Welcome to the lecture Privacy Preserving Cryptocurrencies. My name is Dominik Schröder and we are now in lecture number 20. As always, I will start by reviewing what we did in the last lecture. In the last lecture, we started with the introduction to Zerocoin. As you remember, Zerocoin essentially achieves a very strong level of privacy/anonymity, and this is stronger than the one that we've seen in the case of Monero. However, the price that we have to pay for this is in fact that we will get a trusted setup. So we introduced Zerocash as a successor of Zerocoin, and we formalized the interfaces as a decentralized anonymous payment. The decentralized anonymous payment, or DAP for short, is in fact the cryptographic building block that is afterwards realized with cryptographic primitives. Here we essentially started with the definition of the interfaces. These interfaces usually describe how the system is actually working and what are the interfaces, or basically the components, that one can work with.
So in this lecture, we will now start with the security notions for DAPs. In particular, we will discuss three different properties. The first one is ledger indistinguishability, which essentially says that the ledger should not leak non-trivial information. We will then define balance, which essentially says that no money should be created out of thin air, and non-malleability, which ensures that the adversary cannot modify any transaction before it actually comes to the ledger. And of course, once the transaction is in the ledger, then the security, or essentially the property that you cannot modify it, comes from the ledger and not from the DAP anymore. Once we have this, we will start discussing a concrete construction and instantiation.
And now we are almost at the end, or we are essentially at the end, of this lecture series. We started with the cryptographic primitives, with the crypto foundations. We continued with proof systems, because these essentially build the underlying techniques for everything that we've seen before. We looked at anonymity and privacy in the case of Bitcoin. Afterwards, we investigated privacy-preserving cryptocurrencies. We took a brief look at Dash, but more importantly, we spent some time discussing how Monero works and the underlying components, which in that case we called ring confidential transactions. And now we are in the last building block, that is Zerocash. So basically, looking at this, the crypto basics are required essentially for everything. The proof systems are something that is used in all subsequent constructions, of course. The motivation for Bitcoin was to see how we can achieve privacy/anonymity in the most widely used currency. And afterwards, this building block here essentially says: if we start from scratch, basically, if we can build a new cryptocurrency, how can we add privacy/anonymity onto it?
So we will now start discussing the security and the properties of DAPs. The first thing we will discuss, before starting with the security, is of course correctness. We've seen the interfaces in the previous lecture. So what about correctness? Correctness is not a security property; it is rather a functional property that says, well, the construction should behave as we expect. For many cases, such as private-key or public-key encryption, correctness is rather easy to define. It usually says that if the keys are honestly generated and we are encrypting a message coming from the message space and we are decrypting it, always running the honest algorithms, then of course we will get back the corresponding message. But here in this case, the definition of correctness is actually non-trivial. So intuitively, what we would like to have is that correctness should essentially say that unspent transactions can be spent.
Access: open access
Duration: 01:31:07 min
Recording date: 2021-07-05
Uploaded: 2021-07-08 23:28:02
Language: en-US