Adaptor Signatures FtW
note
I am not a cryptographer, nor a mathematician. This article is the result of my own research and understanding of the subject. If you find any mistakes, please let me know!
The vast majority of what is written here is taken from various sources, which are listed at the end of this article. I highly recommend that you read them if you want to dive deeper into the subject.
When we compute and share a Schnorr signature, anyone can directly verify whether it is valid for the attached message and signer. But what if we wanted to defer revealing the full signature while already handing it to other people? We can produce such a signature by encrypting the nonce it contains with an additional scalar.
This scalar will be published "along" with the signature in its public form. The basic signing process is the following:
- Sample the random nonce, along with the locking scalar.
- Compute their public versions.
- Compute the aggregated public nonce.
- Hash the challenge using the aggregated nonce and the signer's public key, which is derived from the signer's private key.
- Compute and publish the (encrypted) locked signature.
note
You may notice that we're never actually using the locking scalar itself in the signing process. This is a feature, not a bug! We can also generate this locked signature knowing only its public form.
The final published data should be the locked signature and the public locking point (along with the message, of course).
Anyone with the locking scalar will now be able to get the "decrypted" signature, which sits behind the public locking point.
With the locking scalar in hand, we define the decrypted signature as follows:
Likewise, if someone had both the locked and the decrypted signature, they would also be able to recover the locking scalar:
While the locked signature isn't a valid Schnorr signature by itself:
We notice that we can make the verification equation work if we add the public locking point:
While this doesn't give us the decrypted signature, it confirms that adding the locking scalar to the locked signature will yield the signature we're expecting!
Atomic Swaps
Exchanging cryptocurrencies between different blockchains is hard. Typically, you'd need a trusted third party to act as a middleman, which would obviously need to be compensated financially for its work. Doing things this way is costly and pretty inefficient. Instead, we can leverage Adaptor Signatures to ensure that either both parties get what they expected, or both get nothing.
We have Alice, holding coins on one chain, and Bob, holding coins on another. They want to exchange their balances, and we assume they already know each other's addresses on both chains.
Alice starts by sampling a locking scalar and computes an adaptor signature as usual, on a message that attests the transfer of her coins to Bob's address:
The BIP340 standard expects to receive a signature pair consisting of the public nonce and the signature scalar, on which the following check is performed:
If Bob were to try to submit the aggregated nonce along with the locked signature:
Or the original nonce along with the locked signature:
You could say that he cannot satisfy both the challenge and the nonce at once. To do so, he needs to know the locking scalar in order to compute the decrypted signature, so that the check passes when he submits it along with the aggregated nonce:
Back to our stuff: when Bob receives the adaptor signature from Alice, after having carefully verified that the given data is correct, he can also generate his own adaptor signature on a message sending his coins to Alice's address, using the same public locking point:
After he sends it to Alice, she can claim the transaction linked to the signature by unlocking it with her locking scalar and publishing it to the blockchain. By doing so, everyone will be able to see the transaction and the associated decrypted signature.
After this publication, Bob will also be able to compute the locking scalar and unlock Alice's signature:
Nullifying Adaptor Signatures
In the previous case, we saw how two parties could jointly sign a transaction without the need for a trusted third party. But what if one of the parties wanted to cancel the transaction?
If Alice wants to cancel the transaction, she can simply discard her locking scalar and never publish it. Bob will then be unable to unlock the signature and claim the transaction.
However, if Bob wants to cancel the transaction, how can Alice confirm that she will never publish the locking scalar? There needs to be some sort of threat against Alice to ensure that she will not publish it.
Private Key Exposure Threat
By publishing her random nonce, Alice guarantees that she will never publish the decrypted signature. Otherwise, Bob will be able to recover the locking scalar and thus compute Alice's private key:
Bob can also verify that the nonce published by Alice is authentic:
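The whole flow from the sections above, as an added example that is not part of the original article: a toy Schnorr group over the integers modulo a small safe prime (constructed here for illustration and nowhere near secure), with locked signing, the adaptor and plain verification checks, unlocking with the locking scalar, the counterparty extracting that scalar from the published signature, the nonce authenticity check, and the key recovery once the nonce is exposed. The group parameters, the hash encoding and all function names are my own choices.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small to be
# secure): p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup.
P_MOD, Q_ORD, G = 1019, 509, 4

def challenge(R_prime, pub, m):
    """e = H(R' || P || m) reduced into the scalar field Z_q."""
    data = b"|".join(str(part).encode() for part in (R_prime, pub, m))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q_ORD

def adaptor_sign(x, m, t, r=None):
    """Locked signature: the nonce r is only ever combined with the point T."""
    r = secrets.randbelow(Q_ORD - 1) + 1 if r is None else r
    R, T = pow(G, r, P_MOD), pow(G, t, P_MOD)
    R_prime = R * T % P_MOD                      # aggregated public nonce
    e = challenge(R_prime, pow(G, x, P_MOD), m)
    return R_prime, (r + e * x) % Q_ORD, r       # s' = r + e*x, no t inside

def verify_adaptor(pub, m, T, R_prime, s_prime):
    """g^s' * T == R' * P^e: the locked sig verifies once T is added."""
    e = challenge(R_prime, pub, m)
    return pow(G, s_prime, P_MOD) * T % P_MOD == R_prime * pow(pub, e, P_MOD) % P_MOD

def verify(pub, m, R_prime, s):
    """Plain Schnorr check g^s == R' * P^e on the BIP340-style pair (R', s)."""
    e = challenge(R_prime, pub, m)
    return pow(G, s, P_MOD) == R_prime * pow(pub, e, P_MOD) % P_MOD

def unlock(s_prime, t):
    """s = s' + t: anyone holding t decrypts the signature."""
    return (s_prime + t) % Q_ORD

def extract_secret(s, s_prime):
    """t = s - s': the counterparty learns t from the published signature."""
    return (s - s_prime) % Q_ORD

def nonce_is_authentic(r, T, R_prime):
    """Check that the revealed nonce really is the one behind R' = R * T."""
    return pow(G, r, P_MOD) * T % P_MOD == R_prime

def recover_key(s, s_prime, r, R_prime, pub, m):
    """Nonce exposure: with r public, s = r + t + e*x gives x = (s - r - t) / e."""
    t = extract_secret(s, s_prime)
    e = challenge(R_prime, pub, m)
    return (s - r - t) * pow(e, -1, Q_ORD) % Q_ORD
```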
Secret Sharing + Adaptor Signatures = ?
One cool feature of threshold secret-sharing schemes, such as Shamir's Secret Sharing, is that they can be integrated into pretty much anything that has a secret in it. This includes the locking scalars of adaptor signatures!
By defining our polynomial as follows:
We can split our locking scalar into multiple shares:
With enough shareholders forming the recovery group, we can then collectively reconstruct the locking scalar with Lagrange interpolation (or any other similar interpolation method):
And unlock the adaptor signature!
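Splitting the locking scalar with Shamir's scheme over the scalar field and rebuilding it with Lagrange interpolation at zero, as an added example that is not the article's own code; the toy prime order (the same as in the adaptor example above), the share indices and the function names are my own choices.

```python
import secrets

Q_ORD = 509  # toy scalar-field order, constructed for illustration only

def split_locking_scalar(t, k, n):
    """k-of-n Shamir shares of t over Z_q: f(0) = t, share i is (i, f(i))."""
    coeffs = [t] + [secrets.randbelow(Q_ORD) for _ in range(k - 1)]

    def f(i):
        return sum(c * pow(i, j, Q_ORD) for j, c in enumerate(coeffs)) % Q_ORD

    return [(i, f(i)) for i in range(1, n + 1)]

def reconstruct_locking_scalar(shares):
    """Lagrange interpolation at 0 over Z_q from any k (or more) shares."""
    t = 0
    for i, y in shares:
        num = den = 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % Q_ORD      # product of (0 - j)
                den = den * (i - j) % Q_ORD   # product of (i - j)
        t = (t + y * num * pow(den, -1, Q_ORD)) % Q_ORD
    return t
```

The scalar returned by the recovery group is the value that gets added to the locked signature to unlock it.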
References and Suggested readings
- The Riddles of Adaptor Signatures (conduition.io)
- Bitcoin Optech - Adaptor Signatures (bitcoinops.org)
- Adaptor Signatures: New Security Definition and A Generic Construction for NP Relations, Xiangyu Liu, Ioannis Tzannetos, and Vassilis Zikas (eprint.iacr.org, PDF)