Adaptor signature -Schnorr signature and ECDSA-

Adaptor signature series
1.Adaptor signature -Schnorr signature and ECDSA-
2.Adaptor signature on Schnorr -Cross chain atomic swaps-
3.Adaptor signature on Schnorr -Lightning Network-
4.Adaptor signature on ECDSA
5.Adaptor signature in Discreet Log Contracts on ECDSA

In the wake of Scriptless Scripts announced in 2017, there have been a lot of discussions about “Scriptless Contracts” (this term is used in this blog to mean general non-script-based payment terms). Scriptless Contracts are based on Adaptor signatures. In this blog, we will explain the general theory of Adaptor signatures.

1.Background of Scriptless Contracts

Conditions, such as multisig and timelocks can be created using bitcoin scripts. Such conditions (scripts) are visible on the blockchain and can be viewed by any third party. There are cases where a user would prefer not to reveal such conditions publicly. Also, there is the problem of congesting the mainchain with the size of the script.

2. ECDSA and Schnorr signature

Bitcoin uses ECDSA signatures. Schnorr signatures were not adopted as a Bitcoin signature method because they were patented until 2008. Let’s compare the signature formulas of ECDSA and Schnorr. The following red letters are secret values, and the black letters can be shared with counterparty.

The equation for a Schnorr signature contains only linear terms, which makes it possible to create multi-party signatures by simply adding them together.On the other hand, the r-1 term in the equation of ECDSA signature prevents us from doing the same.
Note that even though the linearity of Schnorr signatures simplifies the construction of multi-signature protocols, some precaution must be taken, for example to prevent Rogue key attacks. The Mu-Sig protocol includes steps to prevent such attacks. Please see here for details.

3. Adaptor signatures

At a high level, an Adaptor signature is an encrypted signature s’ which can be proven to decrypt to a signature s over a message m. The encryption can be done either using a secret key t or a public key T. In general, encryption using t is used if the party performing the encryption knows t, while encryption using T is chosen if they do not know t. In this Adaptor series, we refer to the former method as “Private key tweaking” and the latter one as “Public key tweaking”.
Adaptor signatures can be used in a single signer context, or in a two parties context. Let’s first explore the single signer case.

3–1. Single signer schnorr Adaptor signature
In the single signer case, the party creating the signature, for example Alice, wants to provide another party, Bob, a signature which can only be decrypted (and thus used) using a secret t. However, even without knowing t, Bob can verify that the decrypted signature will be valid for a given message m.

The Adaptor Schnorr signature is created by introducing t or T in the signature calculation (this is called “tweak”). The signature is completed by adding (or subtracting) t from the Adaptor signature. Signature verification is possible without using private information like p, r, and t.

3–2. Two party Adaptor signatures
In the two party Adaptor signature case, Alice and Bob engage in a multi-signature protocol which enables Alice to obtain Bob’s part of the signature, while guaranteeing Bob that upon Alice using (revealing) the multi-signature, he will learn the secret t (and nobody else can learn this secret)..

1. Both parties create a common R and P (using Mu-sig), and agree on a tweak point T(=tG).

2.Alice creates an Adaptor Schnorr signature and passes it to Bob.

3.Bob verifies Adaptor Schnorr signature and add his signature to Adaptor Schnorr signature and passes it to Alice.

4.Alice verifies the signature from Bob and decrypt Adaptor Schnorr signature using t.

In this chapter, we talked about the Adaptor signature construction and its variants. In the following ones, we will take these concepts and see what can be achieved with them.

Reference:
Scriptless Scripts(May. 2017,Andrew Poelstra)
Simple Schnorr Multi-Signatures with Applications to Bitcoin (2018,Gregory Maxwell, Andrew Poelstra, Yannick Seurin2,Pieter Wuille)
Fast Secure Two-Party ECDSA Signing(2017,Yehuda Lindell)