TeachMeBitcoin


From TeachMeBitcoin, the free encyclopedia

13. Adaptor Signatures in Tapscript

Adaptor signatures are a cryptographic technique that allows conditional signature revelation. An adaptor signature commits to a secret value: it is a "pre-signature" that becomes a valid Schnorr signature only when combined with a specific secret. Tapscript's use of Schnorr signatures makes adaptor signatures practical for Bitcoin.

What is an Adaptor Signature

An adaptor signature ties a signature to a secret scalar t. The signer produces an adaptor signature σ' that:

  1. Is not a valid signature by itself

  2. Becomes a valid signature σ = σ' + t when combined with the secret t

  3. Reveals t to anyone who sees both σ' and σ

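# Conceptual adaptor signature (not production code).
# G, N (the secp256k1 group order), generate_nonce, tagged_hash and x_only
# are assumed to come from a secp256k1/BIP340 helper library.
# BIP340's even-Y normalization of R' and the public key is omitted here.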

def create_adaptor_signature(secret_key, message, adaptor_point):
    """
    adaptor_point: T = t × G, the public commitment to the secret t
    """
    # Standard Schnorr nonce
    k = generate_nonce(secret_key, message)
    R = k * G  # Nonce point

    # Shift the nonce point by the adaptor point
    R_prime = R + adaptor_point  # R' = R + T

    # Compute adaptor signature (like Schnorr but with shifted R)
    e = tagged_hash("BIP0340/challenge", 
                    x_only(R_prime) + x_only(secret_key * G) + message)

    s_prime = (k + int.from_bytes(e, 'big') * secret_key) % N  # s' = k + e*x (mod N, the group order)
    # Note: NOT s' = k + t + e*x (the secret t is NOT included)

    return (R_prime, s_prime)  # Adaptor signature

def complete_adaptor_signature(adaptor_sig, secret_t):
    """Complete the adaptor signature by adding the secret."""
    R_prime, s_prime = adaptor_sig
    s = (s_prime + secret_t) % N  # s = s' + t (mod N, the group order)
    # Now (R_prime, s) is a valid Schnorr signature
    return (R_prime, s)

def extract_secret(adaptor_sig, completed_sig):
    """Extract the secret from an adaptor and its completion."""
    _, s_prime = adaptor_sig
    _, s = completed_sig  # Same R' as the adaptor; only s differs
    t = (s - s_prime) % N  # t = s - s' (mod N, the group order)
    return t

Adaptor Signatures and Atomic Swaps

The most important application of adaptor signatures in Bitcoin is scriptless atomic swaps — cross-chain swaps that require no hash preimage reveal on-chain.

Traditional HTLC atomic swap (on-chain trace):
Alice's chain: OP_SHA256 <hash_of_secret> OP_EQUAL ← secret visible when Bob claims
Bob's chain:   OP_SHA256 <hash_of_secret> OP_EQUAL ← links the two transactions

Adaptor signature atomic swap:
Alice's chain: Key path spend (single Schnorr sig) ← looks like normal transaction
Bob's chain:   Key path spend (single Schnorr sig) ← looks like normal transaction
No on-chain link between the two swaps

The adaptor signature protocol for atomic swaps:

  1. Bob creates adaptor point T = t × G and reveals T (not t) to Alice

  2. Alice creates an adaptor signature for her chain's transaction, adapting to T

  3. Bob verifies the adaptor signature is correctly formed

  4. Bob reveals t to complete Alice's signature (spending Alice's HTLC equivalent)

  5. Alice sees t published on Bob's chain and uses it to complete her own signature

  6. Alice's transaction becomes valid, spending from her chain
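
The pre-signature check in step 3, and the completion and secret extraction in steps 4 and 5, as an added Python example that is not part of the original page. It uses plain Schnorr over secp256k1 with a SHA-256 challenge and leaves out BIP340's x-only keys and even-Y rule; the function names and the random nonce are assumptions made for illustration.

```python
import hashlib, secrets
# Added example (not the page's code): plain Schnorr over secp256k1.
# Assumption: BIP340 x-only encoding and even-Y rules are omitted.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; not constant time, illustration only
    out = None
    while k:
        if k & 1: out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def challenge(R, X, msg):  # e = H(R || X || m) mod N
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *X)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def presign(x, msg, T):  # signer: commit to T without knowing t
    k = secrets.randbelow(N - 1) + 1
    R_adapted = add(mul(k, G), T)  # R' = R + T
    return R_adapted, (k + challenge(R_adapted, mul(x, G), msg) * x) % N

def verify_presig(X, msg, T, presig):  # step 3: s'*G + T == R' + e*X
    R_adapted, s_pre = presig
    return add(mul(s_pre, G), T) == add(R_adapted, mul(challenge(R_adapted, X, msg), X))

def complete(presig, t):  # holder of t: s = s' + t
    return presig[0], (presig[1] + t) % N

def verify(X, msg, sig):  # ordinary Schnorr check: s*G == R + e*X
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, X, msg), X))

def extract(presig, sig):  # anyone holding both: t = s - s'
    return (sig[1] - presig[1]) % N
```

The check in verify_presig is what lets the counterparty know, before committing funds, that publishing the completed signature will necessarily reveal the discrete log of T and nothing else.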

Lightning Network Application

Adaptor signatures are the basis for Point Time Locked Contracts (PTLCs), the next-generation replacement for Hash Time Locked Contracts (HTLCs) in the Lightning Network.

Current Lightning (HTLC):
Payment path: Alice → Bob → Carol → Dave
Each hop reveals the same hash preimage
→ Hops can correlate payments, privacy is poor

Future Lightning (PTLC with adaptor signatures):
Payment path: Alice → Bob → Carol → Dave
Each hop uses a DIFFERENT adaptor point (related by a tweak)
→ Hops cannot correlate payments (each sees a different secret)
→ Payment privacy is massively improved

Technical Insight

This topic covers essential mechanics for Chapter 11. Understanding these details is key to mastering advanced Bitcoin script constructions like Taproot and specialized covenants.
