# Re: [bitcoin-dev] [Lightning-dev] RBF Pinning with Counterparties and Competing Interest

```Good morning Dave,

> ZmnSCPxj noted that pay-to-preimage doesn't work with PTLCs. I was
> hoping one of Bitcoin's several inventive cryptographers would come
> along and describe how someone with an adaptor signature could use that
> information to create a pubkey that could be put into a transaction with
> a second output that OP_RETURN included the serialized adaptor
> signature. The pubkey would be designed to be spendable by anyone with
> the final signature in a way that revealed the hidden value to the
> pubkey's creator, allowing them to resolve the PTLC. But if that's
> fundamentally not possible, I think we could advocate for making
> pay-to-revealed-adaptor-signature possible using something like
> OP_CHECKSIGFROMSTACK.```
```

Not a cryptographer, I just play one on the Internet, but maybe the
pay-for-signature construction could work...?

Assuming a PTLC has a pointlocked branch, which involves signing with MuSig(A,
B).
A offers to B the amount if B reveals the secret `t` behind `T = t * G`; A
knows `T` but not `t`.
This is done by B handing over `R[B]` and `s'[B]`:

R = R[A] + R[B] + T
s'[B] = r[B] + h(MuSig(A, B) | R | m) * b

Then A provides its partial signature to B.

s[A] = r[A] + h(MuSig(A, B) | R | m) * a

B has to complete the signature by:

s = s[A] + s'[B] + t

Since A knows both `s[A]` and `s'[B]`, once it knows `s`, it can compute `t`.

Now, we can massage the equation for `s`:

s = r[A] + h(MuSig(A, B) | R | m) * a + r[B] + h(MuSig(A, B) | R | m) * b +
t
; multiply both sides by G
s * G = r[A] * G + h(MuSig(A, B) | R | m) * a * G + r[B] * G + h(MuSig(A,
B) | R | m) * b * G + t * G
; replace with public points
s * G = R[A] + h(MuSig(A, B) | R | m) * A + R[B] + h(MuSig(A, B) | R | m) *
B + T

Note that A can compute `s * G` above, because it generated `R[A]`, was given
`R[B]` and `T`, and knows who `A` and `B` are.

So what A needs to do is to offer a fund that can only be claimed by leaking
knowledge of `s` behind `s * G`.
A can do this by creating a new keypair `A[p4s] = a[p4s] * G` and putting a
fund into it.

Then A generates an `R[A][p4s] = r[A][p4s] * G`, and computes:

R[p4s] = R[A][p4s] + s * G
s'[A][p4s] = r[A][p4s] + h(A | R[p4s] | m) * a[p4s]

The signed message could be a signature to `SIGHASH_NONE`, finally an actual
use for that flag.

A reveals publicly (in an `OP_RETURN` as you suggest):

* `R[A][p4s]`
* `s * G`
* `s'[A][p4s]`
* `A[p4s]` - Already the Schnorr output pubkey.

In order to complete the above signature, a third party C has to learn `s` from
B.

The third party has to scan every onchain 1-of-1 signature for an `s` that
matches `s * G`, so there is greater processing (point multiplies are more
expensive than hashes, also there are more 1-of-1s).
But once learned, the third party can complete the signature and claim the
funds.
And A then learns `s`, from which it can derive `t`.

The third party learns about which channel (i.e. the UTXO that was spent to
create the PTLC in the first place), but never learns `t` or `T`, which is a
small but nice privacy bonus.

Regards,
ZmnSCPxj
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
```