}).
 (5)
TxDec(sk, Tx) takes as input a secret key sk of ℛ and a transaction set Tx and returns m′. In this algorithm, ℛ recovers the ciphertext by computing the hash value of the transaction and finally decrypts the ciphertext into plaintext with her or his private key sk.
 (a)
ℛ computes the hash value of each transaction to obtain the ciphertext slices, that is $ct{\prime}_{i}={H}_{k}(t{x}_{i})(i\in [l])$.
 (b)
ℛ concatenates the ciphertext slices to obtain the ciphertext, that is ct′=ct′_{1}ct′_{2}⋯ct′_{l}.
 (c)
ℛ decrypts the ciphertext ct′ with private key sk. Ultimately, ℛ gets the plaintext m′.
 (a)
Figure 4. The workflow of CCBSAGINs 
4.2. Construction of the CCBSAGINs
We construct an efficient instantiation, where the PKE is based on ElGamal encryption, and the covert channel is based on [41].
(1) Setup. With the security parameter ℓ, the public parameters {p, G, g, H, Enc(⋅),Dec(⋅),Add} are determined, where G is a multiplicative group with prime order p, g is a generator of G, H : {0, 1}^{*} → Z_{p} ^{*} is entropy smoothing hash functions, Enc(⋅) is ElGamal encryption algorithm, and Dec(⋅) is ElGamal decryption algorithm, Add is an account address on the blockchain. ℛ uniformly chooses an element a in the group G as the private key, then computes g ^{a} as the public key. Thus, ℛ’s key pair is (pk, sk)=(g ^{a}, a)
(2) TxRandom. 𝒮 encrypts a message m with ℛ’s ElGamal public key. The ciphertext is divided into l slices, and each slice is 8bit. Then 𝒮 finds a transaction on the blockchain amount address Add whose hash value is equal to the slice and records the index of the transaction. Thus, ℛ gets the set of index Index.
 (a)
𝒮 uniformly chooses r←^{$}Z_{p} and computes ct = (g ^{r}, (g ^{a})^{r} ⋅ m). ct is a pair of ciphertext corresponding to the plaintext m.
 (b)
𝒮 divides the ct into l slices of length 8 bits, ct = ct_{1}ct_{2}⋯ct_{l}.
 (c)
𝒮 computes H(tx_{i}) and records index[i] the index of transaction of the blockchain address Add for which H(tx_{i})=ct_{i}. Finally, 𝒮 obtains the index set Index.
(3) CovertchannelSend. 𝒮 sends the set of index Index to ℛ through a covert channel based on [41].
(4) BlockchainFind. ℛ finds the transaction corresponding to the index on the address Add. Ultimately, ℛ obtains the transaction set Tx. Namely, ℛ extracts the transactions according to the Index.
(5) TxDec. ℛ recovers the ciphertext slices and decrypts the ciphertext into plaintext with her or his ElGamal private key sk.
 (a)
ℛ computes ct_{i}′=H(tx_{i}) and obtain the ciphertext ct′=(C_{1}, C_{2}).
 (b)
ℛ computes m′=C_{2}/(C_{1})^{a}. In the end, ℛ gets plaintext m′.
4.3. Advantages of CCBSAGINs
We compare CCBSAGINs with other works [30, 41, 44], highlighting its unique advantages in the following aspects: no key management issues, no ciphertext leakage, and low cost (especially in terms of cryptocurrency consumption). Table 2 shows the advantages of CCBSAGINs.
Comparison
(1) No key management issues. Most of the covert communication systems are built using blockchain need key agreements between 𝒮 and ℛ, such as the private key of the blockchain account, and the secret key of symmetric encryption. However, in SAGINs, due to the easy loss, damage, and capture of the device, and the complexity and fragility of the network, it is impractical to carry out key agreements between the two parties. For example, it is obviously not practical for satellites in space, charging stations on the side of the road, drones in the sky, and TV towers in the suburbs to exchange keys. Gao et al. proposed a kleptographybased covert data transmission mechanism [41], and Hartl et al. proposed a covert channel scheme in EdDSA [30], the sender and receiver need key agreement so that they can share a private key. Furthermore, Zhang et al. proposed a covert communication scheme [44], in which the sender and receiver not only share a private key of blockchain but also agree on a secret key for threshold secret sharing [55].
(2) No ciphertext leakage. The direct storage of ciphertext on the blockchain poses a risk due to its immutable and distributed nature, as advancements in mathematical theory and computing technology, particularly the advent of quantum algorithms and computers, have rendered current mainstream encryption algorithms vulnerable. Once these vulnerabilities are exploited, confidential data stored on the blockchain will be exposed, rendering this situation unacceptable. To be specific, Gao et al. proposed the kleptographybased covert data transmission mechanism that [41] stores the ciphertext in the INPUT field of the blockchain, and Hartl et al. proposed the covert channel in EdDSA [30] that stores the ciphertext in the random number in signature. However, in CCBSAGINs, the treasure map of ciphertext rather than ciphertext itself is stored on the blockchain.
(3) Low costs. The implementation of a blockchainbased covert communication system typically involves utilizing transactions as the transmission medium for concealed information, often by embedding such information within digital signatures and INPUT fields. However, conducting transactions on the blockchain necessitates fuel in the form of cryptocurrency, thereby resulting in high monetary costs associated with this type of scheme. Specifically, in proposed the kleptographybased covert data transmission mechanism [41, 𝒮 costs cryptocurrency to send a transaction on the blockchain so that can embed the covert information in the INPUT fields.
5. Security analysis
We follow the security definitions in [56, 57]. CCBSAGINs differs from ℓsenderanamorphic encryption (ℓsender AME) in [56] in only a few ways: we use the transaction index to replace anamorphic ciphertext. Thus, the security proof of our proposed scheme is based on the proof of ℓsenderAME in [56]. We analyze the security of CCBSAGINs from three aspects.
Since CCBSAGINs has the advantage of no ciphertext leakage issue, to investigate the securityenhanced extent, we add the securityenhanced analysis compared with a scheme [41] that does not have the advantage.
5.1. Confidentiality of messages
If H_{k} is modeled as a random oracle H, and PKE is CPAsecure, then CCBSAGINs is CPAsecure.
Let H_{1} denote the game for 𝒜 in ℓsenderanamorphic encryption in [56]. Game H_{2} is the same as H_{1} except that all the ciphertexts in ct are hash values sampled from H_{k}({0, 1}^{l}) uniformly, instead of generated by encrypting the plaintext. Game H_{3} is the same as H_{2} except that the (FPK, FSK) are not generated. Games H_{1}, H_{2}, and H_{3} are shown below. Since H_{1} has been proven to be CPAsecure, to demonstrate that H_{2} is also CPAsecure, it suffices to show that the PPTadversary 𝒜 cannot distinguish between a hash value and a ciphertext encrypted from a public key with a significant advantage. Therefore,
$$\begin{array}{c}\hfill \mathrm{Pr}[{\mathsf{H}}_{1}(n)=1]\le \frac{1}{2}+negl(n),\\ \hfill \mathrm{Pr}[{\mathrm{\Pi}}_{\mathcal{A}}^{\mathit{Oracle}}(n)=1]=\frac{1}{2}.\end{array}$$
Then we have
$$\begin{array}{c}\hfill \mathrm{Pr}[{\mathsf{H}}_{1}(n)=1]\mathrm{Pr}[{\mathrm{\Pi}}_{\mathcal{A}}^{\mathit{Oracle}}(n)=1]\le negl(n).\end{array}$$
Assuming that there is a PPT adversary 𝒜 who can distinguish from a significant probability the output returned by the oracle, then there must be a PPT adversary ℬ who can win H_{2} with a significant probability. However, there is no such PPT adversary 𝒜, so there is no such PPT adversary ℬ. Namely,
$$\begin{array}{c}\hfill \mathrm{Pr}[{\mathsf{H}}_{2}(n)=1]\mathrm{Pr}[{\mathrm{\Pi}}_{\mathcal{A}}^{Oracle(n)}=1]\le negl(n).\end{array}$$
In the same way, there is no such PPT adversary 𝒞 who can win H_{3} with a significant probability. We have Pr[H_{3}(n)=1]−Pr[H_{2}(n)=1] ≤ negl(n), then
$$\begin{array}{c}\hfill \mathrm{Pr}[{\mathsf{H}}_{3}(n)]=1\le negl(n).\end{array}$$
Game H_{3} corresponds to CCBSAGINs, thus CCBSAGINs is CPAsecure. This concludes the proof. ■
H_{1}(1^{n}) 
H_{2}(1^{n}) 
H_{3}(1^{n}) 
1: pp←^{$}Setup(1^{n})  pp←^{$}Setup(1^{n})  pp←^{$}Setup(1^{n}) 
2: (fpk_{i}, fsk_{i})_{i ∈ [l]}, (dpk, dsk)←^{$}Gen(pp)  (fpk_{i}, fsk_{i})_{i ∈ [l]}, (dpk, dsk)←^{$}Gen(pp)  (dpk, dsk)←^{$}Gen(pp) 
3: b←^{$}𝒜^{ENC1}(pp, FPK)  b←^{$}𝒜^{ENC2}(pp, FPK)  b←^{$}𝒜^{ENC3}(pp, FPK) 
4: return b  return b  return b 
ENC_{1}(1^{n}) 
ENC_{2}(1^{n}) 
ENC_{3}(1^{n}) 
1: R←^{$}f Random(FPK, FM, dpk, dm)  Index←^{$}Tx.Random(dpk, dm)  Index←^{$}Tx.Random(dpk, dm) 
2: return {ct_{i}}_{i ∈ [l]}  return {ct_{i}′}_{i ∈ [l]}  return {ct_{i}′}_{i ∈ [l]} 
5.2. Anonymity of communicating entities
It is well known that when a blockchain user wants to create a blockchain account, she/he does not need any identity information of herself/himself, only a string of fixed size as her/his private key. The identity of the blockchain a determined by the blockchain address, which is the hash of the public key. Thus, blockchain is an anonymous system. Therefore, the communication entities in the communication system based on blockchain also have anonymity. Despite the blockchain account being a pseudonym generated by the user that is not directly related to his or her real identity, current research shows that through heuristic analysis of transaction records, the clustering relationship of pseudonymous address can be deduced, and even the user’s real identity can be inferred [58]. Hence, the anonymity of communicating entities cannot be fully guaranteed by only using blockchain technology. The proposed solution in CCBSAGINs is as follows: communicating entities do not require blockchain accounts; rather, they only need to accomplish communication by observing transactions associated with a specific account on the blockchain. Furthermore, when communication entities need to transmit messages, we employ covert channels.
A scheme is anonymous for communicating entities if for any PPT adversary 𝒜, the tokens of communication entities are indistinguishable from the uniform string.
If Hash is modeled as a random oracle H, then CCBSAGINs are anonymous for communicating entities.
In blockchainintegrated SAGINs, every communication entity can construct an account on the blockchain without any real private information. Furthermore, the address is the identity of the blockchain account, where address = Hash(account.publickey). Because the tokens of the communication entities are the hash values, they are indistinguishable from the uniform string for any PPT adversary 𝒜. This concludes the proof. ■
5.3. Concealment of communication behaviors
Inspired by [57, 59], we define the communication behavior concealment.
A scheme is covert for communication behaviors if for any PPT adversary 𝒜, a covert message/ciphertext is indistinguishable from an overt message/ciphertext.
If PKE is a CPAsecure encryption and H_{k} is modeled as a random oracle H, then CCBSAGINs is covert for communication behaviors.
If 𝒜 succeeds in breaking communication behavior concealment in CCBSAGINs with a nonnegligible probability, we can construct an efficient 𝒜′ to break a CPAsecure PKE with a nonnegligible probability. Specifically, 𝒜′ uses 𝒜 as a subroutine and can break the PKE as follows. Oracle ℐ chooses a secret c←^{$}Z_{p} and computes H_{k}(c) and PKE.Enc(c). After 𝒜′ obtains H_{k}(c),PKE.Enc(c) from ℐ, 𝒜′ queries 𝒜 with (H_{k}(c),PKE.Enc(c)). Upon receiving (H_{k}(c),PKE.Enc(c)), 𝒜 distinguishes between the H_{k}(c) and PKE.Enc(c) with a nonnegligible probability. However, there is no such adversary that can break a CPAsecure PKE with a nonnegligible probability. Therefore, CCBSAGINs is covert for communication behaviors. This concludes the proof. ■
In a word, communication behavior concealment means that for any PPT adversary 𝒜, general ciphertexts (overt messages) and special ciphertexts (covert messages) cannot be distinguished with a significant advantage.
5.4. Security enhanced analysis
Let us recall the kleptographybased scheme in [41]. The scheme consists of two algorithms Special transaction creation and Special transaction filtering. The sketch of it is listed below.
(1) Special transaction creation(m, pk_{r}) takes as input the receiver’s public key pk_{r} and a plaintext message m, and returns a general transaction T_{n} and a special (covertmessageembedded) transaction T_{s}.
(2) Special transaction filtering(TX = {T_{0}, …, T_{n}},(pk_{r}, sk_{r})) takes as input the transaction set TX, the receiver’s public key pk_{r}, and the receiver’s private key sk_{r}, and returns a special transaction set TX_{s} and a private key extracted from a special transaction set SK_{s}.
Algorithm 1 and Algorithm 2 show the detail.
Input: The receiver’s public key: pk_{r}; The plaintext message: m.
Output: A general transaction T_{n}; A special (covertmessageembedded) transaction T_{s}.
set (pk_{s}, sk_{s}) = ECC.KeyGen(λ);
set addr = CreateAccount(pk_{s});
set e = ECC.Enc(m, pk_{s});
set data_{tn} = CreateTrans(addr, null, params_{0});
set data_{ts} = CreateTrans(addr, e, params_{1});
set K_{1} ← {0, 1}^{λ};
set σ_{n} = ECDSA.Sign(data_{tn}, sk_{s}, K_{1});
set σ_{s} = ECDSA_{KLE}.Sign(data_{ts}, sk_{s}, K_{1}, pk_{r});
set T_{n} = (data_{tn}, σ_{n});
set T_{s} = (data_{ts}, σ_{s});
return T_{n}, T_{s}.
Input: The transaction set TX; The receiver’s public key pk_{r}; The receiver’s private key sk_{r}.
Output: A special transaction set TX_{s}; A private key extracted from a special transaction set SK_{s}.
init TX_{s} = {}, SK_{s} = {};
for i = 0; i ≤ n; i ++ do
extract addr_{i} from T_{(n−1)};
find last transaction T^{prev}_{(n−1)} associated with input address addr_{i};
extract σ_{(n−i)} from T_{(n−i)};
extract σ^{prev}_{(n−i)} from T_{(n−i)};
set sk_{i} = skExtract(T_{(n−i)}, T^{prev}_{n−i}, σ_{(n−i)}, σ^{prev}_{n−i}, sk_{r}, pk_{r}, pk_{s});
set pk_{i} = ECC.generatePk(sk_{i});
if pk_{s} ≠ pk_{i} then
i++;
continue;
else
add T_{(n−i)} to TX_{s};
add sk_{i} to SK_{s};
i++;
end;
return TX_{s}, SK_{s}.
If 𝒜 succeeds in breaking CPA in the kleptographybased scheme with a nonnegligible probability, we can construct an efficient 𝒜′ to break a CPAsecure ECC with a nonnegligible probability. However, there is no such 𝒜′. Therefore, there is no such 𝒜. This concludes the proof. ■
If the ciphertext is stored on the INPUT field of a transaction directly, then the kleptographybased scheme is not covert for communication behaviors.
Because it stores the ciphertext on the INPUT field of a transaction, the 𝒟 can distinguish between the general transaction from the special transaction (covertmessageembedded transaction). Therefore, the kleptographybased scheme is not covert for communication behaviors. This concludes the proof. ■
This scheme is CPA secure. However, it has a fatal drawback: it stores the ciphertext directly on the INPUT field of a transaction, which makes the ciphertext available to anyone. In CCBSAGINs, the ciphertext is generated by transactions on the blockchain as a “seed” because of ct_{i} = H(tx_{i}). The ciphertext does not appear on the blockchain, the “seed” is stored on the blockchain.
6. Performance evaluation
We implement a prototype in Python 3.9 and conduct experiments to evaluate the performance with a security parameter of 1024 bits, and PKE is implemented using ElGamal encryption. The experiments are conducted on a laptop with Windows 10, an AMD Ryzen 7 5800H with Radeon Graphics 3.2 GHz CPU, and 32 GB 3200 Mhz DDR4 of RAM. Ethereum is used as the underlying blockchain and Etherscan is used as the Application Programming Interface (API) function.
There are five algorithms in CCBSAGINs, and we will analyze each algorithm one by one. First, Setup usually takes about 1 second with a security parameter of 1024 bits. Since ℛ will not update the secret key frequently in a short period of time, Setup is not executed every time. Thus, its costs are very small. Then TxRandom includes the encryption and matching, therefore, it takes high. CovertchannelSend depends on the specific covert channel algorithm, we do not consider its costs here. BlockchainFind extracts the ciphertext from the transactions and its costs between TxRandom and TxDec. TxDec is a decryption process, which only consumes at the millisecond level.
Since blockchain technology is used, the costs of cryptocurrency on the blockchain should also be considered.
Furthermore, we compare computational, communication, and cryptocurrency costs of CCBSAGINs with the kleptographybased scheme in [41], the Shamir thresholdbased scheme in [44], the EdDSAbased subliminal channel in [30], the Hashbased multiplebit embedding scheme in [46], and the Zcashbased subliminal channel in [48]. Table 1 and Figure 5 show the comparison.
Figure 5. Costs. (a) Enc/Dec delay. (b) Match/Extract delay. (c) Matched slices. (d) Transactions costs. (e) Ciphertext costs. (f) Parameter size. (g) Extract delay. (h) Matching delay. (i) Cryptocurrency costs comparison. (j) Computational costs. (k) Communication costs. (l) Cryptocurrency costs. 
6.1. Computational costs
We evaluate the computational costs in two aspects.
Sender. The delay of 𝒮 is mainly divided into two parts: encryption delay and matching delay. It should be pointed out that because 𝒮 needs to connect to Ethereum, the delay in connecting to Ethereum is related to Ethereum service providers and network connectivity. Since this is not the focus of this paper, we ignore this part of the delay. With a security parameter of 1024 bits, the encryption delay is usually in the order of milliseconds. However, the matching delay is usually in the order of seconds. Furthermore, the ciphertext is divided into 256 slices according to the length of 8 bits. Figure 5a shows the encryption delay of the sender, Figure 5b shows the matching delay of the sender, and the independent variable is the number of ciphertexts. Figures 5a and 5b show us that the relationship between the number of ciphertexts and the delay is linear. The simulation test shows that it takes about 1600 transactions to match the 256 slices completely. Figure 5c shows the relationship between the number of transactions and matched ciphertext slices. Clearly, they are logarithmic. 𝒮 gets the ciphertext of size 2048 bits, and it takes 1600 transactions to match. Though a transaction costs about 1 MB, we only need the transaction index to cost about 256 bits. Thus, the 1600 transactions of indexes are about 50 KB. Figure 5d shows the relationship between the number of ciphertexts and transaction index costs. Finally, a 2048bit ciphertext needs 50 KB transaction indexes based on CCBSAGINs.
Receiver. As mentioned earlier, we also ignore this part of the delay for the receiver to connect to Ethereum. The delay of ℛ is mainly divided into two parts: decryption delay and extraction delay. Figure 5a and 5b show the decryption and extraction delay. Compared to 𝒮, the delay of decryption and extraction is much lower.
Comparison. Figure 5g shows the relationship between the number of ciphertexts and extracting delay. It can be seen that for every 100 ciphertexts, our extraction delay is 10 seconds, and that of the scheme [41] is 1920 seconds. Figure 5h shows the relationship between the number of ciphertexts and matching delay. It can be seen that for every 100 ciphertexts, our matching delay is 26.47 s, and that of the scheme [41] is 145.6 s. Thus, CCBSAGINs are much lower than [41] in the computational costs. Figure 5j shows the computational cost comparison of CCBSAGINs with other schemes [30, 41, 48].
Table 3 shows the computational costs corresponding to each ciphertext in detail.
Computational costs
6.2. Communication costs
We evaluate the communication costs in two aspects.
Sender. For instantiation of CCBSAGINs, we use ElGamal encryption as the building block of PKE with a security parameter of 1024 bits and Ethereum as the building block of the blockchain. Thus the public parameters are {p, G, g, H, Add}. The prime order p and the generator g determine the multiplicative group G. Add in the address of Ethereum and is 256 bits in size. Therefore, the size of public parameters is 2304 bits. Figure 5f shows the relationship between the number of ciphertexts and the size of public parameters, and comparison with [41].
Receiver. ℛ obtains the about transactions indexes of size 50 KB from the covert channel and extracts the ciphertext of size 2048 bits, namely 256 Bytes. Figure 5e shows the relationship between the number of ciphertexts and ciphertexts costs, and the comparison with [41].
ℛ obtains transaction indexes of approximately 50 KB in size from the covert channel and extracts ciphertexts sized at 2048 bits, equivalent to 256 Bytes. The relationship depicted in Figure 5e demonstrates how the number of ciphertexts impacts the overall cost.
Communication costs
Table 4 shows the communication costs corresponding to each ciphertext in detail. Figure 5k shows the communication costs comparison of CCBSAGINs with other schemes [30, 41, 44, 46].
6.3. Cryptocurrency costs
The application of blockchain usually requires cryptocurrency, and the relationship between blockchain and cryptocurrency is similar to the relationship between car and fuel oil. Cryptocurrency is required to perform transactions on the blockchain, invoke smart contracts, and so on, but not for every operation, such as viewing transactions on the blockchain, cryptocurrency is not required. As the proposed scheme in this paper, we match the existing transactions on the blockchain with the ciphertext. It is essentially a lookup process and does not require the use of cryptocurrency. However, the proposed scheme in [41] must use cryptocurrency, because their scheme needs to send transactions on the blockchain. Furthermore, a lot of covert communication schemes based on blockchain require sending transactions. The costs of cryptocurrency are very high, and the channel capacity of the covert communication scheme constructed by the blockchain is measured in bits. Therefore, the overhead of cryptocurrency is very large using this kind of covert communication scheme. For example, the proposed scheme in [41] requires approximately $ 0.122 in cryptocurrency per 80 Bytes. But CCBSAGINs do not require cryptocurrency and cost $ 0 per 80 Bytes. Figure 5i shows the relationship between cryptocurrency costs and covert data size of the scheme [41] and CCBSAGINs. Figure 5l shows the cryptocurrency costs comparison of CCBSAGINs with other schemes [41, 44, 48].
7. Conclusion
In this paper, we have proposed a twostep paradigm of covert communication, where the ciphertext of covertly sent data would not appear in the network and the receiver can extract the ciphertext from a secure transformation mechanism. We also have instantiated the transformation using blockchain and an efficient index algorithm. Furthermore, we have integrated the above mechanism into a covert communication scheme and developed a system, in which we have formally proven the security and conducted a comprehensive performance evaluation.
For future work, we will investigate how to further reduce the computational and communication costs introduced by deploying CCBSAGINs, since the devices in SAGINs have limited computation and network resources. The covert communications between the devices should be conducted as efficiently as possible. We will research on how to design a more efficient instantiation while achieving the same security guarantee as CCBSAGINs.
Conflict of interest
The authors declare that they have no conflict of interest.
Data Availability
No data are associated with this article.
Authors’ Contributions
Weijia Li and Yuan Zhang designed and coordinated the research program; Weijia Li, Yuan Zhang, and Xinyu He set up the methodology; Xinyu He and Yaqing Song performed the analyses; and Weijia Li and Yuan Zhang wrote the manuscript.
Acknowledgments
We thank all anonymous reviewers for their helpful comments and suggestions.
Funding
This work was supported in part by the National Key R&D Program of China under Grant 2023YFB3106500; in part by the Young Elite Scientists Sponsorship Program by the China Association for Science and Technology (CAST) under Grant 2022QNRC001; in part by the Sichuan Science and Technology Program under Grant 2022ZDZX0038 and Grant 2023ZYD0142.
References
 Shang B, Yi Y and Liu L. Computing over spaceairground integrated networks: Challenges and opportunities. IEEE Network 2021; 35: 302–309 [CrossRef] [Google Scholar]
 Bao Z, Luo M, Wang H, et al. Blockchainbased secure communication for space information networks. IEEE Network 2021; 35: 50–57. [CrossRef] [Google Scholar]
 Ali M, Nelson J, Shea R, et al. Blockstack: A global naming and storage system secured by blockchains. In: Proc. USENIX ATC, 2016, 181–194. [Google Scholar]
 Tomescu A and Devadas S. Catena: Efficient nonequivocation via bitcoin. In: Proc. IEEE S & P, 2017, 393–409. [Google Scholar]
 Yang N, Guo D, Jiao Y, et al. Lightweight blockchainbased secure spectrum sharing in spaceairground integrated iot network. IEEE Internet Things J 2023; 10: 20 511–20 527. [Google Scholar]
 Liu X, Yang A, Huang C, et al. Decentralized anonymous authentication with fair billing for spaceground integrated networks. IEEE Trans Veh Technol 2021; 70: 7764–7777. [CrossRef] [Google Scholar]
 Huang C, Xue L, Liu D, et al. Blockchainassisted transparent crossdomain authorization and authentication for smart city. IEEE Internet Things J 2022; 9: 17 194–17 209. [Google Scholar]
 Wang D, Qi P, Zhao Y, et al. Covert wireless communication with noise uncertainty in spaceairground integrated vehicular networks. IEEE Trans Intell Transp Syst 2021; 23: 2784–2797. [Google Scholar]
 Chen X, Chang Z, Tang J, et al. Uavaided multiantenna covert communication against multiple wardens. In: Proc. IEEE ICC, 2021, 1–6. [Google Scholar]
 Luo X, Zhang P, Zhang M, et al. A novel covert communication method based on bitcoin transaction. IEEE Trans. Ind. Inform., vol. 18, no. 4, pp. 2830–2839, 2021. [Google Scholar]
 Yang B, Taleb T, Fan Y, et al. Mode selection and cooperative jamming for covert communication in d2d underlaid uav networks. IEEE Network 2021; 35: 104–111. [CrossRef] [Google Scholar]
 Jadav NK, Rathod T, Gupta R, et al. Blockchainbased secure and intelligent data dissemination framework for uavs in battlefield applications. IEEE Commun Stand Mag 2023; 7: 16–23 [CrossRef] [Google Scholar]
 Saraswat D, Bhattacharya P, Singh A, et al. Secure 5gassisted uav access scheme in iobt for region demarcation and surveillance operations. IEEE Commun Stand Mag 2022; 6: 58–66 [CrossRef] [Google Scholar]
 Simmons GJ. The prisoners’ problem and the subliminal channel. In: Proc. CRYPTO, 1984, 51–67. [Google Scholar]
 Luo Y, Qin J, Xiang X, et al. Coverless realtime image information hiding based on image block matching and dense convolutional network. J RealTime Image Process 2020; 17: 125–135. [CrossRef] [Google Scholar]
 Peng F, Lin Z, Zhang X, et al. Reversible data hiding in encrypted 2d vector graphics based on reversible mapping model for real numbers. IEEE Trans Inf Forensics Secur 2019; 14: 2400–2411. [CrossRef] [Google Scholar]
 Long M, Peng F and Li Hy. Separable reversible data hiding and encryption for hevc video. J RealTime Image Process 2018; 14: 171–182. [CrossRef] [Google Scholar]
 Liao X, Yu Y, Li B, et al. A new payload partition strategy in color image steganography. IEEE Trans Circuits Syst Video Technol 2019; 30: 685–696. [Google Scholar]
 Wang Z, Feng Shen L, et al. Cover selection for steganography using image similarity. IEEE Trans Dependable Secur Comput 2022; 20: 920–935. [Google Scholar]
 Qiao T, Luo X, Wu T, et al. Adaptive steganalysis based on statistical model of quantized dct coefficients for jpeg images. IEEE Trans Dependable Secur Comput 2019; 18: 2736–2751. [Google Scholar]
 Zhang Y, Luo X, Wang J, et al. Image robust adaptive steganography adapted to lossy channels in open social networks. Inf Sci 2021; 564: 306–326. [CrossRef] [Google Scholar]
 Mohsin AH, Zaidan A, Zaidan B, et al. Pso–blockchainbased image steganography: towards a new method to secure updating and sharing covid19 data in decentralised hospitals intelligence architecture. Multimed Tools Appl 2021; 80: 14 137–14 161. [Google Scholar]
 Ma K, Zhang W, Zhao X, et al. Reversible data hiding in encrypted images by reserving room before encryption. IEEE Trans Inf Forensics Secur 2013; 8: 553–562. [CrossRef] [Google Scholar]
 Sharifzadeh M, Aloraini M and Schonfeld D. Adaptive batch size image merging steganography and quantized gaussian image steganography. IEEE Trans Inf Forensics Secur 2019; 15: 867–879. [Google Scholar]
 Simmons GJ. Subliminal communication is easy using the dsa. In: Proc. EUROCRYPT, 1993, 218–232. [Google Scholar]
 Anderson R, Vaudenay S, Preneel B, et al. The newton channel. In: Proc. IH, 1996, 151–156. [Google Scholar]
 Bohli JM, González Vasco MI and Steinwandt R. A subliminalfree variant of ecdsa. In: Proc. IH, 2007, 375–387. [Google Scholar]
 Jan JK and Tseng YM. New digital signature with subliminal channels based on the discrete logarithm problem. In: Proc. IEEE CMC, 1999, 198–203. [Google Scholar]
 Bernstein DJ, Duif N, Lange T, et al. Highspeed highsecurity signatures. J Cryptogr Eng 2012; 2: 77–89. [CrossRef] [Google Scholar]
 Hartl A, Annessi R and Zseby T. A subliminal channel in eddsa: Information leakage with highspeed signatures. In: Proc. ACM CCS, 2017, 67–78. [Google Scholar]
 Li Y, Ding L, Wu J, et al. Research on a new network covert channel model in blockchain environment. J Commun 2019; 40: 67–79. [Google Scholar]
 Partala J. Provably secure covert communication on blockchain. Cryptography 2018; 2: 18. [CrossRef] [Google Scholar]
 Zhang P, Cheng Q, Zhang M, et al. A group covert communication method of digital currency based on blockchain technology. IEEE Trans Network Sci Eng 2022; 9: 4266–4276. [CrossRef] [Google Scholar]
 Zhang L, Zhang Z, Wang W, et al. Research on a covert communication model realized by using smart contracts in blockchain environment. IEEE Syst J 2021; 16: 2822–2833. [Google Scholar]
 Zhang L, Zhang Z, Wang W, et al. A covert communication method using special bitcoin addresses generated by vanitygen. Comput Mat Contin 2020; 65: 597–616. [Google Scholar]
 Torki O, AshouriTalouki M and Mahdavi M. Blockchain for steganography: Advantages, new algorithms and open challenges. In: Proc Int ISC Conf Inf Secur Cryptol, 2021, 1–5. [Google Scholar]
 Xu M, Wu H, Feng G, et al. Broadcasting steganography in the blockchain. In: Proc. IWDW, 2020, 256–267. [Google Scholar]
 Alsalami N and Zhang B. Uncontrolled randomness in blockchains: Covert bulletin board for illicit activity. In: Proc. IEEE IWQoS, 2020, 1–10. [Google Scholar]
 Cao H, Yin H, Gao F, et al. Chainbased covert data embedding schemes in blockchain. IEEE Internet Things J 2020; 9: 14 699–14 707. [Google Scholar]
 Chen Z, Zhu L, Jiang P, et al. Blockchain meets covert communication: A survey. IEEE Commun Surv Tutorials 2022; 24: 2163–2192. [CrossRef] [Google Scholar]
 Gao F, Zhu L, Gai K, et al. Achieving a covert channel over an open blockchain network. IEEE Network 2020; 34: 6–13. [CrossRef] [Google Scholar]
 Young A and Yung M. The prevalence of kleptographic attacks on discretelog based cryptosystems. In: Proc. CRYPTO, 1997, 264–276. [Google Scholar]
 Tian J, Gou G, Liu C, et al. Dlchain: A covert channel over blockchain based on dynamic labels. In: Proc. ICICS, 2020, 814–830. [Google Scholar]
 Zhang P, Cheng Q, Zhang M, et al. A blockchainbased secure covert communication method via shamir threshold and stc mapping. IEEE Trans Dependable Secur Comput 2024. [Google Scholar]
 Basuki AI and Rosiyadi D. Joint transactionimage steganography for high capacity covert communication. In: Proc. IC3INA, 2019, 41–46. [Google Scholar]
 Liu S, Fang Z, Gao F, et al. Whispers on ethereum: Blockchainbased covert data embedding schemes. In: Proc. ASIACCS, 2020, 171–179. [Google Scholar]
 Frkat D, Annessi R and Zseby T. Chainchannels: Private botnet communication over public blockchains. In: Proc. IEEE CPSCom, 2018, 1244–1252. [Google Scholar]
 Biryukov A, Feher D and Vitto G. Privacy aspects and subliminal channels in zcash. In: Proc. ACM CCS, 2019, 1813–1830. [Google Scholar]
 Nakamoto S. Bitcoin: A peertopeer electronic cash system, 2008. [Google Scholar]
 Bonneau J, Miller A, Clark J, et al. Sok: Research perspectives and challenges for bitcoin and cryptocurrencies. In: Proc. IEEE S & P, 2015, 104–121. [Google Scholar]
 Shen M, Tang X, Zhu L, et al. Privacypreserving support vector machine training over blockchainbased encrypted iot data in smart cities. IEEE Internet Things J 2019; 6: 7702–7712. [CrossRef] [Google Scholar]
 Zhang Y, Xu C, Cheng N, et al. Chronos^{+}: An accurate blockchainbased timestamping scheme for cloud storage. IEEE Trans Serv Comput 2019; 13: 216–229. [Google Scholar]
 Zhang Y, Xu C, Lin X, et al. Blockchainbased public integrity verification for cloud storage against procrastinating auditors. IEEE Trans Cloud Comput 2019; 9: 923–937. [Google Scholar]
 Li S, Zhang Y, Xu C, et al. Healthfort: A cloudbased ehealth system with conditional forward transparency and secure provenance via blockchain. IEEE Trans Mob Comput 2022; 22: 6508–6525. [Google Scholar]
 Shamir A. How to share a secret. Commun ACM 1979; 22: 612–613. [CrossRef] [Google Scholar]
 Wang Y, Chen R, Huang X, et al. Senderanamorphic encryption reformulated: Achieving robust and generic constructions. In: Proc. ASIACRYPT, 2023, 135–167. [Google Scholar]
 Von Ahn L and Hopper NJ. Publickey steganography. In: Proc. EUROCRYPT, 2004, 323–341. [Google Scholar]
 Kappos G, Yousaf H, Maller M, et al. An empirical analysis of anonymity in zcash. In: Proc. USENIX Security, 2018, 463–477. [Google Scholar]
 Hopper NJ, Langford J and Von Ahn L. Provably secure steganography. In: Proc. CRYPTO, 2002, 77–92. [Google Scholar]
Weijia Li received his B.Sc. degree from the University of Electronic Science Technology of China (UESTC), China, in 2022. He is currently a master student in the School of Computer Science and Engineering (School of Cyber Security) at the University of Electronic Science Technology of China. His research interests are applied cryptography, data security, and blockchain technology.
Yuan Zhang received his B.Sc. and Ph.D. degrees from the University of Electronic Science Technology of China (UESTC), China, in 2013 and 2019, respectively. He was a Visiting Ph.D. Student with BBCR Lab, Department of ECE, University of Waterloo, Canada, from 2017 to 2019. He is currently an Assistant Professor at the School of Computer Science and Engineering at UESTC. His research interests include applied cryptography, data security, and blockchain technology.
Xinyu He received her M.E. degree from Xidian University, China, in 2022. She is currently working toward a Ph.D. degree in the School of Computer Science and Engineering (School of Cybersecurity) at the University of Electronic Science Technology of China. Her research interests include applied cryptography, data exchange, and data security.
Yaqing Song received her B.Sc. degree from the University of Electronic Science Technology of China (UESTC), China, in 2021. She is currently a master student in the School of Computer Science and Engineering at the University of Electronic Science and Technology of China. Her research interests are applied cryptography and data security.
All Tables
Comparison of existing blockchainintegrated covert communication schemes with CCBSAGINs
All Figures
Figure 1. Blockchainbased covert communication model 

In the text 
Figure 2. System model 

In the text 
Figure 3. Sketch of CCBSAGINs 

In the text 
Figure 4. The workflow of CCBSAGINs 

In the text 
Figure 5. Costs. (a) Enc/Dec delay. (b) Match/Extract delay. (c) Matched slices. (d) Transactions costs. (e) Ciphertext costs. (f) Parameter size. (g) Extract delay. (h) Matching delay. (i) Cryptocurrency costs comparison. (j) Computational costs. (k) Communication costs. (l) Cryptocurrency costs. 

In the text 
Current usage metrics show cumulative count of Article Views (fulltext article views including HTML views, PDF and ePub downloads, according to the available data) and Abstracts Views on Vision4Press platform.
Data correspond to usage on the plateform after 2015. The current usage metrics is available 4896 hours after online publication and is updated daily on week days.
Initial download of the metrics may take a while.