Rename adaptorless signatures to partial signatures

Author: jonasnick

md/atomic-swap.md

@@ -12,7 +12,7 @@ to B on one chain, while B is sending coins to A on the other.
 
 1. Both parties A and B put their coins into multisignature outputs on each chain
    which require both parties' signatures to be spent.
-2. A gives B auxiliary data, "adaptorless signatures", for each output. This will allow B to extract a
+2. A gives B a partial signature with auxiliary data for each output. This will allow B to extract a
    discrete logarithm from a signature on one chain, and then to adapt A's
    signature with the same discrete logarithm on the other chain.
 3. B then signs to give A her coins on one chain.
@@ -38,23 +38,24 @@ with public key `P` is a pair `(s, R)` satisfying the equation
 ```
 sG = R + H(P || R || m)P
 ```
-Closely related, an _adaptorless signature_ is a triplet `(s', R, T)` satisfying
+Closely related, a partial signature with _adaptor_ `T`  is a triplet `(s', R, T)` satisfying
 ```
 s'G = R + H(P || R + T || m)P
 ```
 
-It is easy to see that given a Schnorr signature `(s, R + T)` and adaptor signature
-`(s', R, T)` that the discrete logarithm of the _adaptor_ `T`,
+It is easy to see that given a Schnorr signature `(s, R + T)` and partial signature
+`(s', R, T)` that the discrete logarithm of the adaptor `T`,
 can be computed as `s - s'`, since subtracting the above equations reveals
 `(s - s')G = R + T - R = T`.
 
-Similarly, given an adaptorless signature `(s', R, T)` and `t` such that `T = tG`,
+Similarly, given a partial signature `(s', R, T)` and `t` such that `T = tG`,
 it is easy to compute a Schnorr signature `(s, R + T)` by the equation `s = s' + t`.
 
-We conclude that given an adaptorless signature `(s', R, T)` with public key `P`,
+We conclude that given a partial signature `(s', R, T)` with public key `P`,
 knowledge of a Schnorr signature `(s, R + T)` with same `P` is equivalent to
-knowledge of the discrete logarithm of `T`. Schnorr signature `(s, R + T)` is an
-_adaptor signature_ for `(s', R, T)` because it provides the adaptor.
+knowledge of the discrete logarithm of `T`. The Schnorr signature `(s, R + T)` is an
+_adaptor signature_ because it reveals the secret adaptor to anyone
+with partial signature `(s', R, T)`.
 
 #### Schnorr Multisignatures
 
@@ -73,13 +74,13 @@ that both blockchains support Schnorr signatures.
 1. Each party puts their coins into a multisignature output. They agree on a public Schnorr signature nonce
    `R` for each signature that they'll eventually use to move the coins to their
    final destinations.
-2. A chooses a random `t`, sets `T = tG`, and produces adaptorless signatures in place
+2. A chooses a random `t`, sets `T = tG`, and produces a partial signatures in place
    of her contributions to `s`. Each signature uses the same `T`. She sends these
    and `T` to B.
 3. B reveals his contribution to `s` for the signature that sends his coins to A.
-4. A reveals her contribution to `s` for that signature, completing it by adapting previous adaptorless signature, and
+4. A reveals her contribution to `s` for that signature, completing it by adapting the partial signature, and
    publishes it to take her coins.
-5. Using the adaptorless signature, B learns `t` from the output of step (4), and uses
+5. Using the partial signature, B learns `t` from the output of step (4), and uses
    it to adapt A's contribution to `s` for the signature that sends her coins to
    him.
 6. B adds his contribution to `s`, completing the signature, and publishes it to

md/partially-blind-swap.md

@@ -56,15 +56,15 @@ follows.
         * the blinded challenge `c = c'+beta`
         * and the blinded signature of A times `G`: `T = R + c*A`
    * Bob sends `c` to Alice
-   * Alice replies with an adaptorless signature over `tx_A` spending `O2` with
+   * Alice replies with a partial signature over `tx_A` spending `O2` with
      adaptor point `T = t*G, t = ka + c*a` where `a` is the discrete
      logarithm of permanent key `A`.
 3. Swap
 
     * Bob gives Alice his contribution to the signature over `tx_A`.
     * Alice adds Bob's contribution to her own signature and uses it to take
       her coins out of O2.
-    * Due to previously receiving an adaptorless signature Bob learns `t` from step (2).
+    * Due to previously receiving a partial signature Bob learns `t` from step (2).
 4. Unblinding
 
    * Bob unblinds Alice's blind signature `t` as `t' = t + alpha + c'*h` where

md/pedersen-swap.md

@@ -63,7 +63,7 @@ Protocol rationale
 ---
 Assume someone wants to buy the opening `(r, x)` of a Pedersen commitment `Q =
 r*G + x*H` from a seller. The seller can't just use `r*G` as the adaptor
-point in an adaptorless signature and send it to the buyer. Upon receiving `r*G`
+point in a partial signature and send it to the buyer. Upon receiving `r*G`
 the buyer would compute `Q - r*G = x*H` and since `x` can belong to a small
 set, the buyer could simply brute-force `x` without paying.
 This is where the multiplication proof for Pedersen commitments comes into
@@ -74,7 +74,7 @@ problem, but learning `t1` and `t2` during the swap allows the buyer to compute
 `r`.
 
 Because `x` is multiplied by `H` and not `G` there is no straightforward way to
-similarly put `x*H` in an adaptorless signature. Let `xi` be the `i`-th bit of `x`.
+similarly put `x*H` in a partial signature. Let `xi` be the `i`-th bit of `x`.
 The seller creates one Pedersen commitment `Qi = ri*G + xi*G` for every bit of
 `x`. After learning all `ri` during the swap, the buyer can reconstruct `x`
 bitwise by checking whether `Qi` is a commitment to `0` or `1`. Committing to
@@ -84,14 +84,14 @@ transactions](https://people.xiph.org/~greg/confidential_values.txt). So we
 can abuse that scheme not to prove ranges, but to prove that each `Qi` commits
 to a bit of `x`.
 
-As a result, the seller must send adaptorless signatures for the factors `ti1`
+As a result, the seller must send partial signatures for the factors `ti1`
 and `ti2` of each `ri`. In general, in order to reveal multiple secret adaptors
-`u1, ..., un` with a single signature the seller must create adaptorless
+`u1, ..., un` with a single signature the seller must create partial
 signatures `(si, R + sum(uj over j)*G - ui*G, ui*G)`. This ensures that all
-adaptorless signatures commit to the same Schnorr signature nonce `R + sum(uj
+partial signatures commit to the same Schnorr signature nonce `R + sum(uj
 over j)*G`.
 
-However, simply sending multiple adaptorless signatures in that way is problematic.
+However, simply sending multiple partial signatures in that way is problematic.
 Say the seller sends one adaptorless signature with adaptor `Ti1=ti1*G` and one with
 adaptor `Ti2=ti2*G`. Then even without seeing the actual signature, by just
 subtracting the signatures the buyer learns `-ti1 + ti2`. Instead, the seller
@@ -123,20 +123,20 @@ r*G + x*H` from a seller.
     * For each bit commitment `Qi`, seller generates a uniformly random scalar
       `ti1` and sets `ti2`, such that `ti1*ti2*G = ri*G = Qi-xi*H`. Then the
       seller computes adaptors `Ti1 = ti1*G` and `Ti2 = ti2*G` and sends
-      adaptorless signatures `(si1, R + sum(Ai) - H(Ti1)*Ti1, H(Ti1)*Ti1)` and
+      partial signatures `(si1, R + sum(Ai) - H(Ti1)*Ti1, H(Ti1)*Ti1)` and
       `(si2, R + sum(Ai) - H(Ti2)*Ti2, H(Ti2)ti2)` where `Ai` is the sum of
       both adaptors.  The seller also sends a multiplication proof for Pedersen
       commitments proving the multiplicative relationship of the blinding
       factors of Ti1, Ti2 and Qi.
 3. Swap
 
-    * The buyer verifies the adaptorless signatures and multiplication proofs and
+    * The buyer verifies the partial signatures and multiplication proofs and
       sends his contribution to the signature.
     * The seller completes the signature `(R, s)` and publishes it along with
       the transaction to take her coins.
     * Just as in regular atomic swaps using adaptor signatures, the buyer can
       recover the discrete logarithm of the adaptor by subtracting
-      the adaptorless signature from the corresponding s. So for each bit commitment, the
+      the partial signature from the corresponding s. So for each bit commitment, the
       buyer is able to recover `ti1` and `ti2`.
     * Because it holds that `ti1*ti2 = ri`, the buyer can reconstruct `x` by
       setting the `i`-th bit of `x` to `0` if `Qi == ti1*ti2*G + 0*H` and to