[bitcoin-dev] The first successful Zero-Knowledge Contingent Payment

Gregory Maxwell greg at xiph.org
Fri Feb 26 23:45:03 UTC 2016

On Fri, Feb 26, 2016 at 11:33 PM, Tier Nolan via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> That is very interesting.
> There has been some recent discussion about atomic cross chain transfers
> between Bitcoin and legacy altcoins.  For this purpose a legacy altcoin is
> one that has strict IsStandard() rules and none of the advanced script
> opcodes.

One might wonder why anyone would want to own coins that couldn't keep
up technologically, but to each his own. (especially one defunct
enough that it can't even update IsStandard rules...)

I don't think it's infeasible to do the EC multiply in a snark, but an
efficient implementation would be a lot of work. You'd probably want
to build a circuit for the field operations using 128 bit operations.
Fortunately the overall operation is pretty easy to directly convert
into a circuit (e.g. no branching).

Why not use the single-show-signature scheme I came up with a while
back on the Bitcoin side to force the bitcoin side to reveal a private


More information about the bitcoin-dev mailing list