Porting Utreexo to Monero

[expiredhotdog]

Utreexo allows pruned Bitcoin nodes to be run off of just a few kilobytes of state, rather than gigabytes. The savings with this would be even more extreme on Monero, considering that pruned nodes currently can "only" discard less than 70% of blockchain data.

Since Monero does not reveal which enotes are spent, there would need to be two separate proofs, 1) a non-inclusion proof that the key images do not exist on-chain, and 2) an inclusion proof that the referenced decoys exist on-chain.

Number 1 should be simple by using a sparse merkle tree or similar, with proof sizes of a couple kilobytes or less per transaction, on average.

Number 2, however, would potentially require proofs on the order of tens of kilobytes for each transaction, even with optimizations from merging separate proofs. Possible, but not very useful. The need for this proof would be eliminated if FCMPs (#100) were to implemented, however, since decoys would be replaced by a small root anyway. Much larger proofs would still be needed for transactions spending old RingCT outputs, but those will quite quickly become rare after Seraphis activates.

I think it's worth exploring the possibility of porting Utreexo (Enote + tree = "Enotree"?) to Monero if FCMPs are included with Seraphis. This would allow users to trade marginally higher bandwidth usage, maybe even 50% or less, for >99.9% lower storage usage. Depending on the implementation, this could also allow light wallet users to easily verify the last N blocks without needing any form of a node, rather than solely relying on PoW.

Somewhat related to #69 and #111.