- let mut part_a = revocation_base_secret.clone();
- part_a.mul_assign(&rev_append_commit_hash_key)?;
- let mut part_b = per_commitment_secret.clone();
- part_b.mul_assign(&commit_append_rev_hash_key)?;
- part_a.add_assign(&part_b[..])?;
- Ok(part_a)
+ // Only the transaction broadcaster owns a valid witness to propagate
+ // a revoked commitment transaction, thus per_commitment_secret always
+ // come from broadcaster and revocation_base_secret always come
+ // from countersignatory of the transaction.
+ let mut countersignatory_contrib = revocation_base_secret.clone();
+ countersignatory_contrib.mul_assign(&rev_append_commit_hash_key)?;
+ let mut broadcaster_contrib = per_commitment_secret.clone();
+ broadcaster_contrib.mul_assign(&commit_append_rev_hash_key)?;
+ countersignatory_contrib.add_assign(&broadcaster_contrib[..])?;
+ Ok(countersignatory_contrib)