Use case for anonymous transfer of a single token between Alice and Bob

[HarryR]

1. Alice wants to anonymously send Bob a token
2. Bob and Alice agree on a shared secret
3. Alice derives Bob's stealth address, using the shared secret
4. Alice deposits the token into a ring for Bob's stealth address
5. Alice tells Bob which ring she deposited the token into
6. Bob waits for the ring to become ready / filled up / completed
7. Bob creates a ring signature for his stealth address
8. Bob withdraws the token from the ring using his stealth address

The number of other participants in the ring obscures the origin and destination of the token, an observer knows that each input can be linked to each output with a probability of 1/n where n is the number of participants. e.g. 2 participants = 50% chance that Alice sent to Bob. However, the observer knows that both Alice and Bob participated in an anonymous transaction as a sender and receiver respectively.

Assuming Alice knows Bob's Master Public Key this system requires only one message from Alice to Bob to synchronise enough state for Bob to recover his token. This contains the shared secret, or enough information to derive the shared secret, in addition to the address of the ring to withdraw the token from.

---

If Alice already knows Bob's Master Public Key it isn't necessary for Bob to first communicate with Alice, assuming stealth addresses are used.

It is possible for Alice to communicate indirectly and anonymously with Bob by submitting an encrypted blob using an ECDH shared secret between an ephemeral key pair and Bob's Master Public Key, Bob then scans all messages and tries to decrypt them. This means that Bob doesn't know who the sender is, only a 1/n probability (if multiple rings are used it may be possible for Bob to perform a set intersection on the senders of all rings to find the common denominator).

For the system to be audited bidirectionally, e.g. either Alice or Bob can disclose a secret that allows a third party to monitor all tokens transferred between them, they must use ECDH between their Master Keys then derive a shared secret then share secret with the auditor that along with both of their Master Public Keys, this allows the auditor to derive all of the receiving public keys on either side which can then be used to identify deposits and trace the total amount of money transferred.