A Non-Interactive Transaction is easily accomplished if Alice and Bob are ok with the following state of affairs:

*Both Bob and Alice can spend the resulting transaction.*

*No one else can spend it.*

*When Bob comes online, he must immediately spend the transaction to a secure blinding factor of his own choosing and only then is the transfer between the two of them considered concluded.*

This is accomplished by Alice directly generating a blinding factor for Bob that both Alice and Bob can use.

x = Hash(m,aB) where B is Bob’s well known public key and m is unique to this transaction.

Note x is now a shared secret between Alice and Bob since Bob can recover it using bA which is equal to aB. *This is used as Bob’s blinding factor*.

Let X = xG

Now Alice can directly sign the verification sum, xG + 0H, because she knows the new blinding factor, x. She can also participate in generating the range proof required by the transaction.

The job of Bob’s wallet is a little more complicated unless we add a bit to the protocol to indicate this is a shared transaction.

If A and m are selected as in the original post, then no interaction at all is required between Alice and Bob.

Regards,

Farid

Footnote: Of course there is no way that Alice can prove to anyone else that Bob collected his grin.