Welcome to the fourth lecture of Privacy Preserving Cryptocurrencies.
My name is Dominik Schwedter.
So in the following, we will start as always by reviewing what we did in the last lecture.
I will then give an outlook about the content that we will cover in this lecture.
And finally, we will take a look at the overall structure.
So in the last lecture, we started by introducing further cryptographic primitives that we actually
need towards building privacy preserving cryptocurrencies.
So in particular, we looked at the following cryptographic building blocks.
So we introduced commitment schemes.
And a commitment scheme essentially realizes the cryptographic functionality of a safe,
meaning that there is one party, sometimes called the sender or the committer, that commits
to some value and sends this value to a receiver.
And the security properties of the commitment scheme are twofold.
First, the sender does not reveal which information he's actually committing to, this is called
hiding, and protects the sender.
On the other hand, the second property is for the receiver and it's called binding.
This property means that the sender cannot change its mind about the committed value
after having committed to that value.
So in this setting, as always, we started by giving formal definitions.
And these definitions consist, of course, of the definition of the interface, as well as
the security model.
And here we looked at two properties, as I just said, binding and hiding.
In the exercise, you will also ask the question, or you have to think about the question, what
kind of properties can we achieve simultaneously?
So to be a little more precise, we defined hiding and binding both in computational and
statistical fashion.
Could it be possible that both properties can hold simultaneously in the statistical
sense?
We then also took a look at specific constructions.
And here we essentially took a look at two different constructions.
The first one was hash-based.
And here the commitment was actually very simple, super elegant.
It's just take some randomness R, some random string that is long enough, concatenate it
to the message, and yep, you get a commitment.
So here we have seen in particular that the construction is hiding in the random oracle
model.
And we could show binding based on collision resistance.
So while this construction is super efficient and very simple, unfortunately, in many cases,
we cannot use it because whenever cryptographic primitives interact with each other, then
the structure must fit and hash functions are basically one of the less structured, or
most chaotic, primitives that we have.
So we took a look at the second construction, and this was a DLOG-based construction.
That was the Pedersen commitment scheme.
So the Pedersen commitment scheme is the basis for many, many things that we actually use
in crypto.
For example, a very similar construction is known as chameleon hash functions.
In case you're interested, feel free to Google that.
So the construction here was also very simple.
So essentially it consisted of raising an element to the R plus A times M. And as we
discussed, we're using this matrix notation to simplify the expression of the cryptographic
Access: Open access
Duration: 01:25:29
Recording date: 2021-04-26
Uploaded: 2021-04-26 17:27:26
Language: en-US
Construction of public-key encryption schemes based on RSA, and Dlog. Digital signature schemes, definition and security model, construction based on RSA and (EC)-DSA.
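
The Dlog-based (Pedersen) commitment recapped in the transcript, as an added example that is not part of the lecture material. It assumes the usual form c = g^r · h^m with h = g^a, so the exponent is r + a·m, and shows why nobody may know a: with that trapdoor a commitment can be opened to any message, which is the chameleon-hash property the speaker mentions. The toy group parameters and all function names are constructed for illustration.

```python
import secrets

# Toy group, constructed for this example: p = 2q + 1 with p and q prime.
# g = 4 generates the subgroup of prime order q. Far too small for real use.
P, Q, G = 2039, 1019, 4


def setup():
    """Return (h, a) with h = g^a mod p. In a real setup nobody may learn a."""
    a = secrets.randbelow(Q - 1) + 1          # a in [1, q-1]
    return pow(G, a, P), a


def commit(h, m, r=None):
    """Commit to m in Z_q: c = g^r * h^m = g^(r + a*m) mod p."""
    if r is None:
        r = secrets.randbelow(Q)              # fresh randomness gives hiding
    c = (pow(G, r, P) * pow(h, m % Q, P)) % P
    return c, r


def verify(h, c, m, r):
    """Check an opening (m, r) against commitment c."""
    return c == (pow(G, r, P) * pow(h, m % Q, P)) % P


def equivocate(a, m, r, m_new):
    """With trapdoor a, solve r + a*m = r' + a*m_new (mod q) for r'.

    Binding holds only as long as a = log_g(h) is unknown to the committer;
    this function shows what breaks when that assumption fails.
    """
    return (r + a * (m - m_new)) % Q


def demo():
    h, a = setup()
    c, r = commit(h, 42)
    r_new = equivocate(a, 42, r, 7)
    # The same c opens to 42 with r and, given the trapdoor, to 7 with r_new.
    return verify(h, c, 42, r), verify(h, c, 7, r_new)
```

The existence of a valid r' for every other message is also why the scheme hides perfectly: a commitment value alone is consistent with any m.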