Commit
more edits
SWvheerden committed Dec 6, 2021
1 parent 42da1d0 commit fde52df
Showing 1 changed file with 31 additions and 43 deletions.
74 changes: 31 additions & 43 deletions RFC/src/RFC-0241_AtomicSwapXMR.md
Expand Up @@ -166,9 +166,7 @@ $$
This method relies purely on TariScript to enforce the exposure of the private Monero aggregate keys. The script forces
the spending party to supply their Monero private key part as input data to the script, evaluated via the operation
`Ed25519Point`. This TariScript operation will reveal part of the aggregated Monero private key publicly but this is still secure:
see [Key security](#key-security)., but due to the way Elliptic
Curve Cryptography works; we can add two secret keys together and share the public version of both. And at the same time,
we know that no one can calculate the secret key with just one part. More reading on this can be done here: [.
see [Key security](#key-security).

The simplicity of this method lies therein that the spending party creates all transactions on their
own. Bob requires a pre-image from Alice to complete the swap transaction; Alice needs to verify that Bob published the
Expand All @@ -195,9 +193,9 @@ We know that \\(Xm\\), \\(Xm_a\\), \\(Xm_b\\) is public. While \\(xm\\), \\(xm_a
But if we expose \\(xm_b\\), we can try to do the following:
$$
\begin{aligned}
(x_a + x_b) \cdot M &= Xm_a + Xm_b\\\\
x_a \cdot M &= (Xm_a + Xm_b - x_b \cdot M) \\\\
x_a \cdot M &= Xm_a \\\\
(xm_a + xm_b) \cdot M &= Xm_a + Xm_b\\\\
xm_a \cdot M &= (Xm_a + Xm_b - xm_b \cdot M) \\\\
xm_a \cdot M &= Xm_a \\\\
\end{aligned}
\tag{3}
$$
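Review bot: the conclusion of (3) is left implicit; the last line `xm_a \cdot M &= Xm_a` shows that subtracting the exposed `xm_b \cdot M` from `Xm_a + Xm_b` only gives back `Xm_a`, which is already public, so exposing `xm_b` teaches an observer nothing new about `xm_a`, and recovering `xm_a` from `Xm_a` is the discrete logarithm problem. State that sentence after the block rather than leaving the reader to infer it from an equation whose right-hand side is simply a public value.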
Expand Down Expand Up @@ -244,7 +242,7 @@ Alice and Bob have to negotiate the exchange rate and the amount exchanged in th
how the two UTXO's will look on the blockchain. To accomplish this, the following needs to be finalized:

* Amount of Tari to swap for the amount of Monero
* Monero public key parts \\(X_a\\), \\(X_b\\) and its aggregate form \\(X\\)
* Monero public key parts \\(Xm_a\\), \\(Xm_b\\) and its aggregate form \\(Xm\\)
* Tari [script key] parts \\(K_{Sa}\\), \\(K_{Sb}\\)
* The [TariScript] to be used in the Tari UTXO
* The blinding factor \\(k_i\\) for the Tari UTXO, which can be a Diffie-Hellman between their addresses.
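Review bot: the negotiation list names only the Monero public key parts `Xm_a`, `Xm_b` and `Xm`, but the adaptor signatures and the zero-knowledge proofs later in the document use the same scalars on the Tari generator as well (`X_a &= x_a \cdot G` in (8), and the proof that `x_a == xm_a` in (9)). Either add `X_a`, `X_b` to this list or say here that they are derived from the same key parts, otherwise `X_a` appears for the first time inside a signature challenge.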
Expand Down Expand Up @@ -279,25 +277,11 @@ Alice needs to provide Bob with the following:
* Script public key: \\( K_{Sa}\\)
* Monero public key: \\( Xm_a'\\)

$$
\begin{aligned}
Xm_a' &= x_a' \cdot M \\\\
\end{aligned}
\tag{5}
$$

Bob needs to provide Alice with the following:

* Script public key: \\( K_{Sb}\\)
* Monero public key: \\( Xm_b'\\)

$$
\begin{aligned}
Xm_b' &= x_b' \cdot M \\\\
\end{aligned}
\tag{6}
$$

### XTR payment

Alice will construct the Tari UTXO with the correct [script](#tariscript) and publish the containing transaction to the
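Review bot: dropping (5) and (6) removes the only definition of `Xm_a'` and `Xm_b'` at the point where they are exchanged (`Monero public key: \\( Xm_a'\\)`); they are now defined only in the later key-construction block (`Xm_a' &= x_a' \cdot M`). Add a cross-reference to that section here, and say that the primed values are the pre-aggregation key parts, since the rest of the protocol works with the hash-aggregated `x_a`, `x_b`.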
Expand Down Expand Up @@ -408,7 +392,7 @@ k_{Sla} &= \hash{\hash{K_{Sla}' \cat K_{Slb}'} \cat K_{Sla}' } * k_{Sla}' \\\\
k_{Slb} &= \hash{\hash{K_{Sla}' \cat K_{Slb}'} \cat K_{Slb}' } * k_{Slb}' \\\\
k_{Sl} &= k_{Sla} + k_{Slb} \\\\
\end{aligned}
\tag{7}
\tag{5}
$$

The [sender offset key] parts for Alice and Bob is constructed as follows:
Expand All @@ -425,20 +409,24 @@ k_{Ola} &= \hash{\hash{K_{Ola}' \cat K_{Olb}'} \cat K_{Ola}' } * k_{Ola}' \\\\
k_{Olb} &= \hash{\hash{K_{Ola}' \cat K_{Olb}'} \cat K_{Olb}' } * k_{Olb}' \\\\
k_{Ol} &= k_{Ola} + k_{Slb} \\\\
\end{aligned}
\tag{8}
\tag{6}
$$

The Monero key parts for Alice and Bob is constructed as follows:

$$
\begin{aligned}
X_a' &= x_a' \cdot M \\\\
X_b' &= x_b' \cdot M \\\\
xm_a' &= x_a' \\\\
xm_b' &= x_b' \\\\
Xm_a' &= x_a' \cdot M \\\\
Xm_b' &= x_b' \cdot M \\\\
X_a' &= x_a' \cdot G \\\\
X_b' &= x_b' \cdot G \\\\
x_a &= \hash{\hash{X_a' \cat X_b'} \cat X_a' } * x_a' \\\\
x_b &= \hash{\hash{X_a' \cat X_b'} \cat X_b' } * x_b' \\\\
x &= x_a + x_b \\\\
\end{aligned}
\tag{9}
\tag{7}
$$


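Review bot: `k_{Ol} &= k_{Ola} + k_{Slb}` in the sender offset key block adds a script key part to a sender offset part; it should read `k_{Ol} &= k_{Ola} + k_{Olb}`, matching `k_{Sl} &= k_{Sla} + k_{Slb}` in (5). In the new Monero key block, `xm_a' &= x_a'` and `xm_b' &= x_b'` make `xm` a plain alias of `x`, so the `xm` notation carries no information and the later proof of `x_a == xm_a` reads as a scalar equalling itself; what is actually proven is that one scalar sits behind both `X_a = x_a \cdot G` and `Xm_a = x_a \cdot M`. Either drop the `xm'` lines or define the aggregated Monero keys (the block gives `x`, `X_a'` and `Xm_a'` but never `Xm_a` or `Xm`); with `x_a &= \hash{\hash{X_a' \cat X_b'} \cat X_a' } * x_a'` the point `Xm_a` is the hash-weighted `Xm_a'`, not `Xm_a'` itself.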
Expand Down Expand Up @@ -491,7 +479,7 @@ e_r &= \hash{ (R_{Sr} + (X_a)) \cat \alpha_r \cat \input_r \cat (K_{Sra} + K_{Sr
R_{Sr} &= r_{Sra_a} \cdot H + r_{Sra_b} \cdot G + R_{Srb} \\\\
X_a &= x_a \cdot G \\\\
\end{aligned}
\tag{10}
\tag{8}
$$

Alice constructs the Zero Knowledge proof for \\(x_a == xm_a\\) with:
Expand All @@ -503,7 +491,7 @@ s_{ZTa} = r + e(x_a) \\\\
R_{ZTa} = r \cdot G \\\\
R_{ZMa} = r \cdot M \\\\
\end{aligned}
\tag{11}
\tag{9}
$$

Bob needs to provide Alice with the following values:
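Review bot: the proof response is named `s_{ZTa}` in (9) but the verification later checks `s_{Za} \cdot G` and `s_{Za} \cdot M`, and Bob's counterpart is `s_{Zb}`; rename to `s_{Za}`. It is also worth saying next to (9) that `r` is a fresh nonce used for both `R_{ZTa} = r \cdot G` and `R_{ZMa} = r \cdot M` (the shared `r` is what makes the equality proof work) and that it must not be reused for any other signature Alice produces in the swap.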
Expand Down Expand Up @@ -532,7 +520,7 @@ e_l &= \hash{ (R_{Sl} + (X_b)) \cat \alpha_i \cat \input_i \cat (K_{Sla} + K_{Sl
R_{Sl} &= r_{Slb_a} \cdot H + r_{Slb_b} \cdot G + R_{Sla} \\\\
X_b &= x_b \cdot G \\\\
\end{aligned}
\tag{12}
\tag{10}
$$

Bob constructs the Zero Knowledge proof for \\(x_b == xm_b\\) with:
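Review bot: the lapse challenge `e_l` hashes `\alpha_i \cat \input_i` while Alice's refund challenge `e_r` in (8) hashes `\alpha_r \cat \input_r`; the two adaptor signatures are constructed the same way, so the subscripts should follow one convention (`\alpha_l \cat \input_l`, or `i` in both if they denote the fields of the input `C_i`).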
Expand All @@ -544,7 +532,7 @@ s_{Zb} = r + e(x_b) \\\\
R_{ZTb} = r \cdot G \\\\
R_{ZMb} = r \cdot M \\\\
\end{aligned}
\tag{13}
\tag{11}
$$

#### Verify adaptor signatures and zero-knowledge proofs
Expand All @@ -556,7 +544,7 @@ $$
a_{Ssb} \cdot H + b_{Ssb}' \cdot G &= R_{Ssb} + (C_i+K_{Ssb})*e_s \\\\
a_{Slb} \cdot H + b_{Slb}' \cdot G &= R_{Slb} + (C_i+K_{Slb})*e_l \\\\
\end{aligned}
\tag{14}
\tag{12}
$$

Alice needs to verify Bob's Monero public keys using the zero-knowledge proof:
Expand All @@ -567,7 +555,7 @@ e &= \hash{X_b \cat Xm_b \cat R_{ZTb} \cat R_{ZMb}} \\\\
s_{Zb} \cdot G &= R_{ZTb} + e(X_b) \\\\
s_{Zb} \cdot M &= R_{ZMb} + e(Xm_b) \\\\
\end{aligned}
\tag{15}
\tag{13}
$$

Bob needs to verify Alice's adaptor signature with:
Expand All @@ -576,7 +564,7 @@ $$
\begin{aligned}
a_{Sra} \cdot H + b_{Sra}' \cdot G &= R_{Sra} + (C_i+K_{Sra})*e_r \\\\
\end{aligned}
\tag{16}
\tag{14}
$$

Bob needs to verify Alice's Monero public keys using the zero-knowledge proof:
Expand All @@ -587,7 +575,7 @@ e &= \hash{X_a \cat XM_a \cat R_{ZTa} \cat R_{ZMa}} \\\\
s_{Za} \cdot G &= R_{ZTa} + e(X_a) \\\\
s_{Za} \cdot M &= R_{ZMa} + e(Xm_a) \\\\
\end{aligned}
\tag{17}
\tag{15}
$$

#### Swap out refund and lapse transactions
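Review bot: the challenge in (15) hashes `XM_a` where every other occurrence writes `Xm_a` (the next line uses `Xm_a`, and Bob's check in (13) uses `Xm_b`); fix the casing so the verifier hashes the same value the prover did. The response is also written `s_{Za}` here but `s_{ZTa}` in (9); use one name in both places.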
Expand All @@ -612,7 +600,7 @@ R_{Mla} &= b_{Mla} \cdot G \\\\
e &= \hash{ (R_{Mla} + R_{Mlb}) \cat \script_l \cat F_l \cat (K_{Ola} + K_{Olb}) \cat C_l} \\\\
\so_{la} &= k_{Sla} - k_{Ola} \\\\
\end{aligned}
\tag{18}
\tag{16}
$$

Bob needs to provide Alice with the following:
Expand All @@ -633,7 +621,7 @@ R_{Mrb} &= b_{Mrb} \cdot G \\\\
e &= \hash{ (R_{Mra} + R_{Mrb}) \cat \script_r \cat F_r \cat (K_{Ora} + K_{Orb}) \cat C_r} \\\\
\so_{rb} &= k_{Srb} - k_{Orb} \\\\
\end{aligned}
\tag{19}
\tag{17}
$$

Although the script validation on output \\(C_i\\) will not pass due to the lock height, both Alice and Bob need to
Expand Down Expand Up @@ -675,7 +663,7 @@ R_{Msa} &= b_{Msa} \cdot G \\\\
e &= \hash{ (R_{Msa} + R_{Msb}) \cat \script_s \cat F_s \cat (K_{Osa} + K_{Osb}) \cat C_s} \\\\
\so_{sa} &= k_{Ssa} - k_{Osa} \\\\
\end{aligned}
\tag{20}
\tag{18}
$$

Bob constructs the swap transaction.
Expand All @@ -695,7 +683,7 @@ R_{Ms} &= R_{Msa} + R_{Msb} \\\\
\so_{sb} &= k_{Ssb} - k_{Osb} \\\\
\so_{s} &= \so_{sa} +\so_{sb} \\\\
\end{aligned}
\tag{21}
\tag{19}
$$

Bob's transaction now has all the required signatures to complete the transaction. He will then publish the transaction.
Expand All @@ -713,7 +701,7 @@ b_{Ssb} &= r_{Ssb_b} + x_b + e_s(k_{Ssb} + k_i) \\\\
b_{Ssb} - b_{Ssb}' &= r_{Ssb_b} + x_b + e_s(k_{Ssb} + k_i) -(r_{Ssb_b} + e_s(k_{Ssb}+k_i))\\\\
b_{Ssb} - b_{Ssb}' &= x_b \\\\
\end{aligned}
\tag{22}
\tag{20}
$$

With \\(x_b\\) in hand she can calculate \\(X = x_a + x_b\\) and with this she claim the Monero.
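Review bot: `X = x_a + x_b` in the closing sentence adds two private scalars but labels the result with the public-key symbol; per (7) the aggregate private key is `x &= x_a + x_b`, and that scalar is what lets Alice spend the Monero. Write `x` here, and fix `she claim` to `she claims`.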
Expand Down Expand Up @@ -741,7 +729,7 @@ R_{Mr} &= R_{Mra} + R_{Mrb} \\\\
\so_{ra} &= k_{Sra} - k_{Ora} \\\\
\so_{r} &= \so_{ra} +\so_{rb} \\\\
\end{aligned}
\tag{23}
\tag{21}
$$

This allows Alice to claim back her Tari, but it also exposes her Monero key \\(x_a\\)
Expand All @@ -754,7 +742,7 @@ b_{Sra} &= r_{Sra_b} + x_a + e_r(k_{Sra} + k_i) \\\\
b_{Sra} - b_{Sra}' &= r_{Sra_b} + x_a + e_r(k_{Sra} + k_i) -(r_{Sra_b} + e_r(k_{Sra}+k_i))\\\\
b_{Sra} - b_{Sra}' &= x_a \\\\
\end{aligned}
\tag{24}
\tag{22}
$$


Expand All @@ -780,7 +768,7 @@ R_{Ml} &= R_{Mla} + R_{Mlb} \\\\
\so_{lb} &= k_{Slb} - k_{Olb} \\\\
\so_{r} &= \so_{la} +\so_{lb} \\\\
\end{aligned}
\tag{25}
\tag{23}
$$

This allows Bob to claim the Tari he originally wanted, but it also exposes his Monero key \\(x_b\\)
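Review bot: `\so_{r} &= \so_{la} +\so_{lb}` in Bob's lapse transaction assigns the lapse sender offset to the refund symbol; it should be `\so_{l}`, matching `\so_{r} &= \so_{ra} +\so_{rb}` in (21) and `\so_{s} &= \so_{sa} +\so_{sb}` in (19).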
Expand All @@ -793,7 +781,7 @@ b_{Slb} &= r_{Slb_b} + x_a + e_r(k_{Slb} + k_i) \\\\
b_{Slb} - b_{Slb}' &= r_{Slb_b} + x_b + e_r(k_{Slb} + k_i) -(r_{Slb_b} + e_r(k_{Slb}+k_i))\\\\
b_{Slb} - b_{Slb}' &= x_b \\\\
\end{aligned}
\tag{26}
\tag{24}
$$

## Notation
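Review bot: the derivation in (24) uses the refund challenge `e_r` throughout (`b_{Slb} - b_{Slb}' &= r_{Slb_b} + x_b + e_r(k_{Slb} + k_i) - ...`), but Bob's lapse adaptor signature was built with `e_l` in (10); the cancellation still holds because both sides use the same symbol, but the symbol is wrong. The first line of the block also has `x_a` (`b_{Slb} &= r_{Slb_b} + x_a + e_r(k_{Slb} + k_i)`) where the following lines have `x_b`; with `x_a` there the subtraction would not reduce to `x_b`.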