Welcome to the lecture Privacy Preserving Cryptocurrencies.
My name is Dominik Schröder and we are now in lecture number 17.
So at the beginning of the lecture I will begin by reviewing what we did in the past
lecture and then I will give an outline of what we are going to do in this lecture and also
discuss how this fits into the overall content of this lecture.
In the last lecture we started with the formalization of ring confidential transactions.
As you know, ring confidential transactions in fact are the underlying technology of the
underlying formalization of Monero.
So two lectures ago we started with the definition of the interfaces,
and these describe the possibilities to interact with the scheme.
And then we also took a closer look at the security definitions.
And its security properties in fact consist of balance, non-slanderability
and privacy.
Then we also started by discussing a general construction.
So a construction that is based on general cryptographic primitives.
And one component that we need in our specific primitives is a so-called tagging scheme.
So a tagging scheme binds the secret key to some value, that is the tag.
And as you can already guess, or you know and we discussed this, this will be used for in
fact making sure that double spending is not possible.
So in the next step, and this is what we are actually going to do in this lecture, we are
going to discuss how to instantiate the generic construction
with efficient cryptographic primitives.
So this is way more challenging than it sounds.
It is not only about picking the right cryptographic primitives but in fact we will have to design
a new proof system in order to get an efficient construction.
So this lecture is actually based on our own work, and the one before as well, and I would
like to stress this.
So this is based on a scientific publication called Omniring that appeared at our flagship
conference of IT security called ACM CCS 19.
And the technical core here, so the formalization itself of course is a contribution and it
is actually highly non-trivial.
There were prior works before that did not manage to cover all of the properties.
But besides that, the technical core that we have here is an extension of a proof system
called Bulletproofs.
And the extension that we developed is essentially for proving knowledge
of a discrete log representation,
where the exponents in the representation satisfy an arbitrary arithmetic circuit.
So to put these things together and in fact the contribution of our works or of the specific
works is as follows.
In fact we have designed the first scheme that does not require trusted setup
or pairings, which means we have weaker cryptographic assumptions.
The first construction that supports stealth addresses,
and the very cool thing is, and this is where our proof comes into the game, is that we have
the first scheme with logarithmic spend proof size.
So in the current timeline where we are in our lecture is essentially that was the Bitcoin
block here.
We are essentially almost at the end of our Monero block.
So we started by building the preliminaries, we started by the security properties, we
also discussed the construction, basically the generic one and now we are here in this
part where we understand what are the components, how do they actually look like.
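As an added illustration of the tagging-scheme idea mentioned in the recap (a tag bound to the secret key, checked by the ledger to stop double spending), here is a small self-contained Python example. It is not the lecture's or the Omniring paper's construction: it uses a constructed toy group (the multiplicative group modulo the Mersenne prime 2^127 - 1 with a fixed base), a Monero-style tag H(pk)^sk, and a Chaum-Pedersen equality-of-discrete-log proof as a stand-in for the signature of knowledge. The ring/anonymity part is left out, so the public key is revealed; the example only shows why a tag that is deterministic in the key, together with a proof that binds it to that key, lets a verifier reject a second spend.

```python
import hashlib
import secrets

# Constructed toy group: integers modulo the Mersenne prime 2^127 - 1.
# A real system would use a prime-order elliptic-curve group; these
# parameters are an assumption of this example, not the lecture's.
P = (1 << 127) - 1
ORDER = P - 1            # exponents are reduced modulo the group order
G = 3                    # fixed base for public keys (assumption)


def _h(*parts: int) -> int:
    """Fiat-Shamir hash over fixed-width encodings of the arguments."""
    data = b"".join(x.to_bytes(32, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def hash_to_group(pk: int) -> int:
    """Second base derived from pk; nobody knows its discrete log to G."""
    return _h(pk) % ORDER + 1          # element in [1, P-1]


def keygen():
    sk = secrets.randbelow(ORDER - 1) + 1
    pk = pow(G, sk, P)
    return sk, pk


def tag(sk: int, pk: int) -> int:
    """The tag is a deterministic function of the key: same key, same tag."""
    return pow(hash_to_group(pk), sk, P)


def prove_tag(sk: int, pk: int, t: int):
    """Chaum-Pedersen proof that log_G(pk) == log_H(t) for H = hash_to_group(pk)."""
    hp = hash_to_group(pk)
    r = secrets.randbelow(ORDER - 1) + 1
    r1, r2 = pow(G, r, P), pow(hp, r, P)
    c = _h(pk, t, r1, r2) % ORDER
    s = (r - c * sk) % ORDER
    return c, s


def verify_tag(pk: int, t: int, proof) -> bool:
    """Recompute the commitments from (c, s) and check the challenge matches."""
    c, s = proof
    hp = hash_to_group(pk)
    r1 = pow(G, s, P) * pow(pk, c, P) % P
    r2 = pow(hp, s, P) * pow(t, c, P) % P
    return c == _h(pk, t, r1, r2) % ORDER


class Ledger:
    """Keeps the set of tags already spent; rejects unbound or repeated tags."""

    def __init__(self):
        self.seen_tags = set()

    def accept_spend(self, pk: int, t: int, proof) -> bool:
        if not verify_tag(pk, t, proof):
            return False                # tag is not bound to this key
        if t in self.seen_tags:
            return False                # double spend: tag already used
        self.seen_tags.add(t)
        return True


def demo() -> dict:
    """Constructed scenario: one honest spend, one repeat, one mismatched tag."""
    sk, pk = keygen()
    ledger = Ledger()
    t = tag(sk, pk)
    first = ledger.accept_spend(pk, t, prove_tag(sk, pk, t))
    second = ledger.accept_spend(pk, t, prove_tag(sk, pk, t))
    # A fresh tag for the same key would dodge the seen-set, but the
    # binding proof fails because the tag is not H(pk)^sk.
    other = pow(hash_to_group(pk), (sk + 1) % ORDER, P)
    forged = ledger.accept_spend(pk, other, prove_tag(sk, pk, other))
    return {"first": first, "second": second, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The two checks in `accept_spend` are the whole point: the proof ties the tag to the key that signs the spend, and determinism of the tag turns a second spend of the same key into a set-membership hit. In a ring setting the same checks run against a proof that hides which ring member's key was used.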
Presenters
Accessible via
Open access
Duration
01:29:06 min
Recording date
2021-06-18
Uploaded on
2021-06-18 12:37:55
Language
en-US
Instantiation of the generic construction, labeled public-key encryption, tagging schemes (Dodis-Yampolskiy, Naor-Pinkas-Reingold, Signature of Knowledge)