gmaxwell: Sorry, I thought you were talking about regular Elgamal, not the exponential variant. My bad. 
The problem with exponential Elgamal (as you've said) is that you need to brute-force the decryption. As the balances of the accounts are also encrypted, users only have two options:
1) Store a copy of the balance in theirs computers using a different encryption. Since the mini-blockchain only stores transactions for a limited time, they would need to connect to the network periodically (7 days in the case of cryptonite).
2) Brute-force the decryption. Which requires solving the discrete logarithm problem in a search space equal to the total number of coins. For bitcoin that would be 2^50. I don't how much time it would take in a regular PC, but if it is more than a few seconds it becomes problematic (people don't like to wait).
Other than that, I agree with you. Elgamal is better studied, faster and has better libraries. As I have said, any additively homomorphic encryption would do. The choice of Paillier was arbitrary.
gmaxwell, adam3us: I don't need to prove that the values don't wrap around. That isn't a problem with the linear algebra zero-knowledge arguments that I'm using. You should probably read the original paper by Groth:
www0.cs.ucl.ac.uk/staff/J.Groth/MatrixZK.pdf
It is a great read. The most revelant sections are 3.3 (about the Schwartz-Zippel Lemma) and 5.1 (it explains the proof that I'm using). Sorry that I didn't include the proof for these zero-knowledge arguments, but the paper was already very long and I did not want to make it even longer.
The problem with exponential Elgamal (as you've said) is that you need to brute-force the decryption. As the balances of the accounts are also encrypted, users only have two options:
1) Store a copy of the balance in theirs computers using a different encryption. Since the mini-blockchain only stores transactions for a limited time, they would need to connect to the network periodically (7 days in the case of cryptonite).
2) Brute-force the decryption. Which requires solving the discrete logarithm problem in a search space equal to the total number of coins. For bitcoin that would be 2^50. I don't how much time it would take in a regular PC, but if it is more than a few seconds it becomes problematic (people don't like to wait).
Other than that, I agree with you. Elgamal is better studied, faster and has better libraries. As I have said, any additively homomorphic encryption would do. The choice of Paillier was arbitrary.
gmaxwell, adam3us: I don't need to prove that the values don't wrap around. That isn't a problem with the linear algebra zero-knowledge arguments that I'm using. You should probably read the original paper by Groth:
www0.cs.ucl.ac.uk/staff/J.Groth/MatrixZK.pdf
It is a great read. The most revelant sections are 3.3 (about the Schwartz-Zippel Lemma) and 5.1 (it explains the proof that I'm using). Sorry that I didn't include the proof for these zero-knowledge arguments, but the paper was already very long and I did not want to make it even longer.