To improve efficiency, Pedersen Commitment(i.e. g^Ex*h^r) or exponentiation g^Ex (so 1-2 exponentiations in a finite group) could be used instead of SHA256.
Con: new opcode is needed
Pros: efficiency, and PC / exponent could be proven itself in ZK in a very efficient way via Sigma protocols(can't imagine an useful example though).
Proving _knowledge_ or simple properties about the pre-image doesn't get you much of anything interesting.
In this protocol the prover proves something that makes the preimage valuable to the verifier. This generally puts into the land of ZKP for general computation; and in that land, facts about pedersen commitment are not more efficient to prove than SHA256.
(except with exceptional parameter selection... e.g. constructing a EC group out of the field created by the SNARK constructions' group.)
To improve efficiency, Pedersen Commitment(i.e. g^Ex*h^r) or exponentiation g^Ex (so 1-2 exponentiations in a finite group) could be used instead of SHA256.
Con: new opcode is needed
Pros: efficiency, and PC / exponent could be proven itself in ZK in a very efficient way via Sigma protocols(can't imagine an useful example though).