Privacy Flashcards

1
Q

Unlinkability

A

Two transactions of an individual can't be linked together

2
Q

Anonymity of transactions

A

A transaction can't be linked to an entity

3
Q

Heuristic 1

A

If multiple UTXOs are used as inputs of a new transaction, they probably belong together

4
Q

Heuristic 2

A

If a UTXO belongs to address A and it is used in a transaction where coins are sent to an address B, which already existed, and to another new address A’, then A’ is probably the change and belongs with A

5
Q

Address unlinkability in bitcoin

A

An attack A should not be able to significantly outperform a random answer

6
Q

What is a mixer

A

Mixers are entities that mix transactions via a mixing address. The problem is that the mixing entity cannot be trusted and thus could steal coins

7
Q

Coinjoin

A

n users transfer funds from n inputs to n output addresses in a single transaction signed by every user's key.
=> No user would sign the transaction if their own output address is not present

8
Q

CryptoNote

A

Application layer protocol which can be integrated with decentralized currencies:
To prevent sender identification, the sender's outputs are grouped with outputs of others
The sender needs to assure the network that he possesses at least one of the private keys that correspond to the group of public keys
Receiver anonymity is achieved by creating a unique key for each transaction based on secrets from sender and receiver

9
Q

Zerocoin

A

Zero Knowledge Proof protocol
Prevents linking between input and output
are proven in zero knowledge to have originated from a valid and unspent btc
Bitcoins have to be minted to become zerocoins

10
Q

Interactive Zero Knowledge Proof

A

Send and receive messages and perform private computations over t rounds (value challenge response scheme). The verifier can't learn anything from the protocol and could simulate the proof themselves

11
Q

Properties of ZKP

A

The verifier accepts the proof if the assertion is true and the parties follow the protocol
If the fact is false, the verifier rejects the proof if the parties follow the protocol

12
Q

Ali Baba's cave

A

Proof that you know the secret door by repeatedly coming out of the correct side of the cave

13
Q

Protocol ZKP

A
  1. Alice picks a random k and sends the commitment C = f(k) to Bob
  2. Bob picks a challenge, 0 or 1, and sends it to Alice
  3. Alice computes the response y = k if challenge = 0, or y = k + s mod n if challenge = 1
  4. Bob checks f(y) = C if challenge = 0, or f(y) = C * S if challenge = 1
14
Q

ZKP for auth

A

Completeness: A prover will be able to convince with probability 1
Soundness: Alice can only answer 1 of 2 challenges correctly
ZK: Pairs of (C, y) can be simulated by B alone by choosing y at random, then defining C = f(y) or C = f(y)/S

15
Q

Non interactive ZKPs

A

Make the protocol non-interactive by making the challenge of the verifier depend on the value of the challenge (hash of message and challenge). Then send m, r, s with r = g^s y^(-h(m||r))

16
Q

ZeroCoin Properties

A
  1. ZC anonymity (through the zero-knowledge property of the signature of knowledge)
  2. Double spending resistance (through id uniqueness)
17
Q

Zerocoin problems

A

ML analysis can link user transactions, every zerocoin is exactly one bitcoin

18
Q

ZeroCash and extended ZeroCoins

A

allow for multivalued zcs
enable spending zcs without converting back to btcs

19
Q

how to pay ezc

A

btc -> ezc: sender creates a commitment c to val BTCs, a serial number ser and a key K, hides them in the commitment and sends c to the btc network to confirm
ezc -> btc: sender retrieves val, ser and K; a signature of knowledge using K transfers the commitment of value val to recipient R; val, ser are revealed in the network
ezc -> ezc:
sender retrieves val, ser, K ..

20
Q

ezc security analysis

A

Anonymity: due to perfectly hiding commitment schemes, the adversary can't link a transaction to a minted btc
Unlinkability: the adversary cannot tell whether two different ezc.spend belong to the same user
Fairness: no user or coalition of users can spend more eZCs than they minted

21
Q

Blacklisting

A

Means of establishing accountability:
- Ideally btcs of blacklisted addresses are not accepted by anyone and lose value
- Users could misbehave using low balance addresses => link addresses with users that are misbehaving

22
Q

Privacy accountability tradeoff

A

Sign coin => send coin => confirm signature => double spending
blind signature => could lead to signing bigger value => send thousand blinded copies of bill and reveal all but one => very likely caught for misbehaviour
Serial number => very big database, users may choose same serial number
Identification => add id so that spender can be identified when coin is spent twice
Chaum's protocol: SigB{[100€, f(x1,y1) …]}
Merchant challenges e = [e1, .. en] and Alice sends one of [x1,y1] …
If there is no information in the database, the bank credits the merchant's account
Brands protocol