Table of contents
Open Table of contents
What it is
An adaptor signature is a modified signature that only verifies if it’s updated by applying a secret value. Once the signature is updated, the verification succeeds which also results in the secret value being publicly visible.
Adaptor signatures are oftentimes used in Blockchain protocols to implement ”Scriptless Scripts” which are rules that can solely be implemented and enforced with digital signatures.
One such implementation is an atomic swap in which two parties who don’t trust each other want to exchange pre-determined values of currency with one another.
We’ll be using the example of an atomic swap throughout this post to explain how adaptor signatures work. However it’s important to note that atomic swaps are just one implementation in which adaptor signatures can be used. Adaptor signatures are a generic construction which can be used to solve problems outside the Cryptocurrency realm.
Before diving straight into specifics we should briefly talk about the problem we’re trying to solve with adaptor signatures.
In our case we have two actors, Alice and Bob. Both want to transact with each other and both have agreed on the amount of currency they want to exchange. The problem is that Alice only wants to pay Bob the agreed amount if she knows for sure that Bob pays her the correct amount.
While this problem could be solved via a trusted third party (an escrow) that custodies the funds and ensures that both parties transfer the agreed on amount to each other, we can use adaptor signatures to sign transactions that enforce this contractual agreement without any dependency on a trusted entity.
How it works
Given that this post describes adaptor signatures based on Schnorr Signatures, it’s useful to have a basic understanding of those before continuing.
We’ll be working with an Elliptic Curve that is of order and has a generator . All calculations are done if not stated otherwise.
Note: If not stated otherwise, we’ll be using the subscript for parameters generated by Alice and the subscript for parameters generated by Bob.
Setup
The first step is the same as with a regular Schnorr Signature. Alice and Bob both generate their private keys and by sampling a random value from . Next up, they compute their public keys by multiplying their private keys with the generator .
In addition to that, Alice and Bob both separately generate their random secret nonce value and as well as its public derivative and :
Both then share their public keys and as well as their public values and with each other.
Adaptor Generation (Alice)
In this example, Alice goes first and wants to send Bob a signature over a transaction that shows him, that Alice will transfer the correct amount of currency to him.
Remember that in a regular Schnorr Signature Alice would commit to her nonce , her public key and the transaction by computing . She’d then calculate which results in the signature tuple .
The problem is that this is already a valid signature which won’t just show Bob that he gets paid but will pay him if broadcasted given that is true:
Is there a way Alice can modify the signature such that it still shows Bob that he gets paid but doesn’t allow him to simply broadcast it to get paid immediately?
As it turns out, there’s a way to modify the signature such that the intent (Alice pays Bob amount ) is preserved and visible while requiring a secret value to turn the modified signature into one that verifies successfully (and therefore pays Bob).
To do so, Alice generates a secret value by randomly sampling a value from . She also derives it’s public value by multiplying with the generator .
One can think of this as just another key pair that Alice generates. Given that will be used as another private key, she also keeps that value to herself and doesn’t share it with Bob.
Next up, Alice follows the Schnorr Signature protocol and generates and . However she deviates slightly from the protocol by adding to and to respectively.
She also calculates which removes the secret value from :
Note that given this modification, a valid signature tuple would be .
Alice now shares and with Bob.
Adaptor Verification
Upon receiving and Bob can check that Alice generated a modified signature that will pay him.
To do so he calculates and checks :
Adaptor Generation (Bob)
Note that while Bob can verify that the adapted signature he received from Alice is correct, he can’t publish it to get paid as the value he got from Alice doesn’t include her secret value which is necessary to turn the adapted signature into a valid one ( is necessary because Alice committed to both and in by calculating . More on that later).
Given that Bob has access to the public value that is linked to the secret that only Alice knows, he can create another, adapted signature with the help of over a transaction that pays Alice.
To do so, Bob calculates and :
Bob then sends to Alice.
Signature Generation (Alice)
For Alice to get paid, she now needs to use Bob’s adapted signature and her secret value to turn it into a signature that ensures that .
Once the signature is validated on-chain Bob can learn .
Signature Generation (Bob)
By observing the Blockchain and therefore learning Alice’s published signature that pays her, Bob can extract the secret value by calculating .
Equipped with the value , Bob can now update the adapted signature he got from Alice to turn it into one that verifies by doing the same Alice did:
That way Bob get’s paid by Alice as well.
Why it works
The key ingredient that turns a regular Schnorr Signature into an adaptor signature is the usage of the secret and its public value in the calculation of and .
To see the difference, let’s quickly recap how a regular Schnorr Signature works.
Given a secret key with its corresponding public key , a random nonce with its corresponding value and a message we can generate a signature by calculating and as follows:
Verification is done by checking if :
To turn a regular Schnorr Signature into an adaptor signature one needs to include the secret and its public value in a way that the signature is only valid if both values are known.
To do so, the calculation of is updated to add to :
Trying to verify the signature as before would fail because we haven’t used the secret value yet:
However by knowing we can add it to to ensure that the signature verification succeeds:
References
The following resources have been invaluable for me to learn the concepts discussed in this article.
You should definitely give them a read if you want to dive deeper into the topic.
- Wikipedia - Schnorr Signature
- Andrew Poelstra - Lightning in Scriptless Scripts
- Bitcoin Optech - Adaptor Signatures
- Conduition - A Dive Into the Math Behind Bitcoin Schnorr Signatures
- Conduition - The Riddles of Adaptor Signatures
- YouTube - Generalized Channels from Limited Blockchain Scripts and Adaptor Signatures
- Ichiro Kuwahara - Adaptor Signature - Schnorr Signature and ECDSA
- Ichiro Kuwahara - Adaptor Signature on Schnorr - Cross Chain Atomic Swaps
- Ichiro Kuwahara - Adaptor Signature on Schnorr - Lightning Network