Adapter Signatures and Their Application in Cross-Chain Atomic Swaps

With the rapid development of Bitcoin Layer 2 scaling solutions, the frequency of asset transfers between Bitcoin and Layer 2 networks has significantly increased. This trend is driven by the higher scalability, lower transaction fees, and high throughput offered by Layer 2 technology. Therefore, the interoperability between Bitcoin and Layer 2 networks has become a key component of the cryptocurrency ecosystem, driving innovation and providing users with more diverse and powerful financial tools.

There are mainly three solutions for cross-chain transactions between Bitcoin and Layer 2: centralized cross-chain trading, BitVM cross-chain bridge, and cross-chain atomic swaps. These technologies have their own characteristics in terms of trust assumptions, security, convenience, and transaction limits, which can meet different application needs.

Centralized cross-chain trading is fast, and the matching process is relatively easy, but security completely relies on the reliability of centralized institutions. The BitVM cross-chain bridge introduces an optimistic challenge mechanism, which is relatively complex and has higher transaction fees, making it suitable only for very large transactions. Cross-chain atomic swaps are decentralized, censorship-resistant, and provide good privacy protection, enabling high-frequency cross-chain trading and are widely used in decentralized exchanges.

Cross-chain atomic swap technology mainly includes hash time locks and adapter signatures. Although atomic swaps based on hash time locks are a significant breakthrough in decentralized exchange technology, they have issues with user privacy leakage. Atomic swaps based on adapter signatures replace on-chain scripts, making swaps lighter, cheaper, and capable of achieving privacy protection.

This article introduces the principles of Schnorr/ECDSA adapter signatures and cross-chain atomic swaps, analyzes the random number security issues in adapter signatures and the system heterogeneity problems in cross-chain scenarios, and provides solutions. Finally, it extends the application of adapter signatures to achieve non-interactive digital asset custody.

Adapter Signature and Cross-Chain Atomic Swap

Schnorr adapter signatures and atomic swaps

The Schnorr adapter signature process is as follows:

1. Alice chooses a random number r and calculates R = r·G
2. Alice calculates c = H(R||P||m)
3. Alice calculates s' = r + c·x
4. Alice sends (R,s') to Bob
5. Bob verifies s'·G = R + c·P
6. Bob chooses y, calculates Y = y·G
7. Bob calculates s = s' + y
8. Bob broadcasts (R, s) completed the transaction

Atomic swap process:

1. Alice creates transaction TX1, sending Bitcoin to Bob.
2. Alice signs TX1 with the adapter, obtaining (R, s')
3. Alice sends (R,s') to Bob
4. Bob verifies (R,s')
5. Bob creates transaction TX2, sending altcoin to Alice
6. Bob performs a regular signature on TX2 and broadcasts it.
7. After Alice obtains TX2, she tells y to Bob.
8. Bob calculates s = s' + y, broadcasts TX1 to complete the transaction.
9. Alice extracts y from s, completing TX2

ECDSA adapter signature and atomic swap

The ECDSA adapter signing process is as follows:

1. Alice chooses a random number k and computes R = k·G
2. Alice calculates r = R_x mod n
3. Alice calculates s' = k^(-1)(H(m) + rx) mod n
4. Alice sends (r,s') to Bob
5. Bob verifies r = (s'^(-1)H(m)·G + s'^(-1)r·P)_x mod n
6. Bob chooses y, calculates Y = y·G
7. Bob calculates s = s' + y mod n
8. Bob broadcasts (r, s) completes the transaction

The atomic swap process is similar to the Schnorr signature process.

Questions and Solutions

Random Number Problem and Solutions

There are issues of random number leakage and reuse in the adapter signature, which may lead to private key exposure. The solution is to use RFC 6979, generating random numbers in a deterministic manner:

k = SHA256(sk, msg, counter)

This ensures that k is unique for each message, while also having reproducibility, avoiding security risks related to random number generators.

cross-chain scenario issues and solutions

1. The heterogeneity issue between UTXO and account model systems: Bitcoin uses the UTXO model, while Ethereum employs the account model, which prevents pre-signed transactions on Ethereum. The solution is to implement atomic swap logic using smart contracts on the Ethereum side.

2. Security of adapter signatures with the same curve and different algorithms: When two chains use the same curve but different signature algorithms, the adapter signatures remain secure.

3. Different curve adapter signatures are not secure: when two chains use different elliptic curves, adapter signatures cannot be used for atomic swaps.

Digital Asset Custody Application

Non-interactive digital asset custody can be achieved based on adapter signatures.

1. Alice and Bob create a funding transaction with a 2-of-2 MuSig output.
2. Alice and Bob each generate a pre-signed signature based on the adaptor secret and encrypt the secret using a verifiable encryption method.
3. In case of a dispute, the custodian may decrypt the secret and assist one party in completing the transaction.

Verifiable encryption can be achieved through the Purify or Juggling schemes.

Summary

This article details the principles of Schnorr/ECDSA adapter signatures and cross-chain atomic swaps, analyzes the security issues involved, and proposes solutions. When considering adapter signatures in cross-chain scenarios, differences in system models and algorithms need to be taken into account. This technology can also be extended to applications such as non-interactive digital asset custody.