TECHNICAL_DOC // CRYPTOGRAPHY / ADAPTOR-SIGNATURES
ADAPTOR
SIGNATURES
SIGNATURES
An adaptor signature is a partially-formed signature that becomes valid only
when combined with a secret value (the "adaptor secret" or "tweak"). Publishing the completed
signature on-chain reveals the secret to the other party. This enables atomic swaps,
scriptless scripts, and private payment channels — all as regular-looking signatures
with no special opcodes.
THE_CORE_MECHANISM
ADAPTOR SIGNATURE CONSTRUCTION
Alice wants to pay Bob IF Bob reveals secret t
where T = t×G is the known "adaptor point"
Normal Schnorr signature: s = r + e×x (r=nonce, e=challenge, x=privkey)
Adaptor signature (pre-signature):
s' = r + t + e×x ← shifted by secret t
s' is NOT a valid Schnorr signature.
T = t×G is shared publicly.
Bob receives (R', s') and can verify:
s'×G = R' + e×P where R' = R + T
→ Checks out structurally, but not yet valid
To complete: Bob adds t → s = s' + (correction)
Actually: Alice publishes s = s' − t (the completed tx)
→ s is now a valid Schnorr signature on-chain
Bob observes s on-chain, computes: t = s' − s → learns t ✓
USE_CASES
Atomic Swap — Cross-Chain
SCRIPTLESS
Two parties exchange coins on different blockchains atomically — either both transfers happen or neither does, without any hash-lock contracts visible on-chain.
Alice: has BTC, wants LTC
Bob: has LTC, wants BTC
1. Bob generates secret t, shares T = t×G with Alice
2. Alice creates adaptor sig for BTC payment, locked to T
3. Bob creates adaptor sig for LTC payment, locked to T
To complete:
- Bob reveals t to complete Alice's BTC payment → Alice gets LTC
- Alice observes t on BTC chain → completes LTC payment
- Bob gets LTC
If Bob goes silent → Alice's tx never completes → funds safe
No OP_HASH160, no HTLC visible on-chain — just two normal signatures
This is "scriptless scripts" — complex contract logic expressed purely through signature mathematics, leaving no script fingerprint on-chain.
Point Time-Locked Contracts (PTLCs)
LIGHTNING UPGRADE
PTLCs replace HTLCs in Lightning channels. Instead of revealing a hash preimage, they reveal a discrete-log secret — more private and enabling payment decorrelation.
HTLC (current Lightning):
Reveals: same hash preimage across all routing hops
Problem: correlates payment path — reduces privacy
PTLC (adaptor signature based):
Reveals: different scalar t at each hop (offset by adaptor)
Result: payment path cannot be correlated by watching on-chain
Bonus: native to Schnorr/Taproot, no OP_HASH160 needed
Each hop: T_i = T_{i-1} + delta_i (blinded adaptor points)
Sender and receiver coordinate the initial and final secrets
TERMINOLOGY_INDEX
Adaptor Signature
A pre-signature shifted by a secret scalar. Valid completion reveals the secret to the counterparty.
Adaptor Point
T = t×G. The public commitment to the secret t. Shared before the secret is revealed.
Scriptless Scripts
Smart contract logic expressed through signature properties rather than on-chain opcodes.
PTLC
Point Time-Locked Contract. An adaptor-signature-based replacement for HTLC in Lightning, improving privacy.
Atomic Swap
Cross-chain exchange where either both legs complete or neither does, enforced cryptographically.
HTLC
Hash Time-Locked Contract. Current Lightning mechanism using hash preimage revelation. Being replaced by PTLCs.