Sorry for missing the meeting, yet to clarify my contribution to issue #100 (cc UkoeHB rbrunner Rucknium[m]), I want to build a membership proof circuit over Bulletproofs, not over Groth16 (trusted setup SNARKS, ZEC/Tornado) and not over Halo 2. As for combining both proofs... you're reduced to the privacy of ring signatures and TX size would be additive. Performance would be significantly less than additive if you can still batch

verify.

And then for jberman[m] UkoeHB Pools are twofold. We need a consistent linkability format to have them. We also need a consistent accumulator structure for the membership proof to have them.

even if the membership proof changes, you should be able to build two accumulators over the same reference set

The issue with the consistent accumulator format is if we do a MiMc/Poseidon hash construction now, and that takes time to prove, and we later want to move to more efficient hash X... that's breakage. That said, if any new proof is able to select old hashes as needed by old segments, continuing the accumulator...

so long as linkability remains separate

Oh. Yes. At hard fork, you can absolutely re-execute all old outputs into the pool.

So yeah, there's a few options there. Thanks for bringing that up :)

yep

Anyuways. It is adding a circuit. It is not adding what is frequently called ZK-SNARKS in my initial proposal, nor is it incorporating any proprietary software (MIT/BSD-3). And then for Reddit trolls, it's also not introducing any ECC/ZFND/ZEC software.

*(it'll all be MIT/BSD-3)

Idk too much about zk-snarks, but choosing a good hash func is very important with good params

I haven't seen too much discussion online about this (or maybe I'm not looking hard enough)

But there have been competitions to find preimages of new arithmetic oriented hash funcs

25% proof size reduction? Interesting.

Lol what timing, great find though and curious if it plays out in practice.

Can't wait for BP+++ 😆

Wen stark