Ok, found a good elliptic curve additively homomorphic encryption scheme. Here's the paper, http://ecewp.ece.wpi.edu/wordpress/crypto/files/2012/10/main.pdf. What the authors did was using regular elliptic curve Elgamal to encrypt several times the same message modulo different (small) pairwise coprime numbers. To decrypt one simply brute-forces the decryption of each plaintext (which should be easy since the moduli are small)  and then, using the chinese remainder theorem, one can recover the original message.

In more detail:
Setup-> Choose a elliptic curve prime field F_p, a base point P in F_p and a random integer x in [1;p-1]. Calculate point Q=x*P. Assume that the message space is Z_s and that sEncryption-> Choose random integers r_1,...,r_t in [1;p-1]. Calculate m_i= m mod d_i for all i in {1,..,t}. The ciphertext is the t tuples {(A_i,B_i)=(r_i*P, r_i*Q+m_i*P), for all i in {1,...,t}}.
Decryption-> Calculate C_i= B_i - x*A_i=m_i*P for all i. Then calculate m_i= log_P(C_i) for all i. Finally use the extended Euclidean algorithm to solve the system of congruences {m=m_1 mod d_1,...,m=m_t mod d_t}.

Assuming the message space is 2^51 (like bitcoin), we would need three 17-bit moduli. The public key would be a bit longer than regular Elgamal and the ciphertexts would have 3x the size but it would be fast to decrypt and more efficient than Paillier encryption.