I’m new to Grin and am very excited about the technology. I noticed that transaction are interactive and decided to take a cut at making them noninteractive. (I’m not judging the merits of either way but I’m new here and may have missed some discussions, so bear with me.)
Assume Alice wants to pay Bob but Bob is not online. Alice has a public key, A, and Bob has well known public key, B, available to Alice. I’ll develop the method following these steps:

To preserve Bob’s anonymity, Alice generates a “Sender Generated Ephemeral Receive Key” for Bob, C, for the purposes of this transaction

Alice generates a “Sender Generated Blinding Factor” for Bob, X, for this transaction

Alice generates a “Sender Generated Signature” on the transaction sum that proves that the coin values sum to zero
Sender Generated Ephemeral Receive Key
If Alice wants to use a public key from Bob but only has access to wellknown Bob public keys, then Alice may want to generate a brand new keypair that is untraceable to Bob but has the property that only Bob can create the private key. Alice can then use the public side of this new anonymous key for the rest of the protocol.
This is how it’s done. Alice has a private key, a, with public key A = aG. (Where G is the basis point in the ECC system). Let Bob have a wellknown public key B known to Alice.
The sender, Alice, generates the public side of a new key pair for Bob as follows:
q = Hash(m,aB) where B is Bobs public key and m is unique to this transaction
Note q is now a shared secret between Alice and Bob
C = qB C is Bob’s ephemeral public key. Alice can use this now.
Note that later Alice can send A and m to Bob, and Bob is the only one able to generate the private part of the new keypair as follows:
q = Hash(m,bA) Note that b is Bob’s private key and bA = aB,
allowing Bob to create the shared secret
c = q b This is an integer multiply modulo a large prime (order of ECC)
We can check that C = cG and Alice has use of C, an ephemeral public key for Bob.
Sender Generated Blinding Factor
The sender, Alice, now generates a blinding factor for Bob that only Bob will know. Alice will know the corresponding public point in the group. It basically follows the same idea as above:
u = Hash(m,aC) where C is Bobs ephemeral key and m is unique
X = uC X is the group point corresponding to Bob’s blinding factor
Again note that later with A and m in hand, Bob is the only one able to generate the actual blinding factor as follows:
u = Hash(m,cA) Note that c is Bob’s ephemeral private key recovered
in the previous section
x = u c This is an integer multiply modulo a large prime (order of ECC)
(note that X = xG)
At this point Alice can use X in building the transaction and we are left with a verification sum
xG + 0H
that needs to be signed using the basis point G to prove that the coins sum to zero. (The signature will only succeed if the multiplier of the basis point H is zero.)
This signature cannot be created by the sender, Alice. She does not know x, Bob’s blinding factor.
Sender Generated Signature
The insight here is that there is another way to prove that the H multiplier is zero. Note the following:
xG + 0H = X + 0H = uC + 0H
Alice happens to know u and C. She can create a signature, using u as the secret and C as the basis point, that proves that the H multiplier is zero. It goes a follows:
r = Hash(u,C)
R = rC
s = Hash(X,R)u + r
Now C, (R, s) is the required Schnorr signature. We include the basis point, C, over which the signature is performed.
Verifying the signature given C, (R, s)
Note that X = xG + 0H, so X is available to the verifier. Also, since uC = X, what he needs to confirm is that:
sC ?= Hash(X,R)X + R
Well, there it is. I hope I understood what is needed to construct Mimblewimble transactions and that this is a valid method of generating noninteractive transactions.
Addendum
I wanted to add that by careful choice of A and m, Alice and Bob need never interact.

A is selected as the curve point corresponding to the blinding factor the sender, Alice, is using on the input coins.

m is selected as the Hash of unique parts of the input.

Bob, the recipient, has a wallet that checks all new outputs for the property that they are noninteractive and have signature C, (R, s).

Bob’s wallet then retrieves A and m and checks that C has the property that
C = Hash(m,bA)B Again, b is Bob’s private key

The wallet then calculates Bob’s blinding factor, x, determines the sent balance, and adds the balance to the total Bob has in the wallet.
No interaction between Bob and Alice required!
Regards,
Farid