cryptography·/u/planetoryd·3 days ago
#c6w7rW9s

Example use case: an imageboard where the server hosts a public membership tree containing identity commitments. Each time, a user holding an identity secret can generate a new anonymous identity by proving membership within the membership tree and non-membership of any of her nullifiers within the ban-set, emitting a new nullifier. The user is banned when any of her nullifiers is included in the ban-set. Specifically, I'm interested in formulating the system in SP1, and in making it post-quantum with practical performance. (So the mental starting point is Poseidon hashes over a sparse Merkle tree.) Usually the identity commitment is formulated as hash(secret) and the nullifier is hash(secret|blinder), which means both are anonymous. But current schemes can only handle one anonymous identity per context if the nullifier is formulated as hash(secret|context). Zcash uses the same model, where user membership is substituted with coin ownership, and the ban-set represents spent coins.…
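The hash(secret|context) model described in the post, written out as the plain relation a proof would have to enforce. This is an added example, not part of the original post: SHA-256 stands in for Poseidon, a Python set stands in for a sparse-Merkle non-membership proof over the ban-set, and the function names, domain tags and sample secrets are constructed for illustration.

```python
import hashlib

def H(tag: bytes, *parts: bytes) -> bytes:
    # SHA-256 stands in for Poseidon (assumption). The tag and length
    # prefixes keep leaf, node and nullifier hashes in separate domains.
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def next_level(level):
    return [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    # Binary Merkle tree over a power-of-two number of leaves.
    level = list(leaves)
    while len(level) > 1:
        level = next_level(level)
    return level[0]

def merkle_path(leaves, index):
    # Sibling hashes from the leaf up to (not including) the root.
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[index ^ 1])
        level, index = next_level(level), index // 2
    return path

def check_statement(root, ban_set, context, nullifier, secret, index, path):
    # Public inputs: root, ban_set, context, nullifier.
    # Private witness: secret, index, path.
    node = H(b"leaf", secret)                 # identity commitment = hash(secret)
    for sibling in path:
        node = H(b"node", node, sibling) if index % 2 == 0 else H(b"node", sibling, node)
        index //= 2
    bound = nullifier == H(b"null", secret, context)  # hash(secret|context)
    return node == root and bound and nullifier not in ban_set

# Constructed sample membership tree with four users.
SECRETS = [b"alice-secret", b"bob-secret", b"carol-secret", b"dave-secret"]
LEAVES = [H(b"leaf", s) for s in SECRETS]
ROOT = merkle_root(LEAVES)

def post_as(i, context, ban_set):
    # User i derives her nullifier for this context and checks the statement.
    nf = H(b"null", SECRETS[i], context)
    path = merkle_path(LEAVES, i)
    return nf, check_statement(ROOT, ban_set, context, nf, SECRETS[i], i, path)
```

Because the nullifier is a deterministic function of (secret, context), a single ban-set lookup suffices, but the user gets exactly one identity per context and a banned nullifier from one context does not match her nullifier in another.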
