Adapter Signatures and Their Applications in Cross-Chain Atomic Swaps

With the rapid development of Bitcoin Layer 2 scaling solutions, the frequency of cross-chain asset transfers between Bitcoin and its Layer 2 networks has significantly increased. This trend is driven by the higher scalability, lower transaction fees, and high throughput provided by Layer 2 technology. These advancements facilitate more efficient and cost-effective transactions, thereby promoting broader adoption and integration of Bitcoin across various applications. As a result, interoperability between Bitcoin and Layer 2 networks is becoming a key component of the cryptocurrency ecosystem, driving innovation and providing users with more diverse and powerful financial tools.

There are mainly three solutions for cross-chain transactions between Bitcoin and Layer 2: centralized cross-chain transactions, BitVM cross-chain bridge, and cross-chain atomic swaps. These three technologies differ in trust assumptions, security, convenience, transaction limits, and can meet different application needs.

The advantages of centralized cross-chain trading are fast speed and a relatively easy matching process. However, its security completely relies on the reliability and reputation of the centralized institution. If there are issues with the centralized institution, user funds are at a higher risk. Additionally, centralized cross-chain trading may also expose user privacy.

The BitVM cross-chain bridge technology is relatively complex, involving multi-party signatures and optimistic challenge mechanisms. This technology is mainly suitable for ultra-large transactions and is used infrequently.

Cross-chain atomic swaps are a decentralized technology that offers advantages such as censorship resistance and good privacy protection, widely used in decentralized exchanges. Currently, cross-chain atomic swaps mainly include two solutions based on Hash Time-Lock (HTLC) and adapter signatures.

Compared to HTLC, adapter signature-based atomic swaps have the following advantages:

1. replaced on-chain scripts, on-chain space usage is smaller, and costs are lower;
2. Transaction cannot be linked, achieving better privacy protection.

This article mainly introduces adapter signatures and their application in cross-chain atomic swaps, including the following aspects:

1. The principle of Schnorr and ECDSA adapter signatures
2. Implementation of cross-chain atomic swaps
3. Security issues of the random number in adapter signatures and solutions
4. The issues of system heterogeneity and algorithm heterogeneity in cross-chain scenarios and solutions.
5. Application of Adapter Signatures in Non-Interactive Digital Asset Custody

Schnorr Adapter Signatures and Atomic Swaps

The process of generating Schnorr signatures is as follows:

1. Choose a random number r, calculate R = r * G
2. Calculate the challenge c = H(R||P||m)
3. Calculate s = r + cx

Where G is the base point, P is the public key, m is the message, and x is the private key. The signature is (R, s).

The verification process is: check sG ?= R + cP

The generation process of Schnorr adapter signatures is as follows:

1. Choose a random number r, calculate R = r * G
2. Calculate the challenge c = H(R + Y||P||m), where Y is the adaptation point.
3. Calculate s' = r + cx

The pre-signature is (R,s'). The complete signature is (R,s = s' + y), where y is the adaptation value, satisfying Y = y * G.

The verification process is: check sG ?= R + Y + cP

Atomic swap process:

1. Alice generates a pre-signed message and sends it to Bob.
2. Bob verifies the pre-signature, generates his own pre-signature, and sends it to Alice.
3. Alice verifies Bob's pre-signed message and broadcasts her complete signature.
4. Bob extracts y from Alice's complete signature, completes his own signature, and broadcasts it.

ECDSA Adapter Signature and Atomic Swap

The process of generating an ECDSA signature is as follows:

1. Choose a random number k, calculate R = k * G, r = R_x mod n
2. Calculate s = k^(-1)(H(m) + rx) mod n

In this, G is the base point, n is the curve order, x is the private key, and m is the message. The signature is (r, s).

The verification process is: check R'_x ?= r, where R' = s^(-1)H(m)G + s^(-1)rP

The process of generating ECDSA adapter signatures is as follows:

1. Choose a random number k, calculate R = k * G, r = R_x mod n
2. Calculate s' = k^(-1)(H(m) + r(x + y)) mod n, where y is the adaptation value.

The pre-signature is (R,s'). The complete signature is (R,s = s' * (x + y) / x).

The verification process is: check R'_x ?= r, where R' = s^(-1)H(m)G + s^(-1)r(P + Y)

The atomic swap process is similar to Schnorr.

Random Number Problem and Solution

The pre-signatures of Schnorr/ECDSA adapter signatures commit to the random number r. If the random number is leaked or reused, it can lead to the exposure of the private key.

The solution is to use RFC 6979 to derive random numbers from the private key and message in a deterministic manner:

k = SHA256(sk, msg, counter)

This ensures that k is unique for each message, while having reproducibility for the same input, reducing the risk of private key exposure related to random number generators.

Cross-chain Scenario Issues and Solutions

UTXO and account model systems are heterogeneous: Bitcoin adopts the UTXO model, while Ethereum adopts the account model. In the account model, it is not possible to pre-sign refund transactions. The solution is to implement atomic swap logic using smart contracts on the Ethereum side.

Same curve different algorithm: If two chains use the same curve but different signature algorithms, such as one using Schnorr and the other using ECDSA, the adapter signature is still secure.

Different curves: If two chains use different curves, the adapter signature will be insecure because the order of the curves is different, and the modulus coefficients are different.

Digital Asset Custody Application

The adapter signature can be used to implement non-interactive digital asset custody:

1. Alice and Bob create a 2-of-2 multi-signature output.
2. Alice and Bob each generate pre-signed values and encrypt their respective adaptation values with the custodian's public key.
3. In case of a dispute, the custodian may decrypt the adaptation value and send it to one party for them to complete the signature.

This solution is more flexible and decentralized compared to traditional custody.

Verifiable encryption is the key technology to implement this solution, mainly including two schemes: Purify and Juggling. Purify is based on zkSNARK, while Juggling adopts methods of sharding and range proofs.

Overall, adapter signatures provide new possibilities for applications such as cross-chain atomic swaps and digital asset custody, but practical applications still need to consider issues such as random number security and system heterogeneity. In the future, with the further development of related technologies, adapter signatures are expected to play an important role in more scenarios.