Welcome to the 16th lecture of privacy preserving cryptocurrencies.

I am Davinic Schröder.

As always, I will briefly recall what we did in the previous lecture and then we discuss

what will be covered today and then we give an outline where we actually are within this

course.

In the last lecture, we started with a nice formalization of confidential transactions.

We have learned that this is essentially the basis for Monero.

We also started to discuss the underlying security properties and in particular, we

discussed the notion of balance.

In this lecture, we will continue towards the formalization of ring confidential transactions

and in particular, we will take a look at the security notion called non-slenderability

and privacy.

Since these notions are a little bit involved, we need some time to define and discuss the

corresponding oracles that are there.

Finally, we would like to understand how can we actually construct such a scheme.

And here we will start by looking at the generic construction.

And this generic construction requires certain building blocks that we will introduce.

In particular, we will introduce something that is called a tagging scheme.

And we will discuss why this is actually useful and in which part we actually need this.

So with respect to our lecture, we finished most of the building blocks.

In particular, we also finished the part on how to have privacy on top of Bitcoin.

And we started with the first cryptocurrency that has privacy built inside and this is

Monero.

We started with our introduction where we essentially said why do we need privacy preserving

cryptocurrencies and what is the difference to what we've seen so far.

We then discussed the different approaches that we have.

We learned that Dash is closely related to what you have learned before.

And now we started with the first real privacy preserving cryptocurrency which is Monero.

We started with the formalization of confidential transactions, which was the first part.

And then in this part today, we are working on the privacy notions, on the further security

notions and on the generic construction.

So we discussed the generic construction because this nicely abstracts away or basically nicely

explains what is the basic design idea underneath this currency.

And once we have finished this block, then we will go to cryptocurrency called Zerocash.

So we are covering both privacy preserving cryptocurrencies because they follow different

design choices.

In particular, Monero is based on a certain type of ring signatures and it obtains an

anonymity level that is weaker than Zerocash.

On the other hand, it requires significantly less or weaker assumption than Zerocash.

So here we see a nice trade-off between assumptions on the one hand and the security properties

that we obtain on the other hand.

Welcome to the lecture Privacy Preserving Cryptocurrencies.

We are now on lecture 15 and my name is Dominik Schroderhoff.

So let me briefly recall what you did in the past lectures.

When the past lectures, we started with the topic of privacy preserving cryptocurrencies

and we are now in the section where we talk about Monero.

As you know, the underlying cryptographic primitive of formalization of Monero, this is essentially

called ring confidential transactions after the introduction, after the main fork.

And there are several prior works in this area that try to formalize Monero.

Some of them did this before the introduction of ring confidential transactions, but none