I studied the description of atomic swaps by Joel Gugger (https://eprint.iacr.org/2020/1126.pdf) and also by Philipp Hoenisch and Lucas Soriano (https://arxiv.org/pdf/2101.12332.pdf), which are used in your project. These articles talk about using adaptor signatures. I studied your project and still don't understand exactly how adaptor signatures should be used correctly in combination with multi-signatures in bitcoin transactions.
Ultimately, the adaptor signatures on ECDSA should give me the correct signature, which I can then use in a transaction that uses the `OP_CHECKMULTISIG` operation. I used this (https://github.com/BlockstreamResearch/secp256k1-zkp) project to try and figure out adaptor signatures. As a rule, the same 4 functions are found everywhere:

- Encrypt - generates the adaptor signature (EncSign)
- Verify - verifies the adaptor signature (EncVrfy)
- Decrypt - gets the ECDSA signature from the adaptor signature (DecSig)
- Recover - restores the secret key from the adaptor signature (RecKey)
I used the protocol described by Joel Gugger, where Alice has XMR and Bob has BTC. Accordingly, Bob needs to generate the adaptor signature, which he then passes to Alice. Alice, using her private key, will receive an ECDSA signature that will allow her to redeem BTC.
Let's look at an example of using adaptor signatures.

```
// b_b   - Bob's private key that he generated
// B_b   - Bob's public key: b_b * H
// b_b^s - Bob's private key that was used in DLProve (b_b^s == k_b^s)
// B_b^s - Bob's public key, which was obtained from DLProve(k_b^s)
// b_a^s - Alice's private key that was used in DLProve (b_a^s == k_a^s)
// B_a^s - Alice's public key, which was obtained from DLProve(k_a^s)
// sighash - BTX_buy transaction signature hash

// On Bob's side:
adaptor_sig_b = Encrypt(b_b, B_a^s, sighash); // Bob's adaptor signature

// On Alice's side:
Verify(B_b, B_a^s, sighash, adaptor_sig_b) == 1 ?
ecdsa_sig_b = Decrypt(adaptor_sig_b, b_a^s); // Bob's ECDSA BTX_buy transaction signature ???

// On Bob's side:
key = Recover(B_a^s, adaptor_sig_b, ecdsa_sig_b); // getting Alice's private key to redeem XMR (key == k_a^s)
```
My misunderstanding of adaptor signatures lies in this section of code:
It turns out that Alice gets the correct ECDSA signature of Bob's BTX_buy transaction from the adaptor signature?
In order for Alice to take BTC, she needs to provide the correct witness stack for input 0, where it will be:

`bob_tx_endorsement` - derived from `Decrypt(adaptor_sig_b, b_a^s)`? (if compared without encoding in DER format, arrays of 64 bytes)

I tried to write code where I sign `sighash` via the libbitcoin-system library and its `sign(out_signature, b_a^s, sighash)` function, and then compare the result with `Decrypt(adaptor_sig_b, b_a^s)`. They were not equal in any way.

Can you please help me figure out how to use the adaptor signature correctly so that later I can get the correct `bob_tx_endorsement` and execute the `BTX_buy` transaction?
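As an added illustration (not part of this issue and not code from secp256k1-zkp or the swap project), the four functions listed above implemented over secp256k1 in pure Python, following the ECDSA adaptor-signature construction used by Gugger's paper and secp256k1-zkp's `ecdsa_adaptor` module; `swap_demo` checks that the signature DecSig yields verifies under the signer's key (Bob's), not under the decryption key (Alice's), and that RecKey returns Alice's secret to Bob. Assumptions: the function and variable names, the constructed sighash, and the omission of the DLEQ proof that EncSign normally attaches; the arithmetic is not constant time.

```python
import hashlib, secrets
P = 2**256 - 2**32 - 977  # secp256k1 field prime, group order, generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None: return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    lam = (3 * p[0] * p[0] * pow(2 * p[1], -1, P) if p == q
           else (q[1] - p[1]) * pow(q[0] - p[0], -1, P)) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)
def mul(k, p):  # double-and-add scalar multiplication (not constant time)
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r
def encsign(x, Y, sighash):
    """EncSign with signer key x and encryption point Y: (R, R_hat, s_hat).
    The DLEQ proof that R and R_hat use the same nonce k is omitted."""
    k, e = secrets.randbelow(N - 1) + 1, int.from_bytes(sighash, "big")
    R, R_hat = mul(k, Y), mul(k, G)
    return (R, R_hat, pow(k, -1, N) * (e + (R[0] % N) * x) % N)
def encvrfy(X, Y, sighash, adaptor):
    """EncVrfy: s_hat^-1 * (e*G + r*X) must equal R_hat (DLEQ check omitted)."""
    R, R_hat, s_hat = adaptor
    e, u = int.from_bytes(sighash, "big"), pow(s_hat, -1, N)
    return add(mul(u * e % N, G), mul(u * (R[0] % N) % N, X)) == R_hat
def decsig(adaptor, y):
    """DecSig: (r, s_hat / y), normalised to low-s as Bitcoin requires."""
    s = adaptor[2] * pow(y, -1, N) % N
    return (adaptor[0][0] % N, min(s, N - s))
def reckey(Y, adaptor, sig):
    """RecKey: y = s_hat / s; try -y too because low-s may have flipped s."""
    y = adaptor[2] * pow(sig[1], -1, N) % N
    return next((c for c in (y, N - y) if mul(c, G) == Y), None)
def ecdsa_verify(X, sighash, sig):  # plain ECDSA verification against key X
    r, s = sig
    e, u = int.from_bytes(sighash, "big"), pow(s, -1, N)
    Q = add(mul(u * e % N, G), mul(u * r % N, X))
    return Q is not None and Q[0] % N == r
def swap_demo():  # Bob holds x; Alice holds y; returns four boolean checks
    x, y = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    X, Y = mul(x, G), mul(y, G)
    sighash = hashlib.sha256(b"constructed BTX_buy sighash").digest()  # constructed
    adaptor = encsign(x, Y, sighash)
    sig = decsig(adaptor, y)                 # this is BOB's signature on sighash
    return (encvrfy(X, Y, sighash, adaptor), ecdsa_verify(X, sighash, sig),
            ecdsa_verify(Y, sighash, sig), reckey(Y, adaptor, sig) == y)
```

Signing the sighash with Alice's own key, as the issue tried, produces an unrelated signature; the decrypted value is what the `OP_CHECKMULTISIG` script needs for Bob's key, and it should be compared after DER encoding both or neither.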
ghost changed the title from "How to properly use Adapter Signatures" to "How to properly use Adaptor Signatures" on Jul 11, 2023