Adapter Signatures and Their Applications in Cross-Chain Atomic Swaps

With the rapid development of Bitcoin Layer 2 scaling solutions, the frequency of asset transfers between Bitcoin and Layer 2 networks has significantly increased. This trend is driven by the higher scalability, lower transaction fees, and high throughput offered by Layer 2 technology. The interoperability between Bitcoin and Layer 2 networks is becoming a key component of the cryptocurrency ecosystem, driving innovation and providing users with more diverse and powerful financial tools.

Currently, there are three main solutions for cross-chain transactions between Bitcoin and Layer 2: centralized cross-chain trading, BitVM cross-chain bridge, and cross-chain atomic swaps. These technologies differ in trust assumptions, security, convenience, transaction limits, and can meet various application needs.

Centralized cross-chain trading is fast and easy to match, but its security entirely depends on the reliability of the centralized institution. The BitVM cross-chain bridge introduces an optimistic challenge mechanism, which is relatively complex and suitable for large transactions. Cross-chain atomic swaps are decentralized, censorship-resistant, and offer good privacy protection, widely used in decentralized exchanges.

The cross-chain atomic swap technology mainly includes two schemes: the Hash Time-Locked Contract ( (HTLC) ) and the adapter signature. The HTLC scheme has privacy leakage issues, while the adapter signature-based scheme can effectively solve this problem.

This article mainly introduces the principles of Schnorr/ECDSA adapter signatures and cross-chain atomic swaps, analyzes the existing random number security issues, as well as the system heterogeneity and algorithm heterogeneity problems in cross-chain scenarios, and provides corresponding solutions. Finally, it extends the application of adapter signatures to achieve non-interactive digital asset custody.

Adapter Signature and Cross-Chain Atomic Swap

Schnorr adapter signature and atomic swap

The basic process of Schnorr adapter signatures is as follows:

1. Alice selects a random number r and y, calculates R = r·G and Y = y·G
2. Alice calculates c = H(X, R, m) and s' = r + cx
3. Alice sends (R,s',Y) to Bob
4. Bob verifies s'·G = R + c·X
5. Bob calculates s = s' + y
6. Bob broadcasts (R, s) as a valid signature

In atomic swaps, Alice and Bob can utilize adapter signatures to achieve cross-chain asset exchanges:

1. Alice creates the transaction Tx1 to send BTC to Bob and generates the pre-signed (R,s',Y).
2. Bob creates a transaction Tx2 to send assets to Alice and broadcasts it.
3. After Alice verifies Tx2, she reveals y.
4. After Bob obtains y, he can calculate the complete signature (R,s) and broadcast Tx1 to complete the exchange.

ECDSA adapter signature and atomic swap

The process of ECDSA adapter signatures is similar, with the main difference being:

1. Alice calculates s' = k^(-1)(H(m) + rx)
2. Bob verifies R = (H(m)·s'^(-1))·G + (r·s'^(-1))·X
3. Bob calculates s = s' + y

The atomic swap process is basically the same as the Schnorr scheme.

Questions and Solutions

Random Number Problem and Solution

The adapter signature has security risks of random number leakage and reuse, which may lead to private key leakage. The solution is to use the RFC 6979 specification to generate random numbers through a deterministic method:

k = SHA256(sk, msg, counter)

This ensures the uniqueness and reproducibility of the random number, effectively reducing the risk of private key exposure.

cross-chain scenario issues and solutions

1. The heterogeneity problem between UTXO and account model systems: Bitcoin uses the UTXO model, while Ethereum uses the account model, which prevents pre-signed refund transactions on Ethereum. The solution is to implement atomic swap logic using smart contracts on the Ethereum side.

2. Security of the same curve with different algorithms: When using the same curve ( such as Secp256k1) but with different signature algorithms ( such as one party using Schnorr and the other using ECDSA ), the adapter signature remains secure.

3. Incompatibility of different curves: If two systems use different elliptic curves ( such as Secp256k1 and ed25519), adapter signatures cannot be used directly for cross-chain exchanges.

Digital Asset Custody Application

Non-interactive digital asset custody can be achieved based on adapter signatures:

1. Alice and Bob create a funding transaction with 2-of-2 MuSig output.
2. Both parties exchange adapter signatures and encrypted secret
3. Broadcast funding transaction
4. In the event of a dispute, the custodian may decrypt and provide the secret to the prevailing party.
5. The winning party uses secret to complete the adapter signature and obtain the assets.

The key to this solution lies in verifiable encryption, mainly implemented in two ways: Purify and Juggling.

Summary

This article provides a detailed introduction to the application of Schnorr/ECDSA adapter signatures in cross-chain atomic swaps, analyzing the security issues and solutions involved, and discussing the feasibility of using adapter signatures among heterogeneous blockchain systems. Finally, it also introduces non-interactive digital asset custody applications based on adapter signatures. Adapter signatures provide a secure, efficient, and privacy-preserving solution for cross-chain asset exchanges, and are expected to play an important role in future blockchain interoperability.