Suppose Alice wants to send Bob a donation of 5 coins and wants to avoid doing the regular 3 steps. Let's assume Alice has an input with 10 coins.
Alice produces the following transaction T1
:
inputs = [10*H + r1*G]
outputs = [5*H + r2*G]
kernels = []
offset = r2-r1
This transaction is invalid because the amounts don't balance out. Notice that there is no kernel at all.
Alice then sends T1
to Bob who then adds a kernel and the output:
inputs = [10*H + r1*G]
outputs = [
5*H + r2*G,
5-fee*H + r3*G
]
kernels = [K]
offset = y
So Alice creates a random kernel and adjusts the offset to account for this random kernel and r3
.
The fact that Alice sends r2-r1 is insecure because Bob could revert the transaction, however, if the transaction is reversed, then Alice profits and Bob gets his money taken away, which is why Bob constructs the kernel to protect himself.
The downside is that there is no payment proof.
Looks ok. Bob cannot change the value distribution between his and Alice's change output, because the latter is fixed by Alice's range proof.