Welcome to the lecture Privacy Preserving Cryptocurrencies.

My name is Dominik Schwedde and we are now at lecture number 15.

As always, I will briefly recall what we did in the previous lecture in order to establish

a connection to this lecture.

Then I will give an outline what we will cover today and I will also talk about how it fits

in the entire structure of this class.

So in the last lecture we started with the introduction of privacy preserving cryptocurrencies

and in particular those cryptocurrencies that have privacy built in.

Before we were only looking at techniques how to enhance the privacy for the case of

bitcoin and other currencies where privacy is not present.

So we briefly gave an overview over the three largest privacy preserving cryptocurrencies.

We started with Dash.

As mentioned last time, Dash itself, they don't consider themselves anymore as a privacy

preserving cryptocurrencies and part of the reason might be because our own research showed

that most of the transactions are not private and those that use the privacy feature in

fact have many, many weaknesses.

So Dash, and this is why we covered it first, was a nice bridge between bitcoin and the

techniques that you have seen before, which means Dash builds inside of the currency,

uses so-called masternodes and these masternodes are used to perform two things.

The first one was InstantSend, which is used to instantaneously send money and reduce the

confirmation time and the other one was PrivateSend, which is nothing more than a coin joint transaction.

We then gave a very, very high level overview over Monero and also over Zcash and in this

lecture we would like to start deepening our knowledge there and formalize the properties

of Monero.

So the underlying cryptographic building block is called a confidential transaction.

So in this lecture, Victoria Rung will give an introduction to the formalization of confidential

transactions and this is in fact based on our own publication.

So we were the first to formalize confidential transactions with all the properties in depth

and we also suggested a new and more efficient construction.

As you can imagine, this is a little bit involved, therefore we will spread it as you can also

see in the schedule over several lectures.

So in this lecture we will cover the definition of the interfaces

and we also start with the security notions.

We will only cover one of the security properties and the next security properties in the upcoming

lectures.

So with respect to our timeline, to be honest I don't want to repeat all the basic blocks

anymore, I think we've seen this now quite often in math.

So we basically finished the last bigger block, if you want to call it like that, and that

was privacy plus bitcoin.

And now finally we are at the stage where we can look at Monero as one of the candidates

to achieve privacy directly as part of the design and not as an add-on.

And once we have finished this block we will take a look at Zcash.

The reason why we are covering both currencies is that the design is different and they achieve

different levels of privacy.

So the following formalization will be given by Victoria Range.

Hello everyone, my name is Victoria Range and in this lecture we will talk about the

formalization of ring confidential transactions, which is currently used in Monero.

And especially we will talk about the interfaces we need for the formalization and also talk

about the first security property it provides that is called balance.

As a first step we now will try to get a better intuition of what Monero actually does so