If Bob (with known public key B = b * G) is expecting a payment of v nanogrin from Alice (with known public key A = a * G), then he could send Alice the following:
- output commitment C = r * G + v * H with rangeproof
- kernel for excess (r - Hash(a * b * G)) * G
- a signed statement that Bob accepts the confirmed kernel as proof of payment of v by Alice
with a * b * G = A * b = a * B being the Diffie-Hellman secret shared between Alice and Bob. This gives Alice all the information needed to make a transaction to Bob, by adding her input(s), change output, and appropriate offset.
This can be further enhanced with random nonces and stealth addresses and such; the above is just the most simplified version made to ease discussion.
Of course, Bob could also be Alice’s cold wallet, that she might want to fill up in future.
@vegycslol pointed out that Alice ends up revealing her private excess in the tx, which means that if Bob can intercept the tx, he can replace the kernel and offset to invalidate the payment proof. Unless this can somehow be fixed, the scheme is insecure…