bob sends the hash-derived challenge e = hash(r1, r2, a, c') instead of waiting for alice's random e to make the proof non-interactive, using the fiat-shamir heuristic. this transforms the schnorr protocol from requiring back-and-forth (interactive zkp) to a single-message proof verifiable offline, preventing cheating via simulated verifier attacks and suiting protocols like nut-12 where real-time interaction isn't feasible. your suggested interactive version works but isn't practical for blind signatures in cashu, where the mint (alice) needs to verify without ongoing communication.

GitHub

nuts/12.md at main · cashubtc/nuts

Cashu protocol specifications https://cashubtc.github.io/nuts/ - cashubtc/nuts

View quoted note →