I just read this post on Vitalik’s blog about ZK-SNARKs:

I am interested in implementing the part “ZK-SNARKs for coins” of the article into an Algorand smart contract (the Verifier code).

Basically we need to store on-chain 2 sets of hashes:

hashes of type L when coins are created

hashes of type N when coins are spent

The smart contract needs to verify the (off-chain made) ZK-SNARK proof proving that:

some L and N hashes come from the same secret (i.e. the prover is allowed to spend the coin L)

the L hash is indeed in the set of hashes L (i.e. the coin L exists)

the N hash is not in the set of hashes N (i.e. the coin L has not already been spent)

So I wonder if it is actually possible to implement the Verifier for this with the current AVM and TEAL/PyTEAL (at least with a small number of coins for a Proof of Concept)?

You are proving that you know (from Algorand account B) a path in a Merkle tree to the root (that you have contributed to, but from Algorand account A) without actually revealing the path (as that would reveal that account B is linked to account A). A nullifier is also provided, ensuring that someone can only make this proof of the particular path once.

Another way of describing it is proving that withdrawer account B is actually a member of the set of depositors (among which account A is included), without actually revealing which exact member.
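As an added illustration (not code from this thread or from Algorand), here is plain Python modelling the relation the answer describes, checked in the clear with no zero-knowledge layer: a coin's L hash is a commitment to (secret, nonce), its N hash is a nullifier derived from the secret, and a spend is accepted only if the commitment sits under the published Merkle root and the nullifier has not already been recorded. The hash function, domain tags and tree layout are assumptions, and the secret and path are passed in only because this is the unblinded relation; the on-chain verifier would see just the root, the nullifier and the proof.

```python
import hashlib
from typing import List, Optional, Set, Tuple

def H(*parts: bytes) -> bytes:
    # SHA-256 over the concatenation of the inputs; the hash choice is an assumption.
    return hashlib.sha256(b"".join(parts)).digest()

# Hash of type L, published when a coin is created (the deposit by account A).
def commitment(secret: bytes, nonce: bytes) -> bytes:
    return H(b"coin", secret, nonce)

# Hash of type N, published when the coin is spent; derived from the secret alone.
def nullifier(secret: bytes) -> bytes:
    return H(b"nullifier", secret)

def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels of a binary Merkle tree, leaves first; an odd level duplicates its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level.append(level[-1])
        levels.append([H(level[i], level[i + 1]) for i in range(0, len(level), 2)])
    return levels

def merkle_path(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root, each flagged with whether our node is the right child."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index % 2 == 1))
        index //= 2
    return path

def verify_path(leaf: bytes, path: List[Tuple[bytes, bool]], root: bytes) -> bool:
    node = leaf
    for sibling, is_right in path:
        node = H(sibling, node) if is_right else H(node, sibling)
    return node == root

def verify_spend(secret: bytes, nonce: bytes, path: List[Tuple[bytes, bool]],
                 root: bytes, spent: Set[bytes]) -> Optional[bytes]:
    """The relation the SNARK would prove, checked in the clear: the witness opens a leaf under
    the published root and its nullifier is unspent. Returns the nullifier to record, else None."""
    if not verify_path(commitment(secret, nonce), path, root):
        return None  # no such coin under this root
    n = nullifier(secret)
    if n in spent:
        return None  # nullifier already recorded: double spend
    spent.add(n)
    return n
```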

Thanks a lot for your answer and links!
I’m glad this is something being worked on, and I look forward to trying those new AVM features for ZK proof verification when they are released.

(By the way the use case you described is exactly the one I want to implement)