What is the correct transaction protocol (especially in the face of privacy trade-offs)?

How does a user learn that they have received a payment?

This appears to be a hard problem when users can't self-validate the entire state of the system (e.g. are light clients or, in our case, CBDC users who simply don't get access to all transactions) and system provides strong privacy.

In particular, in Zerocash/Zcash-style systems a user is tasked with decrypting every payment and see if the decryption succeeds. This is also true for decoy-based privacy like CryptoNote/Monero. The issue appears inherent -- strong privacy mandates that no third party can detect when a payment is sent to you.

Some potential solutions include:

Letting participants observe the entire traffic and do payment decryption themselves. This is unworkable for our throughput and usability requirements.
Having payment detection nodes that learn this information on user's behalf. This is, e.g., how some Zcash/Monero light clients work.
Using fancy cryptography (e.g., FHE) to have the server compute an encrypted version of which payments are for which user, that only the particular user can later decrypt.
Using something like Vuvuzela's dead drops to which sender will address a message.
Simply making recipient's address available to the CBDC servers. I.e. everyone learns that a payment was made to Bob, but not that it came from Alice or how much she sent.
Changing the transaction model: mandating that a recipient has to counter-sign to receive transaction (so by definition they know they have received money). This implies interaction but might be useful for achieving certain policy goals (e.g. in counter-signing model I can't be implicated for receiving a payment I did not consent to receive, whereas in traditional system everyone (including people I don't want to!) can send me a payment, provided they know my address)

mit-dci / opencbdc-tx

What is the correct transaction protocol (especially in the face of privacy trade-offs)? #28