Hi, my name is Michele and this talk is about Mimblewimble non-interactive transactions. This is joint work with Georg Fuchsbauer. Mimblewimble is a cryptocurrency initially proposed in 2016 by an anonymous author, going by the name of Tom Elvis Jedusor, the name of Voldemort in the French edition of Harry Potter. It is based on three main ideas from Gregory Maxwell, initially envisioned for Bitcoin, namely confidential transactions, which add privacy on top of Bitcoin by replacing plaintext values with homomorphic commitments; CoinJoin, which adds anonymity on top of Bitcoin by allowing transactions to be merged and shuffling inputs and outputs so as to destroy the link between them; and transaction cut-through, which is not really available in Bitcoin, but should provide scalability by removing unnecessary data from the blockchain, like outputs that have already been spent. In this talk, we will use another key idea, namely stealth addresses, which were initially proposed in CryptoNote and are now used in cryptocurrencies such as Monero. Since 2016, a number of cryptocurrencies have started to use Mimblewimble, like Beam or Grin, and more recently MimbleWimble Coin or an extension of Litecoin called MWEB. In late 2018, together with Georg Fuchsbauer and Yannick Seurin, we published a formal security model for Mimblewimble called Aggregate Cash System, and we proved that the initial version proposed in 2016 satisfies this model. In this work, we strengthened this model by giving stronger security guarantees and stronger anonymity guarantees to our model, and then we provided new schemes that satisfy these properties. This scheme also allows for non-interactive transactions, and the smallest variants of it are now in use by MimbleWimble Coin and by Litecoin; we're the first ones to provide non-interactive transactions in Mimblewimble and to have it deployed in the real world.
The breakthrough of Mimblewimble is that it is possible to aggregate transactions non-interactively while preserving security. For instance, it is possible to aggregate a transaction tx′ and a transaction tx″ into a new transaction, while preserving security. Additionally, and this is the cut-through idea that I was talking about, it is possible to remove outputs that are immediately being spent. Unfortunately, there is some metadata information, namely the excess, which guarantees that a transaction is balanced, that it is not spending more money than allowed. In an aggregate, once aggregated, this information leaks information about the constituent transactions, and so it could be used to relate inputs to outputs. This is one of the open problems in our model that we tackle. Secondly, in order to make a transaction in Mimblewimble, you need both sender and recipient to be online. There is no concept of wallet or address to send money to. This is very different from other cryptocurrencies. It is the second problem that we tackle. Additionally, something that was not considered in our previous model was what happens if an adversary tampers with transactions before they reach the ledger. Our new notion, transaction binding, says that once a transaction is broadcast, only the intended recipient can spend that particular output. Our new notion of privacy says that not only are the values in a transaction hidden, but also that it is not possible to decompose an aggregate transaction, relating inputs and outputs that belong to the same simple transaction. Also, we enforce that recipients of a transaction are hidden, and only the recipient can understand what's happening in a particular transaction output. The two key ideas in order to achieve these are stealth addresses and transaction offsets. Stealth addresses allow us to have non-interactive transactions, and they, roughly speaking, work as follows.
Now, when Alice wants to send some money to Bob, she will generate a one-time public key from Bob's public key. An observer cannot link the one-time public key to the public key itself. Bob has associated to the public key a view key and a secret key. From the view key, it is possible to generate the one-time public key, so Bob can just scan transaction outputs to find the ones that belong to him. Using the secret key, Bob will be able to spend the output related to the one-time public key that was generated. Transaction offsets add a way of providing privacy to non-interactive CoinJoin, and the way to do that is to add a new random offset to the excess in such a way that when merging transactions together, nothing about the single excesses reveals information about the outputs and the inputs. This feature was already available in Grin for a couple of years, but we provide the first security model of its guarantees in this work. The resulting transactions in our scheme look something as follows. We have the one-time public keys that were introduced with stealth offsets and that allow for non-interactive transactions, and the signatures that are under this one-time public key. Now, these signatures do not relate inputs to outputs. Instead, we use an equation similar to the one that we've just seen for the excess to prove that a transaction is valid. In order to provide privacy, as mentioned before, we have these transaction offsets to be included. And as in vanilla Mimblewimble and confidential transactions, the values of a transaction are replaced with homomorphic commitments to them, paired with a range proof that proves that no overflow occurred. Wrapping up, we strengthen the model of aggregate cash systems of Eurocrypt 2019 and we provide a new scheme that allows for non-interactive transactions, and our scheme is in use by MimbleWimble Coin and by Litecoin. Thank you.
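
The excess and offset mechanism described in the talk, as an added example that is not part of the talk or of the authors' scheme: it shows that an aggregate stays balanced in both cases, but that per-transaction excesses tie each input to its output unless a random offset is folded into them. Assumptions: a toy multiplicative group mod a Mersenne prime stands in for the elliptic curve, signatures, range proofs and stealth addresses are omitted, and all function names are illustrative.

```python
import math
import secrets

# Toy group standing in for the elliptic curve (assumption): integers mod a
# Mersenne prime. In a real system H's discrete log relative to G is unknown.
P = 2**127 - 1
N = P - 1            # exponents are reduced mod P - 1
G, H = 3, 5

def commit(blind, value):
    """Pedersen-style homomorphic commitment G^blind * H^value."""
    return pow(G, blind % N, P) * pow(H, value % N, P) % P

def combine(elems):
    return math.prod(elems) % P

def balance(inputs, outputs):
    """'Sum of outputs minus sum of inputs', written multiplicatively."""
    return combine(outputs) * pow(combine(inputs), -1, P) % P

def make_tx(value, with_offset):
    """One input, one output of equal value; the excess commits to the
    blinding-factor difference minus the (optional) random offset."""
    r_in, r_out = secrets.randbelow(N), secrets.randbelow(N)
    offset = secrets.randbelow(N) if with_offset else 0
    return {"inputs": [commit(r_in, value)],
            "outputs": [commit(r_out, value)],
            "excesses": [pow(G, (r_out - r_in - offset) % N, P)],
            "offset": offset}

def aggregate(txs):
    """Merge transactions: lists are concatenated, only the summed offset survives."""
    return {"inputs": [c for t in txs for c in t["inputs"]],
            "outputs": [c for t in txs for c in t["outputs"]],
            "excesses": [e for t in txs for e in t["excesses"]],
            "offset": sum(t["offset"] for t in txs) % N}

def is_balanced(tx):
    """Outputs minus inputs must equal the excesses plus the offset term."""
    rhs = combine(tx["excesses"]) * pow(G, tx["offset"], P) % P
    return balance(tx["inputs"], tx["outputs"]) == rhs

def linkable_pairs(tx):
    """Count (input, output) pairs that a single published excess ties together."""
    return sum(balance([i], [o]) == e
               for e in tx["excesses"] for i in tx["inputs"] for o in tx["outputs"])

if __name__ == "__main__":
    for flag in (False, True):
        agg = aggregate([make_tx(v, flag) for v in (5, 7, 11)])  # constructed values
        print("offsets" if flag else "no offsets", is_balanced(agg), linkable_pairs(agg))
```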