Welcome to the lecture Privacy Preserving Cryptocurrencies.
My name is Dominik Schröder and we are now in lecture number 12.
So to begin this lecture, let me review what we did in the previous lecture and afterwards
I will discuss the content that is covered in this class and finally we're taking a look
at the overall picture to see how we make progress in this entire topic here.
So in the last lecture we used the time to introduce two new cryptographic primitives
and these cryptographic primitives are the building blocks for advanced techniques for
getting anonymity in the setting of Bitcoin.
So the two new primitives that we introduced were the following.
The first primitive is known as Signatures of Knowledge.
So a Signature of Knowledge is very similar to a Digital Signature Scheme.
In fact, it can be seen as a generalization of digital signatures.
Recall that in a Digital Signature Scheme essentially the signer proves knowledge, in
some sense, of the private key that corresponds to the public key.
So in the case of Signatures of Knowledge, essentially the signer knows a witness
for some statement.
And besides introducing this cryptographic primitive we also discussed the security notions
and here we discussed two security notions.
The first security notion is called Simulatability.
And Simulatability essentially says that the signer does not leak any information
about the witness.
And the second security property that we discussed is Extractability.
And this notion essentially says, intuitively at least, that the signer must know the witness.
And both properties are in fact defined similarly to the notion of zero knowledge.
So this was the security.
And then we discussed the construction based on general assumptions.
And having a construction based on general assumptions essentially means that we are
not focusing on some specific properties of certain groups, but we can define this with
respect to, for example, any encryption scheme.
And as part of this construction we used a NIZK for the following language.
So a non-interactive zero knowledge proof.
And I would like to repeat this and make this explicit to be sure how to handle essentially
the different types of proofs and how we combine them in a more global language.
So let me explain what I mean by that.
So first of all, whenever we have a non-interactive zero knowledge proof, then we need to define
this language.
And in fact, this language will consist of two components.
So essentially what we will consider is whether the public elements are in a certain language.
And if we look back, how we constructed them, we see that the public elements consist of
the public key, a statement, the ciphertext, and the message.
Note that there's no privacy requirement on the message, and therefore it's not necessary
to put the message in the witness.
So this tuple essentially is in the language, which means there exists a witness, and this
witness usually stores all private information.
So the witness consists of two elements: wit, the witness, and r.
So now you might be a bit confused, because I basically define two elements and I say
they are both witnesses, but they will be witnesses for two distinct parts of the language.
The first part shows the correctness of the ciphertext.
So the ciphertext is well formed.
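To make the two-part language concrete, here is an added example (not code from the lecture). It writes down the relation behind the language: a public tuple (pk, x, c, m) is in the language if there is a witness (wit, r) such that (1) c is a well-formed encryption of wit under pk with randomness r and (2) wit is a witness for the statement x. The lecture leaves the encryption scheme and the relation generic; the exponent-ElGamal encryption, the discrete-log relation, and the tiny toy group are assumptions chosen here only so the check can actually run.

```python
"""Relation for the Signature-of-Knowledge language sketched in the lecture.

Added example, not the lecture's own code.  Public tuple (pk, x, c, m),
witness (wit, r):
  1. c is a well-formed encryption of wit under pk with randomness r, and
  2. wit is a witness for the statement x under relation R.
The message m is public and is deliberately not part of the witness.
The concrete scheme (exponent ElGamal) and relation (discrete log) are
assumptions for illustration; the lecture's construction is generic.
"""
import secrets

# Constructed toy group: p = 2q + 1 with q prime, g generates the order-q
# subgroup.  Far too small for real use; only the algebra matters here.
P, Q, G = 23, 11, 4


def keygen():
    """Toy ElGamal key pair: pk = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def encrypt(pk, wit, r):
    """Exponent ElGamal: c = (g^r, pk^r * g^wit).  Deterministic in r, so the
    verifier can recompute the ciphertext from the witness (wit, r)."""
    return pow(G, r, P), (pow(pk, r, P) * pow(G, wit, P)) % P


def relation_r(x, wit):
    """R(x, wit): x = g^wit, i.e. wit is the discrete log of the statement x."""
    return x == pow(G, wit, P)


def in_language(public, witness):
    """Decide whether (pk, x, c, m) is in L given a candidate witness (wit, r)."""
    pk, x, c, m = public         # m is public; it plays no role in R or Enc
    wit, r = witness
    well_formed = encrypt(pk, wit, r) == c   # part 1: ciphertext is well formed
    valid_witness = relation_r(x, wit)       # part 2: wit is a witness for x
    return well_formed and valid_witness


def make_instance(message=b"hello"):
    """Build a public tuple together with its witness (constructed sample)."""
    pk, _sk = keygen()
    wit = secrets.randbelow(Q - 1) + 1
    r = secrets.randbelow(Q - 1) + 1
    x = pow(G, wit, P)
    c = encrypt(pk, wit, r)
    return (pk, x, c, message), (wit, r)


if __name__ == "__main__":
    pub, w = make_instance()
    print("honest witness accepted:", in_language(pub, w))
    wit, r = w
    print("wrong randomness rejected:", not in_language(pub, (wit, (r + 1) % Q)))
```

A real Signature of Knowledge never hands (wit, r) to the verifier; the NIZK proves that such a pair exists while binding the public m into the statement. The checker above is only the relation that such a proof is about, which is why m is passed through untouched: changing m changes the statement being signed, not whether the witness is valid.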
Accessible via: Open access
Duration: 00:48:09 min
Recording date: 2021-05-31
Uploaded on: 2021-06-01 01:16:21
Language: en-US
Cryptographic accumulators, strong RSA assumption, the group Z_N^*