Du befindest dich hier: FSI Informatik » Prüfungsfragen und Altklausuren » Hauptstudiumsprüfungen » Lehrstuhl 13 » PPCryptoCur Exam 2020-10-21   (Übersicht)

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

Link zu der Vergleichsansicht

Beide Seiten, vorherige ÜberarbeitungVorherige Überarbeitung
Nächste Überarbeitung		Vorherige Überarbeitung
pruefungen:hauptstudium:ls13:ppcryptocur-2020-10-21 [21.10.2020 15:02] Marcel[Inf]pruefungen:hauptstudium:ls13:ppcryptocur-2020-10-21 [21.10.2020 15:09] (aktuell) Marcel[Inf]
Zeile 14: Zeile 14:
     * active collaboration in lecture/exercises during the semester     * active collaboration in lecture/exercises during the semester
     * two weeks preparation directly before the exam of 4-5 hours per day (without weekends)     * two weeks preparation directly before the exam of 4-5 hours per day (without weekends)
 +    * I read through my lecture notes and the official script (which is still work-in-progress) in parallel. As the script was still work-in-progress, sometimes motivating paragraphs are missing or crucial ideas are not that well presented [note: they accept pull requests, and I submitted some]. Hence, be sure to reserve more amount of time for extraction of those ideas by rereading things, inferring from experiments, thinking about how things can (still) go wrong, and discussing this with your peers. I have not rewatched any of the lecture videos thanks to having kept very well lecture notes back then when I watched the videos during the semester.
     * I focussed very much on relating all privacy-preserving techniques, on knowing (i) very well all models (e.g. RingCT) (ii) pretty good general ideas on the constructions and ingredients (e.g. zero-knowledge proofs, how RingCT can be instantiated, tagging schemes -- but without instantiation of ZeroCash).     * I focussed very much on relating all privacy-preserving techniques, on knowing (i) very well all models (e.g. RingCT) (ii) pretty good general ideas on the constructions and ingredients (e.g. zero-knowledge proofs, how RingCT can be instantiated, tagging schemes -- but without instantiation of ZeroCash).
     * I skipped almost all proofs altogether. One of the few proofs I looked at was the one for the binding and hiding properties of the Pedersen commitment scheme.     * I skipped almost all proofs altogether. One of the few proofs I looked at was the one for the binding and hiding properties of the Pedersen commitment scheme.
Zeile 29: Zeile 30:
  
 > RingCT. In contrast to BTC, it provides three main advantages: (i) ring signatures, (ii) stealth addresses, (iii) hidden amounts. I elaborated on every point with at least 3-4 sentences saying how it's *not* (or badly) done in BTC and with what consequences and how it's done in RingCT. Roughly: > RingCT. In contrast to BTC, it provides three main advantages: (i) ring signatures, (ii) stealth addresses, (iii) hidden amounts. I elaborated on every point with at least 3-4 sentences saying how it's *not* (or badly) done in BTC and with what consequences and how it's done in RingCT. Roughly:
 +>
 +> * ad (i): in BTC a TX with exactly 10 senders contains exactly those 10 senders in plaintext. In RingCT, you can provide 100 putative senders, of which, say, 90 are just "decoy" senders. And no outsider can discern the actual senders from the decoy ones.
 > >
 > * ad (ii): in BTC, if you want someone to pay you, you have to publish your BTC address. The same holds true if you want to run, say, a donation campaign. Then, on the blockchain everyone can see who donated to you, and that's bad. Hence, it's recommended to always freshly generate receival addresses, but that's impossible with donation campaigns. Hence, RingCT offloads that fresh generation thing onto the sender via stealth addresses. > * ad (ii): in BTC, if you want someone to pay you, you have to publish your BTC address. The same holds true if you want to run, say, a donation campaign. Then, on the blockchain everyone can see who donated to you, and that's bad. Hence, it's recommended to always freshly generate receival addresses, but that's impossible with donation campaigns. Hence, RingCT offloads that fresh generation thing onto the sender via stealth addresses.
 > >
 +> * ad (iii): in BTC, transferred amounts are public. In RingCT, they are hidden.
  
   * You mentioned some great ideas. Let's dive into that and start with something simple: The BTC blockchain only contains addresses. What's so privacy-invading about that?   * You mentioned some great ideas. Let's dive into that and start with something simple: The BTC blockchain only contains addresses. What's so privacy-invading about that?
Zeile 73: Zeile 77:
  
   * Why cannot we have perfect hiding and perfect binding at the same time?   * Why cannot we have perfect hiding and perfect binding at the same time?
-  +
 > See https://crypto.stackexchange.com/questions/41822/why-cant-the-commitment-schemes-have-both-information-theoretic-hiding-and-bind. > See https://crypto.stackexchange.com/questions/41822/why-cant-the-commitment-schemes-have-both-information-theoretic-hiding-and-bind.
  
Zeile 94: Zeile 98:
   * How does a (non-interactive) signature of knowledge work? How can it be secure without any communication/challenges by the verifier?   * How does a (non-interactive) signature of knowledge work? How can it be secure without any communication/challenges by the verifier?
  
-> We often have an interactive protocol that we then transform via the Fiat-Shamir transform. There, we replace the challenges by the verifier (that all need to be public-coin) by hashes of all previous messages. This is then guaranteed to be secure in the ROM. +> We often have an interactive protocol that we then transform via the Fiat-Shamir transform. There, we replace the challenges by the verifier (that all need to be public-coin) by hashes of all previous messages. This is then guaranteed to be secure in the ROM. [note: sometimes, we can get a secure scheme with Fiat-Shamir even without the ROM assumption, see https://eprint.iacr.org/2020/915].
  
   * We covered many different privacy-preserving techniques in the lecture: CoinJoin, CoinShuffle, TumbleBit, ZeroCoin, RingCT, ZeroCash. Which one of these would you recommend using?   * We covered many different privacy-preserving techniques in the lecture: CoinJoin, CoinShuffle, TumbleBit, ZeroCoin, RingCT, ZeroCash. Which one of these would you recommend using?