Prove properties of a blind signed transaction

There are often situations where for improved privacy you want a cosigner to be blind. However, a fully blind cosigner is as useful as having no cosigner at all. Therefore, we want that the cosigner can verify in zero-knowledge that the transaction fulfills certain properties, for example that the output amount does not exceed a threshold of that it goes to a specific receiver.

This may be also interesting to build a better “smart contracts unchained.” Instead of showing that you have the inputs to satisfy a certain smart contract, you just prove that those inputs exist.

UTXO-set commitments

Idea: Use a µcash-style accumulator instead of a Merkle tree (utreexo). But that application doesn’t need zero-knowledge.

HTLC<->PTLC bridge

Given hash h and point P, prove that h = hash(x) and P = x*G. This may be useful when adding PTLC to the existing network of HTLC nodes.

Other Applications

• Deterministic musig (similar to MuSig-DN)
• Proof of reserves
• Add OP_ZKP opcode to script
• Replace all witness data in block with succinct proof that the witness data exists.
• In Bitcoin this doesn’t save that much space (compared to ETH) since there isn’t all that much witness data and it’s already discounted.
• Prove that a UTXO set was generated by a list of valid blocks (aka ZeroSync)
• This reduces resources for IBD and keeping up with the chain and may allow full node in browser or phone.
• It’s even better with utreexo because then the client doesn’t need to receive the entire UTXO set