Replying to waxwing

Funny how this works. Couple years back, I cheekily gave my audience a 'homework question': https://reyify.com/blog/homework-answer-advancing-2022

Just this week, I realised that it's a solution to a problem that's been bothering me for a while: cool, I can use Curve Trees to get an efficient ZK proof of knowledge of 1 out of N secp256k1 pubkeys (e.g. taproot utxos), but isn't that a bit useless to limit usage, if a bad actor can just keep generating proofs indefinitely, using the same pubkey, but we don't know because we wanted the ZK property for user anonymity?

Because curve trees use a 'rerandomised' pubkey, we can use the above 'homework' proof (proof that you know the opening of a Pedersen commitment), plus a DLEQ, to create a verifiable key image, that can only be used once, for a specific curve tree (which is an accumulator that everyone can reconstruct, using the blockchain - e.g. 100k taproot pubkeys).

This can give 'decentralized' anonymous usage tokens (i.e. without an issuer), with very large anon sets without bad prover or verifier computation blowup.

More detail: https://github.com/AdamISZ/aut-ct.pdf
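To make the key-image idea concrete, here is an added illustration (my own code, not waxwing's and not the aut-ct project's) of the piece described above: the rerandomised leaf is a Pedersen commitment C = xG + rH to the secret key x, the prover shows knowledge of its opening, and a DLEQ-style link ties the same x to a key image I = xJ on a second generator. Because I depends only on x, a verifier that records key images can accept each key once no matter how many fresh rerandomisations are produced, while r keeps the underlying pubkey hidden. The Curve Tree membership proof (the "1 out of N" part) is not reproduced here; the generators H and J, the try-and-increment derivation, the point encoding and the Fiat-Shamir hashing are all assumptions of this example, and the arithmetic is textbook pure-Python secp256k1 that is not constant-time.

```python
import hashlib
import secrets

# secp256k1 parameters (field prime, group order, base point).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    k %= N
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r

def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def nums_generator(tag: bytes):
    """Assumed construction: nothing-up-my-sleeve generator by hashing to an x-coordinate
    and incrementing a counter until x^3 + 7 is a square (so nobody knows log_G)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(tag + ctr.to_bytes(4, "big")).digest(), "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)
        if y * y % P == y2:
            return (x, y)
        ctr += 1

H = nums_generator(b"aut-ct-example/H")  # blinding base for the rerandomisation (assumed)
J = nums_generator(b"aut-ct-example/J")  # key-image base (assumed)

def enc(pt):
    """Fixed 64-byte encoding of a point for hashing (assumed convention)."""
    return b"\x00" * 64 if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def challenge(*pts):
    """Fiat-Shamir challenge over the statement and the commitments."""
    return int.from_bytes(hashlib.sha256(b"".join(enc(p) for p in pts)).digest(), "big") % N

def prove(x, r):
    """Sigma protocol: knowledge of (x, r) with C = xG + rH and I = xJ sharing the same x.
    Returns the rerandomised commitment C, the key image I and the proof (e, z1, z2)."""
    C = add(mul(x, G), mul(r, H))
    I = mul(x, J)
    a, b = secrets.randbelow(N), secrets.randbelow(N)
    A1 = add(mul(a, G), mul(b, H))   # commitment for the Pedersen opening
    A2 = mul(a, J)                   # commitment for the key-image link, same nonce a
    e = challenge(C, I, A1, A2)
    return C, I, (e, (a + e * x) % N, (b + e * r) % N)

def verify(C, I, proof):
    """Recompute A1 = z1*G + z2*H - e*C and A2 = z1*J - e*I and re-derive the challenge."""
    e, z1, z2 = proof
    A1 = add(add(mul(z1, G), mul(z2, H)), neg(mul(e, C)))
    A2 = add(mul(z1, J), neg(mul(e, I)))
    return challenge(C, I, A1, A2) == e

def redeem(C, I, proof, used):
    """Verifier side: accept a valid proof only if its key image has not been seen before."""
    if not verify(C, I, proof) or I in used:
        return False
    used.add(I)
    return True

def demo():
    """Constructed scenario: the same secret key, two fresh rerandomisations.
    The first redemption succeeds, the second is caught by the key image."""
    x = secrets.randbelow(N - 1) + 1
    used = set()
    first = redeem(*prove(x, secrets.randbelow(N)), used)
    second = redeem(*prove(x, secrets.randbelow(N)), used)
    return first, second

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The two relations share the nonce a and the response z1, which is what makes the proof a DLEQ rather than two independent Schnorr proofs: a prover cannot pair the opening of one commitment with the key image of a different key. In the setting above the verifier would additionally check a Curve Tree membership proof that C is a rerandomisation of some leaf in the accumulator built from the chain; this example assumes that step has already passed.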

404 ?


Discussion

Yeah sorry, the direct link to the pdf doesn't work for some reason. Here:

https://github.com/AdamISZ/aut-ct