This is another take on non-interactive transactions.

I had posted a failed attempt in the past here

Recently, Gary Yu proposed a scheme that modified current Mimblewimble transactions. "Pay-to-Address" / "Pay-to-Public-Key": Non-Interactive Transaction Solution for Mimblewimble

in an Email To: mimblewimble@lists.launchpad.net

In this writeup I propose allowing non-interactive transactions based on the insight that the Rangeproof and the commitment to zero H multiplier can be separated to allow sending to a pay-to public key.

Iāll develop the method following these steps: Alice is sending to Bob

- Bob publishes a āsend-toā key
*with a signature proving no H-Multipliers in his public key* - Alice generates a transaction on her own
*to her own blinding factors and with range proofs on her own outputs as well as zero H multiplier signatures* - Each one output in her transaction, now proven to be in range,
*is forwarded to one recipient cover*by re-blinding it for the ultimate recipient. Since we have (single input goes to single output) we can say this step requires no range proof. However, we still require a zero H-multiplier proof. This is done as follows - To preserve Bobās anonymity, Alice generates a
*private shared secret with Bob*, q, for the purposes of this transaction - Alice generates a
*blinding factor for Bob*based on his āsend-toā key and the shared secret and applies it to one of the transaction outputs - Alice generates a ā
*Sender Generated Signature*ā on the transaction output that proves that the output minus the input has no H-multiplier.

The main difference in transactions is that each output has an extra blinding step *after the range proofs are done* .

**Receiver Publishes a Receive Public Key with āZero H-Multiplierā Signature**

Bob publishes a āSend-Toā key, āBā, with secret ābā. Where B = bG.

Bob also publishes a signature to prove the H multiplier is zero in his public key:

r = Hash(b)

R = rG

s = Hash(G)b + r

The signature, (R,s) with public key B, proves the H multiplier in B is zero.

**Sender-Generated Zero H-Multiplier Signature**

The insight here is that Alice can generate another signature for Bob from his published one with the same desirable property. Alice has a private key, a, with public key A = aG. Alice, generates a shared secret with Bob as follows:

q = Hash(m,aB) where B is Bobs public key and m is unique to this transaction

Note q is now a shared secret between Alice and Bob since Bob can generate it with q = Hash(m,bA)

Now notice that multiplying both sides of Bobās Schnorr signature by the shared secret produces another relationship that still holds the properties we desire.

q (s = Hash(G)b + r) which expands to qs = Hash(G)qb + qr

So, given [(R,s) B], Alice can generate [(qR, qs) qB], renamed [(Rā,sā) Bā], which is a signature that proves that the H multiplier in Bā is zero. (Bā = qB, if Bā has a non-zero H multiplier then B must have one as well, which is a contradiction.)

**Sender Generated Blinding Factor**

Alice now uses Bā as the difference of the blinding factor for Bob and her blinding factor (Bobās public blinding factor can be calculated from the difference) and publishes (Rā,sā) as the proof that Bā has a zero H multiplier; verifiable as sāG = Hash(G)Bā + Rā (*from* qs = Hash(G)qb + qr )

Both Alice and Bob know the shared secret q, but only Bob knows bā, the secret part of Bā, since bā = qb and only bob knows b.

**Addendum**

By careful choice of A and m, Alice and Bob will never interact.

- A is selected as the curve point corresponding to the blinding factor the sender, Alice, is using on the input coins.
- m is selected as the Hash of unique parts of the input.
- Bob, the recipient, has a wallet that checks all new outputs by retrieving A and m, calculating a q = Hash(m,bA), and checking that Bā has the property that Bā = Hash(m,bA)B
- The wallet then calculates Bobās blinding factor from Bā, determines the sent balance, and adds the balance to the total Bob has in the wallet.

No interaction between Bob and Alice outside the transaction required!

Regards,

Farid