Blockchains are decentralized and immutable databases that are shared among
the nodes of the network. Although blockchains have attracted a great deal of
attention in recent years by disrupting traditional financial systems,
transaction privacy is still a challenging issue that needs to be addressed
and analysed. In the first part of this paper, we propose a Private Token
Transfer System (PTTS) for the Ethereum public blockchain. For the proposed
framework, a zero-knowledge-based protocol has been designed using Zokrates and
integrated into our private token smart contract. With the help of the web user
interface we designed, end users can interact with the smart contract without
any third-party setup. In the second part of the paper, we provide a security and
privacy analysis covering the replay attack and the balance range privacy
attack, which we model as a network flow problem. It is shown that, if some
balance ranges are deliberately leaked to particular organizations or
adversarial entities, meaningful information about user balances can be
extracted by employing minimum cost flow network algorithms, which have
polynomial complexity. The experimental study reports the Ethereum gas
consumption and proof generation times for the proposed framework. It also
reports network solution times and goodness rates for a subset of addresses
under the balance range privacy attack with respect to the number of addresses,
the number of transactions and the ratio of leaked transfer transaction
amounts.