Standardize the term adaptor signature #5
Currently the term adaptor signature is defined as a triplet (s', R, T) satisfying
However, multi hop locks as described in the paper and in @apoelstra's original mailing list post use adaptor signatures (s', R + T, -T), so
The point is that the party creating these does not need to know the secret adaptor t such that T = t*G. Both documents don't call these things adaptor signatures and don't use a different name for them.
The current multi-hop-locks.md document and the libsecp-zkp MuSig PR don't call
these things adaptor signatures because functionally they are opposite in the
sense that they don't include the adaptor. Instead they call Schnorr signatures
(s + T, R + T) adaptor signatures because creating them requires knowing the
adaptor and they provide the adaptor.
For adaptor signatures (s', R + T, -T) I'd suggest using the term partial signatures.
Now there are the following options
the libsecp-zkp MuSig PR to use adaptor signature for adaptorless
signatures.
multi-hop-locks.md and the libsecp-zkp MuSig PR. As a consequence they would
not require adaptor signatures, only regular Schnorr sigs and adaptorless
sigs.
Use the term partial signature and redefine adaptor signatures to mean partial signature + adaptor. That requires rewriting
atomic-swap.md, blind-swap.md and pedersen-swap.md to match the terminology.
I think partial signatures are strictly more general than adaptor signatures because they don't require knowing the secret adaptor. So I went for
option 3 with this PR.
However, when you want to reveal multiple secret adaptors with a single signature as in the Pedersen Swap, you need to use the
same public nonce and adaptorless signatures don't support that unless you use
them in the non-intuitive way. So I'm torn now. Thoughts?