This post already described the idea, but it was joined with other ideas which are completely unrelated. I thought it would be worth to present the idea as a separate thing which is why I described it here Bidirectional payment proofs for Mimblewimble | grinvestigation.
This shows a way for parties to commit to another (hidden) arbitrary message at step2 which in this case is our payment proof.
I’m calling it bidirectional because it allows not only to prove the direction
sender ------sent to------> receiver
but also
sender <---received from--- receiver
NOTE: This is not a proposal. While I personally don’t think it’s more complicated than other payment proofs because it’s really just another message commitment, it’s unclear to me which payment proof method is best. It also has not been studied deeply by anyone else than myself so it could very well be insecure.
NOTE2: I’m not sure that replacing f * Rr
with Rr + f*G
would be secure, because both parties share the same f
. In case one party didn’t add f*G
the other could add 2f*G
. Whether that’s feasible or not and in which cases isn’t clear to me, so I’m scaling both nonce by f
to avoid this situation.