Efficient Zero-Knowledge Contingent Payments in Cryptocurrencies Without Scripts

One of the most promising innovations offered by the cryptographic currencies (like Bitcoin) are the so-called smart contracts, which can be viewed as financial agreements between mutually distrusting participants. Their execution is enforced by the mechanics of the currency, and typically has monetary consequences for the parties. The rules of these contracts are written in the form of so-called "scripts", which are pieces of code in some "scripting language". Although smart contracts are believed to have a huge potential, for the moment they are not widely used in practice. In particular, most of Bitcoin miners allow only to post standard transactions (i.e.: those without the non-trivial scripts) on the blockchain. As a result, it is currently very hard to create non-trivial smart contracts in Bitcoin. Motivated by this, we address the following question: "is it possible to create non-trivial efficient smart contracts using the standard transactions only?" We answer this question affirmatively, by constructing efficient Zero-Knowledge Contingent Payment protocol for a large class of NP-relations. This includes the relations for which efficient sigma protocols exist. In particular, our protocol can be used to sell a factorization (p,q) of an RSA modulus n = pq, which is an example that we implemented and tested its efficiency in practice. As another example of the "smart contract without scripts" we show how our techniques can be used to implement the contract called "trading across chains".