Introduce adaptorless signatures and redefine adaptor signature

Author: jonasnick

md/atomic-swap.md

@@ -12,9 +12,9 @@ to B on one chain, while B is sending coins to A on the other.
 
 1. Both parties A and B put their coins into multisignature outputs on each chain
    which require both parties' signatures to be spent.
-2. A gives B auxiliary data "adaptor signatures" which allow A to extract a
-   discrete logarithm from a signature on one chain, and conversely to extract a
-   signature from the same discrete logarithm on the other chain.
+2. A gives B auxiliary data, "adaptorless signatures", for each output. This will allow B to extract a
+   discrete logarithm from a signature on one chain, and then to adapt A's
+   signature with the same discrete logarithm on the other chain.
 3. B then signs to give A her coins on one chain.
 4. When A signs to take her coins, B is able to extract a discrete logarithm
    from her signature.
@@ -38,21 +38,23 @@ with public key `P` is a pair `(s, R)` satisfying the equation
 ```
 sG = R + H(P || R || m)P
 ```
-Closely related, an _adaptor signature_ is a triplet `(s', R, T)` satisfying
+Closely related, an _adaptorless signature_ is a triplet `(s', R, T)` satisfying
 ```
-s'G = T + R + H(P || R || m)P
+s'G = R + H(P || R + T || m)P
 ```
-It is easy to see that given a Schnorr signature `(s, R)` and adaptor signature
-`(s', R, T)` (notice both `R`s are the same) that the discrete logarithm of `T`
-can be computed as `s' - s`, since subtracting the above equations reveals
-`(s' - s)G = T`.
 
-Similarly, given an adaptor signature `(s', R, T)` and `t` such that `T = tG`,
-it is easy to compute a Schnorr signature `(s, R)` by the equation `s = s' - t`.
+It is easy to see that given a Schnorr signature `(s, R + T)` and adaptor signature
+`(s', R, T)` that the discrete logarithm of the _adaptor_ `T`,
+can be computed as `s - s'`, since subtracting the above equations reveals
+`(s - s')G = R + T - R = T`.
 
-We conclude that given an adaptor signature `(s', R, T)` with public key `P`,
-knowledge of a Schnorr signature with same `P` and same `R` is equivalent to
-knowledge of the discrete logarithm of `T`.
+Similarly, given an adaptorless signature `(s', R, T)` and `t` such that `T = tG`,
+it is easy to compute a Schnorr signature `(s, R + T)` by the equation `s = s' + t`.
+
+We conclude that given an adaptorless signature `(s', R, T)` with public key `P`,
+knowledge of a Schnorr signature `(s, R + T)` with same `P` is equivalent to
+knowledge of the discrete logarithm of `T`. Schnorr signature `(s, R + T)` is an
+_adaptor signature_ for `(s', R, T)` because it provides the adaptor.
 
 #### Schnorr Multisignatures
 
@@ -68,17 +70,17 @@ On a lower level, the above scheme works as follows. We assume first that both
 blockchains use the same group generated by the same fixed generator `G`, and
 that both blockchains support Schnorr signatures.
 
-1. Each party puts their coins into a multisignature output. They agree on an
+1. Each party puts their coins into a multisignature output. They agree on a public Schnorr signature nonce
    `R` for each signature that they'll eventually use to move the coins to their
    final destinations.
-2. A chooses a random `t`, sets `T = tG`, and produces adaptor signatures in place
+2. A chooses a random `t`, sets `T = tG`, and produces adaptorless signatures in place
    of her contributions to `s`. Each signature uses the same `T`. She sends these
-   to B.
+   and `T` to B.
 3. B reveals his contribution to `s` for the signature that sends his coins to A.
-4. A reveals her contribution to `s` for that signature, completing it, and
+4. A reveals her contribution to `s` for that signature, completing it by adapting previous adaptorless signature, and
    publishes it to take her coins.
-5. Using the adaptor signature, B learns `t` from the output of step (4), and uses
-   it to compute A's contribution to `s` for the signature that sends her coins to
+5. Using the adaptorless signature, B learns `t` from the output of step (4), and uses
+   it to adapt A's contribution to `s` for the signature that sends her coins to
    him.
 6. B adds his contribution to `s`, completing the signature, and publishes it to
    take his coins.
@@ -90,4 +92,4 @@ aggregation techniques such as [Schnorr
 "half-aggregation"](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014272.html).
 This is because with aggregation the `s`-part in a signature can be
 re-randomized while staying valid, such that knowledge of a corresponding
-adaptor signature does not allow to compute the adaptor secret `t` as `s' - s`.
+adaptor signature does not allow to compute the adaptor secret `t` as `s - s'`.

md/partially-blind-swap.md

@@ -11,8 +11,8 @@ confidential). This property is very similar to
 script](https://github.com/apoelstra/scriptless-scripts/blob/master/md/atomic-swap.md)
 and therefore purely in the elliptic curve discrete logarithm setting.
 
-The basic idea is that the discrete logarithm of the auxiliary point `T` in the
-adaptor signature is not chosen uniformly at random by Alice. Instead, Bob
+The basic idea is that the discrete logarithm of the adaptor point `T` in the
+is not chosen uniformly at random by Alice. Instead, Bob
 computes `T = t*G` where `t` is a [blind Schnorr
 signature](https://blog.cryptographyengineering.com/a-note-on-blind-signature-schemes/)
 of Alice over a transaction spending the funding transaction without knowing `t`
@@ -40,7 +40,7 @@ follows.
      timelocked refund transactions in case one party disappears.
 2. Blind signing
 
-   Bob creates a transaction `tx_B` spending O1. Then Bob creates an auxiliary
+   Bob creates a transaction `tx_B` spending O1. Then Bob creates adaptor
    point `T = t*G` where `t` is a Schnorr signature over `tx_B` in the
    following way:
 
@@ -56,15 +56,15 @@ follows.
         * the blinded challenge `c = c'+beta`
         * and the blinded signature of A times `G`: `T = R + c*A`
    * Bob sends `c` to Alice
-   * Alice replies with an adaptor signature over `tx_A` spending `O2` with
-     auxiliary point `T = t*G, t = ka + c*a` where `a` is the discrete
+   * Alice replies with an adaptorless signature over `tx_A` spending `O2` with
+     adaptor point `T = t*G, t = ka + c*a` where `a` is the discrete
      logarithm of permanent key `A`.
 3. Swap
 
     * Bob gives Alice his contribution to the signature over `tx_A`.
     * Alice adds Bob's contribution to her own signature and uses it to take
       her coins out of O2.
-    * Due to previously receiving an adaptor signature Bob learns `t` from step (2).
+    * Due to previously receiving an adaptorless signature Bob learns `t` from step (2).
 4. Unblinding
 
    * Bob unblinds Alice's blind signature `t` as `t' = t + alpha + c'*h` where

md/pedersen-swap.md

@@ -62,19 +62,19 @@ s1*T2 + s2*H = k1*T2 + H(R1,R2)*t1*T2 + k2*H + H(R1,R2)*x*H
 Protocol rationale
 ---
 Assume someone wants to buy the opening `(r, x)` of a Pedersen commitment `Q =
-r*G + x*H` from a seller. The seller can't just use `r*G` as the auxiliary
-point in an adaptor signature and send it to the buyer. Upon receiving `r*G`
+r*G + x*H` from a seller. The seller can't just use `r*G` as the adaptor
+point in an adaptorless signature and send it to the buyer. Upon receiving `r*G`
 the buyer would compute `Q - r*G = x*H` and since `x` can belong to a small
 set, the buyer could simply brute-force `x` without paying.
 This is where the multiplication proof for Pedersen commitments comes into
 play: the seller chooses t1 and t2 s.t. `t1*t2 = r`, sends `T1 = t1*G` and
-`T2 = t2*G` as auxiliary points to the buyer along with the multiplication
+`T2 = t2*G` as adaptor points to the buyer along with the multiplication
 proof. Obtaining `r` from `T1` and `T2` is the computational Diffie-Hellman
 problem, but learning `t1` and `t2` during the swap allows the buyer to compute
 `r`.
 
 Because `x` is multiplied by `H` and not `G` there is no straightforward way to
-similarly put `x*H` in an adaptor signature. Let `xi` be the `i`-th bit of `x`.
+similarly put `x*H` in an adaptorless signature. Let `xi` be the `i`-th bit of `x`.
 The seller creates one Pedersen commitment `Qi = ri*G + xi*G` for every bit of
 `x`. After learning all `ri` during the swap, the buyer can reconstruct `x`
 bitwise by checking whether `Qi` is a commitment to `0` or `1`. Committing to
@@ -84,13 +84,19 @@ transactions](https://people.xiph.org/~greg/confidential_values.txt). So we
 can abuse that scheme not to prove ranges, but to prove that each `Qi` commits
 to a bit of `x`.
 
-As a result, the seller must send adaptor signatures for the factors `ti1` and
-`ti2` of each `ri`. Simply sending multiple adaptor signatures is problematic.
-Say the seller sends one adaptor signature with auxiliary point `Ti1=ti1*G` and
-one with auxiliary point `Ti2=ti2*G`. Then even without seeing the actual
-signature, by just subtracting the signatures the buyer learns `ti1 - ti2`.
-Instead, the seller uses auxiliary points `H(Ti1)*ti1*G and H(Ti2)*ti2*G`
-revealing `H(Ti1)ti1 - H(Ti2)ti2` which is meaningless for the buyer.
+As a result, the seller must send adaptorless signatures for the factors `ti1`
+and `ti2` of each `ri`. In general, in order to reveal multiple secret adaptors
+`u1, ..., un` with a single signature the seller must create adaptorless
+signatures `(si, R + sum(uj over j)*G - ui*G, ui*G)`. This ensures that all
+adaptorless signatures commit to the same Schnorr signature nonce `R + sum(uj
+over j)*G`.
+
+However, simply sending multiple adaptorless signatures in that way is problematic.
+Say the seller sends one adaptorless signature with adaptor `Ti1=ti1*G` and one with
+adaptor `Ti2=ti2*G`. Then even without seeing the actual signature, by just
+subtracting the signatures the buyer learns `-ti1 + ti2`. Instead, the seller
+uses adaptor `H(Ti1)*ti1*G and H(Ti2)*ti2*G` revealing `H(Ti1)ti1 - H(Ti2)ti2`
+which is meaningless for the buyer.
 
 
 Protocol description
@@ -116,24 +122,21 @@ r*G + x*H` from a seller.
       challenge `c` for the transaction.
     * For each bit commitment `Qi`, seller generates a uniformly random scalar
       `ti1` and sets `ti2`, such that `ti1*ti2*G = ri*G = Qi-xi*H`. Then the
-      seller computes `Ti1 = ti1*G` and `Ti2 = ti2*G` and sends the following
-      adaptor signatures `si1` and `si2` with auxiliary points `H(Ti1)*Ti1` and
-      `H(Ti2)*Ti2` to Bob:
-      ```
-      si1 = k + H(Ti1)ti1 + c*a
-      si2 = k + H(Ti2)ti2 + c*a
-      ```
-      along with a multiplication proof for Pedersen commitments proving the
-      multiplicative relationship of the blinding factors of Ti1, Ti2 and Qi.
+      seller computes adaptors `Ti1 = ti1*G` and `Ti2 = ti2*G` and sends
+      adaptorless signatures `(si1, R + sum(Ai) - H(Ti1)*Ti1, H(Ti1)*Ti1)` and
+      `(si2, R + sum(Ai) - H(Ti2)*Ti2, H(Ti2)ti2)` where `Ai` is the sum of
+      both adaptors.  The seller also sends a multiplication proof for Pedersen
+      commitments proving the multiplicative relationship of the blinding
+      factors of Ti1, Ti2 and Qi.
 3. Swap
 
-    * The buyer verifies the adaptor signatures and multiplication proofs and
+    * The buyer verifies the adaptorless signatures and multiplication proofs and
       sends his contribution to the signature.
     * The seller completes the signature `(R, s)` and publishes it along with
       the transaction to take her coins.
     * Just as in regular atomic swaps using adaptor signatures, the buyer can
-      recover the discrete logarithm of the auxiliary points by subtracting s
-      from the corresponding adaptor signature. So for each bit commitment, the
+      recover the discrete logarithm of the adaptor by subtracting
+      the adaptorless signature from the corresponding s. So for each bit commitment, the
       buyer is able to recover `ti1` and `ti2`.
     * Because it holds that `ti1*ti2 = ri`, the buyer can reconstruct `x` by
       setting the `i`-th bit of `x` to `0` if `Qi == ti1*ti2*G + 0*H` and to