I’ve tried to describe what I refer to as a transaction obfuscator which I tried to describe a few times on the keybase chat. I believe this path is worth debating and researching further.
Aggregator+Obfuscator could be a good privacy combination. The reason I’m bringing it up now is because the early payment proofs might make the idea of output swapping unfeasible, so we should perhaps take some time to explore this path before we discard it.
aren’t payment proofs proved by providing the signature of the receiver? so they commit to the excess of the receiver, which doesn’t contain the offset. So the receiver needs to keep the same private excess for the payment proof to remain valid or not?
Yes, the receiver cannot change their excess, which equals
their outputs minus their inputs minus their offset times G.
So they can make any changes that keeps this equation balanced.