a publicly verifiable scheme is not required for a coordinator, OPRF based blind DH e-cash tokens would suffice for the unit token.
however, using a set denomination and a unit token inherently forces linkage of post-spend change in subsequent coinjoins, and links those to the change-from-coinjoin. the only safe approach here is to strand all change from post coinjoin payments or even burn them as fees, obviously not an acceptable solution. the alternative, letting users use those coins and link them after the fact has serious implications for clustering. in particular the way it composes with Goldfeder et al's cluster intersection results (https://arxiv.org/pdf/1708.04748, see also introductory post by me) and wallet fingerprinting based clustering (https://arxiv.org/pdf/2107.05749, https://www.usenix.org/system/files/sec22-kappos.pdf)
additionally supporting just 1 input per registration request forces this information on chain (like scamourai's tx0 does, unlike wasabi 1.x)
the use of homomorphic value credentials would alleviate this at the cost of additional complexity and rounds of communication.
a publicly verifiable scheme is not required for a coordinator, OPRF based blind DH e-cash tokens would suffice for the unit token.
however, using a set denomination and a unit token inherently forces linkage of post-spend change in subsequent coinjoins, and links those to the change-from-coinjoin. the only safe approach here is to strand all change from post coinjoin payments or even burn them as fees, obviously not an acceptable solution. the alternative, letting users use those coins and link them after the fact has serious implications for clustering. in particular the way it composes with Goldfeder et al's cluster intersection results (https://arxiv.org/pdf/1708.04748, see also introductory post by me) and wallet fingerprinting based clustering (https://arxiv.org/pdf/2107.05749, https://www.usenix.org/system/files/sec22-kappos.pdf)
additionally supporting just 1 input per registration request forces this information on chain (like scamourai's tx0 does, unlike wasabi 1.x)
the use of homomorphic value credentials would alleviate this at the cost of additional complexity and rounds of communication.