From rusty at rustcorp.com.au Wed Mar 9 00:43:36 2016 From: rusty at rustcorp.com.au (Rusty Russell) Date: Wed, 09 Mar 2016 11:13:36 +1030 Subject: [Lightning-dev] Backward deterministic R Value In-Reply-To: <56DEECD9.9060202@blockchain.com> References: <87d1r5ooev.fsf@rustcorp.com.au> <1457421588.1640.3.camel@ultimatestunts.nl> <56DEECD9.9060202@blockchain.com> Message-ID: <87twkglbuv.fsf@rustcorp.com.au> Mats Jerratsch via Lightning-dev writes: > What about if Alice does not want to disclose R? Bob could have taken > too much fee and Alice does not agree to accept a payment too small. > > While there is technically not really a security problem in disclosing > the R values when the payment isn't in the current commitment, the whole > idea of 'proof-of-payment'/'pay-to-contract' relies on only revealing R > for an accepted payment. Nomenclature clash :( We usually use R to mean the chained atomic swap preimage, which allows you to claim the funds (presumably R means "receipt" here). Confusingly, we also use "revocation preimage" as the term method to invalidate old transactions, a private matter between pairs of nodes, but try to avoid abbreviating it to R. We can't use a simple chain for R (because they need to disclose them out of order), and don't need to (since they don't care about the value once it's spent). Cheers, Rusty.