Wonder what info/comments the devs have? Have they done anything to keep ~25kb and use >80 bit security, with the same benefit that larger proofs provide?
It's probably not possible, unless they've made some advancement in cryptography. From the paper I posted earlier:
Unfortunately, the double discrete log proof is constructed using cut-and-
choose methods which effectively repeat a single proof multiple times to decrease
the probability of forgery. As a result, the proof is of size λ · 2k where k is the
size of a single field element and λ is the soundness parameter of the proof. For
1024 bit commitments and an 80 bit security level, this results in a 20KB double
discrete log proof and a total proof size (including the accumulator proof) of
25KB. Moreover, single threaded runtime for both verification and generation of
the proof runs in O(λ · k).
There's a reason that ZeroCoin hasn't really been implemented in a cryptocurrency before. Although AnonCoin claims to have done so, using 128 KB niZKPs; God only knows what the verification time is like on those.
