From ZmnSCPxj at protonmail.com Sun Jun 21 02:10:32 2020 From: ZmnSCPxj at protonmail.com (ZmnSCPxj) Date: Sun, 21 Jun 2020 02:10:32 +0000 Subject: [Lightning-dev] [bitcoin-dev] RBF Pinning with Counterparties and Competing Interest In-Reply-To: References: <67334082-5ABA-45C7-9C09-FF19B119C80D@mattcorallo.com> <62P_3wvv8z7AVCdKPfh-bs30-LliHkx9GI9Og3wqIK6hadIG0d6MJJm077zac1erpPUy31FqgZjkAjEl9AQtrOCg4XA5cxozBb7-OIbbgvE=@protonmail.com> <4c4f3a06-0078-ef6a-7b06-7484f0f9edf1@mattcorallo.com> <20200619195846.fclw4ilngvbbf2kk@ganymede> <20200619205220.fshbr7pbijaerbf2@ganymede> <20200620103647.g62srlcxbjqpaqj6@ganymede> Message-ID: Good morning again, > Good morning Dave, > > > ZmnSCPxj noted that pay-to-preimage doesn't work with PTLCs.[2] I was > > hoping one of Bitcoin's several inventive cryptographers would come > > along and describe how someone with an adaptor signature could use that > > information to create a pubkey that could be put into a transaction with > > a second output that OP_RETURN included the serialized adaptor > > signature. The pubkey would be designed to be spendable by anyone with > > the final signature in a way that revealed the hidden value to the > > pubkey's creator, allowing them to resolve the PTLC. But if that's > > fundamentally not possible, I think we could advocate for making > > pay-to-revealed-adaptor-signature possible using something like > > OP_CHECKSIGFROMSTACK.[3] > > > > The signed message could be a signature to `SIGHASH_NONE`, finally an actual use for that flag. If you are going to embed it in an `OP_RETURN` in the same transaction, you also need `SIGHASH_ANYPREVOUT`, otherwise you cannot embed the adaptor signature for spending from that transaction in the transaction being spent, it also implies `A[p4s] = a[p4s] * G` is a one-time-use keypair. Regards, ZmnSCPxj