Daira-Emma Hopwood

Another way to sample the challenges, for curves that support a cubic endomorphism, is given by Algorithm 1 in the [Halo paper](https://eprint.iacr.org/2019/1021). See also the proof of correctness in Appendix...

Hmm. Perhaps this should have gone in the server repo. I guess it affects both the client and server. Feel free to move it if it should go elsewhere.

OpenBazaar's [moderator functionality](https://blog.openbazaar.org/what-is-openbazaar/) requires multisig, which isn't directly supported by Zcash for anonymous transactions, but there are workarounds: https://github.com/zcash/zcash/issues/782

I would prefer that we not rerun selector compression, just for simplicity of analysis. Selector compression is supposed to be expressible as an optimization that transforms PLONKish circuits to PLONKish...

The mock prover could calculate shape information on both (or all) passes, and error if it is not the same.

I strongly think we should make this change. It's basically just a search-and-replace of `extern "C"` to `extern "C-unwind"` in Rust code. (See however https://github.com/rust-lang/rust/issues/83116 .)

I am still investigating using a copy of @LarryRuane's datadir. I likely will not be able to resolve this until after Zcon (I get back on the 11th August).

> Is it possible for a miner to perform aggregation over their entire mempool? Yes (for supported, i.e. fully shielded Orchard, transactions and aggregates). It might be concretely quite expensive...

The original proposal had a bug — the recipient of a note found by scanning outputs would not have had sufficient information to construct its witness. [Edit 2024-05-15: I can...

If we wanted to retrofit the trimmable/non-trimmable distinction onto the existing shielded protocols, the fields that are trimmable in Sprout, Sapling, and Orchard, are the note ciphertexts and outgoing ciphertexts.