There are often situations where, for improved privacy, you want a cosigner to be blind. However, a fully blind cosigner is as useful as having no cosigner at all. Therefore, we want the cosigner to be able to verify in zero-knowledge that the transaction fulfills certain properties, for example that the output amount does not exceed a threshold or that it goes to a specific receiver.
This may also be interesting for building a better “smart contracts unchained.” Instead of showing that you have the inputs to satisfy a certain smart contract, you just prove that those inputs exist.
Idea: Use a µcash-style accumulator instead of a Merkle tree (utreexo). But that application doesn’t need zero-knowledge.
Given hash h and point P, prove that h = hash(x) and P = x*G. This may be useful when adding PTLC to the existing network of HTLC nodes.
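The statement above, written out as the relation a zero-knowledge proof would have to attest to (an added example, not part of the original notes). It checks the relation in the clear with x known, so it is not itself zero-knowledge. SHA-256 as the hash, a 32-byte big-endian encoding of x, secp256k1 as the curve, and all function names are assumptions.

```python
import hashlib

# secp256k1 domain parameters (assumed curve; the notes only write "G")
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None  # a + (-a)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def scalar_mul(k, pt):
    """Double-and-add; not constant time, for illustration only."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def statement_from_witness(x_bytes):
    """Prover side: derive the public statement (h, P) from the secret x."""
    x = int.from_bytes(x_bytes, "big")
    # A preimage outside [1, N-1] has no canonical scalar: reject, never reduce mod N.
    if len(x_bytes) != 32 or not 1 <= x < N:
        raise ValueError("preimage is not a valid secp256k1 scalar")
    return hashlib.sha256(x_bytes).digest(), scalar_mul(x, G)

def relation_holds(h, P, x_bytes):
    """R(h, P; x): h = hash(x) and P = x*G, for one and the same x."""
    try:
        return statement_from_witness(x_bytes) == (h, P)
    except ValueError:
        return False
```

The range check matters when bridging: a 32-byte HTLC preimage that is not below the group order would otherwise collide with another preimage on the point side while hashing differently.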