Board: Development & Technical Discussion
Re: The Lightning Network FAQ
by BlackHatCoiner on 21/02/2022, 21:49:23 UTC
Each time there's a commitment transaction, the "committer" (self) sends a per_commitment_secret so that the other party (remote) can punish them in the future, in case they cheat. Once the other party receives it, from the committer's revoke_and_ack, they can use it to construct the revocation signing key for the old commitment, which will allow them to spend both theirs and the committer's funds.

The committer is safe as long as they don't publish that old signed transaction. What I don't understand is what they will reveal if they do broadcast it. According to my understanding, the other party needs to somehow work out the private key of revocation_pubkey, which is revocation_priv.

Code:
revocation_priv = (revocationbase_priv * sha256(revocation_basepoint || per_commitment_point)) + (per_commitment_secret * sha256(per_commitment_point || revocation_basepoint)) mod N

They lack knowledge of revocationbase_priv, right? So how can they calculate it?
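The derivation quoted above, worked through in code. This is an added example, not code from the post or from any Lightning implementation: it implements the BOLT 3 revocation key formulas over secp256k1 with a small hand-written point-arithmetic helper (assumed here for self-containment, not a library API) and checks that revocation_priv * G lands on the revocation_pubkey that both sides can compute from the two public points. The sample secrets in the test are constructed values, not real keys.

```python
import hashlib

# secp256k1 parameters: y^2 = x^3 + 7 over GF(P), generator G of prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def point_mul(k, pt=G):  # double-and-add; not constant-time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def compressed(pt):  # 33-byte SEC1 encoding, the form BOLT 3 feeds to SHA256
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def tweak(p1, p2):  # sha256(p1 || p2) read as a scalar
    return int.from_bytes(hashlib.sha256(compressed(p1) + compressed(p2)).digest(), "big")

def revocation_pubkey(revocation_basepoint, per_commitment_point):
    # Public half: needs only the two points, so either channel party can compute it.
    return point_add(
        point_mul(tweak(revocation_basepoint, per_commitment_point), revocation_basepoint),
        point_mul(tweak(per_commitment_point, revocation_basepoint), per_commitment_point))

def revocation_privkey(revocationbase_priv, per_commitment_secret):
    # Private half (the post's formula): needs revocationbase_priv AND per_commitment_secret.
    rb, pc = point_mul(revocationbase_priv), point_mul(per_commitment_secret)
    return (revocationbase_priv * tweak(rb, pc) + per_commitment_secret * tweak(pc, rb)) % N

def derivation_consistent(revocationbase_priv, per_commitment_secret):
    # Check that the private derivation lands on the publicly derivable point.
    priv = revocation_privkey(revocationbase_priv, per_commitment_secret)
    pub = revocation_pubkey(point_mul(revocationbase_priv), point_mul(per_commitment_secret))
    return 0 < priv < N and point_mul(priv) == pub
```

Note that revocation_privkey takes only the two secrets named in the post's formula; whichever party holds the base secret behind revocation_basepoint and later receives per_commitment_secret has everything the formula needs.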