What is an adaptor signature in Bitcoin? A simple definition with some examples that could be understood without knowing cryptography in detail

In 2017, Andrew Poelstra published a scientific paper describing Adaptor Signature, inside the signature.
This is extremely interesting, since in the case of electronic financial transactions, for example, in order to claim money, a user must reveal the secret to the paying user. We consider t to be the payment secret (which is known to the recipient) and T = t ∗ G the point / public key associated with the secret t (which is known to both users). Just like in a regular payment, the sending user will create a Schnorr signature for the transaction and the sending of money. Unlike a regular payment, the sender will modify his signature using T in such a way that the recipient is able to modify this signature to get a valid one using the secret t. This invalid signature will be sent to the recipient, who will modify the signature using the secret before transmitting the transaction, using the invalid signature.

  1. User A creates a custom signature, which requires knowing only T.
  2. User B verifies the custom signature.
  3. User B completes the custom signature using t and uses the completed signature.
  4. User A calculates the difference between a completed and a custom signature to learn the secret.

An adaptor signature s' is an encryption of a signature s over a message m, for which one can prove that decrypting s' leads to a valid signature s.

In the context of Discreet Log Contract, the signature s is for a given contract execution transaction, which is encrypted using a signature point of an oracle. Once an oracle releases a signature, the adaptor signature s' can be decrypted to s which can be used to create a validly signed transaction.

This is a basic definition with some context that I found in the DLC specs repository.
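The four steps listed above, as an added Python example that is not part of the original answers: a simplified Schnorr adaptor signature over secp256k1 (not BIP340-encoded). The keys, the fixed nonce and the message are constructed demo values; a real signer must use a fresh random nonce for every signature.

```python
import hashlib

# secp256k1 domain parameters (field prime, group order, generator)
FIELD = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % FIELD == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1] % FIELD, -1, FIELD)
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % FIELD, -1, FIELD)
    x = (lam * lam - a[0] - b[0]) % FIELD
    return (x, (lam * (a[0] - x) - a[1]) % FIELD)

def mul(k, pt=G):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def challenge(nonce_pt, pub, msg):  # e = H(nonce point || public key || message)
    data = b"".join(v.to_bytes(32, "big") for v in (*nonce_pt, *pub)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def pre_sign(x, r, T, msg):  # step 1: A signs knowing only T, never t
    R = mul(r)
    return R, (r + challenge(add(R, T), mul(x), msg) * x) % ORDER

def pre_verify(pub, R, s_pre, T, msg):  # step 2: B checks s'*G == R + e*P
    return mul(s_pre) == add(R, mul(challenge(add(R, T), pub, msg), pub))

def verify(pub, nonce_pt, s, msg):  # ordinary Schnorr check: s*G == nonce + e*P
    return mul(s) == add(nonce_pt, mul(challenge(nonce_pt, pub, msg), pub))

# Constructed demo values: A's key x, A's nonce r, B's payment secret t
x, r, t = 0x1111, 0x2222, 0x3333
msg = b"constructed example transaction"
pub, T = mul(x), mul(t)
R, s_pre = pre_sign(x, r, T, msg)
s = (s_pre + t) % ORDER            # step 3: B completes the signature with t
recovered_t = (s - s_pre) % ORDER  # step 4: A learns t from the difference
```

The completed signature is the pair (R + T, s); the pre-signature s' verifies under `pre_verify` but fails the ordinary check, which is why it cannot be broadcast as-is.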

