-
kayabaNerve: Contracts can't hold private keys as all their data is public. Homomorphic encryption does offer data manipulation without knowledge of data, yet even if you somehow managed to get it to produce a signature, you'd still need the decryption key which can't be itself encrypted. Therefore, it still falls back into a single party.
-
kayabaNerve: While you can't control the XMR, you can (theoretically) control the ETH. The Dogethereum Bridge allowed anyone to put DOGE on ETH, with the condition that if any bridge member stole the DOGE they lost an equivalent, or larger, ETH amount.
-
kayabaNerve: So you'd need to prove NFT existence (easy) AND that the key image was spent in a Monero block on the main chain. This means some form of SPV + TX inclusion proof + TX parsing.
-
kayabaNerve: Which becomes infeasible the second we look at any ETH network which is already sufficiently used, hence why DOGE isn't 10% on ETH despite the gigantic wallet they had allocated to the Dogethereum bridge.
-
chaser[m]: <kayabaNerve> "While you can't control the XMR,..." <- this is the design tBTC uses (tbtc.network). it's AFAIK feasible, at least it's still operating at current fee levels. the only trusted element in it is the ETHBTC price oracle (well, that's a big one, but still better than a single multisig holding everything). you can't really get around the oracle problem.
-
chaser[m]: at least not in this design. the other way would be endowing Monero with the requisite scripting capabilities to make sense of and verify tx data from other chains
-
kayabaNerve: chaser[m]: Yeah, this is Dogethereum-esque. It's still a multisig, just one with a bond.
-
chaser[m]: kayabaNerve: yes, the basic building block is multisig, but it's as many multisigs as there are deposits. bonding is quite capital-inefficient, but it's the best you can have in this model