From james.chiangwu at gmail.com  Wed Jan 30 22:31:47 2019
From: james.chiangwu at gmail.com (James Chiang)
Date: Wed, 30 Jan 2019 23:31:47 +0100
Subject: [Lightning-dev] Revocations with OP_CSFS & signed sequence
	commitments
Message-ID: <ACE7B676-1208-4641-84BD-30CA78736D74@gmail.com>

Dear all,
I am trying to understand how channel commitment transactions can be revoked with op_checksigfromstack(msg, sig, key) and signed sequence commitments.

I understand that a commitment c(n, randomness) is signed by both parties for each state, and that this signature can be verified with op_csfs(c, sig(A+B), key(A+B)). The sequence n is incremented for each new state.

Given the most recent commitment sequence signature (from both parties) and the sequence commitment opening (n++, r), an output script of an older, revoked commitment transaction can verify that a newer signed commitment sequence exists by examining:
op_checksigfromstack(c++, sig(A+B), key(A+B)) 
c++ == commitment(n++, r)
However, it must also have information about its own sequence number n, so it can verify that this is indeed lower than n++ (current). How is sequence number n committed to the nth commitment tx and accessible on-stack during script evaluation?

I learned about this concept from Johnson Lau's and Roasbeef's talk from Scaling Bitcoin at Stanford:
https://scalingbitcoin.org/stanford2017/Day1/SB2017_script_2_0.pdf 

Any pointers would be very much appreciated.

Kind regards,

James
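
The checks listed in the message above, modelled in Python as an added example (not part of the original post and not code from the talk). Assumptions: a toy Schnorr scheme stands in for sig(A+B)/key(A+B), the commitment is a SHA-256 hash, all function names are hypothetical, and the old transaction's own sequence number is passed in as `own_n`, since how the script obtains it is the question the post leaves open.

```python
import hashlib
import secrets

# Toy Schnorr signatures over Z_p* with p = 2^127 - 1. This is a stand-in for
# sig(A+B)/key(A+B) so the example runs on the standard library; NOT secure.
P = 2**127 - 1
G = 3

def _challenge(nonce_pt, msg):
    data = nonce_pt.to_bytes(16, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def sign(x, msg):
    k = secrets.randbelow(P - 2) + 1
    nonce_pt = pow(G, k, P)
    return nonce_pt, (k + _challenge(nonce_pt, msg) * x) % (P - 1)

def csfs(msg, sig, pub):
    """Model of op_checksigfromstack(msg, sig, key)."""
    nonce_pt, s = sig
    return pow(G, s, P) == nonce_pt * pow(pub, _challenge(nonce_pt, msg), P) % P

def commitment(n, r):
    """c(n, r): hash commitment to sequence number n with randomness r."""
    return hashlib.sha256(n.to_bytes(8, "big") + r).digest()

def newer_state_exists(own_n, c_new, sig, pub, n_new, r):
    """Checks an old commitment output would run. own_n is a parameter here
    (assumption): how the script obtains it is the post's open question."""
    return (csfs(c_new, sig, pub)              # both parties signed c_new
            and c_new == commitment(n_new, r)  # (n_new, r) opens c_new
            and own_n < n_new)                 # the comparison that needs own_n

if __name__ == "__main__":
    x, pub = keygen()                # constructed joint key, for illustration
    r = secrets.token_bytes(32)      # constructed commitment randomness
    c7 = commitment(7, r)
    sig7 = sign(x, c7)
    print(newer_state_exists(5, c7, sig7, pub, 7, r))  # state 5 vs signed state 7
    print(newer_state_exists(7, c7, sig7, pub, 7, r))  # state 7 vs itself
```

The first two checks need only data supplied by the spender; the third fails closed unless `own_n` is fixed by the old transaction itself, which is why the commitment of n to the nth transaction matters.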
