|
| 1 | +Partially Blind Atomic Swap Using Adaptor Signatures |
| 2 | +=========================== |
| 3 | + |
| 4 | +In this scheme one of the participants of the swap does not learn which coins |
| 5 | +are being swapped. For example if Alice engages in a partially blind atomic |
| 6 | +swap with Bob and Carol, she would not be able to determine if a swapped output |
| 7 | +belongs to Bob or Carol (assuming the transaction amounts are identical or |
| 8 | +confidential). This property is very similar to |
| 9 | +[TumbleBit](https://eprint.iacr.org/2016/575.pdf) but in the form of a |
| 10 | +[scriptless |
| 11 | +script](https://github.com/apoelstra/scriptless-scripts/blob/master/md/atomic-swap.md) |
| 12 | +and therefore purely in the elliptic curve discrete logarithm setting. |
| 13 | + |
| 14 | +The basic idea is that the discrete logarithm of the auxiliary point `T` in the |
| 15 | +adaptor signature is not chosen uniformly at random by Alice. Instead, Bob |
| 16 | +computes `T = t*G` where `t` is a [blind Schnorr |
| 17 | +signature](https://blog.cryptographyengineering.com/a-note-on-blind-signature-schemes/) |
| 18 | +of Alice over a transaction spending the funding transaction without knowing `t` |
| 19 | +(similar to [Discreet Log Contracts](https://adiabat.github.io/dlc.pdf)). |
| 20 | + |
| 21 | +Protocol description |
| 22 | +--- |
| 23 | +Assume Alice has a permanent public key `A = a*G`, ephemeral pubkey `A1 = A + |
| 24 | +h*G` and ephemeral pubkey `A2`, Bob has two pubkeys `B1 = b1*G` and `B2 = b2*G` |
| 25 | +and `H` is a cryptographic hash function. Public key aggregation in "2-of-2" |
| 26 | +scripts is achieved with [MuSig](https://eprint.iacr.org/2018/068.pdf) and the |
| 27 | +signature scheme is adapted from |
| 28 | +[Bellare-Neven](https://cseweb.ucsd.edu/~mihir/papers/multisignatures-ccs.pdf). |
| 29 | +The partially blind atomic swap protocol where Alice acts as a tumbler works as |
| 30 | +follows. |
| 31 | + |
| 32 | +1. Setup |
| 33 | + |
| 34 | + * Bob anonymously asks Alice to put coins into a key aggregated output O1 |
| 35 | + with public key `P1 = H(A1,B1,A1)*A1 + H(A1,B1,B1)*B1`. |
| 36 | + * Bob puts coins into a key aggregated output O2 with `P2 = H(A2,B2,A2)*A2 + |
| 37 | + H(A2,B2,B2)*B2`. As usual, before sending coins Alice and Bob agree on |
| 38 | + timelocked refund transactions in case one party disappears. |
| 39 | +2. Blind signing |
| 40 | + |
| 41 | + Bob creates a transaction `tx_B` spending O1. Then Bob creates an auxiliary |
| 42 | + point `T = t*G` where `t` is a Schnorr signature over `tx_B` in the |
| 43 | + following way: |
| 44 | + |
| 45 | + * Bob asks Alice for nonce `Ra = ka*G` |
| 46 | + * Bob creates nonce `Rb = kb*G` |
| 47 | + * Bob computes |
| 48 | + * the combined nonce `R = Ra+Rb` |
| 49 | + * the "blinded" nonce `alpha,beta = rand, R' = R + alpha*G + beta*A` |
| 50 | + * the challenge `c1` as the Bellare-Neven style challenge hash of |
| 51 | + `tx_B` with respect to `P1` and input 0 for aggregated key `P1`: `c1 |
| 52 | + = H(P1, 0, R', tx_B)` |
| 53 | + * the challenge `c'` for `A1` as part of `P1`: `c' = c1*H(A1,B1,A1)` |
| 54 | + * the blinded challenge `c = c'+beta` |
| 55 | + * and the blinded signature of A times `G`: `T = R + c*A` |
| 56 | + * Bob sends `c` to Alice |
| 57 | + * Alice replies with an adaptor signature over `tx_A` spending `O2` with |
| 58 | + auxiliary point `T = t*G, t = ka + c*a` where `a` is the discrete |
| 59 | + logarithm of permanent key `A`. |
| 60 | +3. Swap |
| 61 | + |
| 62 | + * Bob gives Alice his contribution to the signature over `tx_A`. |
| 63 | + * Alice adds Bob's contribution to her own signature and uses it to take |
| 64 | + her coins out of O2. |
| 65 | + * Due to previously receiving an adaptor signature Bob learns `t` from step (2). |
| 66 | +4. Unblinding |
| 67 | + |
| 68 | + * Bob unblinds Alice's blind signature `t` as `t' = t + alpha + c'*h` where |
| 69 | + c' is the unblinded challenge `h` is the tweak for `A1`. This results in a |
| 70 | + regular signature `(R', t')` of Alice (`A1`) over `tx_B`. |
| 71 | + * Bob adds his contribution to `t'` completing `(R', s), s = t' + kb + |
| 72 | + c1*H(A1,B1,B1)*b1` which is a valid signature over `tx_B` spending O1: |
| 73 | + ``` |
| 74 | + s*G = t' + kb + c1*H(A1,B1,B1) * b1 |
| 75 | + = (ka + (c'+beta)*a + alpha + c'*h + kb + c1*H(A1,B1,B1) * b1)*G |
| 76 | + = R + beta*A + alpha*G + c1*(H(A1,B1,A1) * (a+h) + H(A1,B1,B1) * b1)*G |
| 77 | + = R' + H(P1, 0, R', tx_B)*P1 |
| 78 | + ``` |
| 79 | + * Bob waits to increase his anonymity set and then publishes the signature |
| 80 | + to take his coins from O1 resulting in the following transaction graph: |
| 81 | + ``` |
| 82 | + +------------+ (R', s) +------------+ |
| 83 | + | O1 +----------->| ...| |
| 84 | + +------------+ +------------+ |
| 85 | + Alice's setup tx tx_B |
| 86 | +
|
| 87 | + +------------+ +------------+ |
| 88 | + | O2 +----------->| ...| |
| 89 | + +------------+ +------------+ |
| 90 | + Bob's setup tx tx_A |
| 91 | + ``` |
| 92 | +
|
| 93 | +As a result, Alice can not link Bob's original coins and his new coins. From |
| 94 | +Alice's perspective `tx_B` could have been just as well the result of a swap |
| 95 | +with someone else. |
| 96 | +
|
| 97 | +Blind Schnorr signatures suffer from a vulnerability known as "parallel attack" |
| 98 | +([Security of Blind Discrete Log Signatures Against Interactive Attacks, C. P. |
| 99 | +Schnorr](http://www.math.uni-frankfurt.de/~dmst/research/papers/schnorr.blind_sigs_attack.2001.pdf)) |
| 100 | +where the attacker collects a bunch of nonces `R` and sends specially crafted |
| 101 | +challenges `c`. The responses can be combined to create a signature forgery. |
| 102 | +Among proposed countermeasures is a simple, but currently unproven trick by |
| 103 | +Andrew Poelstra in which the signer randomly aborts after receiving a |
| 104 | +challenge. |
| 105 | +
|
| 106 | +
|
| 107 | +A simpler scheme that would be broken by Aggregated Signatures |
| 108 | +--- |
| 109 | +Note that Bob can get a signature of A over anything including arbitrary |
| 110 | +messages. Therefore, Alice must only use fresh ephemeral keys `A1` when |
| 111 | +creating outputs. This complicates the protocol because at the same time Alice |
| 112 | +must not be able to determine for which exact input she signs. As a result, |
| 113 | +It's Bob's job to apply tweak `h` to convert a signature of `A` to `A1`. |
| 114 | +
|
| 115 | +A simpler protocol where Alice uses `A` instead of `A1` is broken by aggregated |
| 116 | +signatures because it allows spending multiple inputs with a single signature. |
| 117 | +If Bob creates many funding txs with Alice, he can create a tx spending all of |
| 118 | +them, and prepares a message for Alice to sign which is her part of the |
| 119 | +aggregate signature of all the inputs. Alice just dumbly signs any blinded |
| 120 | +message, so can't decide if it's an aggregated sig or not. For example Bob may |
| 121 | +send Alice a challenge for an aggregate signature covering output 1 with |
| 122 | +pubkeys `L1 = {A, B1}` and output 2 with pubkeys `L2 = {A, B2}` as `c'=H(P1, 0, |
| 123 | +R', tx_B)*H(L1,A) + H(P2, 1, R', tx_B)*H(L2,A)`. |
| 124 | +
|
| 125 | +Similarly, the [SIGHASH_SINGLE |
| 126 | +bug](https://underhandedcrypto.com/2016/08/17/the-2016-backdoored-cryptocurrency-contest-winner/) |
| 127 | +for example would have been disastrous for this scheme. In general, the |
| 128 | +Blockchain this is used in must not allow spending more than one output with a |
| 129 | +single signature. |
0 commit comments