Mimblewimble Non Interactive Transaction
Recent Major Changes:
- (10 Oct. 2020) Revised for a mistake on P' & P (swapping), add the case of dishonest receiver, and the mixing scheme.
- (3 Sep. 2020) Creation (on Cryptology ePrint Archive)
I describe a non-interactive transaction scheme for Mimblewimble protocol, so as to overcome the usability issue of the Mimblewimble wallet. With the Diffie–Hellman, we can use an Ephemeral Key shared between the sender and the receiver, a public nonce R is added to the output for that, removing the interactive cooperation procedure. And an additional one-time public key P' is used to lock the output to make it only spendable for the receiver, i.e. the owner of P'. The new data R and P' can be committed into the bulletproof to avoid the miner’s modification. Furtherly, to keep Mimblewimble privacy character, the Stealth Address is used in this new transaction scheme. All the cost of these new features is 66-bytes additional data (the public nonce R and the one-time public key P') in each output, and 64-bytes additional signature data in each input. That is about 12% payload size increasing in a typical single input double outputs Mimblewimble transaction.
