This is already addressed in the aut-ct construction with key images; the application stores a flat file database of those key images. The same could also be done here afaik. You attach a trivial sigma-protocol type proof of DLEQ between a key image I and the non-blinded part of the blinded commitment to P, i.e. proof that C = xG + bH AND I = xJ.
Yes; also in Curve Trees the verifier can verify just against the root, it’s the same principle.
But (maybe stating the obvious?) basic AOS style ring signatures never really felt viable for these tasks, since they scale linearly in the anonymity set, so you can only get quite trivially small anonymity sets, which are probably too fragile to claim any real anonymity. Moreover, in some kind of flat network structure of interaction (like Lightning) you need verification of others’ proofs to be fast, so that you can’t get DOS just with claims of ownership etc. That’s why I gravitated towards the Curve Tree structure. This alternative STARK direction could well be viable too.
This feels like the most important question. Currently announcements are made publically of channel utxos. Assuming the key image (no double spend) thing mentioned above, how much worse is it to announce privately a utxo of the same size, for DOS resistance?
My (slightly woolly) thinking on this was always, while simply announcing money owned, not having to spend it, is obviously a vastly smaller cost, you can filter and control this to some extent: filters by age and by value can be included in your merkle/curve tree setup to make it that only “higher quality” utxos are allowed (e.g. amount =T^aV^b for age T, size V, perhaps). But … how is this defence really worse than the advertisement of “real” channels (which after all is not a meaningful distinction, in taproot/musig land, right?).