Adapter Signatures and Their Application in Cross-Chain Atomic Swaps

With the rapid development of Bitcoin Layer 2 scaling solutions, the frequency of cross-chain asset transfers between Bitcoin and its Layer 2 networks has significantly increased. This trend is driven by the higher scalability, lower transaction fees, and high throughput offered by Layer 2 technology. These advancements facilitate more efficient and cost-effective transactions, thereby promoting the wider adoption and integration of Bitcoin in various applications. As a result, interoperability between Bitcoin and Layer 2 networks is becoming a key component of the cryptocurrency ecosystem, driving innovation and providing users with more diverse and powerful financial tools.

There are three typical solutions for cross-chain transactions between Bitcoin and Layer 2, namely centralized cross-chain transactions, BitVM cross-chain bridge, and cross-chain atomic swaps. These three technologies differ in terms of trust assumptions, security, convenience, transaction limits, etc., and can meet different application needs.

The advantages of centralized cross-chain trading lie in its speed and the relatively easy matching process. However, the security of this method completely relies on the reliability and reputation of the centralized institution. If the centralized institution encounters technical failures, malicious attacks, or defaults, users' funds face a higher risk. Additionally, centralized cross-chain trading may also leak user privacy, necessitating careful consideration by users when choosing this method.

The BitVM cross-chain bridge technology is relatively complex. This technology introduces an optimistic challenge mechanism, making it relatively complicated. Additionally, the optimistic challenge mechanism involves a large number of challenge and response transactions, resulting in higher transaction fees. Therefore, the BitVM cross-chain bridge is only suitable for large transactions and is used infrequently.

Cross-chain atomic swaps are a type of contract that enables decentralized cryptocurrency trading. This means that the technology is decentralized, censorship-resistant, provides better privacy protection, and enables high-frequency cross-chain transactions, making it widely applicable in decentralized exchanges.

Cross-chain atomic swap technology mainly includes hash time lock and adapter signature. The cross-chain atomic swap based on hash time lock ( HTLC ) has user privacy leakage issues. The cross-chain atomic swap based on adapter signature has three advantages: first, the adapter signature swap scheme replaces the on-chain scripts relied upon by "secret hash" swaps, including time locks and hash locks. Second, since such scripts are not involved, the on-chain space usage is reduced, making atomic swaps based on adapter signatures more lightweight and cheaper. Finally, the transactions involved in the adapter signature atomic swap cannot be linked, achieving privacy protection.

Schnorr/ECDSA adapter signatures have a random number security issue and need to use RFC 6979 for prevention. RFC 6979 specifies a method for generating deterministic digital signatures using DSA and ECDSA, addressing the security problems associated with generating random value k.

In cross-chain scenarios, it is necessary to consider the heterogeneity issue between the UTXO and account model systems. Bitcoin adopts the UTXO model and implements native ECDSA signatures based on the Secp256k1 curve. Bitlayer is an EVM-compatible Bitcoin L2 chain that uses the Secp256k1 curve and supports native ECDSA signatures. The adapter signature implements the logic required for BTC exchange, while the Bitlayer exchange counterpart is supported by the powerful capabilities of Ethereum smart contracts.

If Bitcoin and Bitlayer both use the Secp256k1 curve, but Bitcoin uses Schnorr signatures while Bitlayer uses ECDSA, then the adapter signatures based on Schnorr and ECDSA are provably secure. However, if Bitcoin uses the Secp256k1 curve and ECDSA signatures, while Bitlayer uses the ed25519 curve and Schnorr signatures, then adapter signatures cannot be used.

Based on the adapter signature, non-interactive threshold digital asset custody can be achieved, and a subset of threshold spending policies can be instantiated without interaction. This subset consists of two types of participants: participants involved in the initialization and participants not involved in the initialization, the latter being referred to as custodians. Custodians cannot sign arbitrary transactions but can only send secrets to one of the supported parties.

Verifiable encryption is an important cryptographic primitive for achieving non-interactive digital asset custody. Currently, there are two promising approaches to verifiable encryption based on the Secp256k1 discrete logarithm, namely Purify and Juggling. Purify was originally proposed to create the MuSig protocol with a deterministic nonce (DN). Juggling encryption involves four steps: partitioning the discrete logarithm, using the public key to ElGamal encrypt the segments, creating range proofs for each segment, and using the sigma protocol to prove the correctness of the encryption.