Welcome to the lecture Privacy Preserving Cryptocurrencies.
My name is Dominik Schröder and we are now in lecture number 18.
So let me begin this lecture with a short review of what we did in the previous lecture
and also give you an outline of what the content of this class is.
Finally, we will take a look at where we actually are in the entire lecture.
So in the last lecture we started with a generic construction
of ring confidential transactions.
The core of the ring confidential transactions is the formalization of the cryptocurrency
Monero.
And for this we introduced something that we called a label public encryption scheme
and we also discussed the specific instantiation.
Furthermore, we discussed that one of the components is a homomorphic commitment scheme.
We also need a tagging scheme to bind the secret key.
And we also, and that was actually the content, the main content of the last lecture was the
signature of knowledge.
And in particular we discussed the language that we require in order to prove the scheme
and we formally described this language.
And of course the question is why is this necessary and the answer is yes we can have
generic zero knowledge proofs but they are quite inefficient and therefore we try to
be as specific and as precise as possible about this language.
And then we identified the corresponding that we need as a language that we call a group
arithmetic circuit satisfiability.
So the content of this lecture that will be given by Russell will in fact be very technical.
That's probably the most technical class that we have in the entire course.
And this lecture is mainly, or we mainly view it as the intuition behind the formal stuff
and we encourage you to take a look at the script for the precise formalization.
So in particular what Russell will present in this lecture is the zero knowledge succinct
arguments of knowledge for group arithmetic circuit satisfiability.
So we will essentially begin this lecture by describing how can we actually express
such a circuit, what are the operations that we need to cover and once we did this we again
try to find a useful equivalent representation on which we can essentially work better.
So with respect to our timeline we are almost at the end of the entire lecture with me which
means we finished the basic building blocks of course of crypto, of number theory and
also to achieve privacy in the setting of Bitcoin.
And now we are essentially at the very last lecture of Monero.
And as you can imagine this is essentially of course the most technical lecture of the
entire class.
Once we finish this we will go or we will continue looking at Zcash.
So thank you for your attention and enjoy the lecture given by Russell.
Welcome to chapter 8, zero knowledge succinct argument of knowledge for group arithmetic
circuit satisfiability.
This chapter is highly technical so the video serves as a high level explanation of the
material and for details I encourage you to refer to the lecture notes.
Hello, I'm going to talk about argument systems for some language L in NP.
An argument system is a couple of algorithms: setup, the prover and the verifier algorithm.
The setup algorithm inputs a security parameter and a description of the language and outputs
some common reference string, CRS.
After this CRS is generated, the prover and the verifier engage in a protocol.
The prover has as input a CRS, a statement which is supposedly in the language L, and a witness.
The verifier gets the same input except the witness and they engage in an interactive
Accessible via: Open access
Duration: 01:01:00 min
Recording date: 2021-06-23
Uploaded on: 2021-06-23 23:37:59
Language: en-US
ZK succinct argument of knowledge for group arithmetic circuits