I posted this in another thread but I wanted to repeat it here.
A Non-Interactive Transaction is easily accomplished if Alice and Bob are ok with the following state of affairs:
Temporarily both Bob and Alice can spend the resulting transaction. This ends when Bob comes online.
No one else can spend it while Bob is still gone.
When Bob comes online, he must immediately spend the transaction to a secure blinding factor of his own choosing and only then is the transfer between the two of them considered concluded.
This is accomplished by Alice directly generating a blinding factor for Bob that only both Alice and Bob can use.
x = Hash(m,aB)
Where B is Bob’s well known public key and m is unique to this transaction. Also, a is an Alice-secret-key corresponding to the A used as the curve point corresponding to the blinding factor the sender, Alice, was using on the input coins. Bob’s wallet can retrieve A from input side of the transaction. Also, m is selected as the Hash of unique parts of the input (TBD). Bob’s wallet must be able to generate that.
Note x is now a shared secret between Alice and Bob since Bob can recover it using bA which is equal to aB, and m. This is used as Bob’s blinding factor.
Now Alice can directly sign the verification sum, xG + 0H, because she knows the new blinding factor, x. She can also participate in generating the range proof required by the transaction.
The job of Bob’s wallet is a little more complicated unless we add an anonymous bit to the protocol to indicate this is a shared transaction between Alice and Bob.
Bob must have a wallet that checks all new outputs. If the wallet can calculate Bob’s blinding factor, x, it can move the funds again using a new unique blinding factor and add the balance to the total Bob has in his wallet.
No online simultaneous interaction between Bob and Alice required and no extraneous side channel such as email or pigeons required.
Footnote: Of course there is no way that Alice can prove to anyone else that Bob collected his grin.