Welcome to the second part of the 12th lecture.

In this part we will introduce an anonymization technique that is known as zero coin.

The idea is essentially the following.

The idea is to start with a certain base coin.

Let's call this our base coin.

That can be anything.

That can, for example, be Bitcoin.

And then we add anonymity to the base coin.

So how can we do this without actually changing the base coin from scratch and essentially

creating a new fork or an entire new currency?

So the idea is to create a mechanism that can convert the base coin into a zero coin.

So there's one mechanism where you convert any base coin into a zero coin.

And then you essentially can convert the zero coin back to the base coin.

So what did we gain from this?

Well the hope is, and this is why we make this conversion, that this conversion allows

us to break the link.

So the hope is, and also the goal, to break the link during this conversion.

Okay, so essentially the first direction here is to get a coin that is in some sense

anonymous and then to convert it back into the base currency.

And then the hope is that essentially the link in between is lost such that you are

not aware that the coin that you previously converted is essentially converted back to

the new coin.

So this means that we have two different coins that serve different purposes.

So first thing is the base coin.

And the base coin is the one that the user transacts in this currency.

So this is used for transactions.

And then we have the zero coin.

And this is the mechanism to trade base coins such that they are linkable.

So here for the zero coin we need an additional property in many cases.

Right, I mean in some sense we need to make sure that the zero coin cannot be used to

create as many base coins as you want.

So somehow what we need is essentially a proof that binds these coins together in some sense.

So we can see also the zero coin in an alternative way.

And this view is essentially the following that you can really think of this coin as

a proof pi.

And this proof pi essentially says that the user owned a base coin.

Right, and as I just said we need to make sure that the user is not creating as many

coins as he wants.

And therefore this proofing must include something that the user made the coin unspendable.

The reason is if we would not do that then we could essentially create coins out of the

blue.

Right, so if we start from some base coin and we create a zero coin here then we need

to make sure that the adversary is not using this mechanism to create a second one and

a third one and so on.

And then the privacy property once we go back, right, essentially from this coin once we

go back would then essentially mean we could apply this to any coin and then the adversary

could have created essentially many coins, many zero coins out of the single coin and

therefore we need to have this proof that whenever we are doing this transformation

the other coin cannot be spent anymore.

Right, I mean another attack of course would be that you transfer this coin, you get the