Welcome to the lecture Privacy Preserving Cryptocurrencies.

My name is Dominik Schluter and we are now in lecture number seven.

So to start this lecture, I will as always briefly recall what we did in the last lecture

and outline what we're going to do in this lecture.

In the last lecture, we essentially gave or discussed the security of the AUS protocol.

And as you know, the security of the AUS protocol was only shown in the semi-honest security

model where the adversary followed the protocol honestly and only tries to deviate it essentially.

And of course, the question is what about the security if the adversary is actually

allowed to deviate from the protocol?

And as it turns out, the AUS protocol is not secure in this setting.

And this brings us to the content of this lecture.

To understand the security guarantees, we first of all, we first have of course to understand

what malicious security actually means.

And this brings us to the definition of malicious security.

As already said in the last question and answer session, malicious security is very hard to

achieve in some cases depending on which security notion you want to follow, something like

fairness it is actually impossible to achieve in general.

So we will begin with the definition of malicious security.

And since we're also interested in constructing a protocol that achieve this notion, we will

also review some preliminaries that we need for the construction of a secure protocol.

And in particular, these preliminaries will include a notion of commitment schemes.

And you can think of a commitment as a cryptographic primitive that allows you to put some value

into some form of lock and you can send it just to one party, right?

So essentially, Alice puts some message inside and then sends this value to Bob.

And the key security properties are the following, first of all, once Alice did this, she cannot

change her mind anymore.

Once the value is in the lock, then this part is gone.

And this is essentially the binding property.

And the hiding property says that when Bob received this lock, he has no clue which value

is actually committed inside.

And then there is an opening phase where Alice can review this value.

We also need the notion of coin tossing.

And coin tossing essentially means that two parties are executing a protocol and they

somehow want to create some coins that is used for the following.

And coin tossing essentially is a protocol where the parties can toss a coin in a secure

manner.

So this is the outline for this lecture and the following you will see a lecture that

was previously recorded about the malicious security.

Right, so let's start.

Malicious security.

So basically, if we think back of semi-honest security, then there the difference was, these

are our two parties, X and common input Z, Y and common input Z, so they were talking

to each other.

Right, so in the case of semi-honest security, we essentially know that the adversary will

just do whatever was described in the protocol.

So this message, for example, here is computed as, I don't know, gobble X, for example,

then the adversary will do this.

And just at the end, right, I mean he will also output, I mean he will also output basically

this fraction of the function, but in addition, right, he tries to learn more information.

And this we can assume no longer in the case of malicious security.