Building on recent ideas for tying nonces to identity, and not committing to the public key in the kernel hash challenge, here’s a proposal for Integrated Payment Proofs to replace the existing ed25519 based proofs.

UPDATE 20200910: not committing to the public key is shown to be insecure in Eliminating finalize step

Suppose party A wants to pay party B. Their wallets have associated fixed public nonces RA = kA*G and RB = kB*G.

Suppose they agree on payment details and compute a hash

h = H(RA | RB | timestamp | amount | memo)

From this they can both compute a public nonce R = RA + RB + h*G, and hash challenge e = H(R | m) for kernel features m.

UPDATE 20200912: Using a permanent public nonce for both sender and receiver is shown to be insecure in Integrated Payment Proofs and Round Minimization

NOTE: Since m includes the fees, the parties need to have agreed already on the (maximum) number of inputs and outputs that each party will later contribute.

Up to here, no slatepacks need to be exchanged yet, just nonce addresses and payment details.

Now wallet A picks excess xA and computes partial sig (sA,RA+(h/2)*G), where sA = kA + h/2 + e*xA,

while wallet B picks excess xB and computes partial sig (sB,RB+(h/2)*G), where sB = kB + h/2 + e*xB.

Now either party sends a slatepack with their public excess, signature, inputs, outputs, and offset to the other party, who can then finalize the transaction.

Which will have signature (s,R) on excess P and offset o where

s = sA+sB

R = RA + RB + h*G

P = (xA+xB-o)*G

satisfying s*G = R + H(R | m) * P.

The hash h is committed to and signed for by both parties.

Assuming that a signature with nonce R requires knowledge of kB, this constitutes agreement by party B to accept such a signature as proof of payment.

EDIT: Kurt pointed out that this is subject to a rogue key attack, and must therefore be accompanied by a proof of knowledge of kA or either of the partial signatures.

There remains an issue of relating the nonce address to the TOR address, where perhaps one should sign for the other.