| 1 | +Atomic Pedersen Swap Using Adaptor Signatures |
| 2 | +=== |
| 3 | + |
| 4 | +An atomic Pedersen swap exchanges a coin with the opening `(r, x)` of a |
| 5 | +Pedersen commitment `r*G + x*H`. By using adaptor signatures this can be done |
| 6 | +as a scriptless script such that a Bitcoin output that requires revealing an |
| 7 | +opening appears like a normal payment on-chain. Therefore, it can be a |
| 8 | +replacement for scripts involving `OP_SHA256 <hash> OP_EQUAL` when it's not |
| 9 | +required to commit or open publicly. |
| 10 | + |
| 11 | +Additionally, it allows using Pedersen commitments in Bitcoin or any other |
| 12 | +crypto-currency supporting adaptor signatures without adding Pedersen |
| 13 | +commitment in the consensus code (for example in the form of a new opcode). |
| 14 | +Pedersen commitments are *homomorphic commitments* which enables many |
| 15 | +interesting applications. For example, proving knowledge of the opening of a |
| 16 | +commitment in zero knowledge or re-blinding a given commitment by adding `r'*G` |
| 17 | +(maybe useful in lightning). Current applications of Pedersen commitments in |
| 18 | +crypto-currencies include Confidential Transactions, Confidential Assets and |
| 19 | +Mimblewimble. |
| 20 | + |
| 21 | +One important ingredient for these swaps is a multiplication proof of Pedersen |
| 22 | +commitments described below. |
| 23 | + |
| 24 | + |
| 25 | +Multiplication Proof for Pedersen Commitments |
| 26 | +--- |
| 27 | +This is a non-interactive zero knowledge proof that for given Pedersen |
| 28 | +commitments `Q = r*G + x*H`, `T1 = t1*G` and `T2 = t2*G` it holds that `r = |
| 29 | +t1*t2`. The given construction is special case (commitment to 0) of the proof |
| 30 | +from the paper [Zero-knowledge proofs of knowledge for group |
| 31 | +homomorphisms](https://sci-hub.la/10.1007/s10623-015-0103-5) by Ueli Maurer |
| 32 | +section 6.7 with the addition of the Fiat-Shamir heuristic. |
| 33 | + |
| 34 | +Informally, the scheme consists of the two algorithms "generate" and "check": |
| 35 | + |
| 36 | +* Generate |
| 37 | + ``` |
| 38 | + select `k1, k2` to be uniformly random scalars and compute |
| 39 | + R1 <- k1*G |
| 40 | + R2 <- k1*t2*G + k2*H |
| 41 | + s1 <- k1 + H(R1, R2)*t1 |
| 42 | + s2 <- k2 + H(R1, R2)*x |
| 43 | + return proof (R1, R2, s1, s2) |
| 44 | + ``` |
| 45 | + |
| 46 | +* Check proof `(R1, R2, s1, s2)` |
| 47 | + ``` |
| 48 | + s1*G ?= R1 + H(R1, R2)*T1 |
| 49 | + s1*T2 + s2*H ?= R2 + H(R1, R2)*Q |
| 50 | + ``` |
| 51 | + |
| 52 | +It helps to get some intuition for the proof by verifying completeness: |
| 53 | +``` |
| 54 | +s1*G = k1*G + H(R1, R2)*t1*G |
| 55 | + = R1 + H(R1, R2)*T1 |
| 56 | +s1*T2 + s2*H = k1*T2 + H(R1,R2)*t1*T2 + k2*H + H(R1,R2)*x*H |
| 57 | + = k1*t2*G + k2*H + H(R1,R2)*(t1*T2 + x*H) |
| 58 | + = R2 + H(R1, R2)*Q |
| 59 | +``` |
| 60 | + |
| 61 | + |
| 62 | +Protocol rationale |
| 63 | +--- |
| 64 | +Assume someone wants to buy the opening `(r, x)` of a Pedersen commitment `Q = |
| 65 | +r*G + x*H` from a seller. The seller can't just use `r*G` as the auxiliary |
| 66 | +point in an adaptor signature and send it to the buyer. Upon receiving `r*G` |
| 67 | +the buyer would compute `Q - r*G = x*H` and simply brute-force `x` without |
| 68 | +paying. This is where the multiplication proof for Pedersen commitments comes |
| 69 | +into play: the seller chooses t1 and t2 s.t. `t1*t2 = r`, sends `T1 = t1*G` and |
| 70 | +`T2 = t2*G` as auxiliary points to the buyer along with the multiplication |
| 71 | +proof. Obtaining `r` from `T1` and `T2` is the computational Diffie-Hellman |
| 72 | +problem, but learning `t1` and `t2` during the swap allows the buyer to compute |
| 73 | +`r`. |
| 74 | + |
| 75 | +Because `x` is multiplied by `H` and not `G` there is no straightforward way to |
| 76 | +similarly put `x*H` in an adaptor signature. Let `xi` be the `i`-th bit of `x`. |
| 77 | +The seller creates one Pedersen commitment `Qi = ri*G + xi*G` for every bit of |
| 78 | +`x`. After learning all `ri` during the swap, the buyer can reconstruct `x` |
| 79 | +bitwise by checking whether `Qi` is a commitment to `0` or `1`. Committing to |
| 80 | +each bit of a value in a Pedersen commitment in a verifiable way is exactly |
| 81 | +what the range proof in [confidential |
| 82 | +transactions](https://people.xiph.org/~greg/confidential_values.txt). So we |
| 83 | +can abuse that scheme not to prove ranges, but to prove that each `Qi` commits |
| 84 | +to a bit of `x`. |
| 85 | + |
| 86 | +As a result, the seller must send an adaptor signatures for the factors `ti1` |
| 87 | +and `ti2` of each `ri`. Simply sending multiple adaptor sigs is problematic. |
| 88 | +Say the seller sends one adaptor sig with auxiliary point `Ti1=ti1*G` and one |
| 89 | +with aux point `Ti2=ti2*G`. Then even without seeing the actual signature, by |
| 90 | +just subtracting the signatures the buyer learns `ti1 - ti2`. Instead, the |
| 91 | +seller uses auxiliary points `H(Ti1)*ti1*G and H(Ti2)*ti2*G` revealing |
| 92 | +`H(Ti1)ti1 - H(Ti2)ti2` which is meaningless for the buyer. |
| 93 | + |
| 94 | + |
| 95 | +Protocol description |
| 96 | +--- |
| 97 | +Assume someone wants to buy the opening `(r, x)` of a Pedersen commitment `Q = |
| 98 | +r*G + x*H` from a seller. |
| 99 | + |
| 100 | +1. Setup |
| 101 | + |
| 102 | + * The seller publishes a range proof to allow potential buyers to later |
| 103 | + reconstruct `x` from just `Q` and `r`.A ssuming a prime order group with |
| 104 | + an order close to `2^256` the seller publishes `(Q0, ..., Q255, e, s0, |
| 105 | + ..., s255)` where `sum(Qi) = Q` and `e = hash(si*G + hash(si*G + |
| 106 | + e*Qi)*(Qi-2^i*H))`. |
| 107 | + * The buyer checks the range proof and sends the agreed-upon amount of |
| 108 | + coins to a key-aggregated multisig output of the buyer and seller (after |
| 109 | + receiving a timelocked refund transaction signed by the seller). |
| 110 | +2. Adaptor signatures |
| 111 | + |
| 112 | + * Just as in regular atomic swaps using adaptor signatures, the parties |
| 113 | + agree on an `R` for the the signature. The seller creates a transaction |
| 114 | + spending the coins from the multisig output and computes a Bellare-Neven |
| 115 | + challenge `c` for the transaction. |
| 116 | + * For each bit commitment `Qi`, seller generates a uniformly random scalar |
| 117 | + `ti1` and sets `ti2`, such that `ti1*ti2*G = ri*G = Qi-xi*H`. Then the |
| 118 | + seller computes `Ti1 = ti1*G` and `Ti2 = ti2*G` and sends the following |
| 119 | + adaptor signatures `si1` and `si2` with auxiliary points `H(Ti1)*Ti1` and |
| 120 | + `H(Ti2)*Ti2` to Bob: |
| 121 | + ``` |
| 122 | + si1 = k + H(Ti1)ti1 + c*a |
| 123 | + si2 = k + H(Ti2)ti2 + c*a |
| 124 | + ``` |
| 125 | + along with a multiplication proof for Pedersen commitments proving the |
| 126 | + multiplicative relationship of the blinding factors of Ti1, Ti2 and Qi. |
| 127 | +3. Swap |
| 128 | +
|
| 129 | + * The buyer verifies the adaptor signatures and multiplication proofs and |
| 130 | + sends his contribution to the signature. |
| 131 | + * The seller completes the signature `(R, s)` and publishes it along with |
| 132 | + the transaction to take her coins. |
| 133 | + * Just as in regular atomic swaps using adaptor signatures, the buyer can |
| 134 | + recover the discrete logarithm of the auxiliary points by subtracting s |
| 135 | + from the corresponding adaptor signature. So for each bit commitment, the |
| 136 | + buyer is able to recover `ti1` and `ti2`. |
| 137 | + * Because it holds that `ti1*ti2 = ri`, the buyer can reconstruct `x` by |
| 138 | + setting the `i`-th bit of `x` to `0` if `Qi == ti1*ti2*G + 0*H` and to |
| 139 | + `1` otherwise. |
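Review bot: the bit commitments `Qi` are defined three different ways in this file and the protocol only works for one of them. The rationale section writes `Qi = ri*G + xi*G` (the bit multiplied by `G`, which makes `Qi` a plain multiple of `G` and the `0*H` test in step 3 meaningless), step 2 writes `ri*G = Qi-xi*H`, while the range proof in step 1 uses the ring member `(Qi-2^i*H)` together with `sum(Qi) = Q`, which only holds if each `Qi` commits to `xi*2^i` rather than `xi`. Settle on one form, e.g. `Qi = ri*G + xi*2^i*H` with `sum(ri) = r`, and use it consistently in the rationale, step 2 and step 3. Still in step 1, the challenge `e = hash(si*G + hash(si*G + e*Qi)*(Qi-2^i*H))` has `e` on both sides of its own definition; spell out how the per-bit challenges are chained. In the multiplication proof the Fiat-Shamir challenge `H(R1, R2)` does not bind the statement being proven; hashing `Q`, `T1` and `T2` into it as well is the usual precaution against a proof being reused for a different commitment. Smaller points: "is special case" should read "is a special case"; "`r`.A ssuming" should read "`r`. Assuming"; "for the the signature" has a doubled "the"; "is exactly what the range proof in [confidential transactions]" is missing its verb ("does"); step 2 sends the adaptor signatures "to Bob" while the rest of the text says "buyer"; and the Maurer paper would be better cited through its DOI (https://doi.org/10.1007/s10623-015-0103-5) than through a sci-hub mirror.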