Reconsider the public transfer mechanism.

[Amxx]

I'm starting to think that having a public variant of the confidential transfer functions is possibly to much. Instead I would consider the following:

• There already is a transfer event that includes the encrypted amount
• The sender or receiver of the transfer have the ability to decrypt.
• Anyone able to decrypt the value can theoretically:
  • provide the decryped value, with a proof
  • provide an event inclusion proof (merkle proof)

We could imagine that the contract could have a discloseEvent function that:

• takes both proofs listed above
• verifies them
• emit a public event for the transfer that was disclosed.

If there ever is a mecanism to make a euint64 public, the sender of the public transfer could make that public onchain so that anyone is then able to produce the proofs mentionned above.

[npasquie]

Reposting my answer made on discussion external to github (tl;dr i'm in favor)

If I understand correctly the argument is that only exposing the discloseEvent (probably would better be called discloseTransfer) is enough to provide the feature
this function allows anyone who has read access (so at least sender and receiver) on the transferAmount to decrypt it and publish it, an event gets emitted with the decrypted value
I agree with that I think it makes sense, we get a standard for publishing transfers which is more general than just letting the sender make this choice

[arr00]

We should reconsider this conclusion as the method Ethereum uses for generating proofs for transaction inclusion will likely change (with the introduction of verkle trees).

[arr00]

Due to the issue mentioned above, we have opted to change the flow for exposing events publicly. The current implementation is as follows:

• There is a function discloseEncryptedAmount that users can call for any handle. They must have approval for it on the ACL and the contract must have approval too.
• The contract sends a public decryption request for the given handle.
• The gateway responds with the decrypted version and emits the (handle, value) pair.

All handles are indexed when they are emitted, making it easy for disclose events to be paired with transfers (when applicable). The solution also allows users to expose their balance handles.