Adapter Signatures and Their Application in Cross-Chain Atomic Swaps

With the rapid development of Bitcoin Layer 2 scaling solutions, the frequency of cross-chain asset transfers between Bitcoin and its Layer 2 networks has significantly increased. This trend is driven by the higher scalability, lower transaction fees, and high throughput provided by Layer 2 technology, facilitating broader adoption and integration of Bitcoin across various applications. As a result, interoperability between Bitcoin and Layer 2 networks is becoming a key component of the cryptocurrency ecosystem, driving innovation and providing users with more diverse and powerful financial tools.

There are mainly three solutions for cross-chain transactions between Bitcoin and Layer 2: centralized cross-chain trading, BitVM cross-chain bridge, and cross-chain atomic swaps. These three technologies have their characteristics in terms of trust assumptions, security, convenience, and transaction limits, which can meet different application needs.

Cross-chain atomic swaps are contracts that enable decentralized cryptocurrency trading. "Atomic" means that a change in ownership of one asset effectively means a change in ownership of another asset. This concept was first introduced in 2013 on the Bitcointalk forum, and in 2017, Decred and Litecoin successfully completed atomic swaps for the first time. Atomic swaps must involve two parties, and no third party can interrupt or interfere with the swapping process. This means that the technology is decentralized, censorship-resistant, provides better privacy protection, and can achieve high-frequency cross-chain trading, thus being widely adopted in decentralized exchanges.

Currently, cross-chain atomic swaps mainly include two technologies: hash time-locked ( HTLC ) and adapter signature-based swaps. Adapter signature-based atomic swaps have the following advantages over HTLC atomic swaps:

1. Replaced on-chain scripts, including time locks and hash locks, known as "invisible scripts."
2. The on-chain space usage is reduced, making exchanges lighter and costs lower.
3. Transactions cannot be linked, achieving better privacy protection.

This article introduces the principles of Schnorr/ECDSA adapter signatures and cross-chain atomic swaps, analyzes the security issues of random numbers in adapter signatures and the problems of system heterogeneity and algorithm heterogeneity in cross-chain scenarios, and provides corresponding solutions. Finally, it expands the application of adapter signatures to achieve non-interactive digital asset custody.

Adapter Signatures and Cross-Chain Atomic Swaps

Schnorr adapter signature and atomic swap

The atomic swap process for Schnorr adapter signatures is as follows:

1. Alice generates a random number y and calculates Y = y·G
2. Bob generates a random number r and calculates R = r·G
3. Bob calculates c = H(R, pk, m), s = r + cx
4. Bob sends (R, s̃ = s - y) to Alice
5. Alice verifies R = s̃·G + c·pk - Y
6. Alice broadcasts transaction tx_A
7. Bob broadcasts transaction tx_B, revealing y
8. Alice extracts y from tx_B and calculates s = s̃ + y
9. Alice broadcasts (R,s)

ECDSA adapter signature and atomic swap

The atomic swap process of ECDSA adapter signatures is as follows:

1. Alice generates a random number y and computes Y = y·G
2. Bob generates a random number k and calculates R = k·G
3. Bob calculates r = R_x mod n, s̃ = k^(-1)(H(m) + rx) - y
4. Bob sends (r,s̃) to Alice
5. Alice verifies r·G = (s̃ + y)·H(m)·G^(-1) + r·pk
6. Alice broadcasts transaction tx_A
7. Bob broadcasts transaction tx_B, revealing y
8. Alice extracts y from tx_B and calculates s = s̃ + y
9. Alice broadcasts (r,s)

Questions and Solutions

Random Number Problem and Solutions

There are security issues in the adapter signature related to random number leakage and reuse, which may lead to private key exposure. The solution is to use RFC 6979, to deterministically derive the random number k from the private key and the message:

k = SHA256(sk, msg, counter)

This ensures that k is unique for each message while providing reproducibility for the same input, reducing the risk of private key exposure associated with weak random number generators.

cross-chain scenario issues and solutions

1. The heterogeneous issue between UTXO and account model systems: Bitcoin uses the UTXO model, while the Ethereum system uses the account model. In the Ethereum system, since the nonce cannot be predicted, refund transactions cannot be pre-signed. The solution is to use smart contracts on the Bitlayer side to achieve atomic swaps, but this will sacrifice some privacy.

2. Security of adapter signatures with the same curve and different algorithms: If both Bitcoin and Bitlayer use the Secp256k1 curve, but Bitcoin uses Schnorr signatures while Bitlayer uses ECDSA, the adapter signature in this case is provably secure.

3. Different curve adapter signatures are not secure: If Bitcoin uses the Secp256k1 curve and ECDSA signatures, while Bitlayer uses the ed25519 curve and Schnorr signatures, then adapter signatures cannot be used due to different curve parameters resulting in different modulus coefficients.

Digital Asset Custody Application

Non-interactive threshold digital asset custody can be achieved based on adapter signatures, and the main steps are as follows:

1. Create an unsigned funding transaction, sending BTC to a 2-of-2 MuSig output between Alice and Bob.
2. Alice generates a random value t_A and sends the pre-signed and ciphertext to Bob.
3. Bob repeats step 2
4. Alice and Bob verify the validity of the ciphertext, sign, and broadcast the funding transaction.
5. In case of a dispute, the custodian may decrypt and send t_A/t_B to Bob/Alice.

This scheme has non-interactive advantages compared to threshold Schnorr signatures, but has lower flexibility. Verifiable encryption is the key cryptographic primitive for implementing this scheme, with two main implementations: Purify and Juggling.

Adapter signatures provide a decentralized, efficient, and privacy-preserving solution for cross-chain asset exchanges between Bitcoin and Layer 2 networks. By addressing the random number security issue and the heterogeneous problems in cross-chain scenarios, adapter signatures can play an important role in practical applications, promoting the development of the Bitcoin ecosystem.