Welcome to the 11th lecture of Privacy Preserving Cryptocurrencies.
My name is Dominik Schröder.
As always, I will review what we did in the previous lecture and then I'll give a short
outline of what we're going to do in this lecture.
And afterwards, we will take a look at how everything fits into the overall context of this class.
So in the previous lecture, we started with the anonymization of Bitcoin.
We in particular learned that Bitcoin does not achieve anonymity.
It achieves a certain form of pseudonymity, but at the end of the day, everything is linked
together over the blockchain.
So we started this lecture by understanding what anonymity actually means.
Afterwards, we started with the definition of unlinkability.
We also discussed the basics of the anonymizing Bitcoin.
We in particular discussed some very simple heuristic that essentially said, for example,
if a certain payment is done from two different addresses, because for example, the value
was not sufficient, then most likely the person doing the payment has control over both addresses.
And this is a transitive relation and in particular allows you to make conclusions about previous
payments that led to the current address that is used.
We then discussed mixing services and principles.
Here we've seen that there are actually certain businesses that are offering mixing services
for you.
But the problem with all of these approaches, of course, is that you have to trust these
services.
This is really not in the spirit of Bitcoin.
And therefore we started our journey looking at decentralized mixings.
And we discussed two different protocols here.
The first one is the CoinJoin protocol.
And the second one that we discussed is CoinShuffle.
So remember that the idea of CoinJoin was the following.
The basic idea was that certain people meet, for example, Alice, Bob, and Carol, and ideally
they wish to mix the same value.
And then, for example, we might end up with such a mapping.
For example, C might go to A, A might go to B, and B might go to C.
So the basic idea was that the participants in this protocol essentially agree on this
permutation pi here.
And only the participants of the protocol, of course, know this permutation.
And therefore, at least as long as they're essentially honest, nobody can tell from the
outside how the mix was realized.
So a slightly more advanced solution is the one that essentially hides or tries to hide
the permutation.
So the setting is very similar as before, but now the difference is that we are replacing
this random permutation or this permutation here with something that is hidden in a cryptographic
protocol.
So in this lecture, we are following essentially this path.
But the first thing that we observe are the weaknesses of these approaches.
So let's think about it for a second.
What could a possible weakness be?
And again, you might want to pause the video here and think on it on your own.
This is actually how research often works.
You see a proposal, you see a state of the art solution, and then you start wondering
is this actually the optimal solution that we have out there or is there anything that
Presenters
Accessible via: Open access
Duration: 01:30:35 min
Recording date: 2021-05-25
Uploaded on: 2021-05-25 13:26:14
Language: en-US
Preliminaries for advanced anonymization techniques: signature of knowledge and cryptographic accumulator