From 7360e6eb9299e257362dfbae7ab8eb7e1ba3e1ab Mon Sep 17 00:00:00 2001 From: Chris Sonek Date: Wed, 18 Sep 2024 14:17:42 +0000 Subject: [PATCH 1/2] + added the step of validating the adaptor signature + mentined the 2nd adaptor necessary for swaps. --- md/atomic-swap.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/md/atomic-swap.md b/md/atomic-swap.md index 2e0d780..d60bb8c 100644 --- a/md/atomic-swap.md +++ b/md/atomic-swap.md @@ -15,10 +15,11 @@ to B on one chain, while B is sending coins to A on the other. 2. A gives B auxiliary data "adaptor signatures" which allow B to extract a discrete logarithm from a signature on one chain, and conversely to extract a signature from the same discrete logarithm on the other chain. -3. B then signs to give A her coins on one chain. -4. When A signs to take her coins, B is able to extract a discrete logarithm +3. B validates, that knowing the discrete logarithm would actually allow him to obtain a valid signature from the adaptor signature he got from A. +4. B then creates an adaptor signature with the adaptor A has given him before. That adaptor signature would give A her coins on one chain. +5. A converts the adaptor signature from B to a valid signature by using her knowledge of the discrete logarithm, then A signs to take her coins, B is able to extract the discrete logarithm from her signature. -5. He uses this to form a signature on the other chain, giving him A's coins. +6. He uses this to form a signature on the other chain, giving him A's coins. We see that this executes an atomic exchange: if A signs, then both transactions execute; if A does not sign, then the protocol times out and neither transaction @@ -74,13 +75,14 @@ that both blockchains support Schnorr signatures. 2. A chooses a random `t`, sets `T = tG`, and produces adaptor signatures in place of her contributions to `s`. Each signature uses the same `T`. She sends these to B. -3. B reveals his contribution to `s` for the signature that sends his coins to A. -4. A reveals her contribution to `s` for that signature, completing it, and +3. B verifies, that with the knowledge of `t`, the adaptor signature, he could actually produce a valid signature. +4. B creates an adaptor signature using the same `T` and reveals his contribution to `s` for the signature that sends his coins to A. +5. A reveals her contribution to `s` for that signature, completing it, and publishes it to take her coins. -5. Using the adaptor signature, B learns `t` from the output of step (4), and uses +6. Using the adaptor signature, B learns `t` from the output of step (5), and uses it to compute A's contribution to `s` for the signature that sends her coins to him. -6. B adds his contribution to `s`, completing the signature, and publishes it to +7. B adds his contribution to `s`, completing the signature, and publishes it to take his coins. ### Compatibility From 04580286156f7efd83d901412c4713a6d5367f56 Mon Sep 17 00:00:00 2001 From: Chris Sonek Date: Mon, 30 Sep 2024 11:41:37 +0000 Subject: [PATCH 2/2] removed the use of a second adaptor from my first commit, to seperate the 2 changes (an discuss seperately). So now it PR only has the change the B verifies the adaptor signature --- md/atomic-swap.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/md/atomic-swap.md b/md/atomic-swap.md index d60bb8c..b151034 100644 --- a/md/atomic-swap.md +++ b/md/atomic-swap.md @@ -16,8 +16,8 @@ to B on one chain, while B is sending coins to A on the other. discrete logarithm from a signature on one chain, and conversely to extract a signature from the same discrete logarithm on the other chain. 3. B validates, that knowing the discrete logarithm would actually allow him to obtain a valid signature from the adaptor signature he got from A. -4. B then creates an adaptor signature with the adaptor A has given him before. That adaptor signature would give A her coins on one chain. -5. A converts the adaptor signature from B to a valid signature by using her knowledge of the discrete logarithm, then A signs to take her coins, B is able to extract the discrete logarithm +4. B then signs to give A her coins on one chain. +5. When A signs to take her coins, B is able to extract a discrete logarithm from her signature. 6. He uses this to form a signature on the other chain, giving him A's coins. @@ -75,16 +75,17 @@ that both blockchains support Schnorr signatures. 2. A chooses a random `t`, sets `T = tG`, and produces adaptor signatures in place of her contributions to `s`. Each signature uses the same `T`. She sends these to B. -3. B verifies, that with the knowledge of `t`, the adaptor signature, he could actually produce a valid signature. -4. B creates an adaptor signature using the same `T` and reveals his contribution to `s` for the signature that sends his coins to A. +3. B verifies, that with the knowledge of `t` he could actually produce a valid signature from step (2). +4. B reveals his contribution to `s` for the signature that sends his coins to A. 5. A reveals her contribution to `s` for that signature, completing it, and publishes it to take her coins. -6. Using the adaptor signature, B learns `t` from the output of step (5), and uses +6. Using the adaptor signature, B learns `t` from the output of step (4), and uses it to compute A's contribution to `s` for the signature that sends her coins to him. 7. B adds his contribution to `s`, completing the signature, and publishes it to take his coins. + ### Compatibility Adaptor signatures are *not* compatible with non-interactive signature