Duplicating info here for visibility:
We explored two approaches that might allow for secure proof generation.
Full Local EVM Proofs
The user generates all the proofs for the transactions - and hence the entire RM transaction - locally. This would of course be preferable for any cypherpunks and people actually interested in security.
However, this is practically unattainable currently.
Firstly we have to take into account that the user will have to download an 18 GB proving key for proving. Yet that part is ok, the user would need to do it only one time. If they are interested in security that is bearable, although - if we're comparing ourselves to Railgun - this may take hours depending on internet speed. Took 3 hours for me, but I have a pretty bad connection.
Secondly, the local generation of EVM proofs currently ranges from very slow to impossible.
Locally running the sha256 example taken from the official repo takes about 20 minutes - for a single hash function run and one equality comparison! - and nearly made my 64 GB RAM machine shut down. At some point it simply froze while running at 99+% of RAM usage.
While testing the mock compliance proof generation @xuyang provided, my laptop simply ran out of memory after 20+ minutes.
Local app-proving and server-side aggregation proof
The user generates all the app proofs and then sends them to e.g. us to aggregate them into an EVM-verifiable proof.
Currently this does not actually grant us anything because it seems that the app proofs lack any ZK properties. While theoretically it may not be easy to get any info from them, for all intents and purposes we should look at it as basically being transparent.
However, as @cwgoes mentioned, if they can make them ZK then it might be worth returning to this idea in the future, hoping that the proof sizes and times do not escalate due to that.
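The local-proving timings above were taken by running the prover directly, which is why the machine ended up frozen at 99% RAM instead of the run failing cleanly. As an added example (added here, not the poster's numbers and not code from the Anoma repo), the POSIX-shell wrapper below runs a command under an address-space cap via `ulimit -v` and reports exit status and wall-clock seconds, so an out-of-memory proving attempt fails fast with a non-zero status rather than taking the desktop down. `alloc_mib` is a constructed stand-in for the prover (it just makes `dd` allocate a buffer of the given size); the cap values are arbitrary and would be replaced by the real proving command and a limit just below physical RAM.

```sh
#!/bin/sh
# Added example (not the poster's or the project's code): run a prover
# command under a virtual-memory cap so that a run which would exhaust RAM
# fails fast with a non-zero status instead of freezing the whole machine,
# and report wall-clock time alongside the exit status.

# run_capped LIMIT_KIB COMMAND [ARGS...]
# Runs COMMAND in a subshell after `ulimit -v LIMIT_KIB` (address-space cap
# in KiB, Linux). COMMAND's own output is discarded; one summary line is
# printed. Returns COMMAND's exit status (non-zero when the cap is hit).
run_capped() {
    limit_kib=$1
    shift
    start=$(date +%s)
    ( ulimit -v "$limit_kib" && "$@" ) >/dev/null 2>&1
    status=$?
    end=$(date +%s)
    echo "limit_kib=$limit_kib status=$status seconds=$((end - start))"
    return "$status"
}

# alloc_mib MIB: constructed stand-in for a prover. dd allocates a single
# MIB-sized buffer, so it either fits under the cap or dies with
# "memory exhausted". Substitute the real proving command in practice.
alloc_mib() {
    dd if=/dev/zero of=/dev/null bs="$1"M count=1
}

# Demonstration: a 32 MiB buffer fits under a 512 MiB cap; a 256 MiB buffer
# does not fit under a 64 MiB cap and is rejected at allocation time.
main() {
    run_capped 524288 alloc_mib 32    # status=0
    run_capped 65536 alloc_mib 256    # status!=0, caught instead of freezing
    return 0
}

main "$@"
```

Two caveats for using this on a real prover: `ulimit -v` caps address space, not resident memory, so a prover that mmaps the whole 18 GB proving key will trip a cap set below that size even though it never needs that much RAM; in that case a cgroup limit (for example `systemd-run --scope -p MemoryMax=` on a systemd host) bounds actual memory use instead. And wall-clock seconds alone do not show peak usage; wrapping the command in `/usr/bin/time -v` where it is installed adds the "Maximum resident set size" figure that the 64 GB observation above really calls for.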