Adapter Signature and Its Application in Cross-Chain Atomic Swaps

With the rapid development of Bitcoin Layer 2 scaling solutions, the frequency of cross-chain asset transfers between Bitcoin and Layer 2 networks has significantly increased. This trend is driven by the higher scalability, lower transaction fees, and high throughput provided by Layer 2 technology. These advancements facilitate more efficient and cost-effective transactions, thereby promoting the wider adoption and integration of Bitcoin in various applications. Consequently, the interoperability between Bitcoin and Layer 2 networks is becoming a key component of the cryptocurrency ecosystem, driving innovation and providing users with more diverse and powerful financial tools.

There are three main solutions for cross-chain transactions between Bitcoin and Layer 2: centralized cross-chain transactions, BitVM cross-chain bridge, and cross-chain atomic swaps. These technologies have their own characteristics in terms of trust assumptions, security, convenience, and transaction limits, catering to different application needs.

Centralized cross-chain transactions are fast and easy to match, but their security completely relies on centralized institutions, which poses risks of fund loss and privacy leakage. The BitVM cross-chain bridge introduces an optimistic challenge mechanism, making the technology relatively complex and the transaction fees higher, mainly suitable for large transactions. Cross-chain atomic swaps are a decentralized, censorship-resistant solution with good privacy protection for high-frequency cross-chain transactions, widely used in decentralized exchanges.

Cross-chain atomic swap technology mainly includes two types: hash time lock and adapter signature. Atomic swaps based on hash time lock ( HTLC ) represent a significant breakthrough in decentralized exchanges, but there are issues with user privacy leakage. Atomic swaps based on adapter signatures replace on-chain scripts, occupy less space, incur lower costs, and transactions cannot be linked, achieving better privacy protection.

This article introduces the principles of Schnorr/ECDSA adapter signatures and cross-chain atomic swaps, analyzes the random number security issues in adapter signatures and the system heterogeneity issues in cross-chain scenarios, and provides corresponding solutions. Finally, it extends the application of adapter signatures to achieve non-interactive digital asset custody.

Schnorr Adapter Signatures and Atomic Swaps

The basic process of Schnorr adapter signatures is as follows:

1. Alice generates a random number r and calculates R = r·G
2. Alice calculates the adapter signature: c = H(X, R, m), s' = r + c·x
3. Alice sends (R,s') to Bob
4. Bob verifies the adapter signature: s'·G = R + c·X
5. Bob generates y, calculates Y = y·G
6. Bob calculates s = s' + y, obtaining the complete signature (R,s).
7. Alice extracts y = s - s' from s

The atomic swap process based on Schnorr adapter signatures is as follows:

1. Alice generates transaction TxA, sending coins to Bob.
2. Bob generates transaction TxB, sending coins to Alice.
3. Alice generates an adapter signature for TxA and sends it to Bob.
4. Bob generates the adapter signature for TxB and sends it to Alice.
5. Bob broadcasts the complete signed TxB
6. Alice extracts y from the TxB signature, completes the TxA signature, and broadcasts it.

ECDSA Adapter Signatures and Atomic Swaps

The basic process of ECDSA adapter signature is as follows:

1. Alice generates a random number k and calculates R = k·G
2. Alice calculates: z = H(m), s' = k^(-1)·(z + R_x·x)
3. Alice sends (R, s') to Bob
4. Bob verifies the adapter signature: R = (z·s'^(-1))·G + (R_x·s'^(-1))·X
5. Bob generates y, calculates Y = y·G
6. Bob calculates s = s' + y, obtaining the complete signature (R,s)
7. Alice extracts y = s - s' from s

The atomic swap process based on ECDSA adapter signatures is similar to Schnorr.

Problems and Solutions

random number problem and solution

The adapter signature contains issues of random number leakage and reuse, which may lead to private key leakage. The solution is to use RFC 6979 to derive the random number k deterministically from the private key and message:

k = SHA256(sk, msg, counter)

This ensures that k is unique for each message, while also having reproducibility, reducing the risk of private key exposure.

cross-chain scenario issues and solutions

1. The heterogeneity problem between UTXO and account model systems: Bitcoin uses the UTXO model, while Bitlayer uses the account model. The solution is to implement atomic swaps using smart contracts on the Bitlayer side, but this sacrifices a certain level of privacy.

2. The adapter signatures with the same curve and different algorithms are secure. For example, Bitcoin uses Schnorr signatures, while Bitlayer uses ECDSA, and it can be proven to be secure based on security.

3. The adapter signatures of different curves are unsafe. For example, Bitcoin uses Secp256k1, while Bitlayer uses ed25519. Due to the different curves, the modulus coefficients are different, making them unsafe to use.

Digital Asset Custody Application

Non-interactive 2-of-3 digital asset custody can be achieved based on adapter signatures.

1. Alice and Bob create a funding transaction with a 2-of-2 MuSig output.
2. Alice and Bob respectively generate adapter signatures and ciphertexts and send them to each other.
3. Sign and broadcast the funding transaction after verification.
4. In the event of a dispute, the custodian may decrypt the ciphertext to obtain the secret, assisting one party in completing the transaction.

This solution does not require the involvement of a custodian for initialization and has non-interactive advantages. Verifiable encryption techniques, such as Purify and Juggling schemes, are used in the implementation.

Overall, adapter signatures provide innovative cryptographic tools for applications such as cross-chain atomic swaps and digital asset custody, but in practical applications, issues such as random number security and system compatibility still need to be addressed.