Quiz: why is an adaptor signature not a signature?

@waxwing You mean why is it an invalid signature? Because it needs to be tweaked to be made valid?! 🤐

@michaelfolkson

Hmm yeah that's really a perfectly good answer, but I had another one in mind. chuckle.

What I had in mind is, if you treated it as a new signature scheme, which property would it violate, and why?

@michaelfolkson
OK my answer:
It violates soundness. In everyday language, it is forgeable. Even, very trivially forgeable.
On the other hand, the use of adaptors is deniable, for the same reason; there is no proof of knowledge of the private key.
How forgeable? (1/..)


@michaelfolkson

Consider: given pubkey P, you can make an adaptor like this (' indicates adaptor).
We choose scalar q, find Q = qG, and set R + T = Q.
Then we know we must have s'G = R + H(P,Q,m)P.
Choose s' scalar at random and, using the above equation, we find R = s'G - H(P,Q,m)P, and finally the adaptor point is T = Q - R.

Thus anyone can publish an adaptor signature (T, s') on any message m for any pubkey P at any time. It *really* isn't a signature 😃
(2/..)


@michaelfolkson
On the other hand, this doesn't matter unless someone makes some really bizarre design error.
A 'forger' cannot produce t such that T = tG.
If you give me an adaptor it only gives me a conditional: *if* you complete in the future, I will gain info (also that only really works in cooperative multisig, but details). I will learn t. If you forge the adaptor, that just won't be possible. (3/..)

@michaelfolkson
A detail that may yield insight: the soundness failure is a consequence of the addition R+T.
Remember a sigma protocol is (commit, challenge, response). In base Schnorr, only R is committed. In adaptor, you commit to R+T, which is NOT the same as committing to R AND T.
If we used the equation s'G = R + H(P,R,T,m)G (concatenating R,T not adding) then it *would* have soundness - but that would not fit Schnorr verification (and lose deniability). (4/4 I think).

Many months later, after some discussions with .. some people, I see another aspect to this which is actually very useful and I had a total blind spot to it.

The fact that adaptors are deniable/not a proof of knowledge/forgeable (different ways of saying the same thing) means exactly that a person can create an adaptor signature for a secret they *don't* know.

And that means that adaptor-based atomic swaps can be done differently than I previously assumed.

Consider, you can do a swap like this between Alice and Bob: Alice makes a secret scalar x, then Alice and Bob fund two 2/2 Schnorr multisigs (backouts etc etc, see previous blog post on this).

Then Alice provides adaptor sigs on a tx paying Bob with the Alice-funded output, and vice versa. Bob verifies both have the same secret and then can safely sign the output to Alice, because when Alice co-signs she implicitly reveals the secret which allows Bob to claim.

But there's another way!

(2/n..?)

(previous blog post referenced: joinmarket.me/blog/blog/flippi )

The other way: Bob can make the second adaptor sig - precisely because they are not proofs of knowledge/are forgeable.

So Alice can still be the secret owner, and make the first adaptor sig on the payment to Bob, and Bob can use the point (T in the blog) and construct an adaptor for his sig for the payment to Alice.

Almost identical function, but I suspect some differences can be found here that are useful (so tbc .. (3/n?))
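Added example (not from the thread or from JoinMarket): a plain-Python secp256k1 walk-through of the adaptor equation s'G = R + H(P, R+T, m)P, covering the honest adaptor and its completion, the forgery construction from (2/..), and the swap variant where Bob adapts to Alice's T without knowing t. Function names and the way points are fed into the hash are my choices; the curve arithmetic is unoptimised and not constant-time, for illustration only.

```python
import hashlib, secrets

# secp256k1 parameters (affine arithmetic, plain Python, demonstration only)
P_ = 2**256 - 2**32 - 977
N_ = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                      # point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_ == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P_)) % P_
    x3 = (lam * lam - x1 - x2) % P_
    return (x3, (lam * (x1 - x3) - y1) % P_)

def mul(k, A):                      # scalar multiplication, double-and-add
    R = None
    for bit in bin(k % N_)[2:]:
        R = add(R, R)
        if bit == "1": R = add(R, A)
    return R

def neg(A): return (A[0], -A[1] % P_)

def H(P, Q, m):                     # challenge H(P, Q, m) as in the thread, Q = R + T
    enc = lambda A: A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc(P) + enc(Q) + m).digest(), "big") % N_

def make_adaptor(x, T, m):
    """Adaptor sig by the holder of privkey x for point T. The scalar t with
    T = tG is never needed: this is how Bob can adapt to Alice's T in the swap."""
    k = secrets.randbelow(N_ - 1) + 1
    R = mul(k, G)
    return R, (k + H(mul(x, G), add(R, T), m) * x) % N_

def adaptor_verify(P, m, R, T, s_):  # checks s'G = R + H(P, R+T, m)P
    return mul(s_, G) == add(R, mul(H(P, add(R, T), m), P))

def complete(s_, t): return (s_ + t) % N_          # s = s' + t
def extract(s, s_): return (s - s_) % N_           # t = s - s'

def schnorr_verify(P, m, Q, s):     # ordinary Schnorr: sG = Q + H(P, Q, m)P
    return mul(s, G) == add(Q, mul(H(P, Q, m), P))

def forge_adaptor(P, m):
    """The thread's forgery: no private key, no t. Pick Q = qG and s', solve
    R = s'G - H(P,Q,m)P, set T = Q - R; the adaptor (R, T, s') verifies."""
    Q = mul(secrets.randbelow(N_ - 1) + 1, G)
    s_ = secrets.randbelow(N_ - 1) + 1
    R = add(mul(s_, G), neg(mul(H(P, Q, m), P)))
    return R, add(Q, neg(R)), s_
```

The forged (R, T, s') passes adaptor verification, but nobody holds t for that T, so it can never be completed into a real Schnorr signature, which is the point made in (3/..).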
