I'm only just this morning properly reading NUT-11 (P2PK). I didn't realise that it's possible to make a signature only to a specific combination of proofs; basically I kinda knew about SIG_INPUT in Cashu but not SIG_ALL. But I think I see now, also thanks to calle's message just above.
(As I'm new to this, I'm just obsessing about the ideas that [I think] I understand, and therefore I'm likely misunderstanding a lot of what others have said in this thread)
I might have another idea, which might be possible in current Cashu. Just thinking out loud:
A and the mint prepare a set (a few dozen) of BlindSignatures with P2PK for a variety of denominations - large denominations (many sats) and small denominations (millisats).
At any time, A can take a subset of those (e.g. 32 sat + 8 sat + 1 millisat) and sign the collection of those and give the signature to the router, giving the router unilateral exit to take the value in that set of proofs
Later, A can update the balance by taking a set which has a larger total value (e.g. 32 sat + 16 sat + 1 millisat) and giving the updated signature to Bob
It's important here that the new set has some overlap with the older set, in this case the 32 sat and the 1 millisat are in both the new transaction and the old one. This overlap ensures that the router can't exit with *both* sets; the mint will notice that the second signature is for a particular Proof that has already been spent
Every time A creates a new set of proofs and signs that collection, A must ensure that this set has an overlap with every one of the previous sets that A has signed. This ensures that B can only redeem via one of the many signatures B has got from A.
To satisfy the overlap constraint, maybe we could simply have a single 1-millisat proof that A includes in every set
https://github.com/cashubtc/nuts/blob/main/11.md
