Hi ZmnSCPxy,
> As the network is pseudonymous, an anonymous attacker can flood the fullnode mempool network with large numbers of non-aggregated transactions, then in cooperation with a miner confirm a single aggregated transaction with lower feerate than what it put in the several non-aggregated transactions.
Arguably this is hardly a feasible attack. Let's suppose the attacker creates 1000 such transactions and attaches a small transaction fee X to each of them. The total fee will be 1000*X, collectible by the aggregation vendor, who pays the miner a fee Y. We can reasonably assume that 1000*X is much larger than Y, yet X is much smaller than Y. Note that Y is already much larger than the regular fee for other transactions, as the aggregated transaction should contain many inputs and many outputs and is thus very large in size.
Now, the attacker will have to generate proofs for these 1000 transactions, which is non-trivial, and pay 1000*X upfront. The aggregation vendor has to spend more computing power doing the aggregation (or recursive verification) and takes (1000*X - Y) as profit. The miner gets Y.
Miners are unlikely to collude with the attacker. I don't think the vendor would, given a profit of 1000*X - Y. Or the attacker could play the vendor; however, it is still not a trivial attack after spending lots of computing power generating all the proofs and the aggregation/recursion, and paying at least Y, which is also non-trivial given the size.
All that being said, let's focus on OP_ZKP for now and leave aggregation or recursive verification for future discussion. I brought up the scalability issue just to stress that there is potential room for further improvements. The research and implementation might take much longer. As far as I know, CISA (cross-input signature aggregation) is still experimental. Again, thank you very much for the detailed analysis and replies.
Regards,
Weiji
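The fee accounting argued over in the two messages above, as an added toy model that is not part of the thread, the OP_ZKP proposal or any Bitcoin implementation. It puts the quoted concern (the confirmed aggregate pays a lower feerate than the transactions it replaced in the mempool) and the reply's premise (1000*X > Y > X, so the vendor still profits) side by side for one set of numbers. The transaction sizes, the per-proof and aggregation costs expressed in sats, and the sample figures in `SAMPLE` are all assumptions chosen for illustration; nothing in the thread fixes them.

```python
# Added toy model of the fee accounting in the OP_ZKP aggregation scenario above.
# Not code from the proposal or from Bitcoin Core. All sizes and the sample
# figures are assumptions for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    n_txs: int        # non-aggregated transactions the attacker submits
    fee_x: int        # fee attached to each of them (sats)
    tx_vbytes: int    # assumed size of one non-aggregated ZKP transaction
    fee_y: int        # fee the vendor pays the miner for the aggregated tx (sats)
    agg_vbytes: int   # assumed size of the aggregated transaction


# Constructed sample: 1000 txs at 200 sats each, an aggregate that keeps all the
# inputs/outputs (hence large) and pays the miner 50,000 sats.
SAMPLE = Scenario(n_txs=1000, fee_x=200, tx_vbytes=1500,
                  fee_y=50_000, agg_vbytes=500_000)


def feerate(fee_sats: int, vbytes: int) -> float:
    """Sats per vbyte, the quantity a mempool ranks transactions by."""
    return fee_sats / vbytes


def fee_assumptions_hold(s: Scenario) -> bool:
    """The reply's premise, as a strict ordering: N*X > Y > X."""
    return s.n_txs * s.fee_x > s.fee_y > s.fee_x


def attacker_upfront_fees(s: Scenario) -> int:
    """What the attacker must commit before anything confirms: N*X."""
    return s.n_txs * s.fee_x


def vendor_profit(s: Scenario) -> int:
    """An honest aggregation vendor collects N*X and pays the miner Y."""
    return s.n_txs * s.fee_x - s.fee_y


def mempool_load_vbytes(s: Scenario) -> int:
    """Bytes the non-aggregated transactions occupy in each node's mempool
    until the aggregate confirms and they become conflicting/stale."""
    return s.n_txs * s.tx_vbytes


def aggregated_feerate_is_lower(s: Scenario) -> bool:
    """The quoted concern: the single confirmed aggregate pays a lower
    feerate than each of the transactions it displaces from the mempool."""
    return feerate(s.fee_y, s.agg_vbytes) < feerate(s.fee_x, s.tx_vbytes)


def attacker_as_vendor_cost(s: Scenario, proving_cost_per_tx: int,
                            aggregation_cost: int) -> int:
    """If the attacker also plays the vendor, the N*X in fees flow back to it,
    so its real outlay is the miner fee Y plus the (assumed, sats-denominated)
    cost of generating N proofs and doing the aggregation/recursion."""
    return s.fee_y + s.n_txs * proving_cost_per_tx + aggregation_cost


if __name__ == "__main__":
    s = SAMPLE
    print("premise N*X > Y > X holds:", fee_assumptions_hold(s))
    print("vendor profit (sats):", vendor_profit(s))
    print("mempool load (vbytes):", mempool_load_vbytes(s))
    print("aggregate feerate lower than the 1000 txs:",
          aggregated_feerate_is_lower(s))
    print("attacker-as-vendor outlay (sats):",
          attacker_as_vendor_cost(s, proving_cost_per_tx=10,
                                  aggregation_cost=20_000))
```

With the sample numbers both statements are true at once: the vendor nets 150,000 sats while the aggregate's feerate (0.1 sat/vB) is below that of the individual transactions (about 0.133 sat/vB), which is the situation the quoted message worries about. Shrinking `agg_vbytes` (a more compact aggregate) flips `aggregated_feerate_is_lower` to False without touching the profit argument, so the two disagreements hinge on different parameters.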