Original title: Adaptor Signatures and Its Application to CrossChain Atomic Swaps
Liên kết gốc: https://blog.bitlayer.org/Adaptor_Signatures_and_Its_Application_to_CrossChain_Atomic_Swaps/
Original author: mutourend, lynndell
1 Giới thiệu
With the rapid development of Bitcoins Layer 2 scaling solution, the frequency of crosschain asset transfers between Bitcoin and its Layer 2 counterpart has increased significantly. This trend is driven by the higher scalability, lower transaction fees, and high throughput provided by Layer 2 technologies such as Bitlayer. These advances facilitate more efficient and economical transactions, thereby promoting the wider adoption and integration of Bitcoin in various applications. As a result, interoperability between Bitcoin and Layer 2 networks is becoming a key component of the cryptocurrency ecosystem, driving innovation and providing users with more diverse and powerful financial tools.
As shown in Table 1, there are three typical solutions for crosschain transactions between Bitcoin and Layer 2, namely centralized crosschain transactions, BitVM crosschain bridge, and crosschain atomic swaps. These three technologies differ in terms of trust assumptions, security, convenience, transaction amounts, etc., and can meet different application requirements.
Table 1. Comparison of crosschain transaction technologies
Centralized crosschain transactions: Users first pay Bitcoin to a centralized institution (such as a project party or exchange), and the centralized institution pays the equivalent assets to the address specified by the user on the Layer 2 network, thereby completing the crosschain asset transfer. The advantage of this technology is that it is fast and the matching process is relatively easy because the centralized institution can quickly confirm and process the transaction. However, the security of this method depends entirely on the reliability and reputation of the centralized institution. If the centralized institution encounters technical failures, malicious attacks, or defaults, the users funds are at high risk. In addition, centralized crosschain transactions may also leak user privacy, and users need to consider carefully when choosing this method. Therefore, although its convenience and efficiency provide great convenience to users, security and trust are the main challenges facing centralized crosschain transactions.
BitVM crosschain bridge: This technology is relatively complex. First, in the Pegin phase, users pay Bitcoin to the multisignature address controlled by the BitVM Alliance to lock Bitcoin. The corresponding number of tokens is minted in Layer 2, and the token is used to implement Layer 2 transactions and applications. When the user destroys the Layer 2 token, the Operator will advance the payment. Subsequently, the Operator reimburses the corresponding number of Bitcoins to the multisignature pool controlled by the BitVM Alliance. To prevent the Operator from doing evil, the reimbursement process adopts an optimistic challenge mechanism, that is, any third party can challenge malicious reimbursement behavior and thwart the evil behavior. This technology introduces an optimistic challenge mechanism, so the technology is relatively complex. In addition, the optimistic challenge mechanism involves a large number of challenge and response transactions, and the transaction fee is high. Therefore, the BitVM crosschain bridge is only suitable for ultralarge transactions, similar to the issuance of U, and thus has a low frequency of use.
Crosschain atomic swap: An atomic swap is a contract that enables decentralized cryptocurrency transactions. In this context, atomic means that a change in ownership of one asset actually means a change in ownership of another asset. The concept was first proposed by TierNolan on the Bitcointalk forum in 2013. For 4 years, atomic swaps remained in the theoretical realm. It was not until 2017 that Decred and Litecoin became the first blockchain systems to successfully complete atomic swaps. An atomic swap must involve two parties, and no third party can interrupt or interfere with the exchange process. This means that the technology is decentralized, uncensorable, has good privacy protection, and can achieve highfrequency crosschain transactions, which is widely used in decentralized exchanges. Currently, crosschain atomic swaps require 4 transactions, and some schemes try to compress the number of transactions to 2, but this will increase the realtime online requirements for both parties of the exchange. Finally, crosschain atomic swap technology mainly includes hash time locks and adapter signatures.
Crosschain atomic swaps based on hash time locks (HTLCs): The first project to successfully implement crosschain atomic swaps is Decred, which uses hash locks and time locks to implement the atomic swap proposed by TierNolan with the help of onchain scripts (or smart contracts). HTLC allows two users to conduct timelimited cryptocurrency transactions, that is, the recipient must submit a cryptographic proof (secret) to the contract within a specified time (determined by the number of blocks or block height), otherwise the funds will be returned to the sender. If the recipient confirms the payment, the transaction is successful. Therefore, both participating blockchains are required to have hash lock and time lock functions.
While HTLC atomic swaps are a major breakthrough in the field of decentralized exchange technology, there are the following issues. These atomic swap transactions and the data associated with them are all conducted onchain, resulting in user privacy leakage. In other words, every time a swap occurs, the same hash value appears on both blockchains, only a few blocks apart. This means that an observer can link the currencies involved in the swap by finding the same hash value in blocks close to each other (TimeStampwise). When tracking currencies across chains, it is easy to determine the source. Although this analysis does not reveal any relevant identity data, third parties can easily infer the identities of the participants involved.
Crosschain atomic swaps based on adapter signatures: The second type of swap offered by BasicSwap is called an adapter signature atomic swap, based on a 2020 paper by Monero developer Joël Gugger titled Bitcoin–Monero Crosschain Atomic Swap . The paper can be said to be an implementation of Lloyd Fourniers 2019 paper OneTime Verifiably Encrypted Signatures, AKA Adaptor Signatures . An adapter signature is an additional signature that is combined with the initial signature to reveal secret data, allowing two parties to reveal two pieces of data to each other at the same time, and is a key component of the scriptless protocol that makes Monero atomic swap pairs possible.
Compared with HTLC atomic swaps, adaptersignaturebased atomic swaps have three advantages: First, the adaptersignature swap scheme replaces the onchain scripts that the secret hash swap relies on, including time locks and hash locks. In other words, the secret and secret hash in the HTLC swap have no direct correspondence in the adaptersignature swap. Therefore, it is called scriptless scripts in the Bitcoin research community. In addition, since such scripts are not involved, the space occupied on the chain is reduced, making adaptersignaturebased atomic swaps lighter and cheaper. Finally, HTLC requires each chain to use the same hash value, while the transactions involved in the adaptersignature atomic swap cannot be linked to achieve privacy protection.
This article first introduces the Schnorr/ECDSA adapter signature and the principle of crosschain atomic swap. Then, it analyzes the random number security issues in the adapter signature and the system heterogeneity and algorithm heterogeneity problems in the crosschain scenario, and gives solutions. Finally, the adapter signature is extended and applied to realize noninteractive digital asset custody.
2. Adapter Signatures and CrossChain Atomic Swaps
2.1 Schnorr Adapter Signatures and Atomic Swaps
2.2 ECDSA Adapter Signature and Atomic Swap
2.2.1 Zeroknowledge proof zk{v  Ṽ = v ᐧ G, V = v ᐧ Y}
3. Security issues and solutions
3.1 Random Number Problems and Solutions
3.1.1 Random number leakage problem
The presignature of the Schnorr/ECDSA adapter signature commits to the random number $r$Ȓ = r ᐧ G. In addition, the zeroknowledge proof commits to the random number $v$ as $Ṽ=v ᐧ G, V=v ᐧ Y$. If the random number is leaked, the private key will be leaked.
Specifically, in the Schnorr protocol, if the random number $r$ is leaked, it can be recovered according to the equation
$ŝ = r + c x.$
Calculate the private key $x$.
Similarly, in the ECDSA protocol, if the random number $r$ is leaked, it can be obtained according to the equation
$ŝ = r^{1 }(hash(m)+R_x x).$
Calculate the private key $x$.
Finally, in the zeroknowledge proof protocol, if the random number $v$ is leaked, it can be obtained according to the equation
$z := v + c r.$
Calculate the random number $r$, and then further calculate the private key $x$ based on the random number $r$. Therefore, the random number must be deleted immediately after use.
3.1.2 Random number reuse problem
For any two crosschain transactions, if the adapter signature protocol uses the same random number, it will lead to private key leakage. Specifically, in the Schnorr protocol, if the same random number $r$ is used, only $r$ and $x$ are unknown in the following system of equations:
$ŝ_ 1 =r + c_ 1 x, $
$ ŝ_ 2 = r + c_ 2 x. $
Therefore, the system of equations can be solved to obtain the private key $x$.
Similarly, in the ECDSA adapter signature protocol, if the same random number $r$ is used, only $r$ and $x$ are unknown in the following system of equations:
$ ŝ_ 1 = r^{1 }(hash(m_ 1)+R_x x),$
$ ŝ_ 2 = r^{1 }(hash(m_ 2)+R_x x).$
Therefore, the system of equations can be solved to obtain the private key $x$.
Finally, in the zeroknowledge proof protocol, if the same random number $v$ is used, only $v$ and $r$ are unknown in the following system of equations:
$z_ 1 = v+c_ 1 r, $
$ z_ 2 = v+c_ 2 r. $
Therefore, the system of equations can be solved to obtain the random number $r$, and then the system of equations can be further solved to obtain the private key $x$.
Similarly, if different users use the same random number, the private key will also be leaked. In other words, two users who use the same random number can solve the equations and obtain each others private key. Therefore, RFC 6979 should be used to solve the random number reuse problem.
3.1.3 Solution: RFC 6979
RFC 6979 specifies a method for generating deterministic digital signatures using DSA and ECDSA that addresses security issues associated with generating a random value k. Traditional DSA and ECDSA signatures rely on a random number k that is randomly generated for each signing operation. If this random number is reused or generated improperly, the security of the private key is compromised. RFC 6979 eliminates the need to generate a random number by deterministically deriving $k$ from the private key and the message to be signed. This ensures that when the same private key is used to sign the same message, the signature is always the same, thereby enhancing reproducibility and predictability. Specifically, the deterministic $k$ is generated by HMAC. The process involves a hash function (such as SHA 256) computing a hash value over the private key, the message, and a counter.
$k = SHA 256(sk, msg, counter).$
In the above equation, for simplicity, only the private key sk, the message msg and the counter counter are hashed. The actual calculation process in RFC 6979 involves more hash calculations. This equation ensures that k is unique for each message, while being reproducible for the same input, and reduces the risk of private key exposure associated with weak or compromised random number generators. Therefore, RFC 6979 provides a powerful framework for deterministic digital signatures using DSA and ECDSA, solves major security issues related to random number generation, and enhances the reliability and predictability of digital signatures. This makes it a valuable standard for applications that require high security and meet strict operational requirements. Schnorr/ECDSA signatures have random number defects that need to be prevented using RFC 6979. Therefore, Schnorr/ECDSAbased adapter signatures also have these problems, and the RFC 6979 specification is also needed to solve these problems.
3.2 Crosschain scenario problems and solutions
3.2.1 UTXO and Account Model System Heterogeneity Problems and Solutions
As shown in Figure 1, Bitcoin uses the UTXO model and implements native ECDSA signatures based on the Secp 256k1 curve. Bitlayer is an EVMcompatible Bitcoin L2 chain that uses the Secp 256k1 curve and supports native ECDSA signatures. The adapter signature implements the logic required for BTC exchange, while the Bitlayer exchange counterpart is supported by the powerful functions of Ethereum smart contracts.
Crosschain atomic swaps based on adapter signatures, or at least semiscriptless adapter signature schemes designed for ECDSA curves, are incompatible with Ethereum. The reason is that Ethereum is an account model, not a UTXO model. Specifically, adaptersignaturebased atomic swaps require refund transactions to be presigned. However, in the Ethereum system, transactions cannot be presigned without knowing the nonce. Therefore, one party can send a transaction between the completion of the presignature and the execution of the transaction – which will invalidate the presigned transaction (because the nonce has been used and cannot be reused).
Additionally, from a privacy perspective, this means that Bitlayer swaps are more anonymous than HTLCs (the contract is available to both parties in the swap). However, the need for one party to have a public contract makes Bitlayer swaps less anonymous than adapter signatures. On the side without the contract, the swap transaction looks like any other transaction. However, on the side with the EVM contract, the transaction is clearly for an asset swap. Although one party has a public contract, it is impossible to trace it back to another chain, even with sophisticated chain analysis tools.
Figure 1. UTXO and account model heterogeneous system crosschain atomic swap
Bitlayer currently supports native ECDSA signatures, and can also implement Schnorr signature verification through smart contracts. If native Bitlayer transactions are used, refund transactions in atomic swaps cannot be presigned; Bitlayer smart contract transactions are required to implement atomic swaps. However, this process sacrifices privacy, that is, transactions participating in atomic swaps in the Bitlayer system are traceable, but cannot be traced back to transactions in the BTC system. Dapp applications such as Tornado Cash can be designed on the Bitlayer side to provide privacy services for transactions on the Bitlayer side in atomic swaps between BTC and Bitlayer.
3.2.2 Same curve, different algorithm, adapter signature security
As shown in Figure 2, assume that both Bitcoin and Bitlayer use the Secp 256 k 1 curve, but Bitcoin uses Schnorr signatures, while Bitlayer uses ECDSA. In this case, the adapter signature based on Schnorr and ECDSA is provably secure. Assuming that given the ECDSA and Schnorr signature oracles, a simulator S can be constructed to break ECDSA, then given only the ECDSA signature oracle, a simulator S can be constructed to break ECDSA. However, ECDSA is secure. Similarly, assuming that given the ECDSA and Schnorr signature oracles, a simulator S can be constructed to break Schnorr signatures, then given only the ECDSA signature oracle, a simulator S can be constructed to break Schnorr signatures. However, Schnorr signatures are secure. Therefore, in the crosschain scenario, the adapter signature uses the same curve, but the signature algorithm is different, which is secure. In other words, the adapter signature allows one end to use ECDSA and the other end to use Schnorr signatures.
Figure 2. Same curve, different algorithm, adapter signature
3.2.3 Different curves, unsafe adapter signatures
Assume that Bitcoin uses the Secp 256 k 1 curve and ECDSA signature, while Bitlayer uses the ed 25519 curve and Schnorr signature. In this case, the adapter signature cannot be used. Due to the different curves, the order of the elliptic curve group is different, that is, the modular coefficient is different. When Bob adapts $y$ to the ECDSA signature in the Bitcoin system, he calculates $s:= ŝ+y$. At this time, the value space of $y$ is the scalar space of the Secp 256 k 1 elliptic curve group. Subsequently, Alice needs to use $y$ to perform Schnorr signature on the ed 25519 elliptic curve group. However, the cofactor of the ed 25519 curve is 8, and the modular coefficient is not equal to the modular coefficient of the Secp 256 k 1 elliptic curve group. Therefore, it is unsafe to use $y$ to perform Schnorr signature on the ed 25519 curve.
4. Digital asset custody application
There are three parties involved in digital asset custody: Alice the buyer, Bob the seller, and the custodian. Using adapter signatures enables noninteractive threshold digital asset custody and instantiates a subset of threshold spending strategies without interaction. This subset consists of two types of participants: participants who participate in initialization and participants who do not participate in initialization, the latter of which is called the custodian. The custodian cannot sign arbitrary transactions, but only sends secrets to one of the supported parties.
On the one hand, the custodian can only choose among several fixed settlement transactions and cannot sign a new transaction with one of the other parties. Therefore, this secret release mechanism makes noninteractive threshold custody less flexible than threshold Schnorr signature. On the other hand, a 2of3 spending strategy can be set using threshold Schnorr signature. However, the threshold Schnorr signature protocol requires three parties to run a decentralized key generation protocol. Therefore, the asset custody protocol based on adapter signature has the advantage of being noninteractive.
4.1 Noninteractive asset custody based on adapter signature
Figure 3. Noninteractive asset custody based on adapter signature
As shown in Figure 3, Alice and Bob want to create a 2of3 transaction output with a stealth policy that includes a custodian. Depending on the condition $c$, Alice or Bob can spend the transaction output. If there is a dispute between Alice and Bob, the custodian (public key is $E$, private key is $e$) decides whether Alice or Bob gets the asset.

Create an unsigned funding transaction to send BTC to a 2of2 MuSig output between Alice and Bob.

Alice chooses a random value $t_A$ and sends a Schnorr presignature $(hat{R}_A,hat{s}_A)$ of a transaction with an adapator of $t_A ᐧ G$ to Bob. This transaction sends the funding output to Bob. Alice also sends Bob a ciphertext that contains a verifiably encrypted $C = Enc(E_c, t_A)$ of the secret $t_A$ and adjusts the escrow public key $E$ to $E_c = E + hash(E, c)G$. During this process, after Bob receives Alices presignature, he adds his own signature, which does not satisfy 2of2 MuSig and cannot spend the funding output. The funding output can only be spent if Bob knows $t_A$ (provided by the escrow party) or Alice signs a full signature and sends it to Bob.

Correspondingly, Bob repeats step (2) based on his adaptor secret $t_B$. At this time, the transaction signed by Bob sends the funding output to Alice.

Alice and Bob both verify the validity of the received ciphertext, confirm that the ciphertext is an encryption of the secret $E_c$, and then sign and broadcast the funding transaction. Verifiable encryption eliminates the need for a custodian to participate in the setup phase and does not require a public contract $c$.

When there is a dispute, Alice and Bob can send the ciphertext and condition c to the custodian, who can then make a judgment based on the actual situation and use the adjusted private key $e+hash(E, c)$ to decrypt and send $t_A/t_B$ to Bob/Alice.
If there is no dispute, Alice and Bob can spend the 2of2 MuSig output as they wish. If there is a dispute, either party can contact the custodian and request its adaptor secret $t_A$ or $t_B$. Then, one of the parties, with the help of the custodian, can complete the adapter signature and broadcast the settlement transaction.
4.2 Verifiable Encryption
Practical Verifiable Encryption and Decryption of Discrete Logarithms cannot be used with Secp 256 k 1 adaptors because they only support verification of specially structured groups.
Currently, there are two promising ways to do verifiable encryption based on Secp 256k1 discrete logarithm, namely Purify Và Juggling .
Purify was originally proposed to create a MuSig protocol with a deterministic nonce (DN), requiring each signer to use zeroknowledge proof that their nonce is the result of correctly applying a pseudorandom function (PRF) to the public key and message. Purify PRF can be efficiently implemented in the arithmetic circuit of the Bulletproofs zeroknowledge protocol to create a verifiable encryption scheme for discrete logarithms on Secp 256 k 1. In other words, verifiable encryption is achieved using zkSnark.
Juggling encryption consists of four steps: (1) Divide the discrete logarithm $x$ into multiple segments $x_k$ of length $l$, such that $x = sum _k 2 ^{(k1)l} x_k$; (2) Use the public key $Y$ to perform ElGamal encryption ${ D_k, E_k} = { x_k ᐧ G + r_k ᐧ Y, r_k ᐧ G }$ on the segment $x_k ᐧ G$; (3) Create a range proof for each $x_k ᐧ G$ to prove that $D_k$ is a Pedersen commitment $x_k ᐧ G + r_k ᐧ Y$, and its value is less than $ 2 ^l$; (4) Use the sigma protocol to prove that ${sum D_k, sum E_k}$ is the correct encryption of $x_k ᐧ G$.
During the decryption process, ${D_k, E_k}$ is decrypted to obtain each $x_k ᐧ G$, and then $x_k$ (with a value range of $[ 0, 2 ^l)$) is exhaustively searched.
Purify needs to execute a PRF in Bulletproofs, which is relatively complicated, while Juggling is theoretically simpler. In addition, the difference between the two in proof size, proof time, and verification time is very small.
5. Kết luận
This article describes the principles of Schnorr/ECDSA adapter signatures and crosschain atomic swaps in detail. It deeply analyzes the random number leakage and duplication problems of adapter signatures, and proposes to use RFC 6979 to solve these problems. In addition, it analyzes in detail the differences between the blockchains UTXO model and the account model in crosschain application scenarios, and also considers whether the adapter signature supports different algorithms and curves. Finally, the adapter signature is extended to realize noninteractive digital asset custody, and the involved cryptographic primitives – verifiable encryption are briefly introduced.
tài liệu tham khảo

Gugger J. Bitcoinmonero crosschain atomic swap[J]. Cryptology ePrint Archive, 2020.

Fournier L. Onetime verifiably encrypted signatures aka adapter signatures[J]. 2019, 2019.

https://cryptoinaction.github.io/ecdsablockchaindangers/190816secp256k1ecdsadangers.pdf

Pornin T. Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA)[R]. 2013.

Komlo C, Goldberg I. FROST: flexible roundoptimized Schnorr threshold signatures[C]//Selected Areas in Cryptography: 27th International Conference, Halifax, NS, Canada (Virtual Event), October 2123, 2020, Revised Selected Papers 27. Springer International Publishing, 2021: 3465.

https://github.com/BlockstreamResearch/scriptlessscripts/blob/master/md/NITE.md

https://particl.news/thedexrevolutionbasicswapandprivateethereumswaps/

Camenisch J, Shoup V. Practical verifiable encryption and decryption of discrete logarithms[C]//Annual International Cryptology Conference. Berlin, Heidelberg: Springer Berlin Heidelberg, 2003: 126144.

Nick J, Ruffing T, Seurin Y, et al. MuSigDN: Schnorr multisignatures with verifiably deterministic nonces[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 17171731.

Shlomovits O, Leiba O. Jugglingswap: scriptless atomic crosschain swaps[J]. arXiv preprint arXiv: 2007.14423, 2020.
This article is sourced from the internet: Analysis of Bitcoin and Layer2 asset crosschain technology
Original title: Buffetts amazing move again! Berkshires cash surpasses Ethereums market value, reviewing his 20year brilliant record of escaping the top Original author: James, BlockTempo Berkshire Hathaway, an investment company owned by Warren Buffett, released its secondquarter 2024 financial report last Saturday, showing that the company cut its Apple stake by nearly 50% in Q2 and its cash position soared by US$276.9 billion, setting a new historical high. At the time, some analysts believed that Buffetts massive sale of Apple shares was likely due to his pessimism about the stock market and economic prospects, so he chose to go all in with cash. Now, with the collapse of U.S. and Asian stock markets in recent days, the community has once again admired Buffetts acumen in successfully escaping the top. Interestingly,…