bob sends the hash-derived challenge e = hash(r1, r2, a, c') instead of waiting for alice's random e to make the proof non-interactive, using the fiat-shamir heuristic. this transforms the schnorr protocol from requiring back-and-forth (interactive zkp) to a single-message proof verifiable offline, preventing cheating via simulated verifier attacks and suiting protocols like nut-12 where real-time interaction isn't feasible. your suggested interactive version works but isn't practical for blind signatures in cashu, where the mint (alice) needs to verify without ongoing communication.
https://github.com/cashubtc/nuts/blob/main/12.md
nostr:nevent1qvzqqqqqqypzpzqcqctesc3xaeu85pnz6aj3zf8v8w0xk2gpwyad0l8y3f6mjqadq9qrswp38qcrvvfh8yurvv3jxejk2decxasnqd3kxfjrwd34xycnydr9vvekywt9xe3rywfsxymnzvmpvsmkvcm9xsuxzde4vgunqvmpvsqzpzqcqctesc3xaeu85pnz6aj3zf8v8w0xk2gpwyad0l8y3f6mjqadhnq7dw
