Paper 2018/1184

Uncontrolled Randomness in Blockchains: Covert Bulletin Board for Illicit Activity

Nasser Alsalami and Bingsheng Zhang


Public blockchains can be abused to covertly store and disseminate potentially harmful digital content. Consequently, this threat jeopardizes the future of such applications and poses a serious regulatory issue. In this work, we show the severity of the problem by demonstrating that blockchains can be exploited as a covert bulletin board to secretly store and distribute arbitrary content. More specically, all major blockchain systems use randomized cryptographic primitives, such as digital signatures and non-interactive zero-knowledge proofs, and we illustrate how the uncontrolled randomness in such primitives can be maliciously manipulated to enable covert communication and hidden persistent storage. To clarify the potential risk, we design, implement and evaluate our technique against the widely-used ECDSA signature scheme, the CryptoNote's ring signature scheme, and Monero's ring condential transactions. Importantly, the signicance of the demonstrated attacks stems from their undetectability, their adverse eect on the future of decentralized blockchains, and their serious repercussions on users' privacy and crypto funds. Finally, besides presenting the attacks, we examine existing countermeasures and devise two new steganography-resistant blockchain architectures to practically thwart this threat in the context of blockchains.

Available format(s)
Publication info
Preprint. MINOR revision.
BlockchainSteganographyKleptographyASACovert Broadcast ChannelsContent InsertionWallet Subversion
Contact author(s)
n alsalami @ lancaster ac uk
2019-02-20: last of 3 revisions
2018-12-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Nasser Alsalami and Bingsheng Zhang},
      title = {Uncontrolled Randomness in Blockchains: Covert Bulletin Board for Illicit Activity},
      howpublished = {Cryptology ePrint Archive, Paper 2018/1184},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.