Adaptor signature

In short

A cryptographic technique linking a signature to a secret, such that publishing the signature reveals the secret. Useful for atomic swaps without a trusted intermediary.

Detailed explanation
A cryptographic method that allows combining a genuine signature with an additional signature (called an "adaptor signature") to reveal a secret piece of data. The method works so that knowing any two of the three elements (the valid signature, the adaptor signature, and the secret) allows deducing the missing third. One useful property is that if we know our peer's adaptor signature and the point on the elliptic curve corresponding to the secret used to compute it, we can derive our own adaptor signature tied to the same secret, without ever having direct access to the secret itself. In an exchange between two parties who do not trust each other, this technique allows the simultaneous disclosure of two sensitive pieces of information between the participants. It removes the need for trust in instant transactions such as a Coinswap or an Atomic Swap.

Let's look at an example to better understand. Alice and Bob each want to send 1 BTC to the other, but they do not trust each other. They will therefore use adaptor signatures to eliminate the need to trust one another during the exchange (thus making it an "atomic" exchange). They proceed as follows:

  • Alice initiates the atomic exchange. She creates a transaction that sends 1 BTC to Bob. She creates a signature to validate this transaction using her private key (), a nonce , and a secret ( and ):
  • Alice calculates the adaptor signature using the secret and her real signature :
  • Alice sends to Bob her adaptor signature , her unsigned transaction , the point corresponding to the secret , and the point corresponding to the nonce . These pieces of information are referred to as an "adaptor". Note that with only this information, Bob cannot claim Alice's BTC. However, Bob can verify that Alice is not deceiving him. To do so, he checks whether Alice's adaptor signature matches the promised transaction . If the following equation holds, he can be confident that Alice's adaptor signature is valid:
  • This verification gives Bob assurance about Alice's commitment, allowing him to safely proceed with the atomic swap. He then creates his own transaction sending 1 BTC to Alice and calculates his own adaptor signature , which is linked to the same secret (a value known only to Alice at this point; Bob only knows its corresponding point , which Alice provided):
  • Bob sends to Alice his adaptor signature , his unsigned transaction , the point corresponding to the secret , and the point corresponding to the nonce . Alice can now combine Bob's adaptor signature with the secret , which only she knows, to compute a valid signature for the transaction that sends her Bob's BTC:
  • Alice then broadcasts the signed transaction to the Bitcoin blockchain in order to claim the BTC Bob promised. Once this transaction is published, Bob can observe it on the blockchain and extract the signature . From it, Bob can isolate the secret he needed:
  • This secret was the only missing information Bob needed to compute a valid signature from Alice's adaptor signature . With it, he can now validate the transaction that sends 1 BTC from Alice to Bob. He then calculates and broadcasts the transaction :
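The exchange described above, carried through in working code as an added example (not part of the original glossary entry). It uses textbook Schnorr signatures over secp256k1 rather than BIP340 encoding, the transactions are stand-in byte strings marked as constructed, and the adaptor relation is the usual one: the adaptor signature is s' = r + e*x with the challenge e computed over R + T, the full signature is s = s' + t, and the secret is recovered as t = s - s'. Alice's "real" signature is obtained here by completing her own adaptor with t, which is algebraically the same as computing s first and subtracting t. All function names are this example's own.

```python
import hashlib
import secrets

# secp256k1 domain parameters (field prime, group order, generator)
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """Elliptic-curve point addition; None stands for the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def scalar_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, A)
        A = point_add(A, A)
        k >>= 1
    return result


def challenge(R_full, pub, msg):
    """Challenge e = H(R_full || P || m) mod n (textbook Schnorr, not BIP340)."""
    enc = b"".join(c.to_bytes(32, "big") for pt in (R_full, pub) for c in pt)
    return int.from_bytes(hashlib.sha256(enc + msg).digest(), "big") % N


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, scalar_mul(x, G)


def adaptor_sign(x, msg, T):
    """Adaptor signature s' = r + e*x with e over R + T; needs only T, never t."""
    r = secrets.randbelow(N - 1) + 1
    R = scalar_mul(r, G)
    e = challenge(point_add(R, T), scalar_mul(x, G), msg)
    return R, (r + e * x) % N


def adaptor_verify(pub, msg, T, R, s_adapt):
    """Check s'*G == R + e*P: binds the adaptor to msg, P and T without revealing t."""
    e = challenge(point_add(R, T), pub, msg)
    return scalar_mul(s_adapt, G) == point_add(R, scalar_mul(e, pub))


def adapt(s_adapt, t):
    """Complete an adaptor signature with the secret: s = s' + t."""
    return (s_adapt + t) % N


def extract_secret(s_full, s_adapt):
    """Recover the secret from a published full signature: t = s - s'."""
    return (s_full - s_adapt) % N


def schnorr_verify(pub, msg, R_full, s):
    """Standard Schnorr check s*G == R_full + e*P, as a node would run it."""
    e = challenge(R_full, pub, msg)
    return scalar_mul(s, G) == point_add(R_full, scalar_mul(e, pub))


def atomic_swap_demo():
    """Walk through the Alice/Bob exchange; returns the checks each side makes."""
    tx_a = b"tx_A: Alice pays Bob 1 BTC (constructed message)"
    tx_b = b"tx_B: Bob pays Alice 1 BTC (constructed message)"
    x_a, P_a = keygen()
    x_b, P_b = keygen()
    # Alice picks the secret t; only its point T leaves her side before settlement.
    t = secrets.randbelow(N - 1) + 1
    T = scalar_mul(t, G)
    R_a, s_a_adapt = adaptor_sign(x_a, tx_a, T)
    s_a_real = adapt(s_a_adapt, t)  # Alice's genuine signature, kept private for now
    # Bob receives (s_a_adapt, tx_a, T, R_a) and verifies the adaptor before committing.
    bob_accepts = adaptor_verify(P_a, tx_a, T, R_a, s_a_adapt)
    tampered_rejected = not adaptor_verify(P_a, tx_a, T, R_a, (s_a_adapt + 1) % N)
    # Bob builds his own adaptor signature bound to the same T (he still does not know t).
    R_b, s_b_adapt = adaptor_sign(x_b, tx_b, T)
    alice_accepts = adaptor_verify(P_b, tx_b, T, R_b, s_b_adapt)
    # Alice completes Bob's adaptor with t and broadcasts (R_b + T, s_b).
    s_b = adapt(s_b_adapt, t)
    tx_b_valid = schnorr_verify(P_b, tx_b, point_add(R_b, T), s_b)
    # Bob sees s_b on chain, extracts t, completes Alice's adaptor and broadcasts.
    t_extracted = extract_secret(s_b, s_b_adapt)
    s_a = adapt(s_a_adapt, t_extracted)
    tx_a_valid = schnorr_verify(P_a, tx_a, point_add(R_a, T), s_a)
    return {
        "bob_accepts_adaptor": bob_accepts,
        "tampered_adaptor_rejected": tampered_rejected,
        "alice_accepts_adaptor": alice_accepts,
        "tx_b_valid_on_chain": tx_b_valid,
        "secret_recovered": t_extracted == t,
        "tx_a_valid_on_chain": tx_a_valid,
        "recovered_sig_matches_alice_real": s_a == s_a_real,
    }
```

Running `atomic_swap_demo()` returns every check as True. The point to notice is that `adaptor_verify` is what lets each party refuse to proceed when the other's adaptor does not match the promised transaction and T (the tampered case), and that the secret only ever appears on chain as the difference between a full signature and the adaptor Bob already holds, so nothing Bob sees before Alice broadcasts lets him compute t.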
Term / Definition
51% attack
An attack where a malicious actor controls more than half of the mining hash power, allowing them to manipulate transactions, notably by performing double spends.
Account
In an HD wallet, a derivation level (depth 3) allowing hierarchical organization of keys and addresses.
Activation method
The process by which the Bitcoin community decides to activate a soft fork, seeking consensus among miners and users to avoid a blockchain split.
Addr
An old Bitcoin network message that allowed communicating IP addresses of nodes accepting connections. Replaced by addrv2 (BIP155) to support longer address formats.
Addr.dat
An old file in Bitcoin Core that stored information about network peers. Replaced by peers.dat since version 0.7.0.
Address reuse
A discouraged practice of using the same Bitcoin address multiple times to receive payments, which harms privacy by allowing funds to be traced.
Address spoofing
An attack where a malicious actor creates an address closely resembling the victim's to deceive them and divert their payments.
Addrv2
A new network message format (BIP155) allowing the broadcasting of Bitcoin node addresses. Supports longer addresses such as Tor v3 or I2P.
Agorism
A libertarian political philosophy advocating economic action outside of state control (counter-economy) to progressively undermine state power.
Air cooling
A cooling system for mining machines using fans to dissipate heat. The most widespread and least expensive method.
Altcoin
Designates any cryptocurrency other than Bitcoin. A contraction of alternative and coin.
Aluvm
A virtual machine designed for deterministic execution of smart contracts, notably within the context of the RGB protocol on Bitcoin.
Analysis heuristic
An empirical method used to trace Bitcoin flows on the blockchain based on observable characteristics within transactions.
Ancestor mining
A principle whereby a miner selects transactions taking into account the fees of parent transactions, not only their own fees. Also called CPFP.
Anchor
In the RGB protocol, a set of data proving the inclusion of a commitment in a Bitcoin transaction, without publicly revealing its content.
Anchor outputs
A mechanism on Lightning allowing adjustment of the fees of a commitment transaction after its creation, to ensure quick channel closure.
Anchors.dat
A Bitcoin Core file storing IP addresses of nodes the client was connected to before shutdown, to facilitate reconnection on restart.
Anonsets (anonymity sets)
Indicators measuring the degree of privacy of a UTXO by counting the number of indistinguishable UTXOs in a set, typically after a coinjoin.
Anyprevout (apo)
A proposal (BIP118) adding new SigHash flags allowing the creation of signatures that do not cover any specific input of the transaction.
Arbitrage
A practice of exploiting price differences of Bitcoin between exchange platforms to realize a profit.