From joseph at lightning.network Tue Mar 8 02:56:20 2016
From: joseph at lightning.network (Joseph Poon)
Date: Mon, 7 Mar 2016 18:56:20 -0800
Subject: [Lightning-dev] We don't need R-Value, how OP_CODESEPARATOR saves the day
In-Reply-To:
References:
Message-ID: <20160308025557.GA2685@lightning.network>

Hi Nicolas,

Yes, I do think exploring using signatures as a method of revocation is interesting!

For revoking Commitments, I believe if you did disclosure of the private-key as a method of revocation, then it's possible to achieve this compactness without using OP_CODESEPARATOR.

Side note: It's necessary to disclose temporary private keys (instead of signatures) under this mechanism, since it's possible to compactly store the keys by making it derived from a tree or chain of hash functions.

A compact revocable example for Bob to broadcast could be:

    OP_CHECKSIG OP_NOTIF OP_DROP OP_CSV OP_ENDIF OP_CHECKSIG

On the other hand, if Alice broadcasted it, her script could be:

    OP_CHECKSIG OP_NOTIF OP_DROP OP_CSV OP_ENDIF OP_CHECKSIG

Alice's successful redemption of her broadcast would be:

    (after one week) <0>

Bob's penalty transaction on Alice's broadcast would be:

If Alice did not broadcast the correct Commitment, Bob can take the money immediately because she disclosed her private key when creating the new Commitment transaction, so Bob has both PrivkeyBob and PrivkeyAlice.

If Alice correctly broadcast the most recent Commitment, Bob does not have PrivkeyAlice so he cannot take the funds, but Alice does not have PrivkeyBob so she has to wait for the CSV delay.

If the goal is to save space, it saves a little in the timeout/non-penalty case, but the transactions are larger for penalty cases (although they may be less frequent).

It's also possible to make it just a multisig output with the child transaction spending from it pre-signed as well using nSequence, but that requires more storage and more on-chain transactions (while saving in the script output size); this design is not necessary for this particular instance if there's OP_CSV.

As a side note, OP_CODESEPARATOR may become useful if there is SIGHASH_NOINPUT inside segregated witness in the future, by being able to have one signature be able to apply towards multiple types of transactions (e.g. different redeemScript/scriptPubKey r-values or pubkeys).

-- 
Joseph Poon
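
Added example, not part of the message above and not code from any Lightning implementation: a sketch of the "chain of hash functions" storage idea from the side note, where the counterparty keeps only the newest disclosed secret and re-derives every older one by hashing. The SHA-256 chain, the names chain_secret and RevocationStore, and the sample seed are assumptions made for illustration; turning a 32-byte secret into an actual signing key is not shown.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain_secret(seed: bytes, total: int, index: int) -> bytes:
    """Owner side: secret for commitment `index`, i.e. H applied
    (total - 1 - index) times to the seed, so H(secret[i]) == secret[i-1]."""
    if not 0 <= index < total:
        raise ValueError("index outside chain")
    s = seed
    for _ in range(total - 1 - index):
        s = H(s)
    return s

class RevocationStore:
    """Counterparty side: O(1) storage for every secret disclosed so far."""
    def __init__(self) -> None:
        self.index = -1
        self.secret = None

    def accept(self, index: int, secret: bytes) -> None:
        # Secrets must arrive in order, and each must hash to the previous
        # one; otherwise older revoked states could no longer be derived.
        if index != self.index + 1:
            raise ValueError("secret disclosed out of order")
        if self.secret is not None and H(secret) != self.secret:
            raise ValueError("secret is not on the hash chain")
        self.index, self.secret = index, secret

    def derive(self, index: int) -> bytes:
        """Recompute the secret of any already-revoked commitment."""
        if not 0 <= index <= self.index:
            raise KeyError("commitment not revoked yet")
        s = self.secret
        for _ in range(self.index - index):
            s = H(s)
        return s

if __name__ == "__main__":
    seed = bytes.fromhex("01" * 32)   # constructed sample seed, not a real key
    store = RevocationStore()
    for i in range(10):               # ten commitments revoked in sequence
        store.accept(i, chain_secret(seed, 1000, i))
    print(store.derive(3) == chain_secret(seed, 1000, 3))
```

Because the chain is walked from its far end toward the seed, holding secret i gives the counterparty every earlier secret but none of the later ones, which is the property that lets revoked states be penalised while the current one stays safe.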