Adapter Signatures and Their Application in Cross-Chain Atomic Swaps

With the rapid development of Bitcoin Layer2 scaling solutions, the frequency of cross-chain asset transfers between Bitcoin and Layer2 networks has significantly increased. This trend is driven by the higher scalability, lower transaction fees, and high throughput provided by Layer2 technology. The interoperability between Bitcoin and Layer2 networks is becoming a key component of the cryptocurrency ecosystem, fostering innovation and providing users with more diverse and powerful financial tools.

There are three main solutions for cross-chain transactions between Bitcoin and Layer 2: centralized cross-chain trading, BitVM cross-chain bridge, and cross-chain atomic swaps. These technologies differ in terms of trust assumptions, security, convenience, transaction limits, etc., and can meet various application needs.

This article focuses on the cross-chain atomic swap technology based on adapter signatures. Compared to the atomic swap based on hash time lock (HTLC), the adapter signature scheme has the following advantages:

1. Replaced on-chain scripts to achieve "invisible scripts"
2. The on-chain space occupancy is smaller, and the fees are lower.
3. Transactions cannot be linked, achieving better privacy protection.

Adapter Signatures and Cross-Chain Atomic Swaps

Schnorr adapter signature and atomic swap

The pre-signing process for Schnorr adapter signatures is as follows:

1. Alice chooses a random number r and calculates R = r·G
2. Alice calculates c = Hash(R||P_A||m)
3. Alice calculates s' = r + c·x_A + y
4. Alice sends (R,s') to Bob

Verification process:

1. Bob calculates c = Hash(R||P_A||m)
2. Bob verifies s'·G = R + c·P_A + Y

Final Signature: s = s' - y

ECDSA adapter signing and atomic swap

The pre-signing process for ECDSA adapter signatures is as follows:

1. Alice chooses a random number k and calculates R = k·G
2. Alice calculates r = R_x mod n
3. Alice calculates s' = k^(-1)(Hash(m) + r·x_A + y) mod n
4. Alice sends (r,s') to Bob

Verification process:

1. Bob calculates u1 = Hash(m)·s'^(-1) mod n
2. Bob calculates u2 = r·s'^(-1) mod n
3. Bob verifies R' = u1·G + u2·P_A + Y

Final Signature: s = s' - y

Questions and Solutions

Random Number Problem and Solutions

There is a security risk of random number leakage and reuse in the adapter signature, which may lead to private key exposure. The solution is to use RFC 6979 to generate random numbers in a deterministic manner:

k = SHA256(sk, msg, counter)

cross-chain scenarios issues and solutions

1. The heterogeneous problem between UTXO and account model systems: Bitcoin uses the UTXO model, while Ethereum and others use the account model, which makes it impossible to pre-sign refund transactions. The solution is to implement exchange logic using smart contracts on the account model chain.

2. Adapter signatures with the same curve but different algorithms are secure. For example, Bitcoin uses Schnorr signatures, while Bitlayer uses ECDSA signatures, and adapter signatures can still be used securely.

3. The adapter signatures for different curves are insecure due to the differing orders of the elliptic curve groups.

Digital Asset Custody Application

Non-interactive threshold digital asset custody can be achieved based on adapter signatures:

1. Alice and Bob create a 2-of-2 multi-signature output.
2. Alice and Bob each generate adapter signatures and encrypt the adapter secret.
3. In case of dispute, the custodian may decrypt the secret and authorize one party to complete the signature.

Verifiable encryption can be achieved through the Purify or Juggling schemes.

Adapter signatures provide more efficient and secure cryptographic tools for applications such as cross-chain atomic swaps and digital asset custody. However, in practical applications, issues such as random number security and system heterogeneity still need to be considered, and appropriate solutions should be chosen based on specific scenarios.