Adapter Signatures and Their Application in Cross-Chain Atomic Swaps

With the rapid development of Bitcoin Layer 2 scaling solutions, the frequency of cross-chain asset transfers between Bitcoin and Layer 2 networks has significantly increased. This trend is driven by the higher scalability, lower transaction fees, and high throughput provided by Layer 2 technology. These advancements facilitate more efficient and cost-effective transactions, leading to broader adoption and integration of Bitcoin in various applications. Therefore, the interoperability between Bitcoin and Layer 2 networks is becoming a key component of the cryptocurrency ecosystem, driving innovation and providing users with a more diverse and powerful set of financial tools.

There are three typical solutions for cross-chain transactions between Bitcoin and Layer 2: centralized cross-chain trading, BitVM cross-chain bridge, and cross-chain atomic swaps. These three technologies have their own characteristics in terms of trust assumptions, security, convenience, and transaction limits, and can meet different application needs.

Centralized cross-chain trading is fast, and the matching process is relatively easy, but its security completely relies on the reliability and reputation of centralized institutions, resulting in higher risks. The BitVM cross-chain bridge technology is relatively complex, introducing an optimistic challenge mechanism, with high transaction fees, and is only suitable for large transactions. Cross-chain atomic swaps are decentralized, censorship-resistant, and offer good privacy protection, enabling high-frequency cross-chain trading and are widely used in decentralized exchanges.

Cross-chain atomic swap technology mainly includes two solutions: one based on Hash Time-Locked Contracts (HTLC) and another based on adapter signatures. The HTLC solution has issues with user privacy leakage. Atomic swaps based on adapter signatures have three advantages over HTLC: they replace on-chain scripts, reducing on-chain space usage; they are lighter and have lower costs; and they provide better privacy protection.

Adapter Signatures and Cross-Chain Atomic Swaps

( Schnorr adapter signature and atomic swap

The process of Schnorr adapter signatures is as follows:

1. Alice generates a random number r and calculates R = r·G
2. Alice calculates c = H)X||R||m###
3. Alice calculates s' = r + c·x
4. Alice sends (R, s') to Bob
5. Bob verifies s'·G ?= R + c·X
6. Bob calculates s = s' + y
7. (R,s) is a valid Schnorr signature.

The cross-chain atomic swap process based on Schnorr adapter signatures is as follows:

1. Alice creates transaction TxA to send her Bitcoin to Bob
2. Bob creates transaction TxB, sending his Bitcoin to Alice.
3. Alice generates a random number y and calculates Y = y·G
4. Alice signs TxA with the adapter signature, sending (R, s') to Bob.
5. Bob verifies the adapter signature
6. Bob performs a regular Schnorr signature on TxB and broadcasts TxB.
7. After Alice receives TxB, she sends y to Bob.
8. Bob calculates s = s' + y, obtaining the complete signature for TxA.
9. Bob broadcasts TxA, completes the exchange

( ECDSA adapter signature and atomic swap

The process of ECDSA adapter signing is as follows:

1. Alice generates a random number k and calculates R = k·G
2. Alice calculates r = R_x mod n
3. Alice calculates s' = k^) - 1###(H)m( + r·x( mod n
4. Alice sends )r,s') to Bob
5. Bob verifies (s')^(-1)·H(m)·G + (s')^(-1)·r·X ?= R
6. Bob calculates s = s' + y mod n
7. (r,s) is a valid ECDSA signature.

The cross-chain atomic swap process based on ECDSA adapter signatures is similar to the Schnorr scheme.

Problems and Solutions

( Random Number Problem and Solutions

The adapter signature has security risks of random number leakage and reuse, which may lead to private key exposure. The solution is to use the RFC 6979 specification to deterministically derive the random number k from the private key and message.

k = SHA256)sk, msg, counter###

This ensures the uniqueness and reproducibility of the random number while avoiding the security risks of the random number generator.

( cross-chain scenarios issues and solutions

1. The heterogeneous problem between UTXO and account model systems:

Bitcoin uses the UTXO model, while Bitlayer uses the account model. In the Ethereum system, it is not possible to pre-sign refund transactions, so smart contracts are needed to implement atomic swaps. This sacrifices a certain level of privacy, which can be provided for Bitlayer transactions through Dapps like Tornado Cash.

2. Security of adapter signatures with the same curve but different algorithms:

If Bitcoin and Bitlayer use the same Secp256k1 curve, but adopt Schnorr and ECDSA signatures respectively, the adapter signature is still secure.

3. Different curve adapter signatures are insecure:

If Bitcoin uses the Secp256k1 curve and Bitlayer uses the ed25519 curve, due to different modulus coefficients, adapter signatures cannot be used directly.

![Analyzing Bitcoin and Layer2 Asset Cross-Chain Technology])https://img-cdn.gateio.im/webp-social/moments-dbf838762d5d60818e383c866ca2d318.webp###

Digital Asset Custody Application

Based on the adapter signature, non-interactive digital asset custody can be achieved, and the specific process is as follows:

1. Create an unsigned funding transaction to send BTC to a 2-of-2 MuSig output.
2. Alice and Bob create adapter signatures respectively and exchange them.
3. Alice and Bob verify the validity of the ciphertext, sign, and broadcast the funding transaction.
4. In case of a dispute, the custodian may decrypt the adapter secret and send it to one party.
5. The party that obtains the secret can complete the signature and broadcast the settlement transaction.

This scheme has the advantage of non-interactivity compared to threshold Schnorr signatures.

Verifiable encryption is a key technology for implementing non-interactive asset custody, primarily consisting of two solutions: Purify and Juggling. Purify is based on zero-knowledge proofs, while Juggling achieves this through sharding and range proofs. The performance of the two solutions is not significantly different, although Juggling is theoretically simpler.

Overall, adapter signatures provide powerful cryptographic tools for applications such as cross-chain atomic swaps and digital asset custody. However, in practical applications, issues such as randomness security and system heterogeneity still need to be considered. In the future, with the development of related technologies, cross-chain interoperability based on adapter signatures will bring more innovative applications to the blockchain ecosystem.