Board: Development & Technical Discussion
Re: How would you prove that you own >= X BTC without disclosing addresses ? (ZKP)
by hexafraction on 15/08/2015, 16:18:29 UTC
Using an AOS ring signature only works when you know the pubkeys, which you don't for most coins in the Bitcoin UTXO set.

In any case, the ring signature used to construct the CT range proof is just the AOS scheme when not used with any AND, so that's implemented in secp256k1-zkp.

To avoid the proof size-- you're off in snark land-- e.g. the statement you prove "I know a private key for an adequate coin belonging to a utxo set with this hashroot". I previously suggested a scheme that lets you avoid doing 99% of the EC math inside a snark, so this could get a small, under-400-byte proof and be implementable. I think it was in a forum post... I'll have to look. But the basic process has the snark instead prove "Pubkey P is a blinding of a pubkey that is a member of this tree", and then you also prove you know P's discrete log externally to the snark. The verification of the blinding can be done with a single point addition in the prover.


Uh... Mr gmaxwell, could you say that again in "plain language"? I mean, in "normal English"? I'm seriously trying to understand what you're trying to say.

The way I said it, although a solution, is centralized. This can probably even be implemented by a large block explorer or block chain site, automatically. But I know everyone is looking for a better way, or something that can be done in the bitcoin core client.

Some alt-coins have this thing called Proof of Stake, I'm wondering if that's an angle bitcoin can use (for proving the original question of the OP, not for mining.)

Proof of stake isn't anonymous as ZKP proofs are. The AOS signature lets you mathematically prove a statement "I have access to a private key for at least one of the addresses in this set" without revealing which. If you're trying to prove you own 1 BTC, you'd sign it so that set would be a set of a bunch of keys that all contain 1 BTC.


I'm not sure about the 'snark' concept. It would be nice if someone could provide an explanation or a link to one.
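Added illustration of the AOS ring signature hexafraction describes above (this is example code written for this page, not code from the thread or from secp256k1-zkp): over secp256k1 in plain Python with textbook affine arithmetic, the holder of one private key in a ring of public keys produces a signature that verifies against the whole ring, and the verifier cannot tell which position signed. It assumes the ring's public keys are known, which is exactly the limitation gmaxwell points out for most Bitcoin UTXOs.

```python
import hashlib
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; toy affine arithmetic below, not constant-time
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P
def ec_mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r
def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def challenge(msg, pubkeys, r):  # e_{i+1} = H(m || ring || R_i) mod N; hashing the ring pins the key set
    h = hashlib.sha256(msg)
    for pt in list(pubkeys) + [r]:
        h.update(bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, 'big'))  # compressed point encoding
    return int.from_bytes(h.digest(), 'big') % N

def ring_sign(msg, pubkeys, j, x_j):  # AOS signature by whoever holds x_j = log_G(pubkeys[j])
    n = len(pubkeys)
    s, e = [0] * n, [0] * n
    k = secrets.randbelow(N - 1) + 1
    e[(j + 1) % n] = challenge(msg, pubkeys, ec_mul(k, G))  # start the ring just after our own key
    i = (j + 1) % n
    while i != j:  # for every key we do not hold, pick a random s_i and derive the next challenge
        s[i] = secrets.randbelow(N)
        e[(i + 1) % n] = challenge(msg, pubkeys, ec_add(ec_mul(s[i], G), ec_mul(e[i], pubkeys[i])))
        i = (i + 1) % n
    s[j] = (k - x_j * e[j]) % N  # close the ring: s_j*G + e_j*P_j == k*G, so e_{j+1} recomputes
    return e[0], s

def ring_verify(msg, pubkeys, sig):  # recompute every challenge from e_0 and check the ring closes
    e0, s = sig
    if len(s) != len(pubkeys): return False
    e = e0
    for pk, si in zip(pubkeys, s):
        e = challenge(msg, pubkeys, ec_add(ec_mul(si, G), ec_mul(e, pk)))
    return e == e0
```

The signature is (e_0, s_0..s_{n-1}), so it grows linearly with the ring, which is the proof-size problem the snark discussion above is trying to avoid.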