How to properly use Adaptor Signatures #1407

Open
ghost opened this issue Jul 11, 2023 · 0 comments
I studied the description of atomic swaps by Joel Gugger (https://eprint.iacr.org/2020/1126.pdf) and also by Philipp Hoenisch and Lucas Soriano (https://arxiv.org/pdf/2101.12332.pdf), which are used in your project. These articles talk about using adaptor signatures. I studied your project and still don't understand exactly how adaptor signatures should be used correctly in combination with multi-signatures in bitcoin transactions.

Ultimately, the adaptor signatures on ECDSA should give me the correct signature, which I can then use in a transaction that uses the OP_CHECKMULTISIG operation.

I used this (https://github.com/BlockstreamResearch/secp256k1-zkp) project to try and figure out adaptor signatures. As a rule, the same 4 functions are found everywhere:

  • Encrypt - generates the adaptor signature (EncSign)
  • Verify - verifies the adaptor signature (EncVrfy)
  • Decrypt - gets the ECDSA signature from the adaptor signature (DecSig)
  • Recover - restores the secret key from the adaptor signature (RecKey)


I used the protocol described by Joel Gugger, where Alice has XMR and Bob has BTC. Accordingly, Bob needs to generate the adaptor signature, which he then passes to Alice. Alice, using her private key, will receive an ECDSA signature that will allow her to redeem BTC.


Let's look at an example of using adaptor signatures.

```
// b_b - Bob's private key that he generated
// B_b - Bob's public key: b_b * H

// b_b^s - Bob's private key that was used in DLProve (b_b^s == k_b^s)
// B_b^s - Bob's public key, which was obtained from DLProve(k_b^s)

// b_a^s - Alice's private key that was used in DLProve (b_a^s == k_a^s)
// B_a^s - Alice's public key, which was obtained from DLProve(k_a^s)

// sighash - BTX_buy transaction signature hash

// On Bob's side:
adaptor_sig_b = Encrypt(b_b, B_a^s, sighash); // Bob's adaptor signature

// On Alice's side:
Verify(B_b, B_a^s, sighash, adaptor_sig_b) == 1 ?
ecdsa_sig_b = Decrypt(adaptor_sig_b, b_a^s); // Bob's ECDSA BTX_buy transaction signature ???

// On Bob's side:
key = Recover(B_a^s, adaptor_sig_b, ecdsa_sig_b); // getting Alice's private key to redeem XMR (key == k_a^s)
```

My misunderstanding of adaptor signatures lies in this section of code:

ecdsa_sig_b = Decrypt(adaptor_sig_b, b_a^s); // Bob's ECDSA BTX_buy transaction signature ???

It turns out that Alice gets the correct ECDSA signature of Bob's BTX_buy transaction from the adaptor signature?
In order for Alice to take BTC, she needs to provide the correct witness stack for input 0, which will be:

- 0
- alice_tx_endorsement
- bob_tx_endorsement
- 0
- SWAPLOCK_script

bob_tx_endorsement - derived from Decrypt(adaptor_sig_b, b_a^s) ? (if compared without encoding in DER format, arrays of 64 bytes)

I tried to write code where I sign sighash via libbitcoin-system library and sign(out_signature, b_a^s, sighash) function and then compare the result with Decrypt(adaptor_sig_b, b_a^s). They were not equal in any way.

Can you please help me figure out how to use the adaptor signature correctly so that later I can get the correct bob_tx_endorsement and execute the BTX_buy transaction?
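The four operations in the question (Encrypt/EncSign, Verify/EncVrfy, Decrypt/DecSig, Recover/RecKey) are easiest to reason about with a small self-contained implementation. The block below is an added example written for this page, not code from the project or from secp256k1-zkp; it implements the standard ECDSA adaptor construction (the nonce point is k·Y, with a Chaum-Pedersen DLEQ proof tying it to k·G) over secp256k1 in plain Python integer arithmetic. The key names follow the issue (b_b is Bob's signing key, b_a^s is Alice's DLProve secret k_a^s); the sighash bytes and key values are constructed, and the byte layout of the pre-signature is an assumption of this example and does not match the library's serialisation.

```python
"""ECDSA adaptor signatures on secp256k1: EncSign / EncVrfy / DecSig / RecKey (added example)."""
import hashlib
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def _challenge(*points):  # Fiat-Shamir challenge over the transcript points
    h = hashlib.sha256()
    for x, y in points:
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

def dleq_prove(k, Y, K_g, K_y):  # Chaum-Pedersen: K_g = k*G and K_y = k*Y share k
    t = secrets.randbelow(N - 1) + 1
    c = _challenge(Y, K_g, K_y, mul(t, G), mul(t, Y))
    return (c, (t + c * k) % N)

def dleq_verify(Y, K_g, K_y, proof):
    c, z = proof
    A1 = add(mul(z, G), mul(N - c, K_g))  # z*G - c*K_g == t*G
    A2 = add(mul(z, Y), mul(N - c, K_y))  # z*Y - c*K_y == t*Y
    if A1 is None or A2 is None:
        return False
    return _challenge(Y, K_g, K_y, A1, A2) == c

def enc_sign(x, Y, m):  # EncSign: signer key x, adaptor point Y, message hash m (int mod N)
    k = secrets.randbelow(N - 1) + 1
    K_g, K_y = mul(k, G), mul(k, Y)  # nonce over G (for the proof) and over Y (gives r)
    r = K_y[0] % N
    s_hat = pow(k, -1, N) * (m + r * x) % N  # ECDSA s, but r comes from k*Y, so it is not yet valid
    return (r, s_hat, K_g, K_y, dleq_prove(k, Y, K_g, K_y))

def enc_vrfy(X, Y, m, pre):  # EncVrfy under the signer's public key X
    r, s_hat, K_g, K_y, proof = pre
    if not (0 < r < N and 0 < s_hat < N) or K_y is None or K_y[0] % N != r:
        return False
    w = pow(s_hat, -1, N)
    if add(mul(w * m % N, G), mul(w * r % N, X)) != K_g:  # s_hat^-1 (mG + rX) == k*G
        return False
    return dleq_verify(Y, K_g, K_y, proof)

def dec_sig(pre, y):  # DecSig: the adaptor secret y completes the signature
    s = pre[1] * pow(y, -1, N) % N  # s = s_hat / y  ->  (r, s) is a valid ECDSA signature
    if s > N // 2:  # low-s normalisation, as Bitcoin's script rules require
        s = N - s
    return (pre[0], s)

def rec_key(Y, pre, sig):  # RecKey: y = s_hat / s, allowing for the low-s sign flip
    y = pre[1] * pow(sig[1], -1, N) % N
    if mul(y, G) == Y:
        return y
    return N - y if mul(N - y, G) == Y else None

def ecdsa_verify(X, m, sig):  # plain ECDSA, i.e. what OP_CHECK(MULTI)SIG evaluates
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = add(mul(m * w % N, G), mul(r * w % N, X))
    return R is not None and R[0] % N == r

def swap_round_trip(b_b, b_a_s, sighash):
    """Bob pre-signs the BTX_buy sighash for Alice's point B_a^s; Alice decrypts it into
    Bob's signature; once that signature is public, Bob recovers k_a^s."""
    B_b, B_a_s = mul(b_b, G), mul(b_a_s, G)
    m = int.from_bytes(sighash, "big") % N
    pre = enc_sign(b_b, B_a_s, m)  # Bob -> Alice
    bob_sig = dec_sig(pre, b_a_s)  # Alice -> Bob's (r, s) over the BTX_buy sighash
    return (enc_vrfy(B_b, B_a_s, m, pre),
            ecdsa_verify(B_b, m, bob_sig),
            rec_key(B_a_s, pre, bob_sig) == b_a_s)
```

Two properties of the round trip are the ones worth checking before putting funds at risk: the decrypted (r, s) verifies under Bob's public key B_b and not under Alice's, so it is Bob's endorsement of the transaction even though Alice produced it; and the pre-signature must pass EncVrfy before Alice relies on it, because that check (including the DLEQ proof) is what guarantees that publishing the final signature will reveal k_a^s to Bob. Since ECDSA uses a fresh nonce per signing, a signature made separately with any key will never match the decrypted one byte for byte; the only meaningful comparison is verification. For the witness stack, (r, s) still has to be DER-encoded with the sighash-type byte appended, which this example does not do.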

ghost changed the title from "How to properly use Adapter Signatures" to "How to properly use Adaptor Signatures" on Jul 11, 2023