on 'anonymous usage tokens from curve trees': it's taken a good long while (being at a beginner level in Rust doesn't help!), I've been able to construct a rudimentary tool to do the job of creating a key image of a single utxo pubkey, and prove that it corresponds to a rerandomised entry in a curve tree.
My tests are now showing verification time of about 700ms for an anon set of 48K keys.
This is fast, but a lot slower than the 24ms listed in table in 6.1 of the paper! Though i am using optimised/release build, I'm not using parallelization or any actual benchmarking setup, so, hard to say. But I guess it's safe to say you could reach 1-300ms in practice(?). That should be fine in the cases where this primitive is useful.
Increasing to anon set 1-4M shouldn't increase verification time by more than 2x, afaict.
There are a ton more details that need to be checked out, but with the 'pedersen-dleq' bolt-on that I came up with, I think this curve trees approach should be better than the spartan-ecdsa approach; the latter is more powerful machinery but more general.
I asked the authors about my idea here (you can find the original paper, and my suggestion), though no response as of yet: