13. Adaptor Signatures in Tapscript
Adaptor signatures are a cryptographic technique that allows conditional signature revelation. An adaptor signature commits to a secret value: it is a "pre-signature" that becomes a valid Schnorr signature only when combined with a specific secret. Tapscript's use of Schnorr signatures makes adaptor signatures practical for Bitcoin.
What is an Adaptor Signature
An adaptor signature ties a signature to a secret scalar t. The signer produces an adaptor signature σ' that:
- Is not a valid signature by itself
- Becomes a valid signature σ = σ' + t when combined with the secret t
- Reveals t to anyone who sees both σ' and σ
# Conceptual adaptor signature (not production code).
# Assumes helpers that are not shown here: generator G, group order n,
# point arithmetic (+, *), generate_nonce, tagged_hash and x_only.
# BIP340 even-y handling of R' and the public key is omitted.
def create_adaptor_signature(secret_key, message, adaptor_point):
    """
    adaptor_point: T = t × G, the public commitment to the secret t
    """
    # Standard Schnorr nonce
    k = generate_nonce(secret_key, message)
    R = k * G  # Nonce point
    # Shift the nonce point by the adaptor point
    R_prime = R + adaptor_point  # R' = R + T
    # Compute adaptor signature (like Schnorr but with shifted R)
    e = tagged_hash("BIP0340/challenge",
                    x_only(R_prime) + x_only(secret_key * G) + message)
    # Scalars are reduced modulo the group order n
    s_prime = (k + int.from_bytes(e, 'big') * secret_key) % n  # s' = k + e*x
    # Note: NOT s' = k + t + e*x (the secret t is NOT included)
    return (R_prime, s_prime)  # Adaptor signature

def complete_adaptor_signature(adaptor_sig, secret_t):
    """Complete the adaptor signature by adding the secret."""
    R_prime, s_prime = adaptor_sig
    s = (s_prime + secret_t) % n  # s = s' + t
    # Now (R_prime, s) is a valid Schnorr signature
    return (R_prime, s)

def extract_secret(adaptor_sig, completed_sig):
    """Extract the secret from an adaptor and its completion."""
    _, s_prime = adaptor_sig
    _, s = completed_sig
    t = (s - s_prime) % n  # t = s - s'
    return t
Adaptor Signatures and Atomic Swaps
The most important application of adaptor signatures in Bitcoin is scriptless atomic swaps — cross-chain swaps that require no hash preimage reveal on-chain.
Traditional HTLC atomic swap (on-chain trace):
Alice's chain: OP_SHA256 <hash_of_secret> OP_EQUAL ← secret visible when Bob claims
Bob's chain: OP_SHA256 <hash_of_secret> OP_EQUAL ← links the two transactions
Adaptor signature atomic swap:
Alice's chain: Key path spend (single Schnorr sig) ← looks like normal transaction
Bob's chain: Key path spend (single Schnorr sig) ← looks like normal transaction
No on-chain link between the two swaps
The adaptor signature protocol for atomic swaps:
- Bob creates adaptor point T = t × G and reveals T (not t) to Alice
- Alice creates an adaptor signature for her chain's transaction, adapting to T
- Bob verifies the adaptor signature is correctly formed
- Bob reveals t to complete Alice's signature (spending Alice's HTLC equivalent)
- Alice sees t published on Bob's chain and uses it to complete her own signature
- Alice's transaction becomes valid, spending from her chain
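The pre-signature check in the third step and the recovery of t in the fifth, as an added example that is not part of the original page: a simplified Schnorr scheme over secp256k1 that omits BIP340's even-y normalisation. The key x, secret t, nonce k, message and all function names are constructed for illustration.

```python
import hashlib

p = 2**256 - 2**32 - 977  # secp256k1 field prime
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    num, den = (3 * A[0] * A[0], 2 * A[1]) if A == B else (B[1] - A[1], B[0] - A[0])
    lam = num * pow(den % p, -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):  # double-and-add scalar multiplication (not constant time)
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def challenge(R, P, msg):
    # Simplification: x-coordinates are hashed without BIP340 parity rules
    tag = hashlib.sha256(b"BIP0340/challenge").digest()
    data = tag + tag + R[0].to_bytes(32, "big") + P[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def presign(x, msg, T, k):
    R_prime = add(mul(k, G), T)                      # R' = k*G + T
    return R_prime, (k + challenge(R_prime, mul(x, G), msg) * x) % n

def check(P, msg, sig, T=None):
    """T=None: Schnorr check s*G == R + e*P. With T: pre-signature check s'*G + T == R' + e*P."""
    R, s = sig
    return add(mul(s, G), T) == add(R, mul(challenge(R, P, msg), P))

def complete(presig, t):
    return presig[0], (presig[1] + t) % n            # s = s' + t

def extract(presig, sig):
    return (sig[1] - presig[1]) % n                  # t = s - s'

# Constructed demo values (not real keys): signer key x, swap secret t, toy nonce k.
x, t, k, msg = 0xA11CE, 0xB0B, 0x1234567, b"constructed swap tx digest"
P, T = mul(x, G), mul(t, G)
pre = presign(x, msg, T, k)
sig = complete(pre, t)
```

The verifier needs only P, T and the pre-signature, so the party holding t can confirm that completing it will yield a valid signature before committing to anything.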
Lightning Network Application
Adaptor signatures are the basis for Point Time Locked Contracts (PTLCs), the next-generation replacement for Hash Time Locked Contracts (HTLCs) in the Lightning Network.
Current Lightning (HTLC):
Payment path: Alice → Bob → Carol → Dave
Each hop reveals the same hash preimage
→ Hops can correlate payments, privacy is poor
Future Lightning (PTLC with adaptor signatures):
Payment path: Alice → Bob → Carol → Dave
Each hop uses a DIFFERENT adaptor point (related by a tweak)
→ Hops cannot correlate payments (each sees a different secret)
→ Payment privacy is massively improved
Technical Insight
This topic covers essential mechanics for Chapter 11. Understanding these details is key to mastering advanced Bitcoin script constructions like Taproot and specialized covenants.