Published on: 2023-05-14T08:37:50+00:00
In an email exchange between AdamISZ and Lloyd Fournier, they discuss the usefulness of single signer adaptors in Bitcoin. They conclude that single key signature adaptor in isolation is basically useless in a Bitcoin context but it could be useful in combination with another locking condition on the utxo such as another pubkey lock. They also discuss the canonical adaptor-based swap where Alice can encrypt the single-key signature for her payment to Bob, revealing the partial signature of Bob, on the payout from a multisig, to Alice. However, they mention that Alice can still move the funds even if Bob decrypts and broadcasts by revealing s if she gets confirmed first. Lloyd states that single signer adaptor signatures have been used as signature encryption in practice for years for the transaction signatures by DLC client implementations and are even used in channel implementations as well as atomic swaps.On May 11th, 2023, AdamISZ sent an email to Lloyd Fournier discussing a potential variant of the canonical adaptor based swap. He suggests that Alice can encrypt the single-key signature for her payment to Bob with the encryption key being T = sG, where s is the partial signature of Bob on the payout from a multisig to Alice. However, Lloyd points out that Alice could still move the funds even if Bob decrypts and broadcasts by revealing s if she gets confirmed first. He notes that a multisig is always necessary in these situations, but it need not be a key aggregated multisig like MuSig. Lloyd also mentions that there is no useful use of a single signer adaptor signature in Bitcoin without some kind of other spending constraint.On May 8th, 2023, Lloyd and AdamISZ had a conversation discussing the usefulness of single signer adaptors. Lloyd argues that they do provide a way to create enforcement that the publication of signature on a pre-defined message will reveal a secret. He gives an example of holding a secret key for X and creating a signature adaptor with some encryption key Y with message m. If he does not create any further signatures on m, then any signature on m that is published necessarily reveals the secret on Y to him. This property can be useful in practice and has already been used for years by DLCs in production. However, AdamISZ struggles to understand this point and references Dryja's construct and single key Schnorr, stating that they are missing and therefore making them useless. Lloyd clarifies that he was not referencing the DLC oracle attestation protocol but rather pointing out that DLC client implementations have been using single signer adaptor signatures as signature encryption in practice for years for transaction signatures. There are even channel implementations using them as well as atomic swaps doing this.In an email exchange between AdamISZ and Lloyd Fournier via bitcoin-dev, they discuss the usefulness of single signer adaptors. Fournier argues that if a secret key is held for X and a signature adaptor is created with encryption key Y for message m, any signature on m published reveals the secret on Y to the holder of the secret key for X, making it a useful property in theory and practice. AdamISZ initially struggles to understand this concept but eventually acknowledges his error and admits to having a misconception about adaptors for years. They also discuss the framing of s' = k - t +H(R|P|m)x vs s' = k + H(R+T|P|m)x and a potential variant of the canonical adaptor based swap. Fournier clarifies that he was not referencing the DLC oracle attestation protocol, but rather pointing out that DLC client implementations have been using single signer adaptor signatures as signature encryption in practice for years for transaction signatures, making them a pretty useful thing. The conversation ends on a cordial note with cheers exchanged.In an email exchange between AdamISZ and Lloyd Fournier, they discussed the usefulness of single signer adaptors. While Fournier had previously claimed that they were useless as they did not provide a way to create enforcement that the publication of signature on a pre-defined message will reveal a secret, AdamISZ disagreed. He argued that if he held a secret key for X and created a signature adaptor with some encryption key Y with message m and did not create any further signatures (adaptor or otherwise) on m, then any signature on m that is published necessarily reveals the secret on Y to him. This property is useful in theory and practice. Fournier was confused by AdamISZ's statement and asked for clarification on what he meant by "any signature on m that is published reveals y." AdamISZ elaborated that if only one adaptor signature is generated on m and no other signatures on m are created, then a signature on m that appears under the key would reveal y to him. Fournier thought that the confusion might be about the DLC construct, which is analogous to single key Schnorr.
Updated on: 2023-08-02T09:22:26.483449+00:00