Fwiw, I think, also the QR construction can easily be made to support several incoming transactions. But in that case, you need to assume and rely on the hardness of the higher residuosity problem. The whole construction could be generalized into that direction. Receiver could check higher residues on her end, not only just quadratic (non-)residues.
What I mean is that the recipient has the master key , the sender uses a random string as a public key. The recipient than can generate the private key from the random string,.
How does the recipient know that a particular public key was generated through his master key? It seems he needs to scan all txs in this way, looking for PKs for which he can generate private keys…
what if we set ephemeral keys in database alongside chain .
This allows for easier scanning i.e when the user managed to get stealth address associated with him ,the ephemeral public key automatically got deleted from database !
You delves into solutions like hidden-order RSA groups and homomorphic encryption, cleverly navigating the trade-offs between efficiency and anonymity. Respect!