Adaptor signature in Discreet Log Contracts on ECDSA

Ichiro Kuwahara
Crypto Garage
Oct 27, 2020


Adaptor signature series
1. Adaptor signature -Schnorr signature and ECDSA-
2. Adaptor signature on Schnorr -Cross chain atomic swaps-
3. Adaptor signature on Schnorr -Lightning Network-
4. Adaptor signature on ECDSA
5. Adaptor signature in Discreet Log Contracts on ECDSA

The previous chapters described ECDSA Adaptor signatures, which can be used on Bitcoin mainnet at this time. This chapter discusses the Discreet Log Contracts (DLC) protocol built on ECDSA Adaptor signatures. This protocol (Adaptor based DLC) differs from the original proposal (Punishment based DLC) and can improve on its privacy and security.

1. What is DLC?

DLC is a protocol in which two or more parties enter into a contract whose payouts depend on the outcome of a certain event. The outcome of the event is attested by a third-party entity called the oracle.

Crypto Garage developed a DLC-based application called P2P derivatives. If you would like to get an overview of this application, see here. Specific instances of previously executed DLCs are described for BTC/USD option and S&P 500 derivatives.

2. DLC using ECDSA Adaptor signatures

First of all, let’s look at the information released by the Oracle before and after the event:

Using this information, Alice and Bob can enter into a DLC using the following steps:

1. They agree on the contents of the contract (the payouts for the different outcomes).
2. They exchange their UTXOs and public keys with each other, and create a Fund transaction, which locks their funds into a multisig address, as well as a set of Contract Execution Transactions (CETs), one for each of the possible outcomes of the contract. At this point, they have not signed these transactions.

3. They then create an Adaptor signature for each CET, using a Tweak point T computed from the oracle public key and random point together with the outcome value corresponding to that CET. Each Adaptor signature is created by encrypting the party's own signature for the CET with the corresponding T. They also create the necessary DLEq proofs and pass them along with the ECDSA Adaptor signatures to their counterparty.

4. Each party verifies their counterparty’s DLEq Proof and ECDSA Adaptor signatures before signing and broadcasting the fund transaction.

5. At contract maturity, the oracle releases a signature over the event outcome which can be used to compute the t value. Each party can decrypt its counterparty’s Adaptor signature (and use it to obtain a valid signed CET).
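
Steps 3 to 5 as an added Python example, not code from the original post or from cfd-dlc. It assumes a Schnorr-style oracle signature t = k + H(R, m)·x, so that the tweak point is T = R + H(R, m)·P; the hash encoding, keys, nonces and outcome names are constructed, and the DLEq proof is omitted.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: l = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: l = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (l * l - a[0] - b[0]) % P
    return x, (l * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; not constant time, illustration only
    out = None
    while k:
        if k & 1: out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def h(*parts):  # hash to a scalar (toy encoding, an assumption of this example)
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def tweak_point(oracle_pub, oracle_R, outcome):  # assumed: T = R + H(R, m) * P
    return add(oracle_R, mul(h(oracle_R, outcome), oracle_pub))
def oracle_attest(x, k, outcome):  # assumed: t = k + H(R, m) * x, so t*G == T
    return (k + h(mul(k, G), outcome) * x) % N

def adaptor_sign(priv, nonce, msg, T):  # ECDSA signature encrypted under T
    r = mul(nonce, T)[0] % N
    return r, pow(nonce, -1, N) * (h(msg) + r * priv) % N  # DLEq proof omitted

def decrypt(adaptor, t):  # s = s_enc / t turns the adaptor into plain ECDSA
    return adaptor[0], adaptor[1] * pow(t, -1, N) % N

def ecdsa_verify(pub, msg, sig):
    w = pow(sig[1], -1, N)
    pt = add(mul(h(msg) * w % N, G), mul(sig[0] * w % N, pub))
    return pt is not None and pt[0] % N == sig[0]

def demo():  # all keys, nonces and outcome names below are constructed
    ox, ok, ax = h("oracle key"), h("oracle nonce"), h("alice key")
    O, R, A = mul(ox, G), mul(ok, G), mul(ax, G)
    enc = {o: adaptor_sign(ax, h("k", o), "CET:" + o, tweak_point(O, R, o))
           for o in ("up", "down")}
    t = oracle_attest(ox, ok, "up")  # oracle attests to "up" at maturity
    return {o: ecdsa_verify(A, "CET:" + o, decrypt(enc[o], t)) for o in enc}
```

Only the CET for the attested outcome decrypts to a signature that verifies under Alice's public key; the adaptor for the other outcome stays unusable.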

3. The benefits of Adaptor based DLC compared with Punishment based DLC

Compared with Punishment based DLC, Adaptor based DLC offers:

・Security
- Parties can’t broadcast a CET before the Oracle releases its signature t over the event outcome.
- No need to monitor the blockchain in case an invalid CET is broadcast.

・Privacy
- More difficult for a third party to identify (using only OP_CHECKMULTISIG).

・Simplicity
- The CETs held by each party are exactly the same.
- No need to create a Closing Transaction.

If you are interested in Adaptor signature on ECDSA, please see the repository cfd-dlc. We are also working with great developers on the DLC Specification. If you’re interested, please check it out or contribute to it.
This concludes the Adaptor signature series. We look forward to further development of scriptless contract proposals that utilize Adaptor signatures!
