Welcome to the lecture Privacy Preserving Cryptocurrencies.

My name is Dominik Schröder.

We are now at lecture number seven.

And I will begin this lecture by first of all recalling what we did in the last lecture.

Then we will discuss the topics covered in this lecture.

And then I give a brief overview where we are in our class.

So in the last lecture we started introducing this amazing cryptographic protocol called

zero knowledge.

So intuitively a zero knowledge protocol is a protocol between two parties.

One is the prover and one is the verifier.

And the prover has some statement and some witness.

And the verifier has the statement.

And the prover wishes to convince the verifier that he knows the actual witness.

So he knows the secret.

And the difficult part here is that the prover would like to do this in such a way that the

verifier learns the validity of the statement.

So the verifier is convinced that this is actually true.

But in fact the verifier does not necessarily learn or does not learn anything beyond the

validity of the statement.

So this idea is pretty cool and we have to understand how can we actually define it.

What does it mean to actually provide zero knowledge?

And here when we started discussing the security definition we introduced the simulation paradigm.

And the simulation paradigm is something that is completely new to what you have seen so

far.

So in particular the simulation paradigm tells you that the information that you can learn

from the execution of the protocol you can also learn without interacting at all.

And this is where the name is coming from because there exists a magic simulator.

And this magic simulator essentially can give you the same instance, can give you or can

compute for you transcripts that are actually distinguishable from a real execution.

So in other words you have a code or a program that you can simply run and this gives you

the same information as you would obtain by running the protocol itself.

So the non-trivial part here is that this simulator actually does not have the witness

at all.

So it can only provide the same view but without knowing the witness.

And therefore whatever you learn from the protocol execution you can also learn from

this magic machine called the simulator.

So after defining or introducing the simulation paradigm we looked at the formalization of

zero knowledge.

And we started by discussing several different definitions of zero knowledge.

We started with a notion called honest verifier zero knowledge.

We then discussed a stronger notion called perfect zero knowledge.

And as the name suggests in contrast to the first definition this definition also holds

with respect to malicious parties.

And afterwards we essentially changed the quantifiers and we obtained a notion that

is called perfect black box zero knowledge.

Finally we looked at an easy or at least an easy accessible example for the case of Sudoku.

So in this lecture we are continuing our path and understanding how can we construct zero

knowledge protocols and what are the corresponding notions of security.

Now you might wonder why we are introducing so many different notions of zero knowledge

protocols.