Trying to wrap my head around this...
If this proves flawless with testing and refinement, do we then effectively get a faster bitcoin layer 2? What are the use cases?🤔
not sure, but curve trees seem really cool nostr:npub1vadcfln4ugt2h9ruwsuwu5vu5am4xaka7pw6m7axy79aqyhp6u5q9knuu7
TY😃
I've thought a little about applications to Layer 2s, but not much. It isn't obvious that it could be a part of such a system, like e.g. building proofs and having them verified onchain, such that a person owning funds in an L2 could claim them back on L1, seems decidedly non-obvious, because these proofs, while sharing the same elliptic curve, use a set of generators, not just the 'G' that we use in Bitcoin for our signatures (note: I am framing the problem based on *not* changing bitcoin with a hard or even soft fork; clearly if new verification code was added, then things like bulletproofs could be added, as was envisaged originally for Confidential Transactions, and as is seen in e.g. Liquid/Elements).
On the other hand, yes, indirectly: my motivation for the token idea was, more than anything, a system like Lightning: you have a lot of potential Sybilling problems, for example Lightning uses gossip of *real* "unencrypted" channel opening utxos to identify channels, so that the gossip system doesn't get swamped with fake channels. I believe this is a promising (and maybe even the best) direction to solve that problem; I've had a few brief discussions with some Lightning engineers, but I don't see much interest/traction for it, at least yet.
Lastly I'd say: this is not just interesting to get anonymized tokens on ownership for anti-Sybil; the same technique can be used to publish proof of ownership of assets aggregated over many utxos e.g. "I prove I own 1btc of taproot utxos but I won't show them" is not only possible with this tech; I've already done it, in the same repo. I'm probably going to post such a proof shortly. I think it *could* be of interest for proof of reserves applications, since it preserves privacy but provides irrefutable evidence of onchain funds.