Adaptor generalisation

59 views
Skip to first unread message

waxwing/ AdamISZ

unread,
Oct 9, 2024, 12:35:43 PMOct 9
to Bitcoin Development Mailing List
Hi list,
I wrote a post about generalisation of the concept of adaptor signatures here:


Motivating Q: "Is there a value in being able to verify a statement that is not limited to the default secp256k1 generator G, on chain?"

I think the natural answer is twofold: yes that could definitely be useful for various ZKP constructions, and also: it's not possible, which makes it a lot less interesting!

The paper is basically an investigation into whether the concept of adaptors could somehow "sneak in" some kind of such verification via the backdoor, so to speak.

The conclusion is that *something* like this seems to be possible: it's a 2-party protocol in which A convinces B that if a BIP340 signature is published, then a DLEQ statement (which is a statement with two bases, G and something else) is true. It's interactive: A needs to give B an adaptor first, which *doesn't* prove the DLEQ relationship in itself.

To summarize the post for the time constrained:

the first half is looking at one way of generalising; for multi base single statements ("proof of representation" if that phrase is familiar). I don't pursue that into anything concrete for now, so feel free to skip it unless that's interesting in itself.

the second half focuses on the idea that, by embedding 1 or 2 curve points into the transaction message, you could craft a BIP340 signature such that a valid adaptor on it will satisfy the other party that: *if* the signature is published on chain, it proves the DLEQ relationship (if not, the adaptor could have been forged, as argued in detail).

Would love to extend this all the way to generalised sigma protocols using the idea of the first half of the blog post, in combination with the second, but it seems very unclear.

Cheers,
AdamISZ/waxwing
Reply all
Reply to author
Forward
0 new messages