Hi everyone, Cryptium Labs has been doing R&D on a shielded pool for contract-defined tokens, based on this proposed ZIP and toy implementation. We are currently analyzing the changes needed to the Sapling circuits, and posting here as the project seems to have mutual interest (technical discussion/feedback, peer-review, etc.).
To start off, it seems there are a few technical items to consider:
Development of a group hash implementation in-circuit. It seems like the existing BLAKE2 implementation could be acceptable for this, and then a check that the value generator is a valid curve point (or at least not a small order point).
It seems to me that if the value generator is included in the note commitment, then the group hash does not need to be (re-)computed in the Spend circuit, since the note commitment included a generator that was witnessed to be a PRF-image in the Output circuit.
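An added illustration of the checks discussed in the post above (not code from the post, the ZIP, or Sapling): a try-and-increment group hash onto Jubjub in plain Python, outside any circuit, which hashes with BLAKE2s, decodes a curve point, clears the cofactor and rejects small-order results. The `asset_id` input, the `Example_` personalization and the byte encoding are assumptions made here, so the outputs do not match Zcash's GroupHash.

```python
import hashlib

# Jubjub base field (the BLS12-381 scalar field); Q - 1 = 2^32 * T with T odd.
Q = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
T = (Q - 1) >> 32
Z = next(z for z in range(2, 99) if pow(z, (Q - 1) // 2, Q) == Q - 1)  # non-residue
# Jubjub: -x^2 + y^2 = 1 + D*x^2*y^2 with D = -(10240/10241) mod Q.
D = -10240 * pow(10241, -1, Q) % Q

def sqrt_mod(n):
    """Tonelli-Shanks square root mod Q; None if n is zero or a non-residue."""
    if pow(n, (Q - 1) // 2, Q) != 1:
        return None
    m, c, u, r = 32, pow(Z, T, Q), pow(n, T, Q), pow(n, (T + 1) // 2, Q)
    while u != 1:
        i, v = 0, u
        while v != 1:
            i, v = i + 1, v * v % Q
        b = pow(c, 1 << (m - i - 1), Q)
        m, c, u, r = i, b * b % Q, u * b * b % Q, r * b % Q
    return r

def on_curve(x, y):
    return (y * y - x * x - 1 - D * x * x * y * y) % Q == 0

def add(p1, p2):  # complete twisted Edwards addition for a = -1
    (x1, y1), (x2, y2) = p1, p2
    k = D * x1 * x2 * y1 * y2 % Q
    return ((x1 * y2 + y1 * x2) * pow((1 + k) % Q, -1, Q) % Q,
            (y1 * y2 + x1 * x2) * pow((1 - k) % Q, -1, Q) % Q)

def mul8(p):  # multiply by the cofactor 8 (three doublings)
    for _ in range(3):
        p = add(p, p)
    return p

def group_hash(asset_id, person=b"Example_"):
    """Map asset_id (hypothetical input) to a non-small-order Jubjub point."""
    for ctr in range(256):
        data = asset_id + bytes([ctr])
        v = int.from_bytes(hashlib.blake2s(data, person=person).digest(), "little")
        sign, y = v >> 255, v % (1 << 255)  # top bit selects the root x
        x = sqrt_mod((y * y - 1) * pow(1 + D * y * y, -1, Q) % Q) if y < Q else None
        if x is not None:  # y is canonical and lies on the curve
            x = x if x & 1 == sign else Q - x
            g = mul8((x, y))
            if g != (0, 1):  # identity means a small-order input: try next counter
                return g
    raise ValueError("no valid generator found")
```

Because the returned point is a cofactor multiple that is not the identity, it lies in the prime-order subgroup, which is the property the "not a small order point" check in the post is after.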