Welcome to the lecture Privacy Preserving Cryptocurrencies.

So we are now in lecture number eight.

So before starting with the actual lecture, I will briefly review what we did in the last

lecture.

I'll give an outline of the content of this lecture, and then we take a brief look at

the timeline to see how this part actually fits into the entire course.

So in the last lecture, the main topic that we discussed there were actually practical

zero-knowledge proofs.

And in particular, we discussed the very famous Schnorr protocol.

Schnorr protocol actually also leads to a signature scheme, the well-known Schnorr signature

scheme if you apply the FHR-METRONS form.

And it's a pity that Schnorr actually patented the scheme, because just a side note, the standardized

DSA signing, so the digital signing algorithm, or ECDSA that we have seen, was just a variant

to bypass this pattern.

So if he wouldn't have patented his scheme, then most likely everybody would use Schnorr

signature scheme now in practice.

So we also discussed stronger notions of soundness, and this essentially was the proof of knowledge.

So a proof of knowledge captures the notion that the prover must actually know the witness.

And the way that this is formalized is essentially in the way that if the prover is able to answer

both challenges correctly, multiple challenges correctly, then he must know the corresponding

witness.

And this is captured by defining an algorithm that then allows us to extract the witness.

We then have also seen the famous FHR-METRONS form.

And the FHR-METRONS form allows us to turn an interactive proof into a non-interactive

zero-knowledge proof.

This transformation works for certain sigma protocols.

We have essentially discussed the corresponding properties.

So the properties that we require here are in particular that the protocol is public

coin, which means that all the coins or the messages that the verifier is sending to the

prover must be random messages and must not depend on anything else.

And this essentially allows us to derive these random challenges based on the messages of

the prover.

And there were also restrictions on the number of rounds.

So for the case of sigma protocols that we have seen, it's just three rounds, and the

Schnorr protocol has this property, and therefore we can make the proof system non-interactive

by applying the FHR-METRONS formation.

So in the last lecture, we essentially have finished the introduction into zero-knowledge

proof with the efficient instance.

And in this lecture, we will continue our journey.

So in particular, we will now start with the first big building block in the sense of privacy

preserving cryptocurrencies.

So this block is about Bitcoin in general.

So Bitcoin is the oldest cryptocurrency, as you know, and by its nature, it's not privacy

preserving.

So in this lecture, we will essentially start to understand what is Bitcoin, what is the

challenge of actually constructing a cryptocurrency, and to do so, we start first with the question,

how about decentralized versus centralized systems?

As you will see, there are many successful examples of both of these systems.

We will then discuss what are the properties that we are actually expecting from a cryptocurrency.

So we will see what is the difference between a fiat currency and a cryptocurrency.