James On Sun, Jan 27, 2019 at 2:11 PM wrote: > > It isn't passed "back and forth so many times". > You are right, I got the wrong impression the first time I read it. > This is an important anti-DoS/anti-spy tactic, as it proves the sender > actually owns those inputs and if the protocol is not followed to > completion, the transaction can be dumped on the network. > I'm not convinced this is a valid concern, at least not valid enough to add extra complications to the process. The sender could still refuse to sign the final transaction after they see the recipient's in-/outputs; "show me yours and I'll show you mine" isn't much of a spy deterrent, and nothing here prevents a DOS attack. As an implementor, I would suggest keeping the protocol as simple as possible. By dropping the signing in the first step, the recipient doesn't need to maintain the ability to lookup and verify unspent outputs. It also would enforce the increased privacy, which the sender obviously wants if they are going down this path (in other words, either have the process complete or fail -- don't give the recipient the ability to broadcast the not-private transaction against the wishes of the sender).