I think this variant of payment proofs can be opened for selected subset of participants.
Consider we have f = H(H(contract1) | H(contract2) | … | H(contractn)).
If we want to show the payment proof of Participant2, we only need to show the following data:
H(contract1), contract2, … , H(contractn).
So we show the contract of the Participant2 and only show the hashes of other contracts. This is enough to compute f and prove the payment proof equation holds.
We can show any subset of contracts/paymentproofs and blind the others by only showing the hashes. For instance if we have a combined transaction of 3 senders and 3 receivers, if the senderi wants to prove they sent to receiverk, they only need to reveal (contracti, contractk) and hashes of other contracts.
However, people would need to be careful to avoid collisions e.g. if senderj sent the same amount as senderi, both could reveal their contract and the contract of receiverk but really only one of them paid this receiver.
This could be solved by either:
- making receiverk commit to the senderi e.g.
H(contractk | H(contracti)). - not sharing the contracts with everyone in the transaction (only showing the hashes and adding the public excess and nonce to the total)
The 1st option is probably preferable because both parties are in the commitment which prevents attacks through collusion.