Adaptor Signature

An adaptor signature is a partial signature that is cryptographically bound to a secret value. It allows a transaction to be authorized only if the secret is revealed. This creates a powerful conditional logic: the transaction can be broadcast, but it remains invalid until the secret is published, at which point the signature becomes complete and valid.

This is the canonical use case. Two parties can swap assets atomically without a trusted third party:

• Party A creates an adaptor signature for a transaction paying Party B, locking it with a secret.
• Party B, upon seeing this, can create a valid transaction for Party A using the same cryptographic adaptor point.
• When Party B claims their payment by broadcasting their transaction, they inadvertently reveal the secret.
• Party A can then extract the secret and use it to finalize and broadcast their own transaction, completing the swap.

Adaptor signatures are the core building block for Discreet Log Contracts. Oracles sign outcomes of real-world events (e.g., "BTC > $60K") using adaptor signatures. Each possible outcome is tied to a different secret. When the oracle reveals the signature for the actual outcome, it also reveals the secret, allowing the winning party to claim the contract funds without revealing the other, unchosen outcomes on-chain.

Adaptor signatures enable Scriptless Scripts, where complex smart contract logic (like multi-party conditions) is executed off-chain through cryptographic protocols instead of on-chain scripting languages. This improves privacy, as the contract terms are not visible on the public ledger, and can reduce transaction size and cost compared to traditional script-based solutions.

Technically, an adaptor signature is built on Schnorr or ECDSA signatures. It involves:

• A secret t and its public point T = t*G.
• A partial signature s' that is verifiable against the public key plus the adaptor point T.
• The complete, valid signature s is derived as s = s' + t. Knowledge of t allows anyone to convert the adaptor signature into a standard one.

Compared to traditional hash-based atomic swaps or complex scripts, adaptor signatures offer significant advantages:

• Enhanced Privacy: On-chain transactions appear standard; the conditional logic and swap details are hidden.
• Reduced On-chain Footprint: The proof of the secret's revelation is embedded within a normal-looking signature, minimizing data usage.
• Interoperability: The technique is agnostic to the underlying blockchain, enabling cross-chain swaps between any chains supporting the same elliptic curve cryptography.

Adaptor signatures enable atomic swaps between different blockchain protocols (e.g., Bitcoin and Litecoin) without a trusted third party.

• Process: Party A locks funds in a transaction with an adaptor signature. To claim them, Party B must solve the adaptor, which reveals a secret. Party A then uses this revealed secret to claim the funds Party B locked on the other chain.
• Guarantee: The swap is atomic—either both parties complete the trade, or neither does, eliminating counterparty risk.

Adaptor signatures are a key component of scriptless scripts, a concept for executing smart contract logic using pure cryptography instead of blockchain-specific opcodes.

• Principle: Complex conditions (e.g., "sign only if you know secret X") are embedded directly into Schnorr/Taproot signatures, making the logic private and more efficient.
• Benefit: This reduces on-chain footprint, increases privacy by making contracts indistinguishable from regular transactions, and improves scalability.

Adaptor signatures facilitate CoinSwap protocols, which improve transactional privacy by breaking the on-chain link between sender and receiver.

• Operation: Multiple parties cooperatively create a set of transactions locked with adaptor signatures. The completion of the swap reveals secrets in a way that obfuscates which outputs belong to which original owner.
• Outcome: This creates a trustless, decentralized mixing service that is more private and robust than centralized tumblers or CoinJoin.

This advanced use case combines adaptor signatures with time-locks to create signatures that only become valid after a certain time, or to prove a signature was prepared in advance.

• Application: Useful for proof-of-liability protocols where an exchange must cryptographically prove its solvency without immediately moving funds, or for creating covenants with time-based conditions.
• Mechanism: The adaptor secret is linked to the passage of time or a verifiable delay function (VDF), releasing control of funds only when the condition is met.

An adaptor signature is a partial digital signature that commits to a hidden secret (a preimage or discrete logarithm). It is created by tweaking a standard Schnorr or ECDSA signature with this secret. The signature can only be completed by someone who knows the secret, revealing it upon completion. This creates a cryptographic proof-of-payment or proof-of-knowledge without requiring an on-chain transaction for the condition itself.

A primary application of adaptor signatures is in Discreet Log Contracts (DLCs), enabling trustless blockchain oracles and complex financial derivatives.

• How it works: A contract's outcome (e.g., "BTC > $60K") is encoded into adaptor signatures. The oracle, who learns the outcome off-chain, provides the secret to complete the correct signature, allowing only the winning party to claim the funds.
• Key benefit: The contract terms and oracle data remain off-chain, ensuring privacy and scalability.

Adaptor signatures are fundamental to atomic swaps between different blockchain protocols (e.g., Bitcoin and Litecoin).

• Process: Party A creates a transaction locked with an adaptor signature, requiring a secret to claim. Party B can only learn this secret if they first complete a corresponding transaction on the other chain, also locked with the same secret.
• Result: The swap either completes atomically across both chains or fails entirely, eliminating counterparty risk without a trusted intermediary.

Within payment channel networks like the Lightning Network, adaptor signatures enable Hash Time-Locked Contracts (HTLCs).

• Function: An HTLC payment is a conditional payment locked by a hash preimage. The adaptor signature scheme allows the payment receiver to claim funds by revealing the preimage, which then automatically proves payment to intermediate routing nodes.
• This mechanism is what enables secure, multi-hop payments across the network without trusting intermediaries.

Adaptor signatures are a key component of scriptless scripts, a concept for executing complex smart contract logic without placing the logic itself on-chain.

• Principle: Instead of writing contract conditions in a blockchain's scripting language (e.g., Bitcoin Script), the conditions are encoded into the cryptographic relationships between signatures and secrets.
• Advantages: This improves privacy (contract logic is invisible), reduces on-chain footprint, and can enhance fungibility by making transactions indistinguishable from regular payments.

Adaptor signatures are often compared to simpler hash locks (used in HTLCs).

• Hash Lock: Locks funds with a hash H. Anyone who reveals the preimage R where hash(R) = H can claim the funds. The claim transaction reveals R on-chain.
• Adaptor Signature: Locks funds cryptographically within a signature. The claim transaction is a standard signature that implicitly reveals the secret. This is more private and efficient, as the secret is not directly visible in the transaction data, only derivable by the involved parties.

A primary risk is signature malleability. If an adaptor signature is revealed before the final signature, a malicious party could modify it to create a different, valid signature. This could allow them to claim the on-chain funds without revealing the secret witness t, breaking the protocol's fairness. Implementations must use non-malleable signature schemes (like Schnorr in Bitcoin Taproot) and ensure the final signature is published atomically.

The core security property is that completing an adaptor signature reveals the secret witness t. This enables protocols like atomic swaps. However, this also means:

• Data Leakage: The extracted witness can reveal linkable information about the transaction's origin or purpose.
• Timing Attacks: If the adaptor is published to a public mempool before the final signature, observers can learn t and front-run the settlement. Using point time-locked contracts (PTLCs) over hash time-locked contracts (HTLCs) can mitigate some privacy leaks.

Errors in the cryptographic implementation can lead to catastrophic failures:

• Invalid Curve Points: Using a non-secure or incorrectly generated encryption point can make the secret t trivial to extract.
• Randomness Reuse: Reusing a nonce r across different adaptor signatures can leak private keys.
• Protocol Logic Bugs: Flaws in the surrounding protocol (e.g., incorrect script conditions) can allow funds to be claimed without the correct adaptor completion. Rigorous auditing of the elliptic curve operations and protocol state machine is essential.

Adaptor signature protocols are vulnerable to off-chain DoS attacks. A malicious participant can:

• Generate and share a valid adaptor signature but then refuse to provide the final signature, leaving counterparty funds in a pending state.
• Spam a peer with invalid or malformed adaptor signatures to waste computational resources. Protocols must incorporate timeouts, penalty transactions, and reputation systems to disincentivize this behavior.

In cross-chain atomic swaps, adaptor signatures synchronize settlement across independent ledgers. This introduces asynchrony risks:

• Blockchain Reorgs: A transaction revealing t on one chain could be reorganized, leaving the secret exposed but the contingent claim on the other chain invalid.
• Congestion & Fee Spikes: High fees on one chain can prevent timely settlement, causing the entire swap to fail after secrets are revealed. These risks require careful fee management and sufficient time-lock buffers.

The security of the adaptor signature protocol depends entirely on the security of the private keys used to generate them. Compromise of a signing key allows an attacker to:

• Create fraudulent adaptor signatures.
• Sign completion transactions without the correct witness, stealing funds.
• Secure, offline key generation and hardware security module (HSM) storage for long-term keys are critical, especially in institutional or custody settings.