And your question about motivation: I think anti-sybil is going to prove to be a crucial property for these anonymous systems using bitcoin (most importantly, Lightning: see, jamming attacks). I discussed this a fair bit in this talk: https://pretalx.com/adopting-bitcoin-2022/talk/RVFS9C/
TLDR: proving ownership of one out of 1 million utxos, means 1 million keys, with a proof size that is reasonably compact, and a verification time that is reasonably quick (hence we talk about "sublinear", i.e. less than O(n)).
Not TLDR: you can see work I did previously to find schemes that are at least close to this here: https://reyify.com/blog/little-riddle , and the referenced earlier blog posts. These aren't, probably, fast enough in verification. Then there's also the idea of using Curve Trees which I discussed in a post here on nostr in some detail, recently. This is another approach (at least, I *think* it is), but now I think about it, we *might* still get stuck with linear verif time here too.