Author: Lloyd Fournier 2020-09-01 20:27:15
Published on: 2020-09-01T20:27:15+00:00
The storage complexity of punishing a revoked commitment transaction is worse than the present spec, according to a realization made by an individual. The reason for this is that to punish such a transaction efficiently, one needs to extract the publication secret and keep around the encrypted signature (also known as an adaptor signature) for that particular commitment transaction. This implies O(n) storage, unlike the present spec's O(1) storage method through deriving the previously revealed revocation secret from the present one. This flaw seems to be unaddressed in the original work. However, deterministically producing the encrypted signature oneself for any commitment transaction is possible with a deterministic nonce. Nonetheless, using MuSig may require storing each two-party generated encrypted signature. The likely way forward would be to use MuSig on an output which has a taproot that hides a discrete 2-of-2, making this storage issue not much of a problem.
Updated on: 2023-06-03T02:02:10.436652+00:00