Thanks for the info @burdges,
You might be interested in this paper: https://arxiv.org/pdf/1803.02067.pdf
It is a characterization of all the MNT4-6 cycles of elliptic curves cycles, it should be possible to pick a cycle that is reasonnably secure and practical for ethereum.
Although, I don’t think doing this on a slow elliptic curve is that much a problem :
Let’s assume,
- We have a 3M gas snark verification because we are on a 3x slower curve cycle
- The cost of an extra proof being aggregated to be 15K Gas
- A block gas limit of 8M
Then we can aggregate 333 proofs per block instead of 466. This is less efficient but not what I would call a no-go.
Most of the costs is for the prover, but I assume we will have proving hardware
I like your idea of combining together several proof scheme in the cycle. We could for instance alternate between bulletproofs and SNARKS, I wonder how expensive the bulletproof verification inside the SNARK would be though.