Can we aggregate inclusion proofs with Shamir’s trick and reduce this to O(1) for a proof of inclusion of a batch of any transactions?
\pi_1^x=A , \pi_2^y=A , where \pi_1=g^{\frac{u}{x}} and \pi_2=g^{\frac{u}{y}}
Shamir’s Trick
a*x + b*y=1
\pi_{1,2}=\pi_1^b\pi_2^a
\pi_{1,2}^{x*y}=A
i.e.
let A=g^{3*5*7}, x=3, y=5
A=g^{105}
\pi_1=(g^{35})
\pi_2=(g^{21})
a*3+b*5=1
a=7
b=-4
\pi_{1,2}=(g^{35})^-4 * (g^{21})^7
\pi_{1,2}=g^{-140} * g^{147} = g^{7}
check
(g^{7})^{3*5} = g^{3*5*7}=A
To be clear I don’t fully yet understand simultaneous exponentiation, just following Benedikt’s work from his talk and have questions about how {a,b} are computed.
Also I wonder if it would just be easier to aggregate u and divide out the product of every transaction inclusion you are proving. Using the example above you can notice \pi_{1,2}=g^{\frac{u}{x*y}}
Using this, Wesoloski would be h=g^{x*y}, z=h^{\frac{u}{x*y}}