Welcome to the lecture Privacy Preserving Cryptocurrencies.

We are now at lecture number 13 and my name is Dominik Schroeder.

So we'll start this lecture reviewing what we did in the previous lecture and then we

take a look where we actually are and what we wanted to cover in this class.

So in the last lecture we started with a nice topic of cryptographic accumulators.

And in particular there we discussed the corresponding security model and of course the construction

based on strong RSA. In addition to this in the second part we took a look at Zerocoin.

And Zerocoin was the nice idea that you essentially have a basecoin such as Bitcoin and then you

can convert this into 0coin and you can convert this back. So the idea is that this conversion

process removes the link between each of these steps. So in this lecture what we are going

to take a look at is another approach that is known as tumblebit. And tumblebit is one

technique that also helps us to add anonymization onto cryptocurrencies like bitcoin. This lecture

will be given by my student Irvind. So if we take a look on the current schedule where we are, then

essentially the basics we have already left quite some time ago. And now we are finishing the topic

on anonymity in Bitcoin. We started with the simple approaches such as mixing services.

We have seen more advanced approaches that require techniques like zero-knowledge proofs,

such as Zerocoin. We will conclude this section, this part here, with a discussion of one of the

very recent approaches that is called TumbleBit.

Thank you everyone. So in this lecture we will look at a protocol called TumbleBit.

Let me give you some context before I introduce what TumbleBit is and what it does.

So far we have seen proposals that are aimed at anonymizing transactions and payments in the Bitcoin protocol.

So specifically, for the Bitcoin compatible versions, we saw the mixing service protocol where there is a centralized party that kind of mixes the coins.

And then you saw CoinJoin where different users signed a multi-input, multi-output transaction and then thereby mixed their coins.

Then you saw CoinShuffle protocol which in a way implements the CoinJoin protocol and has better anonymity properties than CoinJoin.

And as a Bitcoin extension, you saw the Zerocoin protocol where you burn your Bitcoin to create a Zerocoin, right?

And then to redeem your Bitcoin back, you do this one out of many proof, right?

You say that your Zerocoin is among the many Zerocoins that have been created on the blockchain.

And note that the Zerocoin protocol was not per se readily compatible with Bitcoin.

It needed some script functionalities to check the burning and the proofs.

And the question is now, can we do better than CoinJoin, CoinShuffle in case of Bitcoin compatibility?

This is a well studied problem and in this lecture we will present you the state of the art proposal, right?

And that is the tumble bit, which was proposed in 2019 in DSS,

which is one of the top tier conferences of applied cryptography.

Let me just write it for you, you can check it out.

And the tumble bit kind of has an alternate approach to anonymizing Bitcoins.

So it kind of embraces the idea of having a hub through which payments happen.

So the benefit of this kind of having a hub and every payment routed through the hub

is that the participants per se need not interact with each other.

So remember that in case of CoinJoin and CoinShuffle,

you had the participants who construct the mixing transaction

to interact with each other and cooperate with each other at every stage.

And now, since you kind of rely on this payment hub,

you no longer have to participate with other participants of this payment hub.

This means that you kind of get rid of all those deniability attacks

where a participant just goes offline or misbehaves or just stalls the protocol and so on.

So this was one of the major drawbacks of CoinJoin and CoinShuffle,

which Zerocoin took care of.

So in Zerocoin, you didn't require the cooperation of other Zerocoin owners.

So now, with TumbleBit, you get rid of these deniability attacks.

And so what is a TumbleBit?