Prove properties of a blind signed transaction

There are often situations where for improved privacy you want a cosigner to be blind. However, a fully blind cosigner is as useful as having no cosigner at all. Therefore, we want that the cosigner can verify in zero-knowledge that the transaction fulfills certain properties, for example that the output amount does not exceed a threshold of that it goes to a specific receiver.

This may be also interesting to build a better “smart contracts unchained.” Instead of showing that you have the inputs to satisfy a certain smart contract, you just prove that those inputs exist.

UTXO-set commitments

Idea: Use a µcash-style accumulator instead of a Merkle tree (utreexo). But that application doesn’t need zero-knowledge.

HTLC<->PTLC bridge

Given hash h and point P, prove that h = hash(x) and P = x*G. This may be useful when adding PTLC to the existing network of HTLC nodes.

Other Applications